Chihuahua Stealer, a.NET-based information-stealing malware, emerged in April 2025, posing a significant threat through its targeted attacks on browser credentials and cryptocurrency wallet data. This malware, also identified under the alias "Pupkin Stealer" 2, exhibits characteristics that suggest links to a Russian-speaking developer known as "Ardent". A peculiar trait is the embedding of transliterated Russian rap lyrics within its code, which are displayed on the console during execution, serving as a potential cultural signature of its author. The relatively swift identification of Chihuahua Stealer as Pupkin Stealer by different security vendors, such as G DATA and CyFirma 2, points towards a responsive, albeit sometimes fragmented, threat intelligence sharing ecosystem. This collaborative environment, where malware samples and signatures are disseminated, allows for quicker consolidation of knowledge and the development of defensive strategies, even if initial naming conventions differ.
source: https://www.picussecurity.com/resource/blog/chihuahua-stealer-malware-targets-browser-and-wallet-data
The malware employs a multi-stage infection process, typically initiated through social engineering. Victims are lured into executing obfuscated PowerShell loaders, often delivered via trusted cloud platforms like Google Drive or OneDrive. Chihuahua Stealer then leverages in-memory.NET assembly execution to evade detection 1, establishes persistence through scheduled tasks (e.g., "f90g30g82") 1, and compresses stolen data into ".chihuahua" archives. This data is subsequently encrypted using AES-GCM and exfiltrated via HTTPS.
The operational methodology of Chihuahua Stealer, which combines common techniques like PowerShell abuse and social engineering with more advanced features such as multi-stage loading, in-memory execution, native API-based encryption, and meticulous cleanup routines 1, marks a notable progression in infostealer design. This sophisticated approach is geared towards enhanced stealth and resilience, distinguishing it from older, more rudimentary "smash-and-grab" stealers. This evolutionary step makes it a more challenging threat for traditional signature-based defenses, reflecting a broader trend where infostealers are becoming increasingly feature-rich and evasive.
Chihuahua Stealer poses a high risk to Windows systems, with potential consequences for individuals including financial loss and identity theft. For organizations, the compromise can lead to unauthorized network access and more severe subsequent attacks. Critical defensive recommendations include the implementation of enhanced PowerShell logging and analysis, comprehensive user awareness training focused on social engineering tactics, the deployment of robust endpoint security solutions capable of behavioral analysis, and proactive hunting for known Indicators of Compromise (IOCs).
The Chihuahua Stealer was first identified in April 2025. One of the earliest public mentions of this malware surfaced from a Reddit post on April 9, 2025. In this instance, a user reported being tricked into executing an obfuscated PowerShell script, which was later identified as the loader for Chihuahua Stealer. This highlights the valuable role that public forums and community vigilance play in the early detection and reporting of emerging cyber threats, often preceding formal advisories from security vendors.
The malware is known by a few names, reflecting analysis by different cybersecurity entities:
- Chihuahua Stealer or Chihuahua Infostealer: This nomenclature is primarily used in reports by G DATA and Picus Security.
- Pupkin Stealer: This name was assigned by CyFirma in their analysis. Some reports also make a minor orthographic variation, "PumpkinStealer".
Multiple security research outlets have confirmed that Chihuahua Stealer and Pupkin Stealer refer to the same malware. Specifically, "Chihuahua Stealer" is G DATA's designation for the threat that CyFirma independently analyzed and named "Pupkin Stealer". Establishing this equivalence is crucial for cybersecurity professionals to consolidate threat intelligence from various sources and ensure a unified understanding of the threat.
While no specific, well-known threat group has been conclusively linked to Chihuahua Infostealer as of May 2025 1, several clues point towards its potential origin and developer profile. The developer behind PupkinStealer, and by extension Chihuahua Stealer, is believed to use the alias "Ardent". This attribution is supported by identifiers embedded within the malware's code, such as the string "Coded by Ardent". Furthermore, the exfiltrated data archive in PupkinStealer variants is often named using the format [Username]@ardent.zip, providing a strong indicator of this author's signature.
Reports consistently suggest that Pupkin Stealer was created by a Russian-speaking developer. This is corroborated by a distinctive characteristic of the Chihuahua Stealer: the inclusion of transliterated Russian rap lyrics within its code. These lyrics are printed to the console when the malware executes, specifically by a function named DedMaxim(). The PoraMoveStaff array within the code contains these Russian-language strings. While these lyrics do not serve any direct malicious function, they act as a unique cultural or personal fingerprint of the author, a practice sometimes seen in malware to assert authorship or for thematic branding.
Further supporting the Russian connection, the PupkinStealer variant utilizes the Telegram Bot API for data exfiltration. Analysis of the bot names used, such as ‘botKanal’ and ‘botkanalchik_bot’, suggests derivation from Russian words. Additionally, metadata associated with the Telegram bot's chat identified a user bio containing Russian text.
The combination of these elements—the "Ardent" alias, the Russian rap lyrics, and the use of Telegram with Russian linguistic markers—paints a picture of a developer or small group likely operating within the Russian-speaking cybercrime ecosystem. The presence of non-functional, self-referential elements like rap lyrics, alongside a relatively straightforward exfiltration method like Telegram bots (for the PupkinStealer variant), might indicate a developer who is less focused on extreme operational security compared to highly sophisticated, state-sponsored actors. This could suggest that the malware is more likely to be encountered in the broader cybercrime-as-a-service market or used in opportunistic attacks for direct financial gain, rather than in highly targeted espionage campaigns. Indeed, PupkinStealer has reportedly been used opportunistically by actors who may not possess advanced skills themselves. Understanding the likely operational sophistication of the developer can inform predictions about the types of campaigns the malware will be used in and aid in attribution efforts.
