
New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

Medium
Published: Wed May 14 2025 (05/14/2025, 13:56:14 UTC)
Source: AlienVault OTX

Description

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware employs a multi-stage PowerShell script infection process, utilizing Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It targets browser data and cryptocurrency wallet extensions, extracting credentials, cookies, autofill data, browsing history, and payment information. The stolen data is compressed, encrypted using AES-GCM, and exfiltrated to an external server. The malware's sophisticated execution chain includes stealthy loading and a multi-staged payload, making it challenging to detect and analyze.

AI-Powered Analysis

Last updated: 06/19/2025, 17:49:36 UTC

Technical Analysis

Chihuahua Stealer is a recently identified .NET-based infostealer malware that employs a sophisticated multi-stage infection process primarily targeting browser data and cryptocurrency wallet extensions. The infection chain begins with heavily obfuscated PowerShell scripts, utilizing Base64 encoding and hex-string transformations to evade detection. These scripts establish persistence through scheduled tasks, allowing the malware to survive system reboots and maintain long-term access. Once active, Chihuahua Stealer extracts a broad spectrum of sensitive browser data, including user credentials, cookies, autofill information, browsing history, and payment details. It specifically targets cryptocurrency wallet extensions, aiming to steal wallet credentials and potentially gain unauthorized access to digital assets. The stolen data is compressed and encrypted using AES-GCM, a modern authenticated encryption standard, before being exfiltrated to an external command and control server hosted at the domain flowers.hold-me-finger.xyz. The malware’s multi-staged payload delivery and obfuscation techniques complicate detection and forensic analysis, allowing it to operate stealthily. Although there are no known exploits reported in the wild, the malware leverages legitimate system tools such as PowerShell and scheduled tasks, increasing its ability to bypass traditional signature-based antivirus solutions that do not monitor script-based or behavioral anomalies effectively.

Potential Impact

For European organizations, Chihuahua Stealer poses a significant threat, especially to sectors with high reliance on web browsers and cryptocurrency transactions, including financial services, fintech startups, and e-commerce platforms. The theft of browser credentials and payment information can lead to unauthorized access to corporate and personal accounts, fraudulent transactions, and data breaches compromising customer privacy. The targeting of cryptocurrency wallet extensions is particularly concerning given the increasing adoption of cryptocurrencies across Europe, potentially resulting in irreversible financial losses and reputational damage. The malware’s stealthy execution chain increases the risk of prolonged undetected data exposure. Organizations with remote or hybrid workforces using unmanaged or personal devices are especially vulnerable. Furthermore, the exfiltration of personal data to an external server raises compliance concerns under GDPR, as unauthorized data transfers outside the EU could lead to legal penalties. The malware could facilitate targeted espionage, financial fraud, and large-scale data breaches impacting European businesses and their customers.

Mitigation Recommendations

To mitigate Chihuahua Stealer effectively, European organizations should implement targeted, multi-layered defenses:

1) Deploy advanced Endpoint Detection and Response (EDR) solutions with capabilities to monitor and analyze PowerShell activity, including script execution logs and command-line parameters, to detect obfuscated or suspicious scripts.
2) Enforce strict application whitelisting policies and restrict execution of unauthorized PowerShell scripts and scheduled tasks using Group Policy Objects (GPO) or endpoint management platforms.
3) Harden browser security by disabling or restricting installation of untrusted extensions, particularly cryptocurrency wallet extensions, and conduct regular audits of installed extensions for anomalies or unauthorized additions.
4) Implement multi-factor authentication (MFA) on all critical accounts to reduce the impact of stolen credentials.
5) Utilize network monitoring and DNS filtering solutions to block communications with known malicious domains such as flowers.hold-me-finger.xyz, leveraging up-to-date threat intelligence feeds for dynamic blocklist updates.
6) Conduct targeted user awareness training focusing on phishing and social engineering techniques that may serve as initial infection vectors.
7) Maintain regular backups of critical data and ensure incident response plans include procedures for detecting and responding to infostealer infections.
8) Monitor endpoints for unusual data compression or encryption activities that may indicate data exfiltration attempts.

These measures specifically address the malware's infection vectors, persistence mechanisms, and exfiltration techniques, going beyond generic cybersecurity advice.
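As an added illustration of recommendations 1 and 5 (not code from the advisory or from AlienVault), the following Python heuristics run over constructed PowerShell script-block log text and a constructed DNS query line: they flag Base64 -EncodedCommand payloads and decode them, unpack long hex strings of the kind the Technical Analysis describes, spot scheduled-task creation, and match the page's C2 domain. The sample script blocks, the `schtasks` task name and the DNS line are all constructed for the example.

```python
import base64
import re

IOC_DOMAINS = {"flowers.hold-me-finger.xyz"}  # C2 domain from the advisory's IoC section

# Heuristics for the tradecraft the advisory describes: Base64-encoded commands,
# hex-string obfuscation and scheduled-task persistence (regexes are assumptions).
RULES = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})", re.I),
    "hex_string": re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Fa-f])"),
    "scheduled_task": re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
}

def decode_encoded_command(b64):
    """-EncodedCommand payloads are UTF-16LE text; return it, or None if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def decode_hex_strings(text):
    """Decode long hex runs that unpack to printable ASCII (a common staging trick)."""
    out = []
    for m in RULES["hex_string"].finditer(text):
        raw = bytes.fromhex(m.group(0))
        if all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out

def scan_scriptblock(text):
    """Evaluate one script block (as logged by PowerShell event 4104) against RULES."""
    m = RULES["encoded_command"].search(text)
    return {
        "rules": [name for name, rx in RULES.items() if rx.search(text)],
        "decoded": decode_encoded_command(m.group(1)) if m else None,
        "hex_decoded": decode_hex_strings(text),
    }

def scan_dns(query_line):
    """Flag a DNS query log line that names a known C2 domain."""
    return [d for d in IOC_DOMAINS if d in query_line.lower()]

# Constructed sample telemetry (not real campaign data); the encoded command is built
# here so it is valid UTF-16LE Base64 exactly as PowerShell expects it.
ENC = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()
SAMPLE_BLOCKS = [
    f"powershell -nop -w hidden -EncodedCommand {ENC}",
    "$h='496E766F6B652D45787072657373696F6E'; iex ([Text.Encoding]::ASCII.GetString("
    "(0..($h.Length/2-1)|%{[Convert]::ToByte($h.Substring($_*2,2),16)})))",
    "schtasks /create /sc onlogon /tn Updater /tr powershell.exe",
    "Get-ChildItem C:\\Users\\Alice\\Documents",
]
SAMPLE_DNS = "10.0.0.5 query[A] flowers.hold-me-finger.xyz"
```

In production these checks would consume the script-block text and DNS client logs forwarded to a SIEM rather than the inline samples; the decoded payload should be logged alongside the alert so analysts see what the obfuscation hid.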


Technical Details

Author: AlienVault
TLP: white
References: https://www.infosecurity-magazine.com/news/chihuahua-stealer-browser-crypto
Adversary:
Indicators of Compromise

URL
https://flowers.hold-me-finger.xyz/index2.php.

Domain
flowers.hold-me-finger.xyz

Threat ID: 682c992c7960f6956616ab5a

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 5:49:36 PM

Last updated: 7/9/2025, 11:25:58 PM
