The impact of SHUYAL extends beyond simple password theft, as the malware captures system screenshots, clipboard content, and performs detailed system reconnaissance. SHUYAL performs extensive system reconnaissance through Windows Management Instrumentation (WMI) commands, gathering detailed information about disk drives, input devices, and display configurations. SHUYAL employs advanced evasion techniques, including automatic disabling of Windows Task Manager and sophisticated anti-detection mechanisms that help it remain undetected during its malicious operations. The malware establishes persistence by copying itself to the Windows Startup folder using the CopyFileA function, ensuring automatic execution upon system restart. The malware demonstrates remarkable technical sophistication, combining traditional credential theft with modern exfiltration methods that utilize Discord token harvesting and Telegram-based data transmission infrastructure. The malware decrypts stored passwords by extracting the Master key from browser Local State files, base64-decoding the key, and utilizing Windows Data Protection API (DPAPI) through CryptUnprotectData for decryption operations. Following termination, the malware modifies the registry value DisableTaskMgr to 1, effectively preventing users from launching Task Manager to investigate suspicious system activity. The malware executes commands such as wmic diskdrive get model,serialnumber and wmic path Win32_Keyboard get Description,DeviceID to profile the infected system comprehensively. The stealer operates through a multi-stage attack vector that begins with system reconnaissance and progresses to credential extraction and data exfiltration. SHUYAL’s persistence strategy centers on sophisticated defense evasion techniques that ensure long-term system compromise while avoiding detection. A sophisticated new information stealer named SHUYAL has emerged in the cybersecurity landscape, demonstrating unprecedented scope in its credential harvesting capabilities. Hybrid Analysis researchers identified SHUYAL through comprehensive behavioral analysis, naming it based on unique identifiers discovered in the executable’s Program Database (PDB) path. This comprehensive data collection approach provides attackers with a complete profile of victim systems and user activities, significantly amplifying the potential for further exploitation and identity theft. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. This persistence mechanism is coupled with aggressive anti-analysis features that actively interfere with security tools and system monitoring. This comprehensive approach makes SHUYAL particularly dangerous, as it can compromise user credentials regardless of their browser preferences. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The malware targets login credentials from 19 different web browsers, ranging from mainstream applications like Google Chrome and Microsoft Edge to privacy-focused browsers such as Tor and Epic. The credential extraction process utilizes a sophisticated SQL query: SELECT origin_url, username_value, password_value FROM logins executed against browser databases.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Jul 2025 17:20:24 +0000