“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram
A new information-stealing malware dubbed “PupkinStealer” has emerged as a threat to both individuals and enterprises.
Written in C# on the .NET framework, this 32-bit Windows executable (built as a GUI application so no console window is shown) targets a narrow set of sensitive user data rather than attempting broad system compromise.
First observed in April 2025, PupkinStealer harvests browser credentials, personal files from the desktop, session data from messaging platforms (Telegram and Discord), and a desktop screenshot.
What makes the malware notable is its exfiltration channel: it uses the Telegram Bot API to deliver the stolen data to an attacker-controlled Telegram chat, so the traffic is ordinary HTTPS to a legitimate service and the attacker never has to operate a server of their own.

A New Threat in the Cyber Landscape
PupkinStealer, a 6.21 MB file identified by the MD5 hash fc99a7ef8d7a2028ce73bf42d3a95bce, launches several asynchronous tasks as soon as it runs.
Its Main() method, executed by the .NET Common Language Runtime (CLR), drives the data theft through separate modules, one per data source.
The browser module targets Chromium-based browsers such as Chrome, Edge, and Opera: it reads the DPAPI-protected AES key from each browser's Local State file, unwraps it in the victim's own user context, and uses it to decrypt the AES-256-GCM-encrypted passwords held in the browser's SQLite credential database.
A second module scans the victim's desktop for files with extensions such as .pdf, .txt, and .jpg and copies them to a temporary directory.
The messaging module copies Telegram's ‘tdata’ folder, which holds the desktop client's session state and lets the attacker log in as the victim without knowing the password, and pulls Discord tokens out of the client's leveldb storage with regular expressions, giving the same kind of impersonation access.
Technical Breakdown of Malicious Operations
A screenshot of the primary display is captured at 1920×1080 resolution and, together with all collected data, packed into a ZIP archive whose embedded metadata records the username, public IP address, and Security Identifier (SID).
According to Cyfirma's report, the archive, typically named in the form [Username]@ardent.zip, is uploaded through a crafted Telegram Bot API URL to a bot identified as ‘botkanalchik_bot’, with detailed system information placed in the upload's caption.
Attributed to a developer using the alias “Ardent”, as evidenced by strings embedded in the code, PupkinStealer has no advanced obfuscation and no persistence mechanism; it runs once, collects, uploads, and relies on its low profile to avoid attention.
Its use of a legitimate service like Telegram as the exfiltration channel reflects a broader trend among cybercriminals who favour anonymity and ease of use over custom infrastructure.
As one of many modular infostealers now in circulation, PupkinStealer illustrates how simple and accessible malware-as-a-service offerings have become, and how much of the threat lies in the ordinary-looking traffic they generate.
Organizations are urged to combine endpoint protection that watches for processes reading browser credential stores and messaging-client session data, network monitoring that surfaces uploads to api.telegram.org from hosts with no business reason to use it, and user awareness training. After a confirmed infection, saved browser passwords should be reset and the victim's Telegram sessions and Discord tokens revoked, since the stolen copies remain valid until they are.
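Because the exfiltration URL in the IoCs carries the bot token and chat_id in the clear, the upload is easy to recognise wherever the full URL is visible (a TLS-inspecting proxy, EDR network telemetry, or a sandbox). The Go program below is an added detection example written for this article, not part of the report or the malware: it runs a Bot API upload detector over a handful of constructed proxy log lines, extracts the destination chat_id and the bot id, and masks the secret half of the token before it is written to a ticket. The token shape (numeric bot id, colon, 35 URL-safe characters) is assumed from the public format of Telegram bot tokens, and the list of upload methods is this example's choice.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hit is one suspected Telegram Bot API upload found in a log line.
type Hit struct {
	LineNo int
	Method string // sendDocument, sendPhoto, ...
	BotID  string // numeric part of the token; safe to put in a report
	Token  string // full token: treat as a credential, it grants access to the attacker's bot
	ChatID string // destination chat, the attacker-controlled end of the channel
}

// botCall matches a Bot API URL and captures the token, the method and the query string.
// Only send* methods are of interest: getMe, getUpdates etc. are not uploads.
var botCall = regexp.MustCompile(`https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(send\w+)(\?[^\s"']*)?`)

// chatParam pulls chat_id out of the captured query string.
var chatParam = regexp.MustCompile(`[?&]chat_id=(\d+)`)

// ScanLines runs the detector over raw log lines and returns every hit in order.
func ScanLines(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		m := botCall.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		h := Hit{LineNo: i + 1, Token: m[1], Method: m[2]}
		h.BotID, _, _ = strings.Cut(m[1], ":")
		if c := chatParam.FindStringSubmatch(m[3]); c != nil {
			h.ChatID = c[1]
		}
		hits = append(hits, h)
	}
	return hits
}

// Redact keeps the bot id and masks the secret so the token can be quoted safely.
func Redact(token string) string {
	id, _, ok := strings.Cut(token, ":")
	if !ok {
		return "****"
	}
	return id + ":****"
}

// sampleLog is constructed for this example; the token, chat_id and hosts are fake.
var sampleLog = []string{
	`2025-04-18T10:02:11Z src=10.0.0.25 method=GET url=https://www.bing.com/search?q=weather status=200`,
	`2025-04-18T10:02:13Z src=10.0.0.25 method=POST url=https://api.telegram.org/bot1234567890:AAFfakefakefakefakefakefakefakefake/sendDocument?chat_id=1112223334&caption=user%40host status=200`,
	`2025-04-18T10:02:14Z src=10.0.0.25 method=GET url=https://api.telegram.org/bot1234567890:AAFfakefakefakefakefakefakefakefake/getMe status=200`,
	`2025-04-18T10:05:00Z src=10.0.0.31 method=GET url=https://discord.com/api/v9/users/@me status=401`,
}

func main() {
	for _, h := range ScanLines(sampleLog) {
		fmt.Printf("line %d: %s to chat_id=%s via bot %s\n", h.LineNo, h.Method, h.ChatID, Redact(h.Token))
	}
}
```

Where only DNS or SNI is visible, the same logic collapses to "host with no legitimate Telegram use resolved api.telegram.org", which is weaker but still worth an alert on servers and locked-down workstations. A recovered token and chat_id are also actionable: Telegram's abuse channel can suspend the bot, which cuts the exfiltration path for every victim of that build.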
Indicators of Compromise (IoCs)
| S/N | Indicator | Type | Context |
|---|---|---|---|
| 1 | fc99a7ef8d7a2028ce73bf42d3a95bce | MD5 | PupkinStealer.exe |
| 2 | 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f | SHA-256 | PupkinStealer.exe |
| 3 | https[:]//api[.]telegram[.]org/bot[BotToken]/sendDocument?chat_id=7613862165&caption | URL | Telegram Bot API exfiltration URL |
| 4 | 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM | Telegram Bot Token | Bot token used for exfiltration |
| 5 | %APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt | File Path | Collected browser credentials |