“PupkinStealer” A New .NET-Based Malware Steals Browser Credentials & Exfiltrates via Telegram

A newly identified information-stealing malware, dubbed PupkinStealer, has been developed in C# using the .NET framework. This lightweight yet effective malware targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots.
According to a detailed CYFIRMA analysis shared with Cyber Security News, PupkinStealer leverages Telegram’s Bot API for stealthy data exfiltration, underscoring the growing trend of exploiting legitimate platforms for malicious purposes.
First observed in April 2025, PupkinStealer is a straightforward infostealer that targets a curated set of data, distinguishing it from more indiscriminate malware.
Its reliance on Telegram for command-and-control aligns with the rising popularity of this platform among cybercriminals due to its anonymity and ease of use. CYFIRMA attributes the malware to a developer known as “Ardent,” based on embedded code strings.
Key Features and Capabilities
PupkinStealer is designed for rapid data harvesting and operates with minimal obfuscation or persistence mechanisms, prioritizing quick execution over long-term stealth. Its primary capabilities include:
- Browser credential theft: The malware extracts and decrypts saved login credentials from Chromium-based browsers, such as Google Chrome, Microsoft Edge, Opera, Opera GX, and Vivaldi. It retrieves decryption keys from the browsers’ Local State files and uses the Windows Data Protection API to decrypt passwords stored in SQLite-based Login Data databases.
- Desktop file collection: PupkinStealer scans the victim’s desktop for files with specific extensions (.pdf, .txt, .sql, .jpg, .png) and copies them to a temporary directory for exfiltration.
- Messaging app session theft: The malware targets Telegram by copying the tdata folder, which contains session files that enable account access without credentials. It also extracts Discord authentication tokens from leveldb directories using regular expressions, allowing attackers to impersonate victims.
- Screenshot capture: PupkinStealer captures a 1920×1080 screenshot of the victim’s desktop, saving it as a .jpg file for exfiltration.
- Exfiltration: All stolen data is compressed into a ZIP archive with embedded metadata (username, public IP, and Windows Security Identifier) and sent to an attacker-controlled Telegram bot via a crafted API URL.
Technical Analysis
PupkinStealer is a 32-bit GUI-based Windows executable with a file size of 6.21 MB. Written in .NET with the AnyCPU architecture, it is compatible with both x86 and x64 environments.
The malware uses the Costura library to embed compressed DLLs, contributing to a high entropy value (7.998) in its .text section, despite lacking traditional packing.
Upon execution, the .NET runtime initializes the Common Language Runtime (CLR) and calls the malware’s Main() method, which orchestrates asynchronous tasks for data harvesting. Key components include:
- ChromiumPasswords Class: Handles credential extraction by creating browser-specific text files (e.g., Chrome.txt, Edge.txt) in a temporary directory (%TEMP%\[username]\Passwords) and decrypting passwords using AES-GCM.
- FunctionsForStealer and FunctionsForDecrypt Classes: Retrieve and decrypt browser keys from Local State files, enabling access to encrypted passwords.
- GrabberDesktop Method: Copies desktop files to a DesktopFiles directory, filtering by predefined extensions and silently handling errors to avoid detection.
- Telegram and Discord Modules: Locate and exfiltrate session data and authentication tokens, with Telegram’s tdata folder copied recursively and Discord tokens extracted via regular expressions.
- Screenshot and Compression Routines: Capture desktop screenshots and compress all stolen data into a ZIP archive using CP866 encoding and maximum compression (level 9).
Exfiltration via Telegram
PupkinStealer exfiltrates data to a Telegram bot named botKanal (username: botkanalchik_bot), likely derived from the Russian word “kanal” (channel).

The bot receives ZIP archives via the Telegram Bot API, with captions containing detailed victim information, including usernames, IP addresses, SIDs, and module success flags.
“The malware’s attribution string, ‘Coded by Ardent,’ suggests a developer operating under this alias, with additional clues pointing to a possible Russian origin based on Russian-language text in related Telegram metadata,” CYFIRMA told Cyber Security News.
The malware’s simplicity and lack of advanced anti-analysis defenses make it an accessible tool for less-sophisticated threat actors. It fits into a broader trend of modular, low-complexity infostealers available through malware-as-a-service models, enabling rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.
Mitigation Recommendations
PupkinStealer’s straightforward design underscores the need for robust cybersecurity practices to counter such threats. Organizations and individuals can reduce their risk by:
- User Awareness: Exercise caution with files from untrusted sources and avoid clicking suspicious links, especially those promoting dubious software.
- Antivirus and Updates: Deploy reputable antivirus solutions and ensure all software, including browsers and messaging apps, is regularly updated to patch vulnerabilities.
- Network Monitoring: Monitor for unusual outbound traffic to Telegram APIs or other atypical services, which may indicate data exfiltration.
- Credential Management: Use password managers to avoid storing credentials in browsers and enable multi-factor authentication (MFA) on messaging platforms like Telegram and Discord.
- Security Culture: Foster a security-conscious environment through regular employee training on social engineering and malware risks.
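The network-monitoring recommendation above can be turned into a concrete check: the report describes stolen data leaving as a ZIP archive posted to a Telegram bot through a Bot API URL, and Bot API requests carry a recognisable `/bot<id>:<secret>/<method>` path on `api.telegram.org`. The following script is an added example (not from the CYFIRMA report or the malware) that scans constructed proxy-log records in a hypothetical `ip method url user_agent bytes` format and flags Bot API calls, rating upload methods such as `sendDocument` highest; the log format and sample values are assumptions.

```python
import re
from urllib.parse import urlparse

# Telegram Bot API request path shape: /bot<bot_id>:<secret>/<method>
BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods that push a payload off the host. The report describes the stolen
# data leaving as a ZIP archive with a caption, i.e. a document upload.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}

# Constructed sample records (hypothetical format: ip method url user_agent bytes_sent).
SAMPLE_LOGS = [
    "10.0.0.5 GET https://www.example.com/index.html Mozilla/5.0 512",
    "10.0.0.7 POST https://api.telegram.org/bot1234567890:AAExampleTokenXYZ/sendDocument Mozilla/5.0 4194304",
    "10.0.0.9 GET https://api.telegram.org/bot987654321:AAAnotherToken/getUpdates TelegramBot 200",
    "10.0.0.12 GET https://web.telegram.org/k/ Mozilla/5.0 1024",  # normal Telegram Web use
]

def parse_line(line):
    """Parse one whitespace-separated record; return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, method, url, ua, sent = parts
    return {"src": src, "method": method, "url": url, "ua": ua, "bytes": int(sent)}

def classify(rec):
    """Return a finding dict if the record is a Telegram Bot API call, else None."""
    u = urlparse(rec["url"])
    if u.hostname != BOT_API_HOST:
        return None  # web.telegram.org and other hosts are ordinary user traffic
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()  # secret kept out of the finding
    severity = "high" if api_method in UPLOAD_METHODS else "medium"
    return {"src": rec["src"], "bot_id": bot_id, "api_method": api_method,
            "bytes": rec["bytes"], "severity": severity}

def analyze(lines, allowlisted_src=frozenset()):
    """Run the check over log lines, skipping sources known to run legitimate bots."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in allowlisted_src:
            continue
        f = classify(rec)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Legitimate integrations also use the Bot API, so the source allowlist (or a bot-id allowlist) is what keeps this from paging on every internal chatbot.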
The post “PupkinStealer” A New .NET-Based Malware Steals Browser Credentials & Exfiltrates via Telegram appeared first on Cyber Security News.