Cybersecurity researchers have identified a sophisticated new information stealer, dubbed SHUYAL, that demonstrates unprecedented browser targeting capabilities.
It successfully extracts credentials from 19 different web browsers while employing advanced evasion techniques to avoid detection.
Named after unique identifiers discovered in the executable’s PDB path, this previously undocumented malware combines extensive credential theft with sophisticated system reconnaissance and anti-detection mechanisms.

Advanced Evasion and System Reconnaissance
SHUYAL employs aggressive defense evasion tactics that set it apart from conventional information stealers.
The malware automatically terminates the Windows Task Manager through process enumeration and subsequently disables it entirely by modifying the “DisableTaskMgr” registry value, preventing users from monitoring system activity.
This dual-layered approach ensures operational stealth throughout its execution cycle.
The stealer performs comprehensive system reconnaissance by spawning multiple processes to gather detailed hardware information.
Using Windows Management Instrumentation Command-line (WMIC), SHUYAL extracts disk drive models and serial numbers, keyboard and mouse specifications, and monitor details.
Additionally, it retrieves the desktop wallpaper path through PowerShell commands, creating a complete system fingerprint for potential future targeting.
Comprehensive Data Theft Capabilities
SHUYAL targets a wide range of browsers, including mainstream applications like Chrome, Edge, and Firefox, as well as privacy-focused alternatives such as Tor, Epic, and Waterfox.
The complete target list encompasses Chrome, Brave, Edge, Opera, Opera GX, Yandex, Vivaldi, Chromium, Waterfox, Tor, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360 Browser, UC Browser, Avast, and Falkon.
The malware executes sophisticated SQL queries against browser databases, explicitly targeting the “Login Data” files with the query “SELECT origin_url, username_value, password_value FROM logins”.
It decrypts stored passwords by extracting the Master key from browsers’ “Local State” files, base64-decoding the key, and utilizing Windows DPAPI CryptUnprotectData functions for credential decryption.
Beyond browser credentials, SHUYAL captures clipboard content, takes system screenshots using GDI+ APIs, and steals Discord tokens from multiple Discord variants, including Discord Canary and Discord PTB.
Stealth Operations and Self-Destruction
SHUYAL maintains persistence by copying itself to the user’s Startup folder while establishing operational stealth through the systematic removal of evidence.
The malware compresses stolen data into archives using PowerShell compression before exfiltrating information through Telegram bot infrastructure, providing attackers with a reliable command-and-control channel.
Upon completing its malicious activities, SHUYAL executes a self-deletion mechanism using a batch file called “util.bat” that removes all traces of the malware’s presence, including temporary files and browser database copies.
This comprehensive cleanup process significantly complicates forensic analysis and detection efforts, rendering SHUYAL a perilous threat to both enterprises and individual users.
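The behaviours described above (Task Manager disabled via the DisableTaskMgr value, WMIC hardware enumeration, a PowerShell wallpaper lookup, PowerShell archive compression, a copy into the Startup folder, and the util.bat cleanup) each leave a trace in process-creation, registry and file telemetry. The following detection sketch is an added example, not code from the report or from the malware: it runs those patterns over constructed Sysmon-style log lines and flags a host once several distinct behaviours co-occur. The exact command syntax and log layout are assumptions; the article names the tools and the registry value, not the precise command lines.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Behaviours the write-up attributes to SHUYAL, as patterns over the command
# lines, registry targets and file paths they would leave in endpoint telemetry.
# The concrete command shapes are assumptions, not strings taken from the sample.
SIGNATURES = {
    "taskmgr_disabled": re.compile(r"Policies\\System\\DisableTaskMgr", re.I),
    "wmic_hw_recon": re.compile(r"\bwmic\b.*(diskdrive|keyboard|pointingdevice|desktopmonitor)", re.I),
    "wallpaper_query": re.compile(r"powershell.*wallpaper", re.I),
    "ps_compress": re.compile(r"powershell.*Compress-Archive", re.I),
    "startup_copy": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "self_delete_bat": re.compile(r"\butil\.bat\b", re.I),
}
MIN_DISTINCT = 3  # flag a host once this many distinct behaviours co-occur

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' telemetry line."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def match_behaviours(event: Dict[str, str]) -> List[str]:
    text = " ".join(event.get(k, "") for k in ("cmd", "target", "details"))
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def assess_host(lines: Iterable[str]) -> Tuple[Dict[str, List[str]], bool]:
    """Return {behaviour: [timestamps]} and whether the host should be flagged."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        for name in match_behaviours(ev):
            hits.setdefault(name, []).append(ev.get("ts", "?"))
    return hits, len(hits) >= MIN_DISTINCT

# Constructed sample telemetry (Sysmon-like layout, not a real log format).
SAMPLE = r"""
ts=10:00:01|type=process|cmd=wmic diskdrive get model,serialnumber
ts=10:00:02|type=process|cmd=wmic path win32_keyboard get description
ts=10:00:03|type=registry|target=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr|details=DWORD (0x00000001)
ts=10:00:04|type=process|cmd=powershell -c Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper
ts=10:00:05|type=process|cmd=powershell -c Compress-Archive -Path $env:TEMP\out -DestinationPath $env:TEMP\out.zip
ts=10:00:06|type=file|target=C:\Users\x\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe
ts=10:00:07|type=process|cmd=cmd /c util.bat
ts=10:05:00|type=process|cmd=notepad.exe C:\notes.txt
"""

if __name__ == "__main__":
    found, flagged = assess_host(SAMPLE.splitlines())
    print(found, "flag host:", flagged)
```

Any one of these patterns on its own is noisy (administrators run WMIC and Compress-Archive too), which is why the verdict requires several distinct behaviours from the same host rather than a single hit.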
Indicators of Compromise
SHA256
810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c