Saturday, May 17, 2025

Chihuahua Stealer Uses Google Drive to Steal Login Credentials

by Charline
A new .NET-based malware, known as Chihuahua Stealer, has been discovered using Google Drive to distribute malicious PowerShell scripts designed to steal browser login data and cryptocurrency wallet information.

Cybersecurity analysts at G DATA first identified the threat in April 2025. The malware uses a multi-step attack method that begins with a Google Drive document and ends with the theft of sensitive data.

How the Attack Works

The attack starts when a victim opens a Google Drive document containing an obfuscated PowerShell script. Once executed, the script bypasses PowerShell security policies and loads a Base64-encoded second-stage script.

This script sets up persistence by creating a scheduled task named f90g30g82, which runs every minute. It searches the system’s Recent Files folder for special marker files with a .normaldaki extension.

If such a file is found, the malware contacts a command-and-control (C2) server at cdn.findfakesnake[.]xyz to download further payloads. If the primary server is unreachable, it switches to a backup server at cat-watches-site[.]xyz.

Payload and Data Theft

The final payload is a .NET assembly downloaded from flowers.hold-me-finger[.]xyz. It is loaded directly into memory using reflection techniques to avoid detection.

The malware, named Chihuahua Stealer, collects browser credentials, cookies, and cryptocurrency extension data. The stolen data is encrypted using AES-GCM and stored in a .chihuahua archive before being sent over HTTPS.

Advanced Evasion Techniques

Chihuahua Stealer uses several techniques to avoid detection. It flushes DNS caches and clears the clipboard after execution. It also creates a unique victim ID using the machine’s name and disk serial number to tag stolen data.

Security researchers noted the use of Windows Cryptography API: Next Generation (CNG) for encryption. Although this makes decryption difficult, embedded AES keys were recovered during analysis.

Detection and Recommendations

G DATA recommends monitoring PowerShell logs for unusual scheduled tasks and checking for in-memory .NET assemblies. Indicators of compromise (IOCs) include suspicious URLs such as:

  • hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php
  • Hashes related to PowerShell and payload components (e.g., afa819c9..., c9bc4fdc...)

The malware is detected under signatures such as PowerShell.Trojan-Downloader.Agent.IE1KHF and Win32.Trojan-Stealer.Chihuahua.8W7FOE.

Organizations are advised to restrict PowerShell execution policies and scan for marker files like .normaldaki. As malware increasingly uses cloud platforms for delivery, users should avoid opening unsolicited documents or links.
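The recommendations above (watch PowerShell logs for unusual scheduled tasks, look for .normaldaki marker handling, match the listed domains) can be turned into a small triage script run over exported Windows events. The following is an added example, not code from the article or from G DATA: it scans constructed Security event 4698 (scheduled task created) and PowerShell event 4104 (script block) messages for the indicators the article names. The event-message layout, the five-minute repetition threshold and the sample log text are assumptions made for the example; the task name, marker extension and domains are the article's own indicators.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the article above (brackets are the article's defanging).
KNOWN_TASK_NAMES = {"f90g30g82"}
KNOWN_DOMAINS = {
    "cdn.findfakesnake[.]xyz",
    "cat-watches-site[.]xyz",
    "flowers.hold-me-finger[.]xyz",
}
MARKER_EXTENSION = ".normaldaki"
# Task repetition intervals at or below this are treated as suspicious (assumption).
MAX_BENIGN_INTERVAL_MINUTES = 5


def refang(text: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging so indicators match raw log text."""
    return text.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Finding:
    index: int            # position of the event in the input list
    event_id: int
    reasons: list = field(default_factory=list)


def analyze_event(event_id: int, message: str) -> list:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    text = refang(message).lower()

    if event_id == 4698:  # Security log: a scheduled task was created
        m = re.search(r"task name:\s*(\S+)", text)
        if m:
            name = m.group(1).rsplit("\\", 1)[-1]
            if name in {n.lower() for n in KNOWN_TASK_NAMES}:
                reasons.append(f"known task name {name}")
        m = re.search(r"<interval>pt(\d+)m</interval>", text)
        if m and int(m.group(1)) <= MAX_BENIGN_INTERVAL_MINUTES:
            reasons.append(f"task repeats every {m.group(1)} minute(s)")

    if event_id == 4104:  # PowerShell script block logging
        if "frombase64string" in text or "-encodedcommand" in text:
            reasons.append("base64-decoded or encoded script content")
        if "-executionpolicy bypass" in text:
            reasons.append("execution policy bypass flag")
        if "\\recent" in text and MARKER_EXTENSION in text:
            reasons.append(f"enumerates Recent folder for {MARKER_EXTENSION} marker files")

    for domain in KNOWN_DOMAINS:
        if refang(domain) in text:
            reasons.append(f"contacts known C2/payload host {domain}")
    return reasons


def scan_events(events: list) -> list:
    """Run analyze_event over (event_id, message) tuples, keeping flagged ones."""
    findings = []
    for i, (event_id, message) in enumerate(events):
        reasons = analyze_event(event_id, message)
        if reasons:
            findings.append(Finding(i, event_id, reasons))
    return findings


# Constructed sample events (not real logs) mirroring the chain in the article.
SAMPLE_EVENTS = [
    (4698, "A scheduled task was created.\nTask Name: \\f90g30g82\n"
           "Task Content: <Task><Triggers><TimeTrigger><Repetition>"
           "<Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers></Task>"),
    (4104, "Creating Scriptblock text (1 of 1):\n"
           "$s=[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b));"
           "Get-ChildItem \"$env:APPDATA\\Microsoft\\Windows\\Recent\" -Filter *.normaldaki;"
           "Invoke-WebRequest https://cdn.findfakesnake.xyz/"),
    (4698, "A scheduled task was created.\nTask Name: \\NightlyBackup\n"
           "Task Content: <Task><Triggers><CalendarTrigger><Repetition>"
           "<Interval>PT12H</Interval></Repetition></CalendarTrigger></Triggers></Task>"),
    (4104, "Creating Scriptblock text (1 of 1):\nGet-Process | Sort-Object CPU"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event #{f.index} (ID {f.event_id}):")
        for r in f.reasons:
            print("  -", r)
```

Running the script flags the first two constructed events and passes the benign backup task and the plain Get-Process block. Event 4104 requires PowerShell script block logging to be enabled, and event 4698 requires auditing of "Other Object Access Events"; without those, the task-name and short-interval checks have nothing to read. The domain matching is deliberately plain substring matching on refanged text so the same indicator set can be pasted from a report without editing.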
