PupkinStealer is a recently discovered information-stealing malware written in C# on the .NET framework. This compact but capable stealer targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots.
As per a detailed assessment from CYFIRMA shared with Cyber Security News, PupkinStealer exploits Telegram’s Bot API for covert data extraction, highlighting the increasing trend of leveraging legitimate platforms for harmful intents.
Initially detected in April 2025, PupkinStealer is a basic infostealer that targets a specific collection of data, setting it apart from more indiscriminate malware.
Its dependence on Telegram for command and control corresponds with the growing appeal of this platform among cybercriminals due to its anonymity and user-friendliness. CYFIRMA attributes this malware to a developer known as “Ardent,” based on embedded code strings.
Prominent Features and Functions
PupkinStealer is engineered for swift data acquisition and functions with minimal obfuscation or persistence strategies, favoring rapid execution over enduring stealth. Its key functions encompass:
The malware retrieves and decrypts saved login details from Chromium-based browsers, such as Google Chrome, Microsoft Edge, Opera, Opera GX, and Vivaldi.
It extracts decryption keys from the browsers’ Local State files and employs the Windows Data Protection API to decipher passwords stored in SQLite-based Login Data databases.
PupkinStealer scans the infected user’s desktop for files with designated extensions (.pdf, .txt, .sql, .jpg, .png) and transfers them to a temporary folder for exfiltration.
This malware targets Telegram by duplicating the tdata folder, which holds session files allowing account access without credentials. Moreover, it extracts Discord authentication tokens from leveldb directories utilizing regular expressions, enabling attackers to impersonate victims.
PupkinStealer captures a 1920×1080 screenshot of the victim’s desktop, storing it as a .jpg file for exfiltration purposes.
All acquired data is compressed into a ZIP file featuring embedded metadata (username, public IP, and Windows Security Identifier) and transmitted to an attacker-controlled Telegram bot via a specially crafted API URL.
Technical Examination
PupkinStealer is a 32-bit GUI-based Windows executable with a file size of 6.21 MB (its SHA-256 hash was also reported). Coded in .NET with AnyCPU architecture, it runs in both x86 and x64 environments.
The malware utilizes the Costura library to embed compressed DLLs, resulting in a high entropy value (7.998) in its .text section, despite the absence of conventional packing.
When executed, the .NET runtime initializes the Common Language Runtime (CLR) and invokes the malware’s Main() method, which orchestrates asynchronous tasks for data harvesting. Significant components include:
- ChromiumPasswords Class: Manages credential extraction by generating browser-specific text files (e.g., Chrome.txt, Edge.txt) in a temporary directory (%TEMP%\[username]\Passwords) and decrypting passwords utilizing AES-GCM.
- FunctionsForStealer and FunctionsForDecrypt Classes: Retrieve and decrypt browser keys from Local State files, enabling access to encrypted passwords.
- GrabberDesktop Method: Copies desktop files to a DesktopFiles folder, filtering by specified extensions and silently managing errors to evade detection.
- Telegram and Discord Modules: Identify and exfiltrate session data and authentication tokens, with the Telegram tdata folder copied recursively and Discord tokens extracted through regular expressions.
- Screenshot and Compression Routines: Capture desktop screenshots and compress all obtained data into a ZIP archive using CP866 encoding and maximum compression (level 9).
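Two of the static traits listed above, the near-maximal entropy of the .text section caused by Costura-embedded compressed DLLs and the indicator strings named later in the report ("Coded by Ardent", the botkanalchik_bot handle), can be turned into a quick triage check. The following Python is an added example for this article, not code from CYFIRMA or from the malware; the sample bytes are constructed, the 7.9-bit threshold is a choice for this example, and treating the "costura." resource-name prefix as a marker is an assumption.

```python
import math
import random
from collections import Counter

# Indicator strings reported in the article; everything else here is a constructed illustration.
IOC_STRINGS = [b"Coded by Ardent", b"botkanalchik_bot", b"api.telegram.org/bot"]
# Costura names embedded resources "costura.<name>.dll.compressed"; using the prefix as a
# marker is an assumption for this example, not a claim about PupkinStealer's resources.
COSTURA_MARKER = b"costura."
ENTROPY_THRESHOLD = 7.9  # bits per byte; the article reports 7.998 for the sample's .text section


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform data, 8.0 for perfectly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_iocs(blob: bytes) -> list[str]:
    """Return the indicator strings present in the blob, in list order."""
    return [s.decode() for s in IOC_STRINGS if s in blob]


def triage(text_section: bytes, whole_file: bytes) -> dict:
    """Combine section entropy with string hits into a simple verdict."""
    entropy = shannon_entropy(text_section)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    costura = COSTURA_MARKER in whole_file
    iocs = find_iocs(whole_file)
    if iocs:
        verdict = "match: known PupkinStealer indicator string"
    elif high_entropy and costura:
        verdict = "suspicious: high-entropy .text with Costura-embedded resources"
    elif high_entropy:
        verdict = "review: high-entropy code section"
    else:
        verdict = "clean"
    return {
        "entropy": round(entropy, 3),
        "high_entropy": high_entropy,
        "costura": costura,
        "iocs": iocs,
        "verdict": verdict,
    }


def constructed_sample() -> tuple[bytes, bytes]:
    """Build a fake binary: 64 KiB of pseudo-random bytes standing in for compressed
    embedded DLLs, followed by a Costura resource name and the attribution string.
    Constructed for this example, not a real sample."""
    rng = random.Random(2025)
    fake_text = bytes(rng.getrandbits(8) for _ in range(65536))
    fake_file = b"MZ" + fake_text + b"costura.SomeLibrary.dll.compressed\x00Coded by Ardent\x00"
    return fake_text, fake_file


if __name__ == "__main__":
    text, whole = constructed_sample()
    print(triage(text, whole))
```

In practice the .text bytes would come from a PE parser (for example the section table via pefile) rather than a constructed buffer; entropy alone only says "compressed or encrypted", which is why the string hits and the Costura marker are combined with it before raising a verdict.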
Data Exfiltration via Telegram
PupkinStealer sends data to a Telegram bot identified as botKanal (username: botkanalchik_bot), potentially derived from the Russian term “kanal” (channel).
The bot accepts ZIP archives through the Telegram Bot API, with captions containing comprehensive victim information, including usernames, IP addresses, SIDs, and module success flags.
“The malware’s attribution string, ‘Coded by Ardent,’ implies a developer functioning under this alias, with further hints indicating a potential Russian origin based on Russian-language text in associated Telegram metadata,” CYFIRMA stated to Cyber Security News.
The malware’s simplicity and absence of sophisticated anti-analysis safeguards render it an accessible instrument for less-experienced threat actors. It aligns with a broader trend of modular, low-complexity infostealers available through malware-as-a-service frameworks, facilitating rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.
Mitigation Suggestions
The straightforward architecture of PupkinStealer highlights the necessity for robust cybersecurity measures to combat such threats. Organizations and individuals can lower their risk by:
- User Vigilance: Exercise caution with files from unverified sources and refrain from clicking on suspicious links, especially those advertising questionable software.
- Antivirus and Updates: Employ reputable antivirus solutions and ensure that all software, including browsers and messaging applications, is consistently updated to correct vulnerabilities.
- Network Surveillance: Watch for unusual outbound traffic to Telegram APIs or other irregular services, which may signify data exfiltration.
- Credential Oversight: Utilize password managers to prevent storing credentials in browsers and activate multi-factor authentication (MFA) on messaging platforms such as Telegram and Discord.
- Security Consciousness: Promote a security-aware environment through regular employee training on social engineering and malware threats.
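The network surveillance recommendation above follows directly from how the stealer exfiltrates: a POST of a ZIP archive to api.telegram.org under a /bot&lt;token&gt;/ path, with victim details (username, IP, SID) in the caption. The Python below is an added example for this article, not code from CYFIRMA or any product, showing how such calls can be picked out of proxy logs. The log format, the sample lines, the bot tokens, the allow-list of sanctioned bot IDs and the severity scheme are all constructed for the example; the Bot API URL shape is the documented one.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Telegram Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)$")
# Sanctioned automation bots (constructed allow-list); any other bot ID is reported.
ALLOWED_BOT_IDS = {"987654321"}
# Processes launched from the user's temp directory deserve extra weight.
TEMP_PATH = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}

# Constructed proxy log (not from the article). Fields: timestamp src_ip process method url bytes_out
SAMPLE_LOG = r"""
2025-05-12T10:01:03Z 10.0.0.5 msedge.exe GET https://www.example.com/ 0
2025-05-12T10:02:17Z 10.0.0.5 chrome.exe GET https://web.telegram.org/a/ 0
2025-05-12T10:02:45Z 10.0.0.5 C:\Users\victim\AppData\Local\Temp\update.exe POST https://api.telegram.org/bot123456789:AAE_constructedtokenvalue000000000/sendDocument?chat_id=555&caption=User%3Avictim%7CIP%3A203.0.113.7%7CSID%3AS-1-5-21-1111-2222-3333-1001 6200000
2025-05-12T10:03:10Z 10.0.0.6 python.exe POST https://api.telegram.org/bot987654321:AAF_constructedtoken_for_itbot_00000/sendMessage?chat_id=1&text=backup_ok 120
"""


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    process: str
    bot_id: str
    api_method: str
    bytes_out: int
    caption: str
    severity: str


def inspect(line: str):
    """Return an Alert for a Bot API call to a non-sanctioned bot, otherwise None."""
    ts, src_ip, process, http_method, url, bytes_out = line.split()
    parsed = urlparse(url)
    if parsed.hostname != "api.telegram.org":
        return None  # ordinary Telegram web/desktop traffic does not use the Bot API host path
    m = BOT_API_PATH.match(parsed.path)
    if not m or m["bot_id"] in ALLOWED_BOT_IDS:
        return None
    # Caption parsing is best-effort: a multipart upload may carry it in the body instead.
    caption = parse_qs(parsed.query).get("caption", [""])[0]
    severity = "medium"
    if http_method == "POST" and m["method"] in UPLOAD_METHODS:
        severity = "high"  # a file upload to an unknown bot is the exfiltration pattern itself
    if TEMP_PATH.search(process) or "SID:" in caption:
        severity = "critical"  # temp-dir binary or Windows SID in the caption: stealer-like
    return Alert(ts, src_ip, process, m["bot_id"], m["method"], int(bytes_out), caption, severity)


def scan(log_text: str) -> list:
    """Run inspect() over every log line and keep the alerts."""
    return [a for a in (inspect(line) for line in log_text.strip().splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The bot ID in each alert is what to hand to the proxy or firewall: blocking api.telegram.org outright breaks legitimate Telegram use, whereas denying a specific /bot&lt;id&gt;: path prefix stops this channel without affecting the messaging client. The secret half of the token is matched but never logged or printed.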