PupkinStealer Targets Windows Users to Steal Browser Login Credentials

A newly identified information-stealing malware dubbed PupkinStealer has emerged as a significant threat to Windows users, with its first sightings reported in April 2025.

Written in C# using the .NET framework, this malicious software is engineered to pilfer sensitive data, including browser credentials, messaging app sessions from platforms like Telegram and Discord, desktop documents, and full-screen screenshots.

What sets PupkinStealer apart is its use of Telegram’s Bot API for data exfiltration. Uploads go over HTTPS to api.telegram.org, a legitimate and widely permitted service, so the traffic blends in with ordinary Telegram use and is not caught by domain-reputation or simple blocklist filtering.

This makes the malware’s outbound communications harder to detect and block than a connection to a bespoke command-and-control server would be: without TLS inspection, a network sensor sees only a TLS session to api.telegram.org, not the bot token or the sendDocument call carried in the URL path.

New C# Malware Abuses Telegram

Distributed as an unsigned .NET executable, PupkinStealer relies on social engineering tactics such as phishing emails, fake downloads, or instant messaging lures to trick victims into manually executing the malicious file.

Once launched, it runs a set of targeted collection routines concurrently: it decrypts and extracts saved logins from Chromium-based browsers such as Chrome, Edge, Opera, and Vivaldi, using the AES key stored in each browser’s Local State file (which it first unwraps with Windows DPAPI) to decrypt the entries in the browser’s Login Data database; it collects desktop files with extensions such as .pdf, .txt, .sql, .jpg, and .png; it copies Telegram Desktop’s tdata folder, which holds the session keys and therefore allows the account to be taken over from another machine; it extracts authentication tokens from Discord clients (standard, PTB, and Canary) out of their LevelDB local-storage files; and it captures a 1920×1080 JPEG screenshot of the victim’s desktop.

The stolen data is organized into separate subdirectories under %APPDATA%\Temp\[Username], compressed into a ZIP archive named [Username]@ardent.zip, and uploaded to an attacker-controlled Telegram bot with an HTTPS POST to the Bot API’s sendDocument method.

Metadata such as the victim’s IP address, username, and SID is sent along with the upload, giving the attacker context for follow-on exploitation.

Notably, the malware uses the Costura.Fody library to embed its dependencies as compressed resources inside the executable, which raises the entropy of the .text section; this is a rudimentary obfuscation side effect that can throw off entropy-based detection heuristics.

According to the Cybersec Sentinel report, attribution is tentative: a developer alias “Ardent” is inferred from embedded code strings and from the “@ardent.zip” file naming convention.

A Threat to Enterprise and Individual Users

Despite its lack of persistence mechanisms or advanced anti-analysis techniques, PupkinStealer’s focused functionality and stealthy exfiltration method make it a potent threat; the report rates it 6.5/10.

Its ability to steal credentials, session data, and personal files poses risks of account takeover, social engineering, and reputational or financial damage.

Mitigation requires a multi-layered approach: user education to avoid executing unexpected files, email filtering to block executable attachments, up-to-date antivirus and EDR tools with behavioral analysis, custom YARA rules for detection, 2FA enforcement on critical accounts, and log monitoring for ZIP archives created under %APPDATA%\Temp (in particular files named [Username]@ardent.zip) and for endpoint connections to api.telegram.org where Telegram is not a sanctioned application. One caveat on 2FA: stolen Telegram tdata folders and Discord tokens are already-authenticated sessions, so 2FA does not stop their reuse; affected users should also terminate all active sessions and rotate browser-saved passwords.
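The two items above that call for network monitoring, flagging the Bot API upload described in the exfiltration section and watching for connections to api.telegram.org, can be implemented as a small log-scanning script. The following Python is an added example written for this page; it is not code from the Cybersec Sentinel report, and nothing here is the malware’s own code. It assumes a simple whitespace-separated proxy log format (timestamp, client IP, user, HTTP verb, URL or host:port, status) that is constructed for the example, and it generalizes the token shape in the IoC table (numeric bot ID, colon, 35-character secret) into a regular expression. The sample log lines, token, and chat_id are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shape of a Telegram Bot API call: https://api.telegram.org/bot<token>/<method>?chat_id=...
# The token pattern (numeric bot id, a colon, then a long secret) is an assumption
# generalized from the single token listed in the IoC table on this page.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")

# Bot API methods that carry data out of the network; a stealer uses sendDocument.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Assumed proxy log line format (constructed for this example):
#   <timestamp> <client-ip> <user> <verb> <url-or-host:port> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_telegram_bot_request(url):
    """Return token/bot_id/method/chat_id for a Telegram Bot API URL.

    Returns None when the URL is not for api.telegram.org at all, and a dict with
    None values when it is, but the path is not a /bot<token>/<method> call."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    info = {"token": None, "bot_id": None, "method": None, "chat_id": None}
    m = BOT_PATH_RE.match(parts.path)
    if m:
        info["token"] = m.group("token")
        info["bot_id"] = m.group("token").split(":", 1)[0]
        info["method"] = m.group("method")
        info["chat_id"] = parse_qs(parts.query).get("chat_id", [None])[0]
    return info


def scan_proxy_log(lines):
    """Flag Telegram Bot API activity in proxy log lines.

    Full URLs (available only with TLS inspection) let us see the bot token and
    method, so uploads rate 'high'. A bare CONNECT to api.telegram.org hides the
    path and rates 'low': it still deserves a look where Telegram is not sanctioned."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        verb, url = m.group("verb"), m.group("url")
        base = {"line": n, "src": m.group("src"), "user": m.group("user")}
        if verb == "CONNECT" and url.split(":", 1)[0] == "api.telegram.org":
            findings.append({**base, "severity": "low", "bot_id": None, "method": None,
                             "chat_id": None, "reason": "TLS session to api.telegram.org; URL path not visible"})
            continue
        info = parse_telegram_bot_request(url)
        if info is None:
            continue
        if verb == "POST" and info["method"] in UPLOAD_METHODS:
            severity = "high"
            reason = f"upload via Bot API {info['method']} to chat_id {info['chat_id']}"
        elif info["token"]:
            severity = "medium"
            reason = f"Bot API call {info['method']} (bot id {info['bot_id']})"
        else:
            severity = "low"
            reason = "request to api.telegram.org outside the Bot API path"
        findings.append({**base, "severity": severity, "reason": reason, "bot_id": info["bot_id"],
                         "method": info["method"], "chat_id": info["chat_id"]})
    return findings


# Constructed sample log; the token and chat_id below are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2025-04-14T10:02:11Z 10.0.0.25 jsmith GET https://www.example.com/index.html 200",
    "2025-04-14T10:02:13Z 10.0.0.25 jsmith CONNECT api.telegram.org:443 200",
    "2025-04-14T10:02:14Z 10.0.0.25 jsmith POST https://api.telegram.org/bot1234567890:AAEconstructedExampleTokenxxxxxxxxxxxx/sendDocument?chat_id=1111111111&caption=jsmith 200",
    "2025-04-14T10:05:40Z 10.0.0.31 agarcia GET https://web.telegram.org/a/ 200",
    "2025-04-14T10:06:02Z 10.0.0.31 agarcia GET https://api.telegram.org/bot1234567890:AAEconstructedExampleTokenxxxxxxxxxxxx/getMe 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} [{f['severity']:<6}] {f['src']} {f['user']}: {f['reason']}")
```

Run against the sample log, the script reports the CONNECT as low, the sendDocument POST as high (with the bot ID and chat_id extracted, which is what you would pivot on across other hosts), and the getMe call as medium; the web.telegram.org line is ignored because it is the ordinary web client, not the Bot API. The high-severity path depends on TLS inspection; where that is absent, the CONNECT or DNS/SNI signal for api.telegram.org is all you get, and the sensible rule is to baseline which hosts legitimately use Telegram and alert on the rest.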

PupkinStealer exemplifies a growing trend of malware abusing trusted cloud services for command-and-control and data theft, underscoring the need for robust endpoint security and validated threat intelligence. The latter point is illustrated by the correction of an earlier misattribution: the domain instance-i4zsy0relay[.]screenconnect.com is unrelated to this campaign and should not be used as an indicator for it.

Indicators of Compromise (IoCs)

Type                Value
MD5                 fc99a7ef8d7a2028ce73bf42d3a95bce
SHA-256             9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
URL                 https[:]//api[.]telegram[.]org/bot[BotToken]/sendDocument?chat_id=7613862165&caption
Telegram Bot Token  8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM
File Paths          %APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt, etc.
