A newly identified information-stealing malware, dubbed PupkinStealer, has been developed in C# on the .NET framework. This lightweight but effective malware targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots.
According to a detailed CYFIRMA analysis shared with Cyber Security News, PupkinStealer leverages Telegram's Bot API for stealthy data exfiltration, underscoring the growing trend of abusing legitimate platforms for malicious purposes.
First observed in April 2025, PupkinStealer is a simple infostealer that targets a curated set of data, distinguishing it from more indiscriminate malware.
Its reliance on Telegram for exfiltration aligns with the growing popularity of that platform among cybercriminals, owing to its anonymity and ease of use. CYFIRMA attributes the malware to a developer known as "Ardent," based on embedded code strings.
Key Features and Capabilities
PupkinStealer is designed for rapid data harvesting and operates with minimal obfuscation or persistence mechanisms, prioritizing quick execution over long-term stealth. Its primary capabilities include:
The malware extracts and decrypts saved login credentials from Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Opera GX, and Vivaldi.
It retrieves the wrapped encryption key from each browser's Local State file, unwraps it with the Windows Data Protection API (DPAPI), and uses it to decrypt the passwords stored in the SQLite-based Login Data database. Because DPAPI keys are bound to the logged-on user, no privilege escalation is needed: running as the victim is enough.
PupkinStealer scans the victim's desktop for files with specific extensions (.pdf, .txt, .sql, .jpg, .png) and copies them to a temporary directory for exfiltration.
The malware targets Telegram by copying the tdata folder, which contains session data that allows account access without credentials. It also extracts Discord authentication tokens from leveldb directories using regular expressions, allowing attackers to impersonate victims.
PupkinStealer captures a 1920×1080 screenshot of the victim's desktop, saving it as a .jpg file for exfiltration.
All stolen data is compressed into a ZIP archive with embedded metadata (username, public IP, and Windows Security Identifier) and sent to an attacker-controlled Telegram bot via a crafted Bot API URL.
Technical Analysis
PupkinStealer is a 32-bit GUI-based Windows executable with a file size of 6.21 MB (SHA-256 hash omitted). Written in .NET and built for AnyCPU, it runs in both x86 and x64 environments; the PE32 header simply reflects the AnyCPU .NET build, which the CLR loads as a 64-bit process on x64 systems.
The malware uses the Costura library to embed compressed DLLs, which produces a high entropy value (7.998) in its .text section despite the absence of traditional packing. The embedded assemblies are stored as compressed resources and loaded at runtime by a module initializer, so entropy-based packer heuristics will flag the file even though there is no packer stub to unpack.
Upon execution, the .NET runtime initializes the Common Language Runtime (CLR) and calls the malware's Main() method, which orchestrates asynchronous tasks for data harvesting. Key components include:
ChromiumPasswords class: handles credential extraction by creating browser-specific text files (e.g., Chrome.txt, Edge.txt) in a temporary directory (%TEMP%\[username]\Passwords) and decrypting passwords using AES-GCM.
FunctionsForStealer and FunctionsForDecrypt classes: retrieve and decrypt the browser keys from Local State files, enabling access to the encrypted passwords.
GrabberDesktop method: copies desktop files to a DesktopFiles directory, filtering by the predefined extensions and silently swallowing errors so that a failed copy neither aborts the run nor raises a dialog that would alert the user.
Telegram and Discord modules: locate and exfiltrate session data and authentication tokens, with Telegram's tdata folder copied recursively and Discord tokens extracted via regular expressions.
Screenshot and compression routines: capture the desktop screenshot and compress all stolen data into a ZIP archive using CP866 encoding and maximum compression (level 9). CP866 is the DOS Cyrillic code page, so non-ASCII file names inside the archive will appear garbled in tools that assume CP437 or UTF-8 unless they are re-decoded.
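The staging locations named above (a per-user Passwords directory with browser-named .txt dumps, a DesktopFiles directory, and a copied tdata folder) give a responder something concrete to look for on a suspected host. The following Python triage script is an added example and not CYFIRMA's or the malware's code. It assumes, as an illustration, that DesktopFiles and the tdata copy sit under the same %TEMP%\[username] working directory as Passwords; the report only places Passwords there. The infected-looking directory tree it checks is constructed in a temporary directory and deleted afterwards.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Desktop extensions the write-up says the grabber copies.
TARGET_EXTS = {".pdf", ".txt", ".sql", ".jpg", ".png"}


def find_staging_artifacts(temp_root: str, username: str) -> dict:
    """Look under <temp_root>/<username> for the staging layout described in the analysis.

    Read-only: it lists what is present and never modifies the host.
    """
    base = Path(temp_root) / username
    findings = {"root": str(base), "password_dumps": [], "desktop_files": [], "tdata_copy": False}

    pw_dir = base / "Passwords"
    if pw_dir.is_dir():  # e.g. Chrome.txt, Edge.txt per the report
        findings["password_dumps"] = sorted(p.name for p in pw_dir.glob("*.txt"))

    df_dir = base / "DesktopFiles"  # location under the user dir is an assumption of this example
    if df_dir.is_dir():
        findings["desktop_files"] = sorted(
            p.name for p in df_dir.iterdir() if p.is_file() and p.suffix.lower() in TARGET_EXTS
        )

    findings["tdata_copy"] = (base / "tdata").is_dir()  # same assumption about location
    findings["suspicious"] = bool(
        findings["password_dumps"] or findings["desktop_files"] or findings["tdata_copy"]
    )
    return findings


def build_sample_tree(root: str, username: str) -> Path:
    """Constructed fixture that mimics the staging directory; not data from a real infection."""
    base = Path(root) / username
    (base / "Passwords").mkdir(parents=True)
    (base / "Passwords" / "Chrome.txt").write_text("https://example.test | user | password\n")
    (base / "Passwords" / "Edge.txt").write_text("")
    (base / "DesktopFiles").mkdir()
    (base / "DesktopFiles" / "notes.txt").write_bytes(b"x")
    (base / "DesktopFiles" / "dump.sql").write_bytes(b"x")
    (base / "DesktopFiles" / "ignored.docx").write_bytes(b"x")  # not a targeted extension
    (base / "tdata").mkdir()
    return base


def demo() -> dict:
    """Build the fixture in a scratch directory, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="stealer-triage-")
    try:
        build_sample_tree(root, "victim")
        return find_staging_artifacts(root, "victim")
    finally:
        shutil.rmtree(root, ignore_errors=True)


def scan_current_user() -> dict:
    """Run the check against the live temp directory of the current user."""
    user = os.environ.get("USERNAME") or os.environ.get("USER", "")
    return find_staging_artifacts(tempfile.gettempdir(), user)


if __name__ == "__main__":
    print("fixture:", demo())
    print("this host:", scan_current_user())
```

A clean result from `scan_current_user()` does not clear the host: the stealer copies, zips and sends within one run, so the directory may already be gone. Pair the check with the USN journal or MFT for short-lived entries under %TEMP% and with the network indicators covered below.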
Exfiltration via Telegram
PupkinStealer exfiltrates data to a Telegram bot named botKanal (username: botkanalchik_bot), likely derived from the Russian word "kanal" (channel).
The bot receives the ZIP archives via the Telegram Bot API, with captions containing detailed victim information, including username, IP address, SID, and per-module success flags.
"The malware's attribution string, 'Coded by Ardent,' suggests a developer operating under this alias, with additional clues pointing to a possible Russian origin based on Russian-language text in related Telegram metadata," CYFIRMA told Cyber Security News.
The malware's simplicity and lack of advanced anti-analysis defenses make it an accessible tool for less sophisticated threat actors. It fits into a broader trend of modular, low-complexity infostealers available through malware-as-a-service models, enabling rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.
Mitigation Recommendations
PupkinStealer's straightforward design underscores the need for robust security practices to counter such threats. Organizations and individuals can reduce their risk by:
User awareness: exercise caution with files from untrusted sources and avoid clicking suspicious links, especially those promoting dubious software.
Antivirus and updates: deploy reputable antivirus solutions and ensure all software, including browsers and messaging apps, is regularly updated to patch vulnerabilities.
Network monitoring: monitor for unusual outbound traffic to the Telegram Bot API (api.telegram.org) or other atypical services, which may indicate data exfiltration. Telegram's own desktop and mobile clients do not use the Bot API, so Bot API requests from a workstation with no sanctioned integration deserve investigation.
Credential management: use a password manager rather than the browser's built-in store, and enable multi-factor authentication (MFA) on messaging platforms like Telegram and Discord. Note that MFA does not protect against a stolen live session: after a suspected infection, terminate all other Telegram sessions from the Active Sessions settings and change the Discord password so that the copied token is invalidated.
Security culture: foster a security-conscious environment through regular employee training on social engineering and malware risks.
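The network-monitoring recommendation can be made concrete with a simple rule over proxy logs. The following Python example is an added illustration, not code from CYFIRMA or from any vendor product. It parses constructed proxy log lines (the format is assumed: timestamp, client IP, HTTP method, URL, status, bytes sent), matches the Bot API path shape `/bot<bot id>:<secret>/<method>`, and rates upload methods such as sendDocument, the call that delivers a ZIP to a bot, higher than polling calls such as getUpdates. The token length range in the regex and the sample bot IDs and tokens are invented for the example; the bot ID is kept in the finding because it is what an abuse report to Telegram needs, while the secret is redacted so the log pipeline does not become a second leak.

```python
import re
from urllib.parse import urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<bot id>:<secret>/<method>; the secret length range is an assumption.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)/?$")
# Methods that carry a payload out; anything else (getUpdates, getMe, ...) is polling or setup.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}

# Constructed proxy log lines: timestamp, client IP, HTTP method, URL, status, bytes sent.
SAMPLE_LOG = """\
2025-05-02T10:14:03Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_abcdefghijklmnop/sendDocument?chat_id=987654321 200 6123456
2025-05-02T10:14:05Z 10.0.0.15 GET https://www.microsoft.com/ 200 1200
2025-05-02T10:15:00Z 10.0.0.22 GET https://api.telegram.org/bot2233445566:AAAnotherFakeToken_qrstuvwxyz0123456/getUpdates 200 300
2025-05-02T10:16:00Z 10.0.0.31 GET https://web.telegram.org/a/ 200 5000
"""


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, http_method, url, status, sent = parts
    return {"ts": ts, "src": src, "http_method": http_method, "url": url,
            "status": int(status), "bytes": int(sent)}


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id (needed for a takedown request) and only a hint of the secret."""
    return f"{bot_id}:{secret[:4]}..."


def classify(entry: dict):
    """Return a finding for Bot API traffic, or None if the request is not to the Bot API host."""
    url = urlsplit(entry["url"])
    if url.hostname != TELEGRAM_API_HOST:
        return None  # web.telegram.org and the MTProto client traffic are not the Bot API
    m = BOT_PATH_RE.match(url.path)
    if not m:
        return {**entry, "bot_id": None, "token": None, "api_method": None,
                "severity": "low", "reason": "request to Bot API host with unparsed path"}
    api_method = m.group("method")
    is_upload = api_method in UPLOAD_METHODS
    return {
        "ts": entry["ts"], "src": entry["src"], "http_method": entry["http_method"],
        "bytes": entry["bytes"], "bot_id": m.group("bot_id"),
        "token": redact_token(m.group("bot_id"), m.group("secret")),
        "api_method": api_method,
        "severity": "high" if is_upload else "medium",
        "reason": ("file upload to a Telegram bot (possible exfiltration)" if is_upload
                   else "Bot API use from an endpoint (possible C2 polling)"),
    }


def detect_telegram_exfil(log_text: str, allowlisted_bot_ids=()) -> list:
    """Scan log text and return findings, skipping bots the organisation has sanctioned."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding and finding["bot_id"] not in set(allowlisted_bot_ids):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["api_method"], f["token"], f["bytes"], "bytes:", f["reason"])
```

In production the same logic belongs in the proxy or SIEM rule language rather than a script, and the allowlist should hold the bot IDs of any approved integrations (alerting bots, chatops) so that the rule stays actionable. Because the Bot API is plain HTTPS, a proxy that does not terminate TLS will only see the SNI `api.telegram.org`; in that case the host match alone is still a useful medium-severity signal for workstations.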