A new malware threat called Chihuahua Infostealer is targeting browser credentials and cryptocurrency wallets using a sophisticated infection chain and cloud services like Google Drive for delivery.
Discovered in April 2025, the .NET-based malware employs obfuscated PowerShell scripts and multi-stage execution. It avoids detection by running entirely in memory and using encrypted communication with command-and-control servers.
How It Works
Chihuahua spreads via phishing and social engineering. Victims are lured into clicking malicious links or opening documents hosted on trusted platforms. Once executed, it:
- Runs a hidden PowerShell script with elevated privileges
- Creates a scheduled task to maintain persistence
- Downloads payloads from OneDrive and other sources
- Executes payloads in memory and deletes traces
What It Steals
The malware targets browsers like Chrome, Edge, Brave, and Opera to collect:
- Passwords, cookies, and autofill data
- Browsing history and session tokens
- Crypto wallet data from browser extensions
Stealth and Evasion
To avoid detection, it uses:
- In-memory execution
- AES-encrypted data exfiltration over HTTPS
- Legitimate tools like PowerShell and Task Scheduler
- Post-infection cleanup routines
Security Takeaways
Chihuahua is part of a new wave of stealthy, persistent infostealers. Security teams should monitor PowerShell activity, block suspicious scheduled tasks, and inspect cloud-linked downloads.
MITRE ATT&CK Mapping
- T1566.002: Phishing via trusted links
- T1059.001: PowerShell execution
- T1053.005: Scheduled tasks
- T1555.003: Credential and wallet theft
- T1041: Encrypted data exfiltration
Conclusion
With its use of trusted platforms, encryption, and stealthy execution, Chihuahua Infostealer poses a growing threat to user privacy and enterprise security.