The primary infection vector for Chihuahua Stealer is social engineering, where victims are manipulated into executing a malicious PowerShell script. These scripts, or documents that trigger their execution, are frequently delivered through trusted cloud storage platforms such as Google Drive and OneDrive. This method is effective because it leverages the inherent trust users place in these widely used services, potentially bypassing email security filters that might block direct attachments or links to less reputable domains. An observed case involved a user being lured into opening what appeared to be a legitimate Google Drive document, which then initiated the execution of an embedded, obfuscated script.
While delivery via Google Drive has been confirmed, infostealers like Chihuahua are known to propagate through various other channels. These include malvertising (malicious advertisements), trojanized downloads (legitimate software bundled with malware), and the exploitation of other trusted platforms like GitHub. Phishing emails and messages impersonating IT support or other trusted entities are also common methods to deliver the initial payload. For the PupkinStealer variant, distribution is likely through phishing emails containing malicious attachments or links, or via cracked software packages offered on dubious websites.
Chihuahua Stealer employs a sophisticated multi-stage infection chain designed to deliver its main payload while evading detection. This layered approach is a hallmark of modern malware aiming for stealth and resilience.
Stage 1: PowerShell Loader
The attack typically commences with the execution of a compact PowerShell loader script. This initial script can use Invoke-RestMethod to fetch an encoded payload from a remote source 1 or may contain a Base64-encoded string that it decodes and executes directly in memory using iex (Invoke-Expression). The iex method allows the script to run with bypassed execution policies and in a silent manner, crucial for avoiding user alerts and basic security restrictions. This fileless initiation helps to avoid writing overtly malicious code to disk, thereby circumventing some antivirus scans.
Stage 2: Payload Reconstruction
The first-stage loader is responsible for decoding or deobfuscating the next stage of the attack. This often involves reconstructing a larger, more heavily obfuscated payload, which might be encoded in hexadecimal format. Techniques observed include the stripping of custom delimiters (e.g., the "\~" character) from the encoded data and converting the hexadecimal values into ASCII text. This process dynamically builds the third-stage script directly in memory. Such runtime reconstruction of malicious code is a deliberate tactic to evade static analysis by security tools and sandboxes, which may not execute the code long enough or with the right context to observe its true nature.
Stage 3:.NET Assembly Loading and Execution
The deobfuscated script then proceeds to retrieve the main Chihuahua Stealer payload, which is a.NET assembly. This core malicious component might be fetched from an attacker-controlled Command and Control (C2) server (e.g., flowers[.]hold-me-finger[.]xyz 4) or another cloud-hosted URL, such as one on OneDrive. The.NET assembly itself is often Base64-encoded. Upon retrieval, it is decoded (e.g., using the.NET method ::FromBase64String()). A critical step for evasion is that the decoded.NET assembly is loaded directly into memory using.NET Reflection capabilities, specifically ::Load(...). Its Main method is then invoked to initiate the stealer's operations. This in-memory execution ensures that the primary malicious binary is never written to the disk, significantly reducing the likelihood of detection by traditional file-based antivirus solutions.
Evasion Tactics
Chihuahua Stealer incorporates several evasion tactics:
- Obfuscation: PowerShell scripts utilize Base64 encoding and hex-string obfuscation to mask their malicious content.
- In-memory execution: As described, loading and running the.NET payload directly in memory bypasses many disk-based scanning mechanisms.
- Use of trusted platforms: Leveraging Google Drive and OneDrive for payload delivery helps the malware bypass network filters and gain an initial foothold by abusing user trust.
- Process Termination (PupkinStealer variant): The PupkinStealer variant actively terminates running processes of targeted applications, such as web browsers and messaging clients. This allows it to access their data files (e.g., credential stores) without interference or file-locking issues.
- Wiping traces: After completing its objectives, the malware attempts to remove evidence of its presence by clearing the console, wiping clipboard contents, and deleting files and directories it created during its operation.
The malware's significant reliance on PowerShell for multiple stages of its operation—including initial loading, persistence mechanisms, and potentially elements of its command and control logic—underscores the critical need for robust PowerShell logging and sophisticated analysis capabilities within security operations. The use of Invoke-Expression (iex) and in-memory.NET assembly loading via Reflection specifically targets environments that may have weak PowerShell security configurations or inadequate Endpoint Detection and Response (EDR) visibility into script execution processes. Attackers increasingly abuse legitimate system tools like PowerShell, a technique often referred to as "living off the land," because these tools are ubiquitous, inherently trusted by the operating system, and their malicious use can be difficult to distinguish from benign administrative activities. Consequently, organizations must progress beyond merely restricting PowerShell access; they need to implement comprehensive monitoring and hardening strategies, such as enabling detailed script block logging, integrating with the Antimalware Scan Interface (AMSI), and deploying tools capable of analyzing obfuscated scripts and detecting anomalous in-memory activities.
