Inside Shuyal: The Info-Stealer Targeting 19 Browser Types with Stealthy Tactics

Posted on August 7, 2025

A new infostealing malware Shuyal has burst onto the cybercrime scene, capable of siphoning sensitive data from 19 different web browsers. First documented by researchers in July 2025, Shuyal combines extensive credential theft with advanced evasion techniques, making it a significant threat to organizations. 

Named “Shuyal” after a clue left in its debug path (which even revealed a developer username, “sheepy”), this malware goes beyond typical password stealers. It not only grabs saved login credentials, but also conducts thorough system reconnaissance and employs stealthy measures to avoid detection.

Given the surge of infostealer activity (over 184 million passwords were leaked via infostealer malware by mid-2025), a sophisticated threat like Shuyal demands close attention from CISOs and security teams.

Comprehensive Browser Credential Theft

Shuyal is particularly dangerous because of its multi-browser credential theft. It targets 19 different browsers, including the most popular ones like Google Chrome, Microsoft Edge, Brave, Opera and Vivaldi, and even privacy-focused browsers such as Tor Browser.

Here is a full list of affected browsers:

  • Google Chrome
  • Microsoft Edge
  • Opera
  • Opera GX
  • Brave
  • Vivaldi
  • Yandex Browser
  • Chromium
  • Waterfox
  • Epic Privacy Browser
  • Comodo Dragon
  • Maxthon
  • 360 Browser 
  • UR Browser
  • Avast Secure Browser
  • Slimjet
  • Cốc Cốc (Coccoc)
  • Falko

This broad targeting means Shuyal can steal from the vast majority of web browsers an organization or individual might use. The malware searches each browser’s files for stored passwords. It specifically looks for the browser’s “Login Data” database, which contains saved website credentials (usernames, passwords, and URLs). 

Once located, Shuyal copies these databases and then extracts the credentials by executing SQL queries on them. The stolen passwords are initially encrypted (as browsers encrypt saved passwords), but Shuyal decrypts them by retrieving the browser’s Master Key (stored in the browser’s local profile) and using Windows cryptographic APIs to unlock the passwords. 

Ultimately, it compiles all stolen logins into a clear-text “saved_passwords.txt” file within a temporary “runtime” folder.

Shuyal also collects browsing history from victims by pulling history records from browser files (e.g. Chrome’s “History” database) and saves them into a “history.txt” for exfiltration. 

By grabbing usernames, passwords, and browsing histories, Shuyal provides cybercriminals not only immediate account access, but also context about the victim’s online behavior. Such data can facilitate account takeover, impersonation, or further targeted attacks using the victim’s own web sessions.

System Reconnaissance and Additional Data Theft

Shuyal distinguishes itself from most stealers by performing extensive system reconnaissance alongside credential theft. As soon as it runs, Shuyal spawns multiple system commands to inventory the host machine. For example, it uses Windows Management Instrumentation (WMI) commands (wmic) to query:

  • Disk drives – retrieving the model and serial numbers of installed hard drives.
  • Keyboard and mouse – gathering device information for input peripherals.
  • Display/monitor – obtaining details about connected monitors.

It even attempts to fetch the path of the current desktop wallpaper via a PowerShell command. This level of host detail suggests the malware operators might use the info for fingerprinting victims or evading sandbox analysis (since virtual machines often have generic device info). In effect, Shuyal “cases” the victim’s system, possibly to identify high-value targets or adjust its payload behavior.

In addition to system info, Shuyal aggressively harvests other sensitive data from the machine. It calls Windows clipboard APIs to copy the entire clipboard contents, which it saves to a clipboard.txt file. 

Any sensitive information the user recently copied (passwords, keys, personal data) could be exposed this way. The malware also takes a full screenshot of the user’s desktop by invoking graphics APIs (GDI+ functions), saving a snapshot as ss.png. This screenshot could reveal additional information such as open documents, emails, or banking sessions visible on the screen.

Notably, Shuyal also targets Discord tokens, the authentication tokens for the popular messaging platform Discord. It scans for tokens from the standard Discord client as well as Discord’s Canary and PTB versions (testing builds).

By stealing these tokens (stored in local files or memory), attackers can hijack the victim’s Discord accounts without needing credentials. All tokens found are consolidated into a tokens.txt log.

Stealth, Evasion, and Persistence Techniques

Shuyal’s developers have implemented aggressive evasion techniques to keep the malware hidden and running. Immediately upon infection, Shuyal searches for the Windows Task Manager process and terminates it if found. 

By killing Task Manager, the malware prevents a savvy user from easily noticing or killing the malicious process. To make this disruption persistent, Shuyal then edits the Windows registry to disable Task Manager altogether (DisableTaskMgr registry value). 

The victim can now no longer open Task Manager at all, greatly hindering their ability to investigate suspicious activity on the system. This is a notably aggressive defense-evasion step, as few malware families disable system tools so directly.

Shuyal also maintains persistence on the machine to survive reboots. It copies its executable into the user’s Windows Startup folder, meaning it will automatically run every time the computer starts. By installing itself in Startup, Shuyal ensures it can continue stealing data periodically or regain control even after restarts. 

The malware uses standard Win32 API calls to find the Startup path and copy itself there under a benign-sounding name. For the user or an administrator, this persistence method can be subtle – one more file in Startup is easily overlooked, especially if the process name doesn’t raise suspicion.

Once Shuyal has exfiltrated the stolen data (as described in the next section), it executes a built-in self-deletion routine to remove evidence. It creates and runs a batch script (commonly observed as util.bat) that deletes the malware’s executable and any temporary files or archives it created during runtime. 

This way, after Shuyal finishes its heist, the primary malware file may delete itself and the stolen-data files, leaving minimal traces for forensic analysts. The only thing that remains is the persistent copy in Startup for future runs, and even that could potentially delete itself after re-running, depending on the malware’s logic. 

Data Exfiltration via Telegram Bot

After accumulating a trove of credentials and system data, Shuyal needs to send this loot to its operators. It employs a clever mechanism for data exfiltration using Telegram, the popular messaging platform. 

All the stolen files (passwords, history, tokens, clipboard, screenshot, etc.) are first gathered into a single folder (often the runtime folder in the Temp directory). Shuyal then invokes PowerShell to compress this folder into a password-protected archive (commonly runtime.zip). Using PowerShell’s Compress-Archive command, it zips up the data quickly without needing external tools.

Once the data is packaged, Shuyal sends it out via an HTTP request to Telegram’s Bot API. The malware includes a hardcoded Telegram bot token and chat ID, allowing it to upload the stolen zip file directly into the attackers’ private Telegram chat. 

This technique abuses a legitimate platform (Telegram) for exfiltration, which can bypass traditional network defenses. Many organizations don’t block or inspect traffic to Telegram’s cloud infrastructure. The use of a Telegram bot also provides the attackers with near real-time delivery of stolen data in a place that’s easy to access anonymously on their end.

After confirming the data was sent, Shuyal proceeds to execute its cleanup: it deletes the newly created archive and the stolen data files from disk. By wiping the runtime folder and related files, it ensures the evidence of what was taken is gone from the victim machine. 

Only the network transmission to Telegram (and possibly some artifacts in memory or logs) gives away the exfiltration. Defenders should be aware of any unknown Telegram bot traffic or unusual use of PowerShell archiving on endpoints as potential signs of Shuyal or similar threats.

Detection and Indicators of Compromise (IOCs)

File System Artifacts
  • Temp\runtime\ folder creation – stores saved_passwords.txt, history.txt, clipboard.txt, tokens.txt and ss.png (screenshot)
  • Temp\runtime.zip archive appears, then disappears – temporary compressed data for exfiltration
  • util.bat script execution – used for self-deletion and cleanup; any self-deleting .bat is suspicious

Process Activity
  • Sequential WMI queries:
      wmic diskdrive get model,serialnumber
      wmic path Win32_Keyboard get Description,DeviceID
      wmic path Win32_PointingDevice get Description,PNPDeviceID (often twice)
      wmic path Win32_DesktopMonitor get Description,PNPDeviceID
      wmic get name (incomplete command)
  • PowerShell activity – fetches the wallpaper path with Get-ItemProperty ‘HKCU:\Control Panel\Desktop’ … Wallpaper; compresses data with Compress-Archive -Path <temp\runtime\*>

Registry & OS Changes
  • Task Manager disabled – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
  • Task Manager terminated unexpectedly – can be detected by EDR solutions

Network Indicators
  • Outbound connections to Telegram API – api.telegram.org or Telegram bot URLs with token and chat ID
  • Suspicious Telegram file transfers – encrypted traffic; uncommon in enterprise environments

AV Detection
  • Known detection names – examples: Trojan-PSW.Win64.Disco.kdz (Kaspersky), Win64/Lazy (Microsoft)

Security teams are advised to integrate these IOCs and patterns into their monitoring systems and build effective detection rules.
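As an added illustration (not code from the original post or from Twilight Cyber), the following Python correlates the behavioral indicators listed above per host over constructed endpoint telemetry, so that one routine wmic call or backup archive does not fire on its own but the full chain does. The event field names, hostnames, user names and file paths are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed telemetry in a simplified, Sysmon-like shape. The field names
# are an assumption, not a real EDR schema; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "cmd": "wmic diskdrive get model,serialnumber"},
    {"host": "WS-01", "type": "process", "cmd": "wmic path Win32_Keyboard get Description,DeviceID"},
    {"host": "WS-01", "type": "process", "cmd": "wmic path Win32_PointingDevice get Description,PNPDeviceID"},
    {"host": "WS-01", "type": "process", "cmd": "wmic path Win32_DesktopMonitor get Description,PNPDeviceID"},
    {"host": "WS-01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "value": "1"},
    {"host": "WS-01", "type": "file", "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"host": "WS-01", "type": "process",
     "cmd": r"powershell Compress-Archive -Path C:\Users\jdoe\AppData\Local\Temp\runtime\* -DestinationPath C:\Users\jdoe\AppData\Local\Temp\runtime.zip"},
    {"host": "WS-01", "type": "network", "dest": "api.telegram.org", "port": 443},
    {"host": "WS-01", "type": "process", "cmd": r"cmd /c C:\Users\jdoe\AppData\Local\Temp\util.bat"},
    # Benign admin activity on a second host: one inventory query and a backup archive.
    {"host": "WS-02", "type": "process", "cmd": "wmic diskdrive get model,serialnumber"},
    {"host": "WS-02", "type": "process", "cmd": r"powershell Compress-Archive -Path D:\backup\* -DestinationPath D:\backup.zip"},
]

# The hardware-inventory queries the post lists; captured group 1 identifies which one.
WMI_RECON = re.compile(r"wmic\s+(diskdrive\s+get|path\s+Win32_(?:Keyboard|PointingDevice|DesktopMonitor))", re.I)

# Single-event indicators: name -> (event type, predicate over that event).
RULES = {
    "powershell_archive_of_temp_runtime": ("process", lambda e: re.search(r"Compress-Archive.*\\Temp\\runtime", e["cmd"], re.I)),
    "self_delete_batch": ("process", lambda e: re.search(r"\\util\.bat\b", e["cmd"], re.I)),
    "taskmgr_disabled": ("registry", lambda e: e["key"].lower().endswith(r"\policies\system\disabletaskmgr") and e["value"] == "1"),
    "startup_folder_drop": ("file", lambda e: "\\start menu\\programs\\startup\\" in e["path"].lower()),
    "telegram_bot_api": ("network", lambda e: e["dest"].lower() == "api.telegram.org"),
}

def collect_indicators(events):
    """Return {host: set of indicator names} over the supplied events."""
    hits, wmi_queries = defaultdict(set), defaultdict(set)
    for e in events:
        for name, (etype, pred) in RULES.items():
            if e["type"] == etype and pred(e):
                hits[e["host"]].add(name)
        if e["type"] == "process" and (m := WMI_RECON.search(e["cmd"])):
            wmi_queries[e["host"]].add(m.group(1).lower())
    # One wmic call is routine admin work; the stealer runs the whole inventory, so require >= 3 distinct queries.
    for host, queries in wmi_queries.items():
        if len(queries) >= 3:
            hits[host].add("wmi_hardware_recon_sequence")
    return dict(hits)

def flag_hosts(events, min_indicators=3):
    """Hosts showing at least min_indicators of the chain, most indicators first."""
    flagged = {h: sorted(i) for h, i in collect_indicators(events).items() if len(i) >= min_indicators}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for host, inds in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(inds)} indicators -> {', '.join(inds)}")
```

Adjust min_indicators to your environment's noise level; the WS-02 host above shows why single indicators such as one wmic query or one Compress-Archive call should not alert alone.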

It’s also wise to ensure anti-malware signatures are up-to-date. By now, antivirus vendors have given Shuyal various detection names (e.g., Trojan-PSW.Win64.Disco.kdz by Kaspersky, or Win64/Lazy by Microsoft). Robust endpoint protection should ideally quarantine this threat on execution.

Mitigation and Prevention Strategies

To defend against Shuyal, Twilight Cyber recommends the following measures:

Strengthen Email and Web Gateways
Since stealers often arrive via phishing or malicious downloads, ensure that email filters are catching known malware attachments and phishing lures. Implement URL filtering to block access to known malicious sites or fake software download pages. 

User education is crucial here as well, as staff must be able to recognize phishing emails and suspicious links, so they don’t inadvertently run malware.

Endpoint Protection and Least Privilege
Deploy reputable endpoint security that can detect malicious behavior (like strange WMI usage or credential dumping patterns) rather than just known signatures. Enable features like Controlled Folder Access or similar, which might prevent unknown programs from reading credential stores. Running daily work not as an administrator can also limit what malware like Shuyal can access or install (for instance, standard users can’t easily disable system tools or install to certain protected directories).

Credential Hygiene and Monitoring
Encourage the use of password managers and discourage saving passwords directly in browsers where possible. If credentials aren’t stored in browsers, stealers will have less to pilfer. More importantly, enforce multi-factor authentication (MFA) on all critical accounts. Stolen passwords alone (even if Shuyal grabs them) may not be sufficient for an attacker to breach an MFA-protected account. 

Additionally, implement continuous dark-web monitoring to detect if any corporate or employee credentials surface in underground forums or marketplaces.

Network Egress Monitoring
As mentioned, monitor for unusual outbound connections, especially to services not typically used in your environment (such as Telegram, or new VPNs/hosting providers).

Shuyal’s exfiltration can potentially be stopped or caught if outbound traffic is filtered and logged. Some organizations choose to block personal communication tools (or at least flag them) on corporate networks for this reason.

Shuyal in the Infostealer Landscape

Shuyal arrives at a time when infostealer malware is booming. According to Twilight research, 2025 has seen an average of over 200,000 new infostealer infections each month, reaching a total of well over 1 million for the year.

Lumma remains the most popular stealer, despite global law enforcement actions. Just a couple of months before Shuyal’s discovery, the FBI conducted a takedown that disrupted the Lumma Stealer in May 2025. However, the criminals behind Lumma regrouped and are now active again.

For more details on the Lumma stealer, please read this post:

This pattern highlights that the demand for stolen credentials remains high, and adversaries are constantly introducing new tools like Shuyal to replace or augment older ones.

Based on how other infostealers proliferate, attackers could distribute Shuyal through a variety of channels:

  • Phishing campaigns with infected attachments
  • Links on social media or forum posts
  • Trojanized software (pirated apps or “cracks”)
  • Fake CAPTCHA/installation pages

All these methods have been used to great success by other stealer malware to infect large numbers of victims. Organizations should therefore be alert to multiple ingress points for signs of malware delivery.

Protect Against Infostealers With Twilight

The emergence of Shuyal underscores that the infostealer threat landscape is more dangerous than ever. A single infection can put an organization at risk of espionage, fraud, and costly breaches.

Twilight specializes in exactly this domain. We continuously scan underground forums, marketplaces, and leak sites for stolen credentials and indicators tied to malware like Shuyal. By leveraging Twilight’s intelligence, companies can receive early warnings if their employee or customer data appears in stealer logs or criminal channels. 

Our platform correlates infostealer data with your domain and user accounts, enabling you to rapidly neutralize compromised credentials before they’re used in attacks. 

Don’t wait until your organization’s credentials are up for sale. Contact Twilight today, or initiate your FREE scan now to check if any of your corporate or employee credentials have already been exposed on the dark web.
