A new infostealing malware, dubbed “Shuyal” by researchers at Hybrid Analysis, has emerged, demonstrating sophisticated capabilities in exfiltrating sensitive data from a wide array of browsers, including those focused on privacy.
Named Shuyal after unique identifiers found in its executable’s PDB path, this previously undocumented stealer targets 19 different browsers. These include mainstream applications such as Chrome and Edge, privacy-focused options such as Tor and Brave, and a long tail of others: Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast, and Falko. Beyond stealing credentials saved in browsers, Shuyal performs extensive system reconnaissance.
It gathers detailed information about disk drives, input devices, and display configurations. The malware also captures system screenshots and clipboard content. All collected data, including stolen Discord tokens, is exfiltrated via a Telegram bot infrastructure. Shuyal integrates aggressive defense evasion techniques.
Upon deployment, it immediately disables Windows Task Manager by modifying the “DisableTaskMgr” registry value. It also maintains operational stealth through self-deletion mechanisms, using a batch file to remove traces of its activity after completing its primary functions. Once Shuyal is deployed, it attempts to access login credentials from its targeted browsers.
The malware spawns multiple processes to retrieve model and serial numbers of available disk drives, information about installed keyboards and mice, and details regarding attached monitors. It also captures a screenshot of current activity and steals clipboard data. The stealer utilizes PowerShell to compress collected data into a folder within the “%TEMP%” directory before exfiltration via the Telegram bot.
The malware is designed for stealth, deleting newly created files from browser databases and all files from the runtime directory that were previously exfiltrated. Shuyal also establishes persistence by copying itself to the Startup folder. The emergence of Shuyal highlights the continuously shifting threat landscape, influenced by factors such as law enforcement operations.
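The behaviours described above (the DisableTaskMgr registry change, the copy into the Startup folder, the PowerShell compression step into %TEMP%, and the batch-file cleanup) are each individually noisy but distinctive in combination. The following is an added example of how a defender might correlate them from Sysmon-style telemetry; it is not code from Hybrid Analysis or from the malware. It assumes a simplified JSON event shape (EventID 13 for registry value set, 11 for file create, 1 for process create, with Sysmon's usual field names), and every event below is constructed, including the placeholder SID and the hypothetical `update.exe` path.

```python
"""Correlate Sysmon-style events that match the behaviours the article attributes
to Shuyal. Added example, not code from the article or the malware; all events
and paths below are constructed."""
import re
from collections import defaultdict

# Hypothetical actor binary used in the constructed sample (not an IoC from the article).
SUSPECT = r"C:\Users\alice\AppData\Local\Temp\update.exe"

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(AppData\\Local\\)?Temp\\", re.IGNORECASE)

# Constructed sample telemetry: four malicious-looking events from SUSPECT plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SUSPECT,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": SUSPECT,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": SUSPECT,
     "CommandLine": r"powershell -Command Compress-Archive -Path C:\Users\alice\AppData\Local\Temp\collect -DestinationPath C:\Users\alice\AppData\Local\Temp\collect.zip"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SUSPECT,
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\cleanup.bat"},
    # Benign: explorer.exe placing a shortcut in Startup (not a user-writable origin).
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    # Benign: a user archiving a project folder in Documents, not in %TEMP%.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell Compress-Archive -Path C:\Users\alice\Documents\proj -DestinationPath C:\Users\alice\Documents\proj.zip"},
]


def _actor(ev):
    """The process responsible for the behaviour: for process-creation events
    that is the parent which launched the helper (powershell.exe, cmd.exe)."""
    return ev.get("ParentImage") if ev["EventID"] == 1 else ev.get("Image")


def tag_event(ev):
    """Return the technique tag a single event matches, or None."""
    eid = ev["EventID"]
    if eid == 13:  # registry value set
        target = ev.get("TargetObject", "").lower()
        if target.endswith(r"\policies\system\disabletaskmgr") and "0x00000001" in ev.get("Details", "").lower():
            return "taskmgr_disabled"
    elif eid == 11:  # file create
        if STARTUP_RE.search(ev.get("TargetFilename", "")) and USER_WRITABLE_RE.search(ev.get("Image", "")):
            return "startup_persistence"
    elif eid == 1:  # process create
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        if image.endswith("powershell.exe") and "compress-archive" in cmd.lower() and TEMP_RE.search(cmd):
            return "temp_archive_staging"
        if image.endswith("cmd.exe") and re.search(r"\.bat\b", cmd, re.IGNORECASE) and TEMP_RE.search(cmd):
            return "batch_cleanup"
    return None


def correlate(events):
    """Map each actor image to the set of technique tags it triggered."""
    hits = defaultdict(set)
    for ev in events:
        tag = tag_event(ev)
        if tag:
            hits[_actor(ev)].add(tag)
    return dict(hits)


def alerts(events, min_techniques=2):
    """Actors combining at least min_techniques distinct behaviours. A single hit
    is weak evidence (admins do set DisableTaskMgr through policy); the
    combination is what resembles the stealer's observed sequence."""
    return sorted(actor for actor, tags in correlate(events).items() if len(tags) >= min_techniques)


if __name__ == "__main__":
    for actor, tags in correlate(SAMPLE_EVENTS).items():
        print(actor, sorted(tags))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Run against the constructed sample, only the hypothetical `update.exe` reaches the alert threshold; the explorer-originated Startup shortcut and the Documents archive produce no tag. The threshold and the per-tag rules are tuning knobs: requiring two or more behaviours from the same actor keeps a lone Compress-Archive or a policy-driven DisableTaskMgr change from paging anyone, while still catching the staging-then-cleanup pattern the article describes.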
For instance, an FBI operation in May disrupted the Lumma stealer operation, though its resurgence indicates the adaptive nature of cybercriminals. While Hybrid Analysis did not disclose the distribution methods for Shuyal, other stealers have been disseminated through various means, including social media posts, phishing campaigns, and CAPTCHA pages.
Infostealing malware often serves as a precursor to more severe cyberattacks, such as ransomware, business email compromise (BEC), and other enterprise threats. Given the significant danger posed by infostealing malware, Hybrid Analysis researcher Vlad Pasca recommends that defenders leverage the insights provided in their blog post on Shuyal to develop more effective detection and defense mechanisms.
The post includes a comprehensive list of indicators of compromise (IOCs), such as files created by the stealer, processes spawned, and the address of the Telegram bot used for data exfiltration.