To ensure its continued operation on a compromised system, Chihuahua Stealer establishes persistence primarily through the creation of a scheduled task. This task is often given a name composed of random-looking characters to blend in with legitimate system tasks, with "f90g30g82" being a specifically identified name in observed infections. Security analysts anticipate that future variants will likely use different, similarly randomized names to evade simple signature-based detection. This scheduled task is configured to execute a PowerShell command at frequent intervals, such as every minute.
The persistence mechanism is further refined by marker-based execution logic. The scheduled PowerShell job periodically checks for the presence of custom marker files on the system. These files act as signals, indicating an active infection or dictating whether the malware should proceed with certain actions, such as fetching additional payloads. Files containing ".normaldaki" in their name or as a file extension, particularly found in user directories like the "Recent Files" folder, have been identified as such infection markers.
If these marker files are detected, or other predefined conditions are met, the persistence script can dynamically fetch additional payloads or instructions from attacker-controlled C2 servers. This capability points to a modular design, allowing the attackers to update or extend the malware's functionality post-infection and maintain a stealthy operational profile.
Interestingly, some analyses of the PupkinStealer variant suggest it may lack specific persistence mechanisms, favoring rapid execution and data theft. This apparent discrepancy between the "Chihuahua Stealer" and "PupkinStealer" profiles could indicate several possibilities: different versions of the malware may exist with varying feature sets; persistence could be a configurable module offered by the developer "Ardent"; or PupkinStealer might represent an earlier, simpler iteration, with Chihuahua Stealer being an evolution that incorporates more robust persistence. This variability highlights the dynamic nature of malware development and distribution, underscoring the need for defenders to anticipate diverse TTPs even within the same malware family. Relying on a single report indicating a lack of persistence could prove to be a critical oversight if a persistent variant is encountered.
Chihuahua Stealer is fundamentally an infostealer, designed to harvest sensitive information from compromised systems. Its primary targets are web browser data and cryptocurrency wallet information.
The malware is programmed to identify and target a range of popular web browsers. It often contains a predefined list of browser paths, stored internally under a variable such as SinBinoklya, to locate credential stores and other valuable data. Browsers targeted include, but are not limited to: Google Chrome, Chromium, Brave, Opera (including its GX variant), Microsoft Edge, Slimjet, MapleStudio's ChromePlus, and Iridium. From these browsers, the stealer aims to extract credentials (usernames and passwords), cookies, autofill data (including payment information), browsing history, and active session data.
A significant focus of Chihuahua Stealer is the theft of data related to cryptocurrency wallets. It actively searches for and exfiltrates information from cryptocurrency wallet extensions installed in browsers. The malware achieves this by identifying and copying data from specific folders associated with known wallet extension IDs.
The PupkinStealer variant exhibits a broader range of data theft capabilities. In addition to browser credentials and crypto wallet data, it is also designed to steal data from Telegram and Discord messaging applications, general email clients, and clipboard contents. It also captures desktop files and takes screenshots of the victim's desktop. To decrypt stored browser passwords, PupkinStealer specifically targets Chromium-based browsers, locating their "Login Data" SQLite databases and the corresponding "Local State" files which contain the encryption key. It then utilizes the Chromium credential API logic, in conjunction with Windows Data Protection API (DPAPI) calls, to decrypt these passwords.
Once sensitive data has been collected, Chihuahua Stealer prepares it for exfiltration to attacker-controlled infrastructure. This process involves several steps to package, secure, and transmit the stolen information, followed by attempts to erase its operational footprint.
Data Staging and Compression:
The harvested data is first staged. In some instances, a plaintext file, such as Brutan.txt, may be written to the malware's working directory to temporarily hold some of the collected information. Subsequently, all stolen data is compressed into an archive file. This archive is characteristically given the ".chihuahua" extension. The PupkinStealer variant, on the other hand, creates a ZIP archive typically named [Username]@ardent.zip, where [Username] is the victim's Windows username.
Encryption:
To protect the stolen data during transit and to hinder analysis if intercepted, the compressed archive is encrypted. Chihuahua Stealer employs AES-GCM (Advanced Encryption Standard in Galois/Counter Mode) for this purpose. Notably, it utilizes native Windows Cryptography API: Next Generation (CNG) functions to perform the encryption. This use of native APIs is a somewhat uncommon but effective technique among stealers, as it reduces the malware's dependency on external libraries and can make its cryptographic operations appear more like legitimate system activities. The encrypted output file may be named using a victim-specific identifier, for instance, \<victimID>VZ. The choice of native Windows APIs for encryption is a subtle yet impactful technique. It not only minimizes the malware's external dependencies, thereby reducing its overall footprint, but also allows its cryptographic activities to potentially blend more seamlessly with normal system operations. This can make detection more challenging for security tools that primarily look for suspicious third-party cryptographic libraries. Therefore, identifying malicious encryption cannot solely depend on spotting unusual libraries; it requires a contextual understanding of which process is performing the encryption, the nature of the data being encrypted, and its ultimate destination. The recommendation to flag uncommon AES-GCM usage via Windows CNG APIs, particularly when correlated with outbound HTTPS traffic, directly addresses this challenge by focusing on the behavior and context rather than just the tool.
C2 Communication and Data Exfiltration:
The encrypted and compressed data is then exfiltrated over HTTPS to C2 servers controlled by the attackers. An observed exfiltration endpoint for Chihuahua Stealer is hxxps[:]//flowers[.]hold-me-finger[.]xyz/index2[.]php. Other domains, such as cdn.findfakesnake.xyz and cat-watches-site.xyz, have been associated with fetching payloads or instructions. In contrast, the PupkinStealer variant is known to use the Telegram Bot API for exfiltrating stolen data.
