Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have found a new infostealer called Shuyal Stealer, a malware strain designed to steal login credentials from not one or two, but 17 different web browsers.
How Shuyal Stealer Profiles and Exploits Systems
Shuyal Stealer is also capable of profiling targeted machines in depth, collecting information about disks, input devices and display setups by using Windows Management Instrumentation commands. That kind of device mapping gives attackers a clear picture of a victim’s system, which can be used for targeted identity theft or other follow-on attacks.
The malware also captures contextual data that many infostealers ignore. It takes screenshots, records clipboard contents and extracts Discord authentication tokens. These capabilities give attackers real context about what the victim is doing on the device, which can turn straightforward password theft into a complete account takeover and reveal more about the victim’s online activity than other malware would.
Data Exfiltration and Persistence Methods
According to the Lat61 blog post shared with HackRead.com, the malware compresses the collected files with PowerShell and sends them through a hardcoded Telegram bot. Researchers found a specific bot token and chat ID used to deliver the archive directly to the attacker’s account. After the transfer completes, Shuyal deletes the archive and clears traces to complicate forensic work.
Shuyal quietly copies its executable into the Windows Startup folder using the CopyFileA API. It also shuts down Task Manager processes and modifies the registry to disable Task Manager entirely, preventing users from spotting or stopping it.
Browser Targeting and Data Theft
When analysing how it steals data, Point Wild’s researchers noted Shuyal’s efficiency. It specifically looks for the “Login Data” file found in browser directories, running a SQL query to extract URLs, usernames, and encrypted passwords.
Each stolen session or token is saved locally and then zipped for exfiltration. Files such as tokens.txt, clipboard.txt and ss.png document different parts of the victim’s digital life, from saved passwords to copied text and active windows. The malware keeps a history.txt log of which browsers and apps it scanned. Here is the list of targeted browsers:
- Tor
- Edge
- Epic
- Brave
- Opera
- Vivaldi
- Coc Coc
- Maxthon
- Chromium
- Waterfox
- Comodo
- Slimjet
- Yandex
- Falkon
- Chrome
- Opera GX
- 360 Browser
Self-Deletion, Expert Insight and Mitigation
After exfiltration finishes, Shuyal runs a self-deletion routine. It launches a batch script named util.bat that removes the archive and related files, making incident response and attribution harder.
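The behaviours described above (PowerShell compression and Telegram exfiltration, a copy into the Startup folder, Task Manager being killed and disabled through the registry, the staging files tokens.txt, clipboard.txt, ss.png and history.txt, and the util.bat clean-up script) are individually noisy but distinctive as a chain. The following is an added example of a small host-telemetry correlator that attributes each indicator to the top-level process responsible and alerts when several co-occur; it is not code from Point Wild, Lat61 or HackRead. It assumes Sysmon-style events flattened to dictionaries (field names are the example's own), that the registry value touched is the standard Windows DisableTaskMgr policy value (the report says only that the registry is modified), and that exfiltration reaches the Telegram Bot API host api.telegram.org. All sample events, pids and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not a real capture). Event ids follow Sysmon
# loosely: 1 = process create, 3 = network connect, 11 = file create,
# 13 = registry value set. Paths, pids and hostnames are made up.
STEALER = r"C:\Users\alice\Downloads\invoice.exe"
STAGING = r"C:\Users\alice\AppData\Local\Temp\out"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 1200, "image": STEALER, "cmdline": "invoice.exe"},
    {"id": 11, "pid": 4120, "target": STAGING + r"\tokens.txt"},
    {"id": 11, "pid": 4120, "target": STAGING + r"\clipboard.txt"},
    {"id": 11, "pid": 4120, "target": STAGING + r"\ss.png"},
    {"id": 11, "pid": 4120, "target": STAGING + r"\history.txt"},
    {"id": 11, "pid": 4120, "target": STARTUP + r"\invoice.exe"},
    # Assumed key: the standard policy value that disables Task Manager.
    {"id": 13, "pid": 4120,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "pid": 5004, "ppid": 4120, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM Taskmgr.exe"},
    {"id": 1, "pid": 5010, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'powershell -NoP -W Hidden Compress-Archive -Path "{STAGING}\\*" -DestinationPath "{STAGING}.zip"'},
    {"id": 3, "pid": 4120, "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 1, "pid": 5020, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd /c "{STAGING}\\util.bat"'},
    # Benign activity that must not trigger.
    {"id": 1, "pid": 600, "ppid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"id": 3, "pid": 600, "dest_host": "www.example.com", "dest_port": 443},
    {"id": 11, "pid": 600, "target": r"C:\Users\alice\Downloads\report.pdf"},
]

# Staging file names taken from the report; the indicator labels are this example's own.
STAGING_NAMES = {"tokens.txt", "clipboard.txt", "ss.png", "history.txt"}
ALERT_THRESHOLD = 3  # distinct indicators on one process tree before alerting


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return {root_pid: {"image": ..., "indicators": [...]}} for every process tree
    that shows at least one indicator. Child processes (taskkill, powershell, cmd)
    are attributed to the tracked ancestor that spawned them."""
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}

    def root(pid):
        while parents.get(pid) in images:  # climb only through processes we saw start
            pid = parents[pid]
        return pid

    hits = defaultdict(set)
    staged = defaultdict(set)
    for e in events:
        owner = root(e["pid"])
        if e["id"] == 1:
            cmd = e["cmdline"].lower()
            if "compress-archive" in cmd:
                hits[owner].add("powershell_archive")
            if re.search(r"taskkill\b.*\btaskmgr\.exe", cmd):
                hits[owner].add("taskmgr_killed")
            if "util.bat" in cmd:
                hits[owner].add("batch_cleanup")
        elif e["id"] == 3 and e["dest_host"].lower() == "api.telegram.org":
            hits[owner].add("telegram_api")
        elif e["id"] == 11:
            name = _basename(e["target"])
            if name in STAGING_NAMES:
                staged[owner].add(name)
            if "\\start menu\\programs\\startup\\" in e["target"].lower():
                hits[owner].add("startup_persistence")
        elif e["id"] == 13:
            if _basename(e["target"]) == "disabletaskmgr" and "0x00000001" in e["details"]:
                hits[owner].add("taskmgr_disabled")
    # Two or more of the named staging files from one tree count as one indicator.
    for owner, names in staged.items():
        if len(names) >= 2:
            hits[owner].add("staging_artifacts")
    return {pid: {"image": images.get(pid, "?"), "indicators": sorted(inds)}
            for pid, inds in hits.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Only process trees that accumulate `threshold` distinct indicators are reported."""
    return {pid: info for pid, info in correlate(events).items()
            if len(info["indicators"]) >= threshold}


if __name__ == "__main__":
    for pid, info in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={info['image']}")
        for ind in info["indicators"]:
            print(f"  - {ind}")
```

The threshold is the point of the design: a lone Compress-Archive or a single Telegram connection is common, but one process tree that stages the named files, writes to Startup, sets DisableTaskMgr, kills Taskmgr.exe, compresses with PowerShell, talks to api.telegram.org and then spawns util.bat is the chain the report describes. Note that Sysmon does not log the deletions performed by util.bat by default, so the process-creation event for the batch script is the durable signal, not the later absence of the archive.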
Dr Zulfikar Ramzan, CTO of Point Wild and head of the Lat61 Threat Intelligence Team, summarised the threat as a powerful infostealer that targets many browsers, disables Task Manager and quietly sends harvested data over Telegram, then removes its traces.
“Shuyal is an infostealer extraordinaire, built for breadth and stealth. It raids credentials from browsers, kills the Windows Task Manager, and quietly exfiltrates data over Telegram. It’s a smash-and-grab, then vanishes,” he said.
Unlike other infostealers, Shuyal Stealer is both a privacy and security risk because it takes credentials plus contextual data that help attackers turn stolen secrets into account takeovers. Its combination of system profiling, wide browser coverage and clean-up process places it among the more capable infostealers active today.
If you suspect an infection, Point Wild advises rebooting into Safe Mode with Networking and scanning with a reliable antivirus. The malware is detected as Trojan.W64.100925.Shuyal.YR.