A sophisticated new information stealer, dubbed SHUYAL, has been identified and analyzed via Hybrid Analysis, raising significant concerns for organizations and individuals alike.
Named after a unique identifier found in the malware’s executable PDB path, SHUYAL marks the emergence of a previously undocumented stealer with a combination of advanced credential theft capabilities, deep system reconnaissance, and refined evasion strategies.

Comprehensive Credential Theft
Hybrid Analysis reveals that SHUYAL is engineered to target a remarkably wide range of web browsers (nineteen in total), including mainstream options like Google Chrome, Microsoft Edge, and Opera, as well as privacy-focused browsers such as Tor and less common variants like Comodo, Slimjet, and Falkon.

Once active, the malware systematically seeks login credentials by locating each browser’s “Login Data” file, extracting encrypted passwords, and using the Windows Data Protection API (DPAPI) to decrypt and collate usernames and credentials. This information is then stored locally in dedicated runtime directories prior to exfiltration.
Beyond browser credentials, SHUYAL broadens its data collection to include browsing histories, clipboard data, system screenshots, and even Discord tokens, which it extracts from Discord’s various application versions.
Its reconnaissance routines leverage multiple WMIC and PowerShell commands to gather comprehensive details about a host’s disk drives, connected peripherals (keyboards, mice), display monitors, and even the current desktop wallpaper.
These actions provide attackers with a detailed summary of the compromised environment, potentially enabling tailored follow-up attacks.
Sophisticated Evasion
SHUYAL is particularly notable for its operational stealth. It actively searches for the Windows Task Manager process, terminating it if found, and subsequently disables it at the registry level by modifying the “DisableTaskMgr” value.
Such tactics hinder detection by vigilant users or IT administrators. To ensure persistence, the malware copies itself into the Windows Startup folder using standard Windows API calls, so that it runs again after every reboot.
After conducting its primary data theft and reconnaissance operations, SHUYAL compiles the stolen information within a temporary “runtime” directory, which is then compressed using PowerShell.
Exfiltration is carried out through a Telegram bot, a channel that gives the attacker easy access to the stolen data while offering a degree of anonymity.
After successful transmission, SHUYAL enacts a self-deletion routine using a temporary batch file, erasing its own components and valuable forensic evidence, leaving the targeted system’s user largely unaware of its presence and actions.
A detailed breakdown of the SHUYAL sample highlights its thorough development: anonymous pipes created for process output capture, various Windows Management Instrumentation (WMI) queries, clipboard and screenshot theft using GDI+ APIs, and comprehensive file operations for both credential extraction and log maintenance.
The malware’s operational logs are maintained locally, though subsequently erased for added stealth, and all evidence points to an actor with strong technical capability and operational security awareness.
SHUYAL’s design and behavior are emblematic of a new breed of advanced information stealers. Security teams should treat the identified indicators with urgency and deploy both defensive monitoring and proactive threat hunting to mitigate potential compromise.
Indicators of Compromise (IOCs)
Type | Indicator / Details
---|---
SHA256 Hash | 810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c
Files Created | C:\Users\<User>\AppData\Local\Temp\runtime\browser\debug_log.txt
 | C:\Users\<User>\AppData\Local\Temp\runtime\browser\tokens.txt
 | C:\Users\<User>\AppData\Local\Temp\runtime\clipboard\clipboard.txt
 | C:\Users\<User>\AppData\Local\Temp\runtime\history\history.txt
 | C:\Users\<User>\AppData\Local\Temp\runtime\passwords\saved_passwords.txt
 | C:\Users\<User>\AppData\Local\Temp\runtime\pic\ss.png
 | C:\Users\<User>\AppData\Local\Temp\runtime.zip
 | util.bat
Spawned Processes | wmic diskdrive get model,serialnumber
 | wmic path Win32_Keyboard get Description,DeviceID
 | wmic path Win32_PointingDevice get Description,PNPDeviceID
 | wmic path Win32_DesktopMonitor get Description,PNPDeviceID
 | powershell (wallpaper extraction and compression commands)
Exfiltration | hxxps[:]//api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864
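As an added illustration of how the behaviours and indicators above can be turned into hunting logic (this is example code written for this article, not part of the Hybrid Analysis report), the following Python script scores hosts by how many distinct SHUYAL-style behaviours appear in their telemetry: the WMIC hardware queries, the DisableTaskMgr registry write, staging files under %TEMP%\runtime, and a connection to api.telegram.org. The event shape and the sample events are constructed and simplified; the registry key location is the standard Policies\System key for DisableTaskMgr, which the article does not spell out.

```python
import re

# Detection heuristics derived from the behaviours and IOCs reported for SHUYAL.
# Each rule: (name, event type, regex applied to that event type's key field).
RULES = [
    ("wmic_hw_recon", "process", re.compile(
        r"^wmic\s+(diskdrive\s+get\s+model,serialnumber"
        r"|path\s+Win32_(Keyboard|PointingDevice|DesktopMonitor)\s+get)", re.I)),
    # Standard location of the Task Manager policy value (assumed; the article names only the value).
    ("disable_taskmgr", "registry", re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    # Staging directory and archive named in the IOC table.
    ("runtime_staging", "file", re.compile(r"\\AppData\\Local\\Temp\\runtime(\\|\.zip$)", re.I)),
    ("telegram_exfil", "network", re.compile(r"^api\.telegram\.org$", re.I)),
]
KEY_FIELD = {"process": "cmdline", "registry": "target", "file": "path", "network": "dest"}

def match_events(events):
    """Return a list of (host, rule_name) for every event that matches a rule."""
    hits = []
    for ev in events:
        field = KEY_FIELD.get(ev["type"], "")
        for name, etype, rx in RULES:
            if etype == ev["type"] and rx.search(ev.get(field, "")):
                hits.append((ev["host"], name))
    return hits

def score_hosts(events, min_rules=2):
    """Collect distinct rules per host; report hosts hitting at least min_rules.
    A single WMIC query is common admin noise, so one rule alone is not reported."""
    per_host = {}
    for host, rule in match_events(events):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

# Constructed sample telemetry (not real logs) in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "wmic diskdrive get model,serialnumber"},
    {"host": "WS01", "type": "process", "cmdline": "wmic path Win32_Keyboard get Description,DeviceID"},
    {"host": "WS01", "type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\runtime\passwords\saved_passwords.txt"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\runtime.zip"},
    {"host": "WS01", "type": "network", "dest": "api.telegram.org"},
    {"host": "WS02", "type": "process", "cmdline": "wmic diskdrive get model,serialnumber"},  # lone admin query
    {"host": "WS02", "type": "file", "path": r"C:\Users\bob\AppData\Local\Temp\runtime_notes.txt"},  # near miss
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Only WS01 is reported; WS02's single WMIC call and the unrelated runtime_notes.txt file do not cross the threshold.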