Aman Mishra
2025-07-28 03:16:00
gbhackers.com
A sophisticated new information stealer named SHUYAL was recently discovered by Hybrid Analysis.
It has demonstrated extensive capabilities in credential extraction from 19 different web browsers, including popular ones like Google Chrome, Microsoft Edge, Opera, Brave, and Yandex, as well as more specialized ones like Opera GX, Vivaldi, Chromium, Waterfox, Tor, Epic Privacy Browser, Comodo Dragon, Slimjet, Coc Coc, Maxthon, 360 Secure Browser, UR Browser, Avast Secure Browser, and Falkon.
Named after unique identifiers in the executable’s PDB path, which also references a “sheepy” username, SHUYAL represents a previously undocumented threat that integrates comprehensive browser targeting with advanced system reconnaissance.

Advanced Capabilities in Credential Theft
The malware performs detailed enumeration of hardware components, retrieving models and serial numbers of disk drives via WMIC commands, alongside descriptions and device IDs for keyboards, pointing devices like mice, and desktop monitors.
This reconnaissance extends to querying the desktop wallpaper path using PowerShell, although incomplete commands like “wmic get name” yield no actionable data.
Beyond hardware profiling, SHUYAL captures screenshots using GDI+ APIs such as GdiplusStartup, BitBlt, and GdipSaveImageToFile, saving them as “ss.png,” and extracts clipboard contents via OpenClipboard and GetClipboardData, storing them in “clipboard.txt.”
It further targets the standard, Canary, and PTB builds of Discord, stealing authentication tokens, which are logged alongside browser data in files like “tokens.txt” and “debug_log.txt” within a temporary “runtime” directory.

SHUYAL’s operational sophistication is evident in its evasion tactics, including the aggressive termination of the Windows Task Manager process through TerminateProcess calls, followed by disabling it entirely by setting the “DisableTaskMgr” registry key to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
This prevents users from monitoring or interrupting the malware’s activities. For persistence, the stealer leverages the SHGetSpecialFolderPathA API to locate the user’s Startup folder (CSIDL_STARTUP) and copies itself there using CopyFileA, ensuring automatic execution on system boot.
Credential theft is executed meticulously: the malware locates “Login Data” databases from the targeted browsers, copies them to the current directory (e.g., “chrome_Data.db” for Chrome), and runs SQL queries like “SELECT origin_url, username_value, password_value FROM logins” to extract credentials.
Passwords are decrypted using the browser’s master key from the “Local State” file, processed via DPAPI’s CryptUnprotectData after Base64 decoding, and saved in “saved_passwords.txt.”
Browsing history is similarly pilfered from files like “\User Data\Default\History” and stored as “history.txt,” demonstrating a thorough approach to data aggregation.
Self-Deletion Mechanisms
To maintain stealth, SHUYAL employs modern exfiltration methods, compressing the “runtime” directory into “runtime.zip” via PowerShell’s Compress-Archive cmdlet and transmitting it to a Telegram bot at hxxps://api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864.
This combines Discord token theft with Telegram-based data relay, ensuring efficient command-and-control communication.
Network events are monitored using WSAEnumNetworkEvents for socket-based detections, adding another layer of operational awareness.
According to the report, post-exfiltration the malware deletes traces by removing the created database copies and runtime files, enhancing its anti-forensic profile.
Finally, self-deletion is achieved through a batch script “util.bat,” which uses commands like “timeout /t 1 /nobreak >nul” and “del /f /q” to erase the executable itself after a delay, leaving minimal footprints.
This in-depth examination, blending Hybrid Analysis’s behavioral indicators with static and dynamic disassembly, underscores SHUYAL’s role as a versatile infostealer.
It not only grabs credentials but also conducts system reconnaissance, evades detection, and exfiltrates data stealthily, posing significant risks to users across diverse browser ecosystems.
Security teams are advised to monitor for these patterns, leveraging vetted access to Hybrid Analysis for sample downloads and further reverse engineering to develop robust defenses against such threats.
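As an added example (not code from the article or from Hybrid Analysis), the detection logic below scores Sysmon-style process, registry and network events against the behaviour chain reported above: the WMIC hardware enumeration, the DisableTaskMgr policy write, the Compress-Archive of the “runtime” directory, the Telegram sendDocument upload and the util.bat self-deletion. The event shape (type/pid/data), the rule weights and the sample telemetry are assumptions; a lone inventory-style wmic query is deliberately scored below the alert threshold.

```python
"""Detection logic for the SHUYAL behaviour chain, run over constructed
Sysmon-style events. Added example, not code from the article or from
Hybrid Analysis; event shape (type/pid/data) and rule weights are assumptions."""
import re

# (rule name, event type, case-insensitive regex over the event's data field, weight)
# Patterns follow the command lines, registry key and URL the article reports.
RULES = [
    ("wmic_hw_enum", "process",
     r"^wmic\s+(diskdrive\s+get|path\s+win32_(keyboard|pointingdevice|desktopmonitor)\s+get)", 1),
    ("wallpaper_query", "process",
     r"powershell.*get-itemproperty.*control panel\\desktop.*\.wallpaper", 1),
    ("disable_taskmgr", "registry",
     r"hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system\\disabletaskmgr\s*=\s*1$", 3),
    ("zip_runtime_dir", "process", r"powershell.*compress-archive.*\\runtime['\"]?\s", 2),
    ("telegram_senddocument", "network", r"api\.telegram\.org/bot\d+:[\w-]+/senddocument", 3),
    ("util_bat_selfdelete", "process", r"util\.bat|timeout\s+/t\s+\d+\s+/nobreak.*del\s+/f\s+/q", 2),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE), w) for n, t, p, w in RULES]

def score_events(events):
    """Group events by pid and return {pid: (score, sorted rule names hit)}."""
    hits = {}
    for ev in events:
        for name, etype, rx, weight in COMPILED:
            if ev["type"] == etype and rx.search(ev["data"]):
                score, names = hits.get(ev["pid"], (0, set()))
                if name not in names:  # count each rule once per process
                    hits[ev["pid"]] = (score + weight, names | {name})
    return {pid: (s, sorted(n)) for pid, (s, n) in hits.items()}

def flagged_pids(events, threshold=5):
    """Pids whose combined score reaches the threshold; a lone wmic query does not."""
    return sorted(pid for pid, (s, _) in score_events(events).items() if s >= threshold)

# Constructed sample telemetry: pid 4242 mimics the reported chain, pid 900 is an
# inventory script that only runs a single wmic query. Token and path are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4242, "data": "wmic diskdrive get model,serialnumber"},
    {"type": "process", "pid": 4242, "data": "wmic path Win32_Keyboard get Description,DeviceID"},
    {"type": "registry", "pid": 4242,
     "data": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1"},
    {"type": "process", "pid": 4242,
     "data": r"powershell -Command Compress-Archive -Path 'C:\Users\PLACEHOLDER\AppData\Local\Temp\runtime' -DestinationPath 'runtime.zip'"},
    {"type": "network", "pid": 4242,
     "data": "https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendDocument?chat_id=-1000000000000"},
    {"type": "process", "pid": 4242, "data": "cmd /c util.bat"},
    {"type": "process", "pid": 900, "data": "wmic diskdrive get model,serialnumber"},
]
```

Feed real telemetry by mapping your EDR or Sysmon export onto the same three event types; the per-process scoring is what keeps a single benign wmic query from alerting.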
Indicators of Compromise (IOCs)
| Category | Indicator |
|---|---|
| SHA256 | 810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c |
| Files Created | C:\Users C:\Users C:\Users C:\Users C:\Users C:\Users C:\Users util.bat |
| Processes Spawned | wmic diskdrive get model,serialnumber |
| | wmic path Win32_Keyboard get Description,DeviceID |
| | wmic path Win32_PointingDevice get Description,PNPDeviceID |
| | wmic path Win32_DesktopMonitor get Description,PNPDeviceID |
| | wmic get name |
| | powershell -command "(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper" |
| | powershell -Command "Compress-Archive -Path 'C:\Users |
| Telegram Bot | hxxps[:]//api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864 |