New SHUYAL Attacking 19 Popular Browsers to Steal Login Credentials

A sophisticated new information stealer named SHUYAL has emerged in the cybersecurity landscape, demonstrating unprecedented scope in its credential harvesting capabilities.

The malware targets login credentials from 19 different web browsers, ranging from mainstream applications like Google Chrome and Microsoft Edge to privacy-focused browsers such as Tor and Epic.

This comprehensive approach makes SHUYAL particularly dangerous, as it can compromise user credentials regardless of their browser preferences.

The stealer operates through a multi-stage attack vector that begins with system reconnaissance and progresses to credential extraction and data exfiltration.

SHUYAL employs advanced evasion techniques, including automatic disabling of Windows Task Manager and sophisticated anti-detection mechanisms that help it remain undetected during its malicious operations.

The malware’s self-deletion capabilities further enhance its stealth profile, removing traces of its activity after completing its primary functions.

Hybrid Analysis researchers identified SHUYAL through comprehensive behavioral analysis, naming it based on unique identifiers discovered in the executable’s Program Database (PDB) path.

The malware demonstrates remarkable technical sophistication, combining traditional credential theft with modern exfiltration methods that utilize Discord token harvesting and Telegram-based data transmission infrastructure.

The impact of SHUYAL extends beyond simple password theft, as the malware captures system screenshots, clipboard content, and performs detailed system reconnaissance.

This comprehensive data collection approach provides attackers with a complete profile of victim systems and user activities, significantly amplifying the potential for further exploitation and identity theft.

Advanced Evasion and Persistence Mechanisms

SHUYAL’s persistence strategy centers on sophisticated defense evasion techniques that ensure long-term system compromise while avoiding detection.

The malware establishes persistence by copying itself to the Windows Startup folder using the CopyFileA function, ensuring automatic execution upon system restart.

This persistence mechanism is coupled with aggressive anti-analysis features that actively interfere with security tools and system monitoring.

The stealer’s most notable evasion tactic involves systematically targeting Windows Task Manager. Upon execution, SHUYAL enumerates running processes to locate taskmgr.exe and terminates it using the TerminateProcess method.

Following termination, the malware modifies the registry value DisableTaskMgr to 1, effectively preventing users from launching Task Manager to investigate suspicious system activity.

SHUYAL performs extensive system reconnaissance through Windows Management Instrumentation (WMI) commands, gathering detailed information about disk drives, input devices, and display configurations.

The malware executes commands such as wmic diskdrive get model,serialnumber and wmic path Win32_Keyboard get Description,DeviceID to profile the infected system comprehensively.

The credential extraction process utilizes a sophisticated SQL query: SELECT origin_url, username_value, password_value FROM logins executed against browser databases.

The malware decrypts stored passwords by extracting the Master key from browser Local State files, base64-decoding the key, and utilizing Windows Data Protection API (DPAPI) through CryptUnprotectData for decryption operations.

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now