Trace Removal (Cleanup):
As a final step, Chihuahua Stealer attempts to meticulously erase its tracks from the compromised system. This cleanup routine includes deleting files and directories created during its operation and clearing the console and clipboard contents. This demonstrates a conscious effort by the malware authors to hinder forensic analysis and evade detection post-infection.
Identifying Indicators of Compromise (IOCs) associated with Chihuahua Stealer (and its alias Pupkin Stealer) is crucial for detection, threat hunting, and incident response. The following tables consolidate known network and host-based IOCs derived from available analyses. Security teams should leverage these IOCs to bolster their defenses by blocking malicious infrastructure, searching logs for suspicious activity, and developing specific detection rules for their security tools. The use of seemingly random names for artifacts like scheduled tasks (e.g., "f90g30g82") and unique file extensions (e.g., ".chihuahua," ".normaldaki") represents a deliberate choice by the malware authors. While random names aim to blend with system noise, their unusual structure or the commands they execute can still be anomalous. The unique extensions are particularly strong indicators, as legitimate software is highly unlikely to employ them. These types of IOCs are valuable for initial detection but can be readily altered by attackers in subsequent malware variants, emphasizing the need for behavioral detection capabilities alongside static IOC monitoring. The distinct ".chihuahua" extension might also serve as a form of branding by the malware author, akin to the embedded rap lyrics.
The following network indicators have been associated with Chihuahua Stealer operations, primarily for command and control (C2) communication, payload delivery, and data exfiltration.
Table 4.: Network Indicators of Compromise for Chihuahua/Pupkin Stealer
| Indicator Type |
Indicator Value |
Associated Malware Stage/Activity |
Source Snippet(s) |
| Domain/URL |
flowers[.]hold-me-finger[.]xyz |
C2: Payload retrieval, Data exfiltration |
1 |
| URL |
hxxps[:]//flowers[.]hold-me-finger[.]xyz/index2[.]php |
C2: Data exfiltration endpoint |
1 |
| Domain |
cat-watches-site[.]xyz |
C2: Fallback C2 for payloads/instructions |
1 |
| Domain |
cdn.findfakesnake.xyz |
C2: Payload/Instruction retrieval |
1 |
| Domain/URL |
onedrive[.]office-note[.]com |
Payload Hosting (OneDrive-based) |
4 |
| URL |
hxxps://onedrive[.]office-note[.]com/res?a=c\&b=\&c=8f2669e5-01c0-4539-8d87-110513256828\&s=...JWT... |
Payload Hosting (Specific OneDrive URL) |
4 |
| API Usage |
Telegram Bot API |
Data Exfiltration (PupkinStealer variant) |
3 |
Host-based indicators are critical for identifying infections on endpoints. These include file hashes, specific file names and extensions, scheduled task details, and characteristic PowerShell command line patterns. The overlap in some generic antivirus detection signatures (e.g., Trojan.Gen.MBT, WS.Malware.) for both PupkinStealer and Chihuahua Stealer 7 further substantiates that they are the same or very closely related malware. These generic detections often rely on heuristic and behavioral analysis, capturing the underlying malicious activity even before highly specific signatures for "Chihuahua" become widely available. This underscores the importance of multi-layered endpoint defenses that include heuristic engines, as they can provide an initial line of defense against new or slightly modified malware variants.
Table 4.: Host-Based Indicators of Compromise for Chihuahua/Pupkin Stealer
| Indicator Type |
Indicator Value |
Description/Context |
Source Snippet(s) |
| File Hash (SHA256) |
afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84 |
PowerShell Loader Script |
1 |
| File Hash (SHA256) |
c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8 |
Chihuahua Stealer.NET Payload |
1 |
| File Extension |
.chihuahua |
Extension for compressed stolen data archive; found in temp/user directories |
1 |
| File Name/Extension Pattern |
Files with .normaldaki in name or as extension |
Marker files for active infection; found in user directories, "Recent Files" folder |
1 |
| File Name |
Brutan.txt |
Plaintext staging file for stolen data; found in working directory |
4 |
| File Extension |
.VZ |
Extension for encrypted output file (e.g., \<victimID>VZ) |
4 |
| File Name Pattern (PupkinStealer) |
[Username]@ardent.zip |
ZIP archive of stolen data (PupkinStealer variant); found in Temp directory |
8 |
| Directory Structure (PupkinStealer) |
Grabbers\Browser\passwords.txt, Grabbers\TelegramSession\*, Grabbers\Discord\Tokens.txt, Grabbers\Screenshot\Screen.jpg, DesktopFiles\* |
Staging folders for stolen data (PupkinStealer variant) |
8 |
| Scheduled Task Name |
f90g30g82 or similarly random strings |
Persistence mechanism; runs PowerShell command frequently (e.g., every minute) |
1 |
| PowerShell Command Line |
powershell.exe -EncodedCommand \<long_base64_string> or similar (e.g. -e, -en, -enc) |
Execution of Base64-encoded PowerShell commands |
1 |
| PowerShell Command Line |
Contains iex (Invoke-Expression) |
Direct execution of strings as commands |
4 |
| PowerShell Command Line |
Contains ::FromBase64String() and ::Load() |
In-memory loading of.NET assemblies |
1 |
| Registry Key (Scheduled Tasks) |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Tasks |
General location for scheduled task definitions |
15 |
| Registry Key (Scheduled Tasks) |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
