Chihuahua Stealer Malware Targets Crypto Wallets, Browser Data

A newly discovered .NET‑based infostealer named Chihuahua Stealer is targeting browser data and cryptocurrency wallet extensions, raising alarms across the cybersecurity community.
First identified in April 2025 via a malicious PowerShell script shared through a cloud document, the malware uses scheduled task persistence and AES‑GCM encryption to stealthily harvest and exfiltrate user credentials and private keys.
Infection Chain and Persistence
The attack begins when victims execute an obfuscated PowerShell script, which installs a Windows scheduled task that runs every minute. This task maintains persistence and ensures the stealer remains active even after reboots.
Data Harvesting Capabilities
Once installed, the main .NET payload collects saved browser credentials, cookies, autofill entries, and browsing history from major web browsers. It also scans for popular cryptocurrency wallet extensions, such as Rabby, Clover Wallet, and Auro, extracting private keys and session tokens.
Encryption and Exfiltration
Collected data is compressed into a proprietary archive format and encrypted using AES‑GCM via the Windows Cryptography API Next Generation. The encrypted archive is then sent over HTTPS to a hard‑coded command‑and‑control server. After successful transmission, the malware removes its scheduled task and temporary files to erase traces.
Crypto Malware Prevention Strategies
Security teams and users should take the following precautions:
- Monitor Scheduled Tasks: Review and alert on new or modified PowerShell‑based scheduled tasks.
- Identify Unusual File Extensions: Flag non‑standard archives such as those ending in .chihuahua in temporary directories.
- Audit PowerShell Logs: Look for signs of Base64 decoding or dynamic .NET assembly loading.
- Strengthen Two‑Factor Authentication: Replace SMS‑based 2FA with app‑based authenticators or hardware tokens.
- Conduct Regular Threat Hunts: Use endpoint detection tools to search for unusual AES‑GCM API calls associated with Windows CNG.
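As an added example (not from the article or from any published analysis of the stealer), a Python check that applies the scheduled-task and PowerShell-log items above to exported Task Scheduler XML: it flags tasks that repeat every minute or faster and whose action launches PowerShell with an encoded command or a hidden window. The sample task definitions, their names and the 60-second threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler XML definition (what schtasks /query /xml exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_SUSPECT_INTERVAL_SECONDS = 60  # assumed threshold: repeats every minute or faster

def iso_duration_seconds(value):
    """Parse the ISO-8601 duration subset Task Scheduler uses (PT1M, PT30S, P1DT2H ...)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task_xml(xml_text):
    """Return the reasons a task definition resembles the stealer's persistence (empty = none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= MAX_SUSPECT_INTERVAL_SECONDS:
            reasons.append(f"repeats every {secs}s")
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", "", NS) or "").lower()
        args = action.findtext("t:Arguments", "", NS) or ""
        if "powershell" in cmd or "pwsh" in cmd:
            reasons.append("action launches PowerShell")
            # -e/-ec/-enc/-EncodedCommand carry a Base64 script; -ExecutionPolicy must not match.
            if re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", args):
                reasons.append("PowerShell given a Base64-encoded command")
            if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", args):
                reasons.append("PowerShell window hidden")
    return reasons

# Constructed sample definitions (not real task files): one mimicking the persistence above, one benign.
SAMPLE_TASKS = {
    "Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2025-04-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
      <Actions><Exec><Command>powershell.exe</Command>
      <Arguments>-w hidden -enc BASE64PLACEHOLDER</Arguments></Exec></Actions></Task>""",
    "NightlyBackup": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <Triggers><CalendarTrigger><StartBoundary>2025-04-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
      <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions></Task>""",
}

def scan_tasks(tasks=SAMPLE_TASKS):  # task name -> findings, only for tasks that triggered something
    return {name: hits for name, xml in tasks.items() if (hits := assess_task_xml(xml))}
```

On a live host the same functions can be fed the files under C:\Windows\System32\Tasks or the output of schtasks /query /xml.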
Detection Challenges
Chihuahua Stealer’s in‑memory execution, frequent scheduled tasks, and strong encryption make it difficult for traditional antivirus tools to detect. Its focus on browser and wallet data poses a direct threat to both online accounts and cryptocurrency assets.
Over the years, browser-based cryptocurrency wallets have become prime targets for increasingly sophisticated malware campaigns, exploiting their integration as browser extensions to drain digital assets, hijack sessions, and steal credentials.