A newly discovered information-stealing malware known as “PupkinStealer” has been identified by cybersecurity analysts. It targets sensitive user data through a straightforward yet efficient strategy.
First detected in April 2025, this .NET-based malware written in C# concentrates on harvesting browser credentials, messaging application sessions, and desktop files, exfiltrating the information through Telegram’s Bot API.
Security specialists note that PupkinStealer’s simplicity and its reliance on legitimate platforms for command-and-control make it a significant threat, particularly because it lacks the sophisticated anti-analysis mechanisms that often trip security defenses.
PupkinStealer is a compact 32-bit executable of only 6.21 MB, built with the .NET framework and C#. Despite its relatively modest footprint, the malware shows considerable data harvesting capabilities.
PupkinStealer Strikes Windows Systems
Security investigators have concluded that PupkinStealer aims at a specific range of sensitive data, including saved passwords and cookies from web browsers, session information from messaging applications like Telegram and Discord, as well as specific desktop files with certain extensions.
Upon activation, the malware generates a compressed ZIP file containing all extracted data, augmented with victim metadata such as username, public IP address, and Windows Security Identifier.
The malware is designed to run in both x86 and x64 environments and uses the Costura library to embed compressed DLLs in the executable.
In contrast to more advanced malware types employing extensive evasion tactics, PupkinStealer depends on straightforward execution techniques and lacks persistence mechanisms, indicating a “hit-and-run” strategy meant to reduce detection during its brief operational phase.
The malware takes a 1920×1080 JPG screenshot of the victim’s desktop, supplying attackers with further contextual insights into the compromised system.
The design of PupkinStealer suggests it was intended for less-skilled threat actors and may be distributed via malware-as-a-service (MaaS) models that facilitate quick monetization through credential theft and data resale.
PupkinStealer’s utilization of Telegram’s Bot API for command-and-control and data exfiltration illustrates a growing trend among cybercriminals who exploit legitimate platforms to merge malicious traffic with regular communications.
Based on insights from security analysts, malware that employs Telegram as a C2 channel typically leverages the Telegram Bot API for communications, allowing attackers to retain control while concealing their actions within legitimate traffic flows.
Researchers have highlighted a notable vulnerability in Telegram’s Bot API that PupkinStealer exploits: an attacker who can intercept and decrypt the HTTPS traffic can replay all previous bot messages.
Unlike standard Telegram messages, which use the platform’s MTProto encryption, Bot API communications are protected only by the HTTPS layer, which leaves a security weakness.
The malware exfiltrates the stolen information by sending the compressed archive to a Telegram bot through a custom API URL, with captions carrying victim details and per-module success indicators to make the stolen data easier to process.
This method allows attackers to bypass conventional network monitoring solutions by obscuring themselves within traffic directed at a popular messaging platform.
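Defenders can turn the exfiltration pattern described above into a network detection. The Python below is an added example, not code from the article or from the malware; it assumes a constructed proxy log format (timestamp, source IP, verb, URL, bytes sent) and constructed bot tokens, and flags POST file uploads to api.telegram.org/bot<token>/sendDocument and related methods.

```python
import re
from dataclasses import dataclass

# Bot API URLs look like /bot<bot_id>:<secret>/<method>; the token shape below
# follows the public Bot API, and every token in this file is constructed.
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]{20,})/(?P<method>\w+)"
)
# Methods that carry a file body; a stealer's ZIP archive arrives via sendDocument.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

@dataclass
class Finding:
    src_ip: str
    bot_id: str      # numeric bot id only; the secret half of the token is never recorded
    method: str
    bytes_out: int

def parse_line(line: str):
    """Assumed (constructed) proxy log format: <ts> <src_ip> <verb> <url> <bytes_out>."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _, src_ip, verb, url, bytes_out = parts
    return src_ip, verb, url, int(bytes_out)

def scan(lines, min_bytes=50_000):
    """Return one Finding per POST file upload to the Telegram Bot API.
    The Telegram desktop client speaks MTProto, not the Bot API, so endpoint traffic to
    api.telegram.org is already unusual; uploads >= min_bytes match a zipped profile dump."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, verb, url, bytes_out = rec
        m = BOT_API_RE.match(url)
        if m and verb == "POST" and m["method"] in UPLOAD_METHODS and bytes_out >= min_bytes:
            findings.append(Finding(src_ip, m["bot_id"], m["method"], bytes_out))
    return findings

# Constructed sample log: ordinary browsing, a small legitimate bot notification,
# and one multi-megabyte sendDocument upload matching the exfiltration pattern.
SAMPLE_LOG = [
    "2025-04-18T10:01:02Z 10.0.5.23 GET https://www.example.com/ 1200",
    "2025-04-18T10:01:09Z 10.0.5.40 POST https://api.telegram.org/bot1234567890:AAExampleSecretAAAAAAAAAAAAAA/sendMessage 412",
    "2025-04-18T10:02:31Z 10.0.5.23 POST https://api.telegram.org/bot9876543210:AAExampleSecretBBBBBBBBBBBBBB/sendDocument 6812345",
]
```

Running `scan(SAMPLE_LOG)` yields a single finding for the 10.0.5.23 upload; the small sendMessage call is left alone because it carries no file body.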
“Dedicated” Developer with Potential Russian Links
Cybersecurity analysts attribute PupkinStealer to a developer referred to as “Dedicated” based on embedded code strings identified during their analysis.
The occurrence of Russian-language phrases in the metadata of the Telegram bot, such as the term “kanal” (Russian for “channel”), implies possible Russian origins, although no conclusive geographic targeting has been confirmed.
This attribution comes amid growing concern about ransomware and information-stealing operations originating from Eastern European cybercriminal groups.
The rise of PupkinStealer underscores an evolving threat landscape in which malware developers increasingly favor simplicity and the abuse of legitimate platforms over intricate technical features.
Its focus on e-commerce-related data, including browser credentials and financial platform sessions, poses significant risks to online retailers and their customers.
Security professionals recommend that organizations adopt multi-factor authentication, routinely assess third-party application access to messaging platforms, and maintain robust endpoint protection to safeguard against this emerging threat.
As evidenced by PupkinStealer, contemporary malware no longer necessitates complex coding to effectively steal sensitive data – occasionally, the simplest methods prove the hardest to detect.
| Item | Details |
|---|---|
| Malware Sample | PupkinStealer |
| Sample Hash | 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f |
| Search Command | $ polyswarm link list -f PupkinStealer |