PupkinStealer Emerges as New .NET Malware Threat Targeting Browser and Messaging Data

Threat Group: Ardent (tentative attribution)
Threat Type: Information Stealer
Exploited Vulnerabilities: None (requires user execution)
Malware Used: PupkinStealer
Threat Score: 🔶 Elevated (6.5/10) – Due to effective data theft techniques, reliance on trusted platforms like Telegram for exfiltration, and potential for privacy breaches across enterprise and personal systems.
Last Threat Observation: May 13, 2025
Overview
PupkinStealer is a newly discovered information-stealing malware written in C# using the .NET framework. First observed in April 2025, it targets Windows systems and is engineered to extract browser credentials, messaging sessions (Telegram, Discord), desktop documents, and screenshots. It uses Telegram’s Bot API to exfiltrate stolen data, a tactic that leverages encrypted and trusted infrastructure, making detection via traditional network filtering tools difficult.
Key functionality includes decrypting Chromium browser credentials, copying documents with specific file extensions from the desktop, capturing Telegram session data by stealing the tdata folder, extracting Discord authentication tokens, and taking a full-screen screenshot. The stolen data is compressed into a single ZIP archive and sent to an attacker-controlled Telegram bot.
Attribution is tentatively assigned to a developer using the alias “Ardent”, based on embedded code strings and the naming convention of exfiltrated files (e.g., username@ardent.zip). PupkinStealer lacks persistence and sophisticated anti-analysis techniques, making it relatively simple but still dangerous due to its targeted focus and stealthy exfiltration methods.
Importantly, this report corrects a prior misattribution: the domain instance-i4zsy0relay[.]screenconnect.com is not associated with PupkinStealer and instead belongs to separate campaigns leveraging ConnectWise ScreenConnect.
Key Details
Delivery Method:
Distributed as an unsigned .NET executable requiring manual execution, typically through phishing emails, fake downloads, or instant messaging lures.
Target:
Windows users in both enterprise and individual contexts.
Core Functions:
- Credential Theft: Decrypts and extracts saved logins from Chromium-based browsers (e.g., Chrome, Edge, Opera, Vivaldi) using the AES key stored in the browser's Local State file, which is itself protected with Windows DPAPI.
- Desktop File Collection: Copies documents from the user’s desktop with .pdf, .txt, .sql, .jpg, and .png extensions.
- Telegram Session Hijack: Exfiltrates the Telegram tdata folder to steal session tokens, allowing account takeover.
- Discord Token Theft: Extracts LevelDB tokens from standard/PTB/Canary Discord clients.
- Screenshot Capture: Captures a 1920x1080 JPEG image of the desktop.
Obfuscation:
Uses the Costura.Fody library to embed its dependencies as compressed resources, which raises the entropy of the executable's .text section and can mislead entropy-based packer heuristics.
Execution Pattern:
Upon launch, PupkinStealer asynchronously executes all functions and stores stolen data in %APPDATA%\Temp\[Username]\ under distinct directories (Grabbers\Browser, TelegramSession, Discord, Screenshot, etc.). It then compresses these into a ZIP file named [Username]@ardent.zip.
Exfiltration:
Uses the Telegram Bot API: the ZIP is uploaded with an HTTPS POST to the sendDocument endpoint, and metadata such as the victim's IP address, username, and SID is included in the upload caption. Sample bot: botKanal, with token 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM.
Attack Vectors
- User Execution: No exploits are used—initial access relies solely on the victim executing a malicious file.
- Data Harvesting: Concurrent collection of credentials, tokens, documents, and screenshots.
- Session Hijacking: Stolen Telegram session files and Discord tokens let the attacker use the accounts without the password or a second factor.
- Zipping and Staging: Gathers all stolen content into a temp folder and compresses it into a uniquely named archive.
- Exfiltration: Sends the ZIP to a Telegram bot using a hardcoded bot token and chat ID.
Known Indicators of Compromise (IoCs)
MD5
fc99a7ef8d7a2028ce73bf42d3a95bce
SHA-256
9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
URL
https[:]//api[.]telegram[.]org/bot[BotToken]/sendDocument?chat_id=7613862165&caption
Telegram Bot Token
8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM
File Paths
%APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt
%APPDATA%\Temp\[Username]\Grabbers\TelegramSession\*
%APPDATA%\Temp\[Username]\Grabbers\Discord\Tokens.txt
%APPDATA%\Temp\[Username]\Grabbers\Screenshot\Screen.jpg
%APPDATA%\Temp\[Username]\DesktopFiles\*
%APPDATA%\Temp\[Username]\[Username]@ardent.zip
Mitigation and Prevention
User Awareness:
- Avoid executing files from unknown sources
- Recognize phishing emails and spoofed download links
Email Filtering:
- Block attachments with executable content
- Use sandbox analysis on inbound files
Antivirus & EDR:
- Use updated AV/EDR tools with behavioral analysis
- Deploy custom YARA rules for PupkinStealer samples
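A static triage helper for the custom-rule point above, added here as an example and not code from the report or its sources. It checks a file's SHA-256 against the IoC list and searches for the report's indicator strings in both ASCII and UTF-16LE, because C# string literals are stored as UTF-16 inside a .NET assembly and an ASCII-only search for "ardent" misses them. The indicator list, the bot-token shape (`<bot id>:<35 characters>`) and the constructed stand-in sample are assumptions drawn from the report; which strings survive verbatim in a given build is not verified.

```python
"""Static triage of a suspected PupkinStealer sample.

Added example (not code from the report or its sources). Strings in a .NET
assembly are stored as UTF-16LE, so every indicator is searched in both
encodings; the indicator list and the bot-token shape are assumptions taken
from the report's IoC section.
"""
import hashlib
import re

# SHA-256 from the report's IoC list.
KNOWN_SHA256 = {"9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f"}

# Strings taken from the report (archive name, staging paths, exfil endpoint,
# embedding library). Which of them appear verbatim in a given build is an
# assumption, so treat hits as triage signal, not proof.
INDICATOR_STRINGS = [
    "@ardent.zip",
    "api.telegram.org",
    "sendDocument",
    "TelegramSession",
    "Tokens.txt",
    "passwords.txt",
    "Costura",
]

# Telegram bot tokens look like <bot id>:<35 chars of [A-Za-z0-9_-]>. No leading
# \b, because in the upload URL the token directly follows the literal "bot".
TOKEN_PATTERN = r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"
TOKEN_RE_BYTES = re.compile(TOKEN_PATTERN.encode("ascii"))
TOKEN_RE_TEXT = re.compile(TOKEN_PATTERN)


def find_indicators(data: bytes) -> dict:
    """Map each indicator string to the encodings it was found in."""
    hits = {}
    for s in INDICATOR_STRINGS:
        encodings = []
        if s.encode("ascii") in data:
            encodings.append("ascii")
        if s.encode("utf-16-le") in data:
            encodings.append("utf-16le")
        if encodings:
            hits[s] = encodings
    return hits


def find_bot_tokens(data: bytes) -> list:
    """Extract anything shaped like a bot token, in ASCII or UTF-16LE."""
    found = {m.group(0).decode("ascii") for m in TOKEN_RE_BYTES.finditer(data)}
    # A UTF-16LE string may start at an odd offset, so decode from both
    # alignments; the misaligned pass only yields garbage that cannot match.
    for start in (0, 1):
        text = data[start:].decode("utf-16-le", errors="ignore")
        found.update(TOKEN_RE_TEXT.findall(text))
    return sorted(found)


def triage(data: bytes) -> dict:
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "sha256": sha256,
        "known_sample": sha256 in KNOWN_SHA256,
        "indicators": find_indicators(data),
        "bot_tokens": find_bot_tokens(data),
    }


# Constructed stand-in for a sample: strings laid out as a C# compiler stores
# them (UTF-16LE), one ASCII string, and 7 bytes of padding so the token starts
# at an odd offset. The token is the one published in the report's IoC list.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + "@ardent.zip".encode("utf-16-le") + b"\x00\x00"
    + "api.telegram.org".encode("utf-16-le") + b"\x00\x00"
    + b"sendDocument"
    + b"\x00" * 7
    + "8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM".encode("utf-16-le")
    + b"\x00" * 32
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it on a real file by replacing SAMPLE with the file's bytes. A recovered bot token is worth more than the hash: the hash changes with every rebuild, while the token identifies the operator's bot and can be pivoted on across samples.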
2FA:
- Require 2FA on Discord, Telegram, email, and admin accounts
Log Monitoring:
- Alert on ZIP file creation in Temp folders
- Detect outbound connections to api.telegram.org from unknown executables
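The two Log Monitoring items above, plus the upload URL from the IoC list, as detection logic run over constructed endpoint telemetry. This is an added example, not code from the report or its sources: the event shapes imitate Sysmon Event ID 11 (file create), Event ID 3 (network connect) and a web-proxy URL log, and the field names, the process allowlist and the sample events are assumptions to adapt to your own sensors.

```python
"""Detections for ZIP staging in Temp and Telegram Bot API exfiltration.

Added example (not code from the report or its sources). Event shapes imitate
Sysmon Event ID 11 (file create), Event ID 3 (network connect) and a web-proxy
URL log; field names, the process allowlist and the sample events are
assumptions to adapt to your own sensors.
"""
import re
from pathlib import PureWindowsPath

# Processes expected to reach api.telegram.org (assumption: tune per environment).
TELEGRAM_ALLOWLIST = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Any ZIP written under a \Temp\ path segment; covers both %APPDATA%\Temp as
# named in the report and %LOCALAPPDATA%\Temp.
ZIP_IN_TEMP = re.compile(r"\\temp\\.*\.zip$", re.IGNORECASE)
# The report's archive naming convention, [Username]@ardent.zip.
ARDENT_ZIP = re.compile(r"@ardent\.zip$", re.IGNORECASE)
# The upload URL from the IoC list: /bot<token>/sendDocument?chat_id=<id>.
BOT_UPLOAD = re.compile(
    r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{35})/sendDocument\?chat_id=(\d+)"
)


def check_file_create(ev: dict):
    path = ev["TargetFilename"]
    if not ZIP_IN_TEMP.search(path):
        return None
    severity = "high" if ARDENT_ZIP.search(path) else "low"
    return {"rule": "zip_staged_in_temp", "severity": severity,
            "image": ev["Image"], "path": path}


def check_network(ev: dict):
    if ev.get("DestinationHostname", "").lower() != "api.telegram.org":
        return None
    image = PureWindowsPath(ev["Image"]).name.lower()
    if image in TELEGRAM_ALLOWLIST:
        return None
    return {"rule": "telegram_api_from_unexpected_process", "severity": "medium",
            "image": ev["Image"], "port": ev.get("DestinationPort")}


def check_proxy_url(ev: dict):
    # The path is only visible where TLS is inspected; otherwise the proxy
    # sees the hostname alone and only check_network applies.
    m = BOT_UPLOAD.search(ev["url"])
    if not m:
        return None
    return {"rule": "telegram_bot_upload", "severity": "high",
            "client": ev["client"], "bot_token": m.group(1), "chat_id": m.group(2)}


HANDLERS = {"file_create": check_file_create,
            "network_connect": check_network,
            "proxy_url": check_proxy_url}


def run_detections(events):
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev["type"])
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events: one staging archive, one benign archive, one unrelated
# file, one connection from an unknown binary, one from an allowed client,
# and one proxy record of the upload (token and chat_id from the IoC list).
EVENTS = [
    {"type": "file_create", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Temp\alice\alice@ardent.zip"},
    {"type": "file_create", "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\backup.zip"},
    {"type": "file_create", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"type": "network_connect", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"type": "network_connect", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"type": "proxy_url", "client": "10.0.0.12",
     "url": "https://api.telegram.org/bot8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM"
            "/sendDocument?chat_id=7613862165&caption=alice"},
]

if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The ZIP rule is deliberately two-tiered: a generic ZIP in Temp is noisy (archivers and installers do it constantly), so it is only raised to high when the name matches the report's @ardent.zip convention, while the Telegram rules carry weight on their own because the sensitive part is the process or client that made the request, not the destination.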
Patching:
- Update OS, browsers, and .NET runtime libraries
Risk Assessment
Threat Score: 🔶 Elevated (6.5/10)
High-Risk Factors:
- Exfiltration over api.telegram.org blends in with legitimate Telegram traffic, so domain-based blocklists rarely stop it
- Effectively steals credentials, files, and session data
Moderating Factors:
- No persistence mechanisms
- Requires direct execution by the user
Potential Impacts:
- Credential theft and account takeover
- Breach of personal/corporate files and images
- Session hijacks for social engineering or impersonation
- Reputational and financial loss
Conclusion
PupkinStealer is a capable .NET-based stealer that exemplifies a growing class of malware abusing trusted cloud services for C2 and data exfiltration. Its reliance on user execution and lack of persistence slightly reduce its operational lifespan, but its use of Telegram’s API allows it to operate under the radar in many environments.
Organisations must adopt layered defence strategies, including endpoint detection, user education, and 2FA enforcement. Correcting previous IoC errors—like the misattributed ConnectWise domain—also demonstrates the critical need for thorough threat intelligence validation.
Sources:
- CYFIRMA – PupkinStealer: A .NET-Based Info-Stealer: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/
- CyberNoz – PupkinStealer Malware Uses Telegram for Exfiltration: https://cybernoz.com/pupkinstealer-a-new-net-based-malware-steals-browser-credentials-exfiltrate-via-telegram/
- Hendry Adrian – PupkinStealer Technical Breakdown: https://www.hendryadrian.com/pupkinstealer-a-net-based-info-stealer/
- MalwareBazaar – PupkinStealer Malware Samples: https://bazaar.abuse.ch/browse/signature/PupkinStealer/
Note: All detection queries and blocklists should be adapted for your environment and validated against legitimate Telegram usage.