In April 2025, security researchers identified a new information-stealing malware named PupkinStealer. Written in C# on the .NET framework, this small but capable stealer targets browser credentials, desktop files, messaging-app sessions, and screenshots. Notably, PupkinStealer uses Telegram’s Bot API for exfiltration, part of a wider trend of criminals abusing legitimate services as drop points because their traffic blends in with ordinary use.
Key Features and Capabilities
PupkinStealer is engineered for rapid data harvesting, operating with minimal obfuscation and lacking persistence mechanisms. This design prioritizes quick execution over long-term stealth. Its primary capabilities include:
– Extraction of Browser Credentials: The malware targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Opera GX, and Vivaldi. For each browser it reads the base64-encoded encrypted_key from the Local State file, strips the DPAPI prefix and unwraps the key with the Windows Data Protection API (CryptUnprotectData), then uses the recovered AES-256 key to decrypt the GCM-encrypted password_value blobs in the SQLite Login Data database. Because DPAPI ties the key to the logged-on user, this only works when the stealer runs inside that user’s session, which is exactly where a user-launched executable lands.
– Desktop File Collection: PupkinStealer scans the victim’s desktop for files with specific extensions (.pdf, .txt, .sql, .jpg, .png) and copies them to a temporary directory for exfiltration.
– Messaging App Session Hijacking: The malware targets Telegram by copying the tdata folder, whose session files let an attacker open the account on another machine without the password or a second factor. It also extracts Discord authentication tokens from the client’s leveldb directories using regular expressions, allowing attackers to impersonate victims.
– Screenshot Capture: PupkinStealer captures a 1920×1080 screenshot of the victim’s desktop, saving it as a .jpg file for exfiltration.
– Data Exfiltration via Telegram: All stolen data is compressed into a ZIP archive with embedded metadata (username, public IP, and Windows Security Identifier) and sent to an attacker-controlled Telegram bot via a crafted API URL.
Technical Analysis
PupkinStealer is a Windows GUI executable of 6.21 MB with a 32-bit PE header, the normal shape of a .NET assembly compiled for AnyCPU, so the CLR JIT-compiles it for whichever architecture it lands on and it runs on both x86 and x64 hosts. The malware uses the Costura library to embed compressed DLLs as resources, which is why its .text section has an entropy of 7.998: the compressed payload looks like packing to entropy-based heuristics even though no traditional packer is used.
Upon execution, the CLR is loaded and control passes to the malware’s Main() method, which launches the data-harvesting routines as asynchronous tasks. Key components include:
– ChromiumPasswords Class: Handles credential extraction by creating browser-specific text files (e.g., Chrome.txt, Edge.txt) in a temporary directory (%TEMP%\[username]\Passwords) and decrypting passwords using AES-GCM.
– FunctionsForStealer and FunctionsForDecrypt Classes: Retrieve and decrypt browser keys from Local State files, enabling access to encrypted passwords.
– GrabberDesktop Method: Copies desktop files to a DesktopFiles directory, filtering by the predefined extensions and swallowing exceptions so that a locked or unreadable file neither aborts the run nor surfaces an error dialog to the user.
– Telegram and Discord Modules: Locate and exfiltrate session data and authentication tokens, with Telegram’s tdata folder copied recursively and Discord tokens extracted via regular expressions.
– Screenshot and Compression Routines: Capture the desktop screenshot and compress everything collected into a ZIP archive with maximum compression (level 9) and entry names encoded in CP866, the DOS Cyrillic code page, a detail that is both a weak attribution hint and a usable signature for the archives.
Exfiltration via Telegram
PupkinStealer exfiltrates data to a Telegram bot named botKanal (username: botkanalchik_bot), likely derived from the Russian word kanal (channel). The bot receives ZIP archives via the Telegram Bot API, with captions containing detailed victim information, including usernames, IP addresses, SIDs, and module success flags.
The malware’s attribution string, Coded by Ardent, suggests a developer operating under this alias, with additional clues pointing to a possible Russian origin based on Russian-language text in related Telegram metadata.
The malware’s simplicity and lack of advanced anti-analysis defenses make it an accessible tool for less-sophisticated threat actors. It fits into a broader trend of modular, low-complexity infostealers available through malware-as-a-service models, enabling rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.
Mitigation Recommendations
PupkinStealer’s straightforward design underscores the need for robust cybersecurity practices to counter such threats. Organizations and individuals can reduce their risk by:
– User Awareness: Exercise caution with files from untrusted sources and avoid clicking suspicious links, especially those promoting dubious software.
– Antivirus and Updates: Deploy reputable antivirus solutions and ensure all software, including browsers and messaging apps, is regularly updated to patch vulnerabilities.
– Network Monitoring: Alert on outbound connections to api.telegram.org from hosts that have no business reason to use Telegram and, where a TLS-inspecting proxy records the URL path, on POSTs to Bot API upload methods such as sendDocument; a multi-megabyte upload from a workstation to a bot is a strong exfiltration signal. Apply the same logic to other legitimate services commonly abused as drop points, such as Discord webhooks and public file-sharing or paste APIs.
– Credential Management: Use a password manager instead of the browser’s built-in store, and enable multi-factor authentication (MFA) on Telegram and Discord. MFA does not help once a session has been stolen, though: a copied tdata folder or Discord token is accepted without a password or second factor, so after a suspected infection review the active sessions in both apps, terminate the ones you don’t recognize, and rotate any passwords that were saved in the browser.
– Security Culture: Foster a security-conscious environment through regular employee training on social engineering and malware risks.
Implementing these measures can significantly reduce the risk posed by PupkinStealer and similar malware threats.
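A detection check for the exfiltration path described under Exfiltration via Telegram and in the Network Monitoring item above, as an added Go example (editor-written, not from the original analysis or from any vendor product). It scans constructed proxy-log lines for Bot API URLs, pulls out the bot token that the URL format necessarily embeds, separates polling calls from file uploads, and redacts the token before it lands in a ticket. The log line format, the sample entries and the size threshold are assumptions; the Bot API URL shape is real. The path is only visible where a TLS-inspecting proxy logs it; with NetFlow or DNS alone you get just the host name api.telegram.org, which is still worth an alert on hosts that have no business reason to reach it.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one outbound request to the Telegram Bot API seen in proxy logs.
type Finding struct {
	Time, Src, Method string // Method is the Bot API method, e.g. sendDocument
	BotID, Secret     string // the two halves of the bot token <id>:<secret>
	Bytes             int    // request body size
}

// Bot API URLs embed the bot token: https://api.telegram.org/bot<id>:<secret>/<method>.
// The secret is 35 characters in tokens seen in the wild; {30,} keeps the match tolerant.
var botAPI = regexp.MustCompile(`^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)`)

// ScanProxyLog parses "<ts> <src> <verb> <url> <bytes>" lines (a constructed
// format standing in for your proxy's schema) and returns every Bot API hit.
func ScanProxyLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			continue
		}
		m := botAPI.FindStringSubmatch(f[3])
		if m == nil {
			continue
		}
		n, _ := strconv.Atoi(f[4])
		out = append(out, Finding{Time: f[0], Src: f[1], Method: m[3], BotID: m[1], Secret: m[2], Bytes: n})
	}
	return out
}

// LikelyExfil flags file uploads. sendDocument/sendPhoto/sendVideo/sendAudio carry
// a body; getMe/getUpdates are a bot polling for commands and are noise here.
// minBytes is an assumed threshold; tune it to the size of a typical stolen archive.
func LikelyExfil(f Finding, minBytes int) bool {
	switch f.Method {
	case "sendDocument", "sendPhoto", "sendVideo", "sendAudio":
		return f.Bytes >= minBytes
	}
	return false
}

// RedactToken keeps the bot ID (enough to pivot across hosts and to report the bot
// to Telegram) and masks the secret so tickets don't circulate a usable credential.
func RedactToken(f Finding) string {
	return f.BotID + ":" + f.Secret[:4] + strings.Repeat("*", len(f.Secret)-4)
}

// ExfilSources returns, in log order, the hosts that uploaded files to a bot.
func ExfilSources(log string, minBytes int) []string {
	var hosts []string
	for _, f := range ScanProxyLog(log) {
		if LikelyExfil(f, minBytes) {
			hosts = append(hosts, f.Src)
		}
	}
	return hosts
}

// sampleLog is constructed sample data, not a capture from a real incident.
const sampleLog = `2025-04-28T10:15:02Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAHzEXAMPLEEXAMPLEEXAMPLEEXAMPLE123/sendDocument 1842213
2025-04-28T10:15:03Z 10.0.0.23 GET https://www.example.com/ 4120
2025-04-28T10:16:11Z 10.0.0.45 GET https://api.telegram.org/bot1234567890:AAHzEXAMPLEEXAMPLEEXAMPLEEXAMPLE123/getMe 310
2025-04-28T10:17:40Z 10.0.0.77 POST https://api.telegram.org/bot99887766:AAFQEXAMPLEEXAMPLEEXAMPLEEXAMPLEXYZ/sendDocument 2200000`

func main() {
	for _, f := range ScanProxyLog(sampleLog) {
		fmt.Printf("%s %s %-12s bot=%s bytes=%d exfil=%v\n",
			f.Time, f.Src, f.Method, RedactToken(f), f.Bytes, LikelyExfil(f, 100_000))
	}
}
```

Two hosts sharing one bot ID, as 10.0.0.23 and 10.0.0.45 do in the sample, is the pivot to look for: the same operator is collecting from both, and the ID is safe to share with Telegram or other responders without handing over the secret.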