Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer


Chihuahua Stealer is a newly discovered, multi-stage, .NET-based infostealer that employs stealth techniques to exfiltrate sensitive data. The infection starts with an obfuscated PowerShell script shared through a malicious Google Drive document. This script initiates a chain of payloads and achieves persistence via scheduled tasks that periodically check for marker files and communicate with command-and-control (C2) servers. The final payload, Chihuahua Stealer, targets web browser data and cryptocurrency wallet extensions. It compresses the stolen information into a .chihuahua archive, encrypts it using AES-GCM via the Windows Cryptography API: Next Generation (CNG), and exfiltrates the result over HTTPS. It also cleans up its traces after execution. Distinctive characteristics include its modular architecture, encrypted exfiltration, and cultural identifiers such as embedded Russian rap lyrics. This malware highlights an evolution in infostealers toward more covert and resilient delivery mechanisms.
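Two of the artifacts described above are observable on an endpoint: a scheduled task that launches hidden or encoded PowerShell, and the creation of a .chihuahua archive. The following triage helper, an added example that is not from the original article or its authors, correlates those two signals per host over constructed sample telemetry (the event format, hostnames and paths are assumptions for illustration).

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original page): one dict per event,
# loosely modelled on scheduled-task registration and file-creation audit events.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_registered", "task": "\\Updater",
     "command": "powershell.exe -w hidden -ep bypass -enc AAAA"},  # AAAA: placeholder
    {"host": "ws01", "type": "file_created",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\out.chihuahua"},
    {"host": "ws02", "type": "task_registered", "task": "\\OneDriveSync",
     "command": "C:\\Program Files\\OneDrive\\OneDrive.exe /background"},
    {"host": "ws03", "type": "file_created",
     "path": "C:\\Users\\b\\Documents\\notes.txt"},
]

# PowerShell launched from a task with hiding, policy-bypass or encoded-command flags.
SUSPICIOUS_PS = re.compile(
    r"powershell(\.exe)?\s.*(-enc|-encodedcommand|-w\s+hidden|-windowstyle\s+hidden|bypass)",
    re.IGNORECASE,
)


def classify_event(ev):
    """Return a finding name for a single event, or None if it is benign."""
    if ev["type"] == "task_registered" and SUSPICIOUS_PS.search(ev["command"]):
        return "scheduled_task_launches_obfuscated_powershell"
    if ev["type"] == "file_created" and ev["path"].lower().endswith(".chihuahua"):
        return "chihuahua_archive_created"
    return None


def triage(events):
    """Group findings per host; a host showing both stages is rated high."""
    findings = defaultdict(set)
    for ev in events:
        name = classify_event(ev)
        if name:
            findings[ev["host"]].add(name)
    return {host: ("high" if len(names) > 1 else "medium", sorted(names))
            for host, names in findings.items()}


if __name__ == "__main__":
    for host, (severity, names) in triage(SAMPLE_EVENTS).items():
        print(host, severity, ", ".join(names))
```

The per-host correlation is the point: either signal alone is a lead, but a task-driven PowerShell launch followed by a .chihuahua archive on the same host matches the chain the article describes.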
