PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some reports), has surfaced as a significant cyber threat, targeting sensitive data such as web browser passwords and application session tokens.

First observed in the wild around April 2025, this malware is believed to have roots in Russian-speaking cybercrime communities, with indicators like a Telegram bot bearing a Russian name and embedded strings referencing a developer alias “Ardent.”

Drawing inspiration from open-source stealers like StormKitty, PupkinStealer is designed for quick, high-impact data theft, primarily exfiltrating stolen information via Telegram’s Bot API.

Its ease of customization and availability make it a favored tool among low-skilled cybercriminals seeking financial gain by harvesting credentials from a broad range of victims, from individual users to enterprise employees.

Emerging Threat Targets Sensitive User Data

PupkinStealer employs a range of tactics mapped to the MITRE ATT&CK framework, beginning with initial access through phishing and social engineering, often disguised as legitimate files in trojanized downloads or cracked software.

Once executed, the .NET executable (typically named PupkinStealer.exe or PlutoniumLoader.exe) leverages asynchronous tasks to steal data rapidly, targeting Chromium-based browsers like Chrome and Edge for saved credentials, hijacking Telegram and Discord session tokens, and capturing desktop files and screenshots.

Notably, it lacks persistence mechanisms, opting for a “smash-and-grab” approach that minimizes its footprint by avoiding registry modifications or scheduled tasks.

To evade detection, it terminates processes like browsers and Telegram to access locked files and uses Costura.Fody to embed dependencies, inflating binary entropy and potentially bypassing simplistic antivirus checks.
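The entropy point above is a practical triage check: a .NET binary that has had its dependencies merged in with Costura.Fody carries compressed assemblies as resources, and those regions look like random bytes. The script below is an added example, not code from the report or from any vendor, that computes Shannon entropy over a whole byte string and over fixed windows so an analyst can see where the dense regions sit. The 7.2 threshold and the 4 KiB window are assumptions chosen for illustration, and the sample "binary" is constructed inline.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy of each consecutive window; a run of near-8.0 windows is what an embedded compressed payload looks like."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


HIGH_ENTROPY = 7.2  # assumed triage threshold; ordinary code and data sections usually sit well below it


def triage(data: bytes, window: int = 4096) -> dict:
    """Summarise overall entropy and the offsets (window indices) of dense regions worth unpacking first."""
    per_window = window_entropy(data, window)
    dense = [i for i, e in enumerate(per_window) if e >= HIGH_ENTROPY]
    return {
        "overall": round(shannon_entropy(data), 3),
        "windows": len(per_window),
        "dense_windows": dense,
        "dense_ratio": len(dense) / len(per_window) if per_window else 0.0,
        "flag": bool(dense),
    }


def triage_file(path: str, window: int = 4096) -> dict:
    """Convenience wrapper for a file on disk (e.g. a quarantined sample)."""
    with open(path, "rb") as fh:
        return triage(fh.read(), window)


# Constructed stand-in for a binary: 4 KiB of a constant run (a low-entropy section)
# followed by 4 KiB of uniformly distributed bytes (how an embedded compressed DLL looks).
SAMPLE_BINARY = b"A" * 4096 + bytes(range(256)) * 16

if __name__ == "__main__":
    print(triage(SAMPLE_BINARY))
```

Whole-file entropy alone is a weak signal, because a large uncompressed binary with one embedded archive averages out; the per-window view is what separates "has a packed region" from "is entirely packed", and a handful of dense windows in an otherwise ordinary .NET executable is exactly the Costura.Fody profile described above.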

Sophisticated Tactics for Stealthy Exfiltration

Its exfiltration method is particularly stealthy, utilizing Telegram’s API over HTTPS to upload a compressed ZIP archive containing stolen data to an attacker-controlled chat, blending into legitimate traffic on port 443.

According to the Picus Security report, this abuse of a trusted platform for command-and-control and data delivery highlights a growing trend among malware authors to leverage popular services for anonymity and operational simplicity.

The impact of PupkinStealer is underscored by its ability to extract a wealth of sensitive information in seconds, including plaintext passwords decrypted using Windows DPAPI, session files that bypass multi-factor authentication, and contextual metadata like usernames and IP addresses embedded in exfiltrated archives.

Defenders are urged to implement multi-layered strategies, including user awareness training to prevent execution, behavioral monitoring to detect anomalous process terminations, and network traffic analysis for outbound connections to api.telegram.org.

Indicators of compromise (IOCs) such as specific file hashes, temporary directory structures like GrabbersBrowserpasswords.txt, and hardcoded Telegram bot tokens provide critical signatures for identifying infections.

Swift incident response, including host isolation and credential resets, is essential to mitigate damage post-detection.

Indicators of Compromise (IOCs)

SHA-256 Hash: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
MD5 Hash: fc99a7ef8d7a2028ce73bf42d3a95bce
File Names: PupkinStealer.exe, PlutoniumLoader.exe
Filesystem Artifacts: GrabbersBrowserpasswords.txt, GrabbersTelegramSession*, [Username]@ardent.zip in %TEMP%
Network Indicator: Traffic to api.telegram.org/bot8013735771:AAE_UrTgQs…/sendDocument?chat_id=7613862165
Notable Strings: “Coded by Ardent”, botkanalchik_bot
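The defensive measures the report recommends (monitoring outbound traffic to api.telegram.org, watching for anomalous browser and messenger process terminations, and matching the IOCs above) can be combined into a single log-review pass. The script below is an added example written for this page, not tooling from the report or from Picus Security. The hashes, file names and chat id are taken from the IOC table; the log format, the bot token in the sample line, and the log lines themselves are constructed for the example.

```python
import re

# Indicators copied from the report's IOC table; everything else in this file is constructed.
KNOWN_HASHES = {
    "9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f",  # SHA-256
    "fc99a7ef8d7a2028ce73bf42d3a95bce",                                   # MD5
}
KNOWN_FILENAMES = {"pupkinstealer.exe", "plutoniumloader.exe"}
KNOWN_CHAT_IDS = {"7613862165"}
STAGING_ARCHIVE_SUFFIX = "@ardent.zip"
# Processes the stealer kills to unlock profile databases and session files.
KILL_TARGETS = {"chrome.exe", "msedge.exe", "telegram.exe", "discord.exe"}

# Telegram Bot API upload endpoint: /bot<id>:<token>/sendDocument. Matched loosely so a truncated token still hits.
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[\w-]*)/(?P<method>sendDocument|sendMessage)", re.I)
CHAT_ID_RE = re.compile(r"chat_id=(\d+)")


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' log line; the first token is the timestamp."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for tok in parts[1:]:
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def analyze_line(line: str) -> list:
    """Return a list of (rule, detail) findings for one log line."""
    ev = parse_kv(line)
    findings = []

    # Network: any Bot API upload from a workstation is worth a look; a known chat id makes it high severity.
    url = ev.get("url", "")
    m = TELEGRAM_BOT_RE.search(url)
    if m:
        chat = CHAT_ID_RE.search(url)
        chat_id = chat.group(1) if chat else None
        sev = "high" if chat_id in KNOWN_CHAT_IDS else "medium"
        findings.append(("telegram_bot_upload",
                         f"{sev}: bot {m.group('bot_id')} {m.group('method')} chat_id={chat_id}"))

    # Host: known file names on process creation, known hashes on any event.
    image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if ev.get("event") == "process_create" and image in KNOWN_FILENAMES:
        findings.append(("known_filename", image))
    for h in ("sha256", "md5"):
        if ev.get(h, "").lower() in KNOWN_HASHES:
            findings.append(("known_hash", ev[h]))

    # Behaviour: a browser or messenger being terminated by another process, and the staging archive in %TEMP%.
    if ev.get("event") == "process_terminate" and ev.get("target", "").lower() in KILL_TARGETS:
        findings.append(("browser_or_messenger_killed", f"{ev['target']} by {image}"))
    if ev.get("event") == "file_create" and ev.get("path", "").lower().endswith(STAGING_ARCHIVE_SUFFIX):
        findings.append(("staging_archive", ev["path"]))
    return findings


def analyze(lines) -> list:
    """Run every rule over every line and return the hits with their timestamps."""
    hits = []
    for line in lines:
        for rule, detail in analyze_line(line):
            hits.append({"ts": parse_kv(line)["ts"], "rule": rule, "detail": detail})
    return hits


# Constructed EDR/proxy events in key=value form; the bot token is a placeholder, not a real token.
SAMPLE_LOG = [
    r"2025-04-20T10:00:58Z host=WS-17 event=process_create image=C:\Users\alice\Downloads\PlutoniumLoader.exe sha256=9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f",
    r"2025-04-20T10:00:59Z host=WS-17 event=process_terminate image=C:\Users\alice\Downloads\PlutoniumLoader.exe target=chrome.exe",
    r"2025-04-20T10:01:01Z host=WS-17 event=file_create image=C:\Users\alice\Downloads\PlutoniumLoader.exe path=C:\Users\alice\AppData\Local\Temp\alice@ardent.zip",
    r"2025-04-20T10:01:02Z host=WS-17 event=http method=POST url=https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN/sendDocument?chat_id=7613862165 status=200",
    r"2025-04-20T10:05:00Z host=WS-17 event=http method=GET url=https://www.example.com/index.html status=200",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

The hash and file-name rules only catch this exact build; the behavioural rules (a non-browser process killing chrome.exe or telegram.exe, a zip created under %TEMP% just before a POST to the Bot API) are what survive a recompile, which matters for a stealer that the report describes as easy to customise.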