Contains task GUID, index, security descriptor |
16 |
| Registry Key (Scheduled Tasks) |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks |
Contains task components (triggers, actions) |
15 |
| File Path (Scheduled Tasks) |
C:\windows\system32\tasks\ (and subfolders) |
XML definitions of scheduled tasks (Vista and later) |
16 |
| File Path (PowerShell Sched. Jobs) |
%localappdata%\Microsoft\Windows\PowerShell\ScheduledJobs |
Location for PowerShell scheduled job definitions |
16 |
| AV Detection (Loader Example) |
PowerShell.Trojan-Downloader.Agent.IE1KHF (G DATA) |
Antivirus signature for PowerShell loader component |
4 |
| AV Detection (Payload Example) |
Win32.Trojan-Stealer.Chihuahua.W7FOE (G DATA) |
Antivirus signature for main.NET stealer payload |
4 |
| AV Detection (Generic Examples) |
Trojan Horse, Trojan.Gen., Trojan.Gen.MBT, WS.Malware., SONAR.MalTraffic!gen1, SONAR.Stealer!gen1, Heur.AdvML.* |
Generic/Heuristic detections by Broadcom/Symantec for Pupkin/Chihuahua |
7 |
Chihuahua Stealer, and its alias PupkinStealer, primarily target systems running the Windows operating system. The malware's victimology appears to be opportunistic rather than narrowly focused on specific industries or demographics. It is designed to harvest valuable data from any compromised system, making both individual home users and employees within organizations potential targets. PupkinStealer, in particular, is described as indiscriminate in its targeting approach. The malware's core function is to locate and exfiltrate stored passwords, personal files, and data from messaging applications, irrespective of the victim's profile.
While no specific geographical regions are consistently highlighted as primary targets for Chihuahua/PupkinStealer campaigns in the analyzed materials, one illustrative example mentions PupkinStealer's involvement in the theft of over 31,000 banking passwords belonging to Australian customers. However, this appears to be a general example of infostealer impact rather than an indication of a specific campaign focus for this particular malware. Broader infostealer threat reports, such as those covering Lumma Stealer, indicate high concentrations of activity in the United States, various parts of South America, Europe, and several Asian countries. However, this general infostealer distribution does not necessarily reflect the specific operational scope of Chihuahua Stealer.
The opportunistic nature of Chihuahua/PupkinStealer, combined with reports suggesting its availability to "likely low-skilled actors" 8, implies that it might be part of a Malware-as-a-Service (MaaS) ecosystem or is easily obtainable from underground forums. This accessibility lowers the barrier to entry for a wider range of cybercriminals. The proliferation of such tools often leads to a higher volume of attacks from a more diverse set of actors. These actors may not all possess high levels of skill, potentially resulting in campaigns that are "noisier" or less sophisticated in their targeting but remain dangerous due to the malware's inherent capabilities.
The compromise by Chihuahua Stealer poses significant risks to both individual users and organizations.
For Individuals: The primary risks include a severe compromise of user privacy, the potential for identity theft, and direct financial fraud. Access to stolen banking credentials, cryptocurrency wallet seed phrases or private keys, and other personal data can lead to unauthorized transactions and financial losses.
For Organizations: The implications can be far-reaching:
- Credential Theft and Unauthorized Access: The theft of corporate credentials stored in browsers or obtained through compromised personal devices used for work can grant attackers unauthorized access to sensitive internal systems, applications, and data.
- Data Breaches and Financial Loss: Successful intrusions can escalate into full-blown data breaches, leading to significant financial losses from recovery efforts, regulatory fines, and legal liabilities.
- Reputational Damage: Data breaches and security incidents can severely damage an organization's reputation, eroding customer trust and impacting business relationships.
- Facilitation of Further Attacks: Stolen credentials are often sold on dark web markets or used by attackers to conduct lateral movement within corporate networks. This can pave the way for more severe attacks, including ransomware deployment or persistent espionage.
- BYOD Risks: The general trend of infostealers targeting Bring Your Own Device (BYOD) environments 18 means that if Chihuahua infects an employee's personal device that is also used for work purposes, it can serve as a bridge into the corporate network and resources.
Chihuahua Stealer is not an isolated phenomenon but rather a reflection of broader evolutionary trends within the infostealer threat landscape. Its design philosophy—emphasizing stealth, feature richness, multi-stage loading, cloud-based delivery mechanisms, native API utilization for encryption, and meticulous cleanup routines—positions it as an example of the increasing sophistication in infostealer development. This marks a departure from older, simpler "smash-and-grab" types of stealers that were easier to detect and mitigate.
The data targeted by Chihuahua—browser credentials, cookies, autofill information, and cryptocurrency wallets—aligns perfectly with the most commonly sought-after information by modern infostealers. This stolen data, often referred to as "logs," is highly monetizable and frequently traded on dark web marketplaces.
