In April 2025, cybersecurity researchers identified a new information-stealing malware named PupkinStealer. Developed in C# using the .NET framework, this lightweight yet potent malware targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots. Notably, PupkinStealer leverages Telegram’s Bot API for data exfiltration, highlighting a growing trend among cybercriminals to exploit legitimate platforms for malicious purposes.
Key Features and Capabilities
PupkinStealer is designed for rapid data harvesting, operating with minimal obfuscation or persistence mechanisms, thereby prioritizing quick execution over long-term stealth. Its primary capabilities include:
– Extraction of Browser Credentials: The malware targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Opera GX, and Vivaldi. It reads the DPAPI-protected master key from each browser’s Local State file, decrypts it with the Windows Data Protection API, and uses that key to decrypt the passwords stored in the SQLite-based Login Data databases.
– Desktop File Collection: PupkinStealer scans the victim’s desktop for files with specific extensions (.pdf, .txt, .sql, .jpg, .png) and copies them to a temporary directory for exfiltration.
– Messaging App Session Theft: The malware targets Telegram by copying the tdata folder, which contains session files that enable account access without credentials. It also extracts Discord authentication tokens from leveldb directories using regular expressions, allowing attackers to impersonate victims.
– Screenshot Capture: PupkinStealer captures a 1920×1080 screenshot of the victim’s desktop, saving it as a .jpg file for exfiltration.
All stolen data is compressed into a ZIP archive with embedded metadata (username, public IP, and Windows Security Identifier) and sent to an attacker-controlled Telegram bot via a crafted API URL.
Technical Analysis
PupkinStealer is a 32-bit GUI-based Windows executable with a file size of 6.21 MB. Written in .NET with AnyCPU architecture, it is compatible with both x86 and x64 environments. The malware uses the Costura library to embed compressed DLLs, contributing to a high entropy value (7.998) in its .text section, despite lacking traditional packing.
Upon execution, the .NET runtime initializes the Common Language Runtime (CLR) and calls the malware’s Main() method, which orchestrates asynchronous tasks for data harvesting. Key components include:
– ChromiumPasswords Class: Handles credential extraction by creating browser-specific text files (e.g., Chrome.txt, Edge.txt) in a temporary directory (%TEMP%\[username]\Passwords) and decrypting passwords using AES-GCM.
– FunctionsForStealer and FunctionsForDecrypt Classes: Retrieve and decrypt browser keys from Local State files, enabling access to encrypted passwords.
– GrabberDesktop Method: Copies desktop files to a DesktopFiles directory, filtering by predefined extensions and silently handling errors to avoid detection.
– Telegram and Discord Modules: Locate and exfiltrate session data and authentication tokens, with Telegram’s tdata folder copied recursively and Discord tokens extracted via regular expressions.
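As an added example (not code from the write-up or from the malware), the following Python triages constructed file-access telemetry for the collection pattern described above: a single process touching the browser Login Data/Local State files, the Telegram tdata folder, the Discord leveldb store and the %TEMP%\[username]\Passwords staging directory. The profile paths, the process names treated as legitimate owners, and the sample events are assumptions.

```python
"""Triage of constructed file-access telemetry for PupkinStealer-style collection."""
import re
from collections import defaultdict

# Artefacts named in the write-up, each with the process that legitimately owns it.
# The path regexes assume default install/profile locations (an assumption).
WATCHED = [
    ("chromium_login_data", r"\\user data\\(.*\\)?(login data|local state)$",
     {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}),
    ("telegram_tdata", r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    ("discord_leveldb", r"\\discord\\local storage\\leveldb\\", {"discord.exe"}),
    ("temp_passwords_dir", r"\\temp\\[^\\]+\\passwords\\", set()),
    ("temp_desktopfiles_dir", r"\\temp\\[^\\]+\\desktopfiles\\", set()),
]

def match_event(process, path):
    """Labels triggered by one event: a watched path touched by a process
    that is not its legitimate owner (case-insensitive, as Windows paths are)."""
    proc = process.rsplit("\\", 1)[-1].lower()
    low = path.lower()
    return [label for label, rx, owners in WATCHED
            if re.search(rx, low) and proc not in owners]

def triage(events, min_indicators=2):
    """Aggregate per process. One stray read may be backup software; one process
    touching several unrelated credential stores is the stealer pattern."""
    hits = defaultdict(set)
    for proc, path in events:
        hits[proc].update(match_event(proc, path))
    return {proc: sorted(labels) for proc, labels in hits.items()
            if len(labels) >= min_indicators}

# Constructed sample events: (process image, file path). User "alice" is made up.
EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\alice\Downloads\invoice.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    (r"C:\Users\alice\Downloads\invoice.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\alice\Downloads\invoice.exe",
     r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    (r"C:\Users\alice\Downloads\invoice.exe",
     r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    (r"C:\Users\alice\Downloads\invoice.exe",
     r"C:\Users\alice\AppData\Local\Temp\alice\Passwords\Chrome.txt"),
    (r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
]
```

Running `triage(EVENTS)` reports only invoice.exe, with all four indicator classes; the browser and Telegram clients reading their own stores produce no hits.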
Exploitation of Telegram for Data Exfiltration
PupkinStealer’s use of Telegram’s Bot API for data exfiltration underscores a growing trend among cybercriminals to exploit legitimate platforms for malicious purposes. Because the stolen archive travels over HTTPS to Telegram’s own API endpoint, a legitimate and widely used service, it blends with ordinary traffic, and the attacker receives it anonymously through a bot rather than through infrastructure that can be seized or attributed; this complicates detection and mitigation. The method aligns with the rising popularity of Telegram among cybercriminals due to its anonymity and ease of use.
Mitigation Strategies
To protect against threats like PupkinStealer, users and organizations should implement the following measures:
1. Regular Software Updates: Ensure that all software, especially web browsers and operating systems, is kept up to date to patch known vulnerabilities.
2. Use of Password Managers: Avoid storing passwords directly in browsers; instead, use dedicated password managers that offer enhanced security features.
3. Multi-Factor Authentication (MFA): Enable MFA on all critical accounts to add an extra layer of security, making it more difficult for attackers to gain unauthorized access.
4. Employee Training: Educate employees about the risks of phishing attacks and the importance of not downloading or executing unknown files.
5. Endpoint Security Solutions: Deploy comprehensive endpoint security solutions capable of detecting and mitigating malware threats in real-time.
6. Network Monitoring: Implement network monitoring to detect unusual data exfiltration activity, such as unexpected communications with external servers or endpoints making bot-API calls to messaging services they have no business reason to use.
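As an added example (not code from the write-up), the following Python scans constructed proxy-log lines for Telegram Bot API calls, which ordinary workstations rarely make, and escalates uploads; the log format, the sendDocument upload method and the sample hosts are assumptions, since the write-up says only that a crafted Bot API URL is used.

```python
"""Triage of constructed proxy-log lines for Telegram Bot API exfiltration."""
import re
from urllib.parse import urlparse

# Constructed line format: timestamp src_ip http_method url status bytes_sent
LINE_RX = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d{3}) (\d+)$")
# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<apiMethod>
BOT_PATH_RX = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that carry a file upload; sendDocument is the natural fit for a ZIP.
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}

def bot_api_call(url):
    """Return (bot_id, api_method) for a Telegram Bot API URL, else None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RX.match(u.path)
    return (m.group(1), m.group(3)) if m else None

def detect(lines, upload_threshold=1_000_000):
    """Flag every Bot API call from a monitored host; escalate to high when the
    call is an upload method or a large POST. Only the numeric bot id is kept
    as a pivot; the secret half of the token is never copied into alerts."""
    alerts = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        ts, src, http_method, url, _status, size = m.groups()
        call = bot_api_call(url)
        if not call:
            continue
        bot_id, api_method = call
        size = int(size)
        upload = (api_method.lower() in UPLOAD_METHODS
                  or (http_method == "POST" and size >= upload_threshold))
        alerts.append({"ts": ts, "src": src, "bot_id": bot_id, "api_method": api_method,
                       "bytes": size, "severity": "high" if upload else "medium"})
    return alerts

# Constructed sample lines; hosts, bot id and token secret are made up.
SAMPLE_LOG = [
    "2025-04-20T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200 512",
    "2025-04-20T10:01:09Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:AAExampleNotARealToken_xyz/sendDocument 200 5242880",
    "2025-04-20T10:02:00Z 10.0.0.7 GET https://api.telegram.org/bot1234567890:AAExampleNotARealToken_xyz/getMe 200 300",
    "2025-04-20T10:03:00Z 10.0.0.9 GET https://web.telegram.org/a/ 200 20480",
]
```

`detect(SAMPLE_LOG)` yields a high-severity alert for the 5 MB sendDocument upload and a medium one for the getMe probe; the web client line is ignored because it is not a Bot API path.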
Conclusion
The emergence of PupkinStealer highlights the evolving tactics of cybercriminals who are increasingly exploiting legitimate platforms like Telegram for malicious activities. By understanding the capabilities and methods of such malware, individuals and organizations can better prepare and implement effective security measures to protect sensitive information.