CyberSecurityBoard
Sponsor Register Login

Chihuahua Stealer Leverages Google Drive Document to Steal Browser Login Credentials

A newly discovered .NET-based infostealer dubbed “Chihuahua Stealer” has emerged as a significant threat, exploiting Google Drive documents to deliver malicious PowerShell scripts and steal sensitive data. Organizations are advised to restrict PowerShell execution policies and monitor for marker files (.normaldaki). G DATA’s detection rules, including PowerShell.Trojan-Downloader.Agent.IE1KHF and Win32.Trojan-Stealer.Chihuahua.8W7FOE, provide coverage against known variants. Once executed, the script establishes persistence via scheduled tasks, dynamically retrieves payloads from multiple command-and-control (C2) servers, and exfiltrates encrypted data over HTTPS. The attack chain begins with a heavily obfuscated PowerShell script embedded in a Google Drive document. The campaign gained attention after a Reddit user reported being tricked into executing a suspicious script linked to a Google Drive file, which initiated the stealthy payload delivery. The infection begins when victims open a Google Drive document containing an obfuscated PowerShell script. G DATA researchers noted that the malware’s use of Windows Cryptography API: Next Generation (CNG) for AES-GCM encryption and marker-based payload activation reflects a deliberate focus on avoiding detection. This script establishes persistence by creating a scheduled task named “f90g30g82” that runs every minute. First identified by G DATA analysts in April 2025, the malware targets browser credentials, cookies, and cryptocurrency wallet extensions through a multi-stage attack chain. This assembly, Chihuahua Stealer, exfiltrates stolen data as an AES-GCM-encrypted “.chihuahua” archive. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. When executed, the script bypasses execution policies and decodes a Base64 payload, which reconstructs a second-stage hex-encoded script. G DATA’s report emphasizes the importance of monitoring PowerShell logs for irregular scheduled tasks and in-memory .NET assembly loading. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 13:34:52 +0000


Cyber News related to Chihuahua Stealer Leverages Google Drive Document to Steal Browser Login Credentials