Significantly, infostealers like Chihuahua often serve as an initial access vector, providing the foothold and credentials necessary for subsequent, more devastating attacks such as ransomware deployment or comprehensive account takeovers. ESET researchers noted that infostealer families like Lumma Stealer are typically a "foreshadowing of future, much more devastating attacks". The infostealer landscape is characterized by continuous innovation, with malware authors constantly refining capabilities and evasion techniques to bypass security measures. Chihuahua's adoption of.NET in-memory execution and its use of Windows CNG APIs for encryption are indicative of this ongoing arms race.
Recent intelligence from June 2025 highlights several key trends in the infostealer domain:
- The notorious Lumma Stealer, despite a significant disruption operation in May 2025, is showing signs of resurgence.
- Following Lumma's takedown, the Acreed infostealer is reportedly emerging as a dominant strain on the "Russian Market" platform for stolen credentials.
- Infostealer attacks saw a 58% surge, with a notable trend of over 70% of infected devices being personal ones, often implicating BYOD scenarios.
- Infostealers were implicated in nearly a quarter (24%) of all cyber incidents in 2024, marking a 104% year-over-year increase in their prevalence.
- The delivery of infostealers via phishing emails escalated dramatically, with an 84% increase in weekly incidents in 2024 compared to 2023. Early 2025 data indicates this surge continued, reaching 180% compared to 2023 levels.
- Credential harvesting was the primary impact in 29% of security incidents during 2024.
- A concerning development is the adoption of Artificial Intelligence (AI) by threat actors to enhance their campaigns. AI is being used to build more convincing phishing websites, create deepfakes for social engineering, and generate malicious code, making infostealer campaigns more efficient and harder to detect.
The absence of specific, widespread campaign reporting directly attributed to Chihuahua/PupkinStealer by major threat intelligence groups or government cybersecurity agencies (such as CISA, NCSC, BSI, or ANSSI) in the provided information 1 is noteworthy. This could suggest that its campaigns are either not yet large-scale enough to trigger major public alerts, are being categorized under general "infostealer activity" in broader reports, or are still pending full characterization and attribution by these larger entities. Given its discovery in April 2025, it's plausible that comprehensive intelligence reporting is still developing. Nevertheless, security teams should not solely rely on high-profile alerts to gauge a threat's severity; the technical capabilities demonstrated by Chihuahua/PupkinStealer alone warrant proactive defensive measures.
Effectively countering threats like Chihuahua Stealer requires a multi-layered security approach encompassing robust detection mechanisms, proactive preventative measures, diligent system hardening, and well-defined incident response procedures. The malware's use of PowerShell,.NET in-memory execution, scheduled tasks for persistence, and delivery via trusted cloud services necessitates a defense-in-depth strategy, as no single security control is likely to be entirely foolproof.
Early and accurate detection is paramount in mitigating the impact of Chihuahua Stealer.
- Leveraging Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM):
- EDR and SIEM solutions should be configured to monitor for behavioral anomalies consistent with Chihuahua's Tactics, Techniques, and Procedures (TTPs). This includes tracking process execution chains, inter-process communication, and unusual file system or registry modifications.
- Correlation of host and network events within a SIEM can help identify the distinct stages of the infection chain, from initial PowerShell execution to data exfiltration.
- Security solutions like Uptycs EDR have demonstrated the ability to detect similar.NET stealers (e.g., Stealerium) by correlating generic behavioral rules and employing YARA process scanning capabilities.
- PowerShell Logging and Anomaly Detection:
- Given PowerShell's central role in Chihuahua's execution, comprehensive logging is critical. Enable PowerShell Script Block Logging (Event ID 4104), Module Logging (Event ID 800 for module loads and Add-Type context), and PowerShell Transcription. While automatic script block logging (default in PowerShell v5 and later) captures code containing suspicious terms, enabling global script block logging provides complete visibility into all executed scripts.
- Monitor PowerShell logs specifically for evidence of Base64 decoding combined with.NET Reflection techniques, such as the use of ::Load().
- Scrutinize PowerShell command lines for suspicious arguments and switches, including -EncodedCommand (and its variants -e, -en, -enc), -nop (NoProfile), -noni (NonInteractive), iex (Invoke-Expression), .downloadstring, and downloadfile.
- Detect instances of PowerShell executing scripts from unexpected or unusual directories, such as public user folders (e.g., C:\Users\Public\).
- Ensure the Antimalware Scan Interface (AMSI) is enabled and integrated with PowerShell. AMSI provides visibility into both on-disk and in-memory script execution and can log attempts to bypass its protections (Event ID 1101 via ETW).
- Network Monitoring:
- Implement blocking rules for known malicious C2 domains and IP addresses associated with Chihuahua Stealer (refer to Section 4.).
- Alert on PowerShell jobs that run frequently (e.g., via scheduled tasks) and make outbound network connections, especially to unfamiliar, recently registered, or known malicious domains.
- A sophisticated detection technique involves flagging uncommon usage of AES-GCM encryption via Windows CNG APIs, particularly when this activity is correlated with subsequent outbound HTTPS traffic to suspicious destinations. This requires security tools capable of monitoring API usage at a granular level and correlating it with network activity, which may be beyond the capabilities of basic EDR solutions.
- Monitor for network connections to legitimate cloud storage services (like Google Drive or OneDrive) that are immediately followed by suspicious PowerShell activity or downloads.
- Investigate unusual HTTP POST requests, especially those containing large encrypted payloads, directed to unfamiliar domains.
- File System and Registry Monitoring:
- Actively hunt for the presence of unusual file extensions such as ".chihuahua" or ".normaldaki," or specific marker files, particularly in user Temp directories or the "Recent Files" folder.
- Monitor for the creation of scheduled tasks with random-looking names (e.g., f90g30g82) that are configured to run PowerShell commands. Key registry locations for scheduled tasks include HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Tasks and its TaskCache subkeys.
- Anti-Analysis Technique Detection (General for.NET Stealers):
- While not explicitly detailed for Chihuahua, other.NET stealers like Stealerium employ anti-analysis techniques such as checking for debuggers (e.g., isDebuggerPresent() API), virtualized environments (emulators, VirtualBox), specific analysis processes (Process Hacker, Wireshark), and known sandbox IP addresses (VirusTotal, anyRun). Defenders should consider detection strategies for these common evasion methods as part of a broader defense against.NET malware.
Proactive measures are essential to prevent initial infection and harden systems against Chihuahua Stealer's TTPs.
- User Awareness and Anti-Phishing Training:
- Continuously educate users to recognize and report social engineering attempts, suspicious emails, and malicious documents, particularly those originating from cloud services that prompt for script execution or macro enablement.
- Reinforce policies against clicking suspicious links or opening attachments from unverified sources.
- PowerShell Security Best Practices:
- Execution Policies: Enforce restrictive PowerShell execution policies (e.g., AllSigned or RemoteSigned) through Group Policy. While Chihuahua Stealer is known to use bypasses (e.g., -ExecutionPolicy Bypass), well-configured policies add an important layer of defense against less sophisticated script execution attempts.
- Application Control: Implement robust application control solutions like Windows Defender Application Control (WDAC), which is the preferred method, or AppLocker. Properly configured WDAC policies can restrict PowerShell to Constrained Language Mode, significantly limiting its capabilities and mitigating a wide array of malicious PowerShell tradecraft, including many techniques used by Chihuahua Stealer.
- Just Enough Administration (JEA): Implement JEA to limit administrative privileges, reducing the impact if an account with PowerShell access is compromised.
- Principle of Least Privilege: Ensure users and processes operate with the minimum necessary permissions.
- Tamper Protection: For environments using Microsoft Defender, enable Tamper Protection to prevent malicious scripts or actors from disabling security features or creating exclusions.
- Securing.NET Framework and Mitigating In-Memory Threats:
- Keep the.NET Framework and runtime environments updated with the latest security patches.
- Employ advanced endpoint security solutions that offer visibility into.NET Common Language Runtime (CLR) activities and can detect or prevent suspicious in-memory assembly loads. Concepts like those demonstrated by the ClrGuard tool (hooking LoadImage() within the CLR) are relevant here.
- Utilize exploit protection capabilities, such as Microsoft Defender Exploit Guard. Mitigations like Arbitrary Code Guard (ACG) could potentially interfere with the dynamic code execution methods used by malware if appropriately configured for PowerShell or other relevant processes.
- Browser Security Hygiene:
- Ensure all web browsers are kept up-to-date with the latest versions and security patches.
- Advise users to use reputable ad-blocking and script-blocking extensions.
- Implement policies or provide guidance on disabling or carefully managing browser synchronization features, especially to prevent corporate passwords from becoming accessible on potentially less secure personal devices.
- Educate users about the risks associated with saving all passwords directly in browser password managers, particularly on shared or inadequately secured systems.
- Cryptocurrency Wallet Security Hygiene:
- For significant cryptocurrency holdings, strongly recommend the use of hardware (cold storage) wallets, which keep private keys offline and immune to online attacks.
- Encourage the use of multi-signature (multisig) wallets for valuable assets, as they require multiple approvals for transactions.
- Mandate strong, unique passwords and enable two-factor authentication (2FA) for all crypto-related accounts and software wallets. Emphasize the use of authenticator apps over SMS-based 2FA due to SIM-swapping risks.
- Users must exercise extreme caution with browser extensions claiming to be cryptocurrency wallets, verifying their authenticity meticulously, as Chihuahua Stealer specifically targets wallet extension data.
- Advise against accessing cryptocurrency wallets or exchanges over public Wi-Fi networks without using a trusted VPN service.
- Train users to identify and avoid phishing sites that impersonate legitimate wallet providers or exchanges.
- Endpoint Protection and Patch Management:
- Deploy and diligently maintain up-to-date EDR and next-generation antivirus (NGAV) solutions that incorporate behavioral detection, machine learning, and anti-exploit capabilities. Ensure antivirus signatures and threat intelligence feeds are continuously updated.
- Implement a rigorous patch management program to ensure that operating systems, browsers, document viewers, and all other third-party applications are regularly updated with the latest security patches.
- Configure host-based and network firewalls to block unauthorized outbound connections and restrict access to known malicious infrastructure.
- General Security Best Practices:
- Enforce strong password policies and mandate the use of Multi-Factor Authentication (MFA) across the organization for all critical services and user accounts.
- Establish and regularly test a robust data backup and recovery plan. Critical data should be backed up frequently, and backups should be encrypted and stored securely, preferably offline or in an isolated environment.
- Adopt Zero Trust Network Architecture (ZTNA) principles, which operate on the "never trust, always verify" maxim, requiring strict authentication and authorization for all access requests.
- Consider proactive threat intelligence services to search for mentions of company domains, employee credentials, or sensitive data on infostealer marketplaces and dark web forums.