Chihuahua Stealer Leverages Google Drive Document to Steal Browser Login Credentials - A newly discovered .NET-based infostealer dubbed “Chihuahua Stealer” has emerged as a significant threat, exploiting Google Drive documents to deliver malicious PowerShell scripts and steal sensitive data. Organizations are advised to ...
11 hours ago Cybersecuritynews.com
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
1 year ago Bleepingcomputer.com
Google shares "fix" for deleted Google Drive files - Google says it identified and fixed a bug causing customer files added to Google Drive after April-May 2023 to disappear. The fix isn't working for all affected users. Once recovery is complete, you'll see a new folder on your desktop with the ...
1 year ago Bleepingcomputer.com
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool - A new version of the ScrubCrypt obfuscation tool is being used to target organizations with the RedLine Stealer malware, fraud sensor network Human Security has warned. Human's Satori Threat Intelligence Team said it has uncovered the new build of ...
1 year ago Infosecurity-magazine.com
New Germlin Stealer Advertised on Hacker Forums Steals Credit Card Data & Login Credentials - Cyber Security News - For credit card data theft, Gremlin Stealer employs specialized functions that target stored payment information across multiple browsers. First spotted being advertised on underground forums and Telegram channels, Gremlin Stealer represents a ...
2 weeks ago Cybersecuritynews.com
Facebook ads push new Ov3r Stealer password-stealing malware - A new password-stealing malware named Ov3r Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. The fake job ads are for management positions and lead users to a Discord URL where a ...
1 year ago Bleepingcomputer.com
'Ov3r Stealer' Malware Spreads Through Facebook to Steal Crates of Info - The malware by design exfiltrates specific types of data such as geolocation, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according ...
1 year ago Darkreading.com
New Android Malware 'Salvador Stealer' That Phish & Steals Your Banking Details & OTPs - Cybersecurity researchers have discovered a sophisticated new Android malware called “Salvador Stealer” that targets banking credentials and one-time passwords (OTPs) through an elaborate phishing scheme. Once active, Salvador Stealer ...
1 month ago Cybersecuritynews.com
Google Cloud Next 2024: New Data Center Chip Joins Ecosystem - Google Cloud announced a new enterprise subscription for Chrome and a bevy of generative AI add-ons for Google Workspace during the Cloud Next '24 conference, held in Las Vegas from April 9 - 11. Overall, Google Cloud is putting its Gemini generative ...
1 year ago Techrepublic.com
Lumma malware can allegedly restore expired Google auth cookies - The Lumma information-stealer malware is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Session cookies are specific web cookies used to allow a browsing ...
1 year ago Bleepingcomputer.com
Efficient Document Merging Strategies for Professionals - In this article, we'll offer practical strategies and tips for efficient document merging, helping professionals focus on producing quality work for their clients. Manual merging allows you to pick and choose the pages you want to join together to ...
11 months ago Hackread.com
Google Patches Another Chrome Zero-Day as Browser Attacks Mount - For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it. Integer Overflow Bug The latest zero-day, which Google is tracking ...
1 year ago Darkreading.com CVE-2023-6345 CVE-2023-4863 CVE-2023-5217 CVE-2023-28205 CVE-2023-32409 CVE-2023-28204 CVE-2023-32373
Serpent Stealer Acquire Browser Passwords and Erases Logs - Beneath the surface of the cyber realm, a silent menace emerges-crafted with the precision of the. NET framework, the Serpent Stealer slithers undetected through security measures, leaving traces of its intrusion. It can also steal sensitive data, ...
1 year ago Gbhackers.com
AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition - Rhadamanthys and Lumma, alongside other stealer malware families like Meduza, StealC, Vidar, and WhiteSnake, have also been found releasing updates in recent weeks to collect cookies from the Chrome web browser, effectively bypassing newly introduced ...
7 months ago Thehackernews.com
Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
1 year ago Darkreading.com CVE-2024-0519 CVE-2024-0517 CVE-2024-0518 Hunters
Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users - Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU's Digital Markets ...
1 year ago Cysecurity.news
ESET Threat Report: ChatGPT Name Abuses, Lumma Stealer Malware Increases, Android SpinOk SDK Spyware's Prevalence - Cybersecurity company ESET released its H2 2023 threat report, and we're highlighting three particularly interesting topics in it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK ...
1 year ago Techrepublic.com
Google: Malware abusing API is standard token theft, not an API issue - Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired. In late November 2023, BleepingComputer reported on two information-stealing malware ...
1 year ago Bleepingcomputer.com
Deceptive Cracked Software Spreads Lumma Variant on YouTube - FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and ...
1 year ago Feeds.fortinet.com
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
1 year ago Darkreading.com Hunters
New Powerful Nullpoint-Stealer With Extensive Capabilities Hosted on GitHub - While the repository explicitly states the project is “built as a cybersecurity lab tool” for malware analysis practice, ethical hacking labs, blue team defense testing, and “understanding how modern stealers operate,” ...
2 weeks ago Cybersecuritynews.com
Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts - Session cookies are a special type of browser cookie that contains authentication information, allowing a person to automatically log in to websites and services without entering their credentials. These types of cookies are meant to have a limited ...
1 year ago Bleepingcomputer.com
Vidar Stealer With New Deception Technique to Steal Browser Cookies & Stored Credentials - Vidar Stealer, an information-stealing malware first identified in 2018, has evolved with a sophisticated new deception technique targeting cybersecurity professionals and system administrators. G Data security researchers identified an unusual Vidar ...
1 month ago Cybersecuritynews.com
Browser-in-the-Browser attacks target CS2 players' Steam accounts - A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steam's login page. Basically, this phishing technique creates fake browser windows within real ...
1 month ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)