Should a Chihuahua Stealer infection be suspected or confirmed, a swift and methodical incident response is crucial to contain the threat and mitigate its impact.
- Isolation: Immediately isolate the affected endpoint(s) from the network to prevent potential lateral movement by the attacker or further data exfiltration.
- Persistence Removal: Identify and remove the scheduled task(s) used by Chihuahua Stealer for persistence. This involves deleting the task (e.g., "f90g30g82") from the Task Scheduler and verifying its removal from the corresponding registry locations and file system paths.
- Artifact Removal: Delete all identified malicious files, including the initial loader scripts, any staged.NET assemblies (if found on disk, though unlikely for the main payload), marker files (e.g., .normaldaki), and data archives (e.g., .chihuahua or [Username]@ardent.zip).
- Credential Invalidation: Assume all credentials stored in web browsers on the compromised machine have been stolen. All associated passwords must be changed immediately. This includes corporate accounts, personal email, banking, social media, and any other online services. Session cookies should also be considered compromised, necessitating forced logout from active sessions where possible.
- Cryptocurrency Wallet Remediation: If cryptocurrency wallets (software or browser extension-based) were present on the compromised system, assume private keys, seed phrases, and wallet files have been exfiltrated. If funds are accessible, attempt to immediately transfer them to new, secure wallets that have not been exposed to the compromised environment. This is a time-critical action.
- Forensic Analysis: Conduct a thorough forensic analysis of the compromised system(s) to determine the full scope of the infection, identify all malicious activities, and ascertain if other systems on the network were affected. This includes reviewing PowerShell execution logs, network traffic logs, EDR alerts, and file system changes.
- Log Review and Hunting: Expand the investigation by reviewing logs (PowerShell, network, SIEM, EDR) across the environment for any signs of Chihuahua Stealer activity or related IOCs on other systems.
- IOC and Detection Rule Updates: Update internal threat intelligence databases, blocklists, and security tool detection rules (e.g., YARA rules, EDR queries) based on the findings from the incident.
Chihuahua Stealer, also known as Pupkin Stealer, represents a notable entry in the ever-evolving landscape of.NET-based information stealers. Its multi-stage infection process, reliance on obfuscated PowerShell scripts delivered via trusted cloud platforms, in-memory.NET execution, and dedicated data exfiltration routines for browser credentials and cryptocurrency wallet data, underscore a trend towards more sophisticated and evasive malware. The malware's attempts at persistence via scheduled tasks and its efforts to clean up traces post-infection further highlight its design for stealth and resilience. While not attributed to a major state-sponsored group, its links to a developer known as "Ardent" and its Russian-language artifacts provide some insight into its origins.
The emergence of Chihuahua Stealer within the broader context of the infostealer market is significant. This market is characterized by continuous innovation, with threat actors persistently developing new malware and refining existing tools to harvest valuable credentials and data. The high demand for stolen information fuels this ecosystem. A particularly concerning trend is the increasing use of Artificial Intelligence by attackers to enhance the effectiveness of phishing campaigns, generate malicious code, and create more convincing social engineering lures 18, thereby amplifying the threat posed by infostealers.
The operational characteristics of Chihuahua Stealer emphasize a critical challenge for cybersecurity defenders: attackers are becoming increasingly skilled at blending their malicious activities with legitimate system processes and trusted online services. This "living off the land" approach, which leverages ubiquitous tools like PowerShell and native Windows APIs, makes detection inherently more difficult and necessitates a shift towards more sophisticated, behavior-based security analytics. The entire lifecycle of Chihuahua, from its PowerShell-initiated infection through its.NET execution to its encrypted data exfiltration, demonstrates the interconnectedness of various security domains. A weakness in user awareness can facilitate initial compromise; inadequate endpoint logging can allow the.NET payload to execute undetected; and insufficient network monitoring can fail to identify the exfiltration of sensitive data. This underscores the need for holistic, integrated security architectures and cross-functional security teams capable of correlating events across different layers of the IT environment.
To maintain a proactive cybersecurity posture against threats like Chihuahua Stealer and the wider spectrum of infostealers, organizations should prioritize the following strategic initiatives:
- Enhance Visibility: Invest in tools and processes that provide deep visibility into PowerShell execution (including script block logging and AMSI integration) and.NET runtime activities (including in-memory operations).
- Continuous User Education: Regularly train users to recognize and report evolving social engineering tactics, particularly those involving phishing emails, malicious attachments, and deceptive links delivered via trusted platforms.
- Adopt Zero Trust Principles: Implement a Zero Trust security model, especially concerning credential access, endpoint security, and network segmentation. Verify explicitly, use least privilege access, and assume breach.
- Regular Security Control Validation: Continuously review, test, and update security controls (EDR, NGAV, firewalls, email security) against the latest TTPs observed in infostealer campaigns. Breach and Attack Simulation (BAS) platforms can be valuable for this purpose.
- Leverage Threat Intelligence: Subscribe to and actively utilize threat intelligence feeds to stay informed about new malware variants, IOCs, attacker methodologies, and emerging trends in the infostealer landscape.
- Focus on Rapid Detection and Response: Given that infostealers often serve as a precursor to more damaging attacks like ransomware, the ability to rapidly detect, contain, and remediate infections is paramount to minimizing overall business impact.
By adopting these strategic measures, organizations can significantly improve their resilience against Chihuahua Stealer and the broader, dynamic threat posed by information-stealing malware.
source: