A newly identified threat dubbed PupkinStealer emerged in April 2025. Written in C# on the .NET Framework, this information-stealing malware targets Windows systems, harvesting sensitive user data and discreetly exfiltrating it through Telegram's Bot API.

Despite its relatively simple structure and lack of persistence mechanisms or advanced evasion techniques, PupkinStealer poses a significant threat because of its targeted data collection, its stealthy exfiltration strategy, and its abuse of a trusted communication channel.

PupkinStealer is delivered as an unsigned .NET executable that the victim must run manually. It is typically distributed through phishing campaigns, malicious file downloads, or instant messaging lures. Once executed, it begins harvesting data from the infected system without any visible indication to the user.

What It Steals

Upon execution, PupkinStealer performs multiple actions in parallel to collect a broad range of sensitive information:

    • Browser Credentials
    • Desktop Files
    • Telegram Sessions
    • Discord Tokens
    • Screenshots

All collected data is staged in the `%APPDATA%\Temp\[Username]\` directory, organized into subfolders such as `Grabbers\Browser`, `TelegramSession`, `Discord`, and `Screenshot`. PupkinStealer then compresses this data into a ZIP archive named after the victim's username with the suffix `@ardent.zip`, a possible nod to the malware's suspected author, "Ardent".

The archive is then uploaded through Telegram's Bot API using HTTPS POST requests. Because the traffic is TLS-encrypted and destined for Telegram's own, widely trusted infrastructure, it blends in with legitimate traffic and is unlikely to be blocked by reputation-based controls, which makes detection by traditional security tools more difficult. Alongside the archive, the malware transmits metadata such as the victim's public IP address, system username, and Security Identifier (SID).

Attribution

Initial investigations have led to tentative attribution to an actor using the alias "Ardent", based on naming conventions within the malware and embedded strings. It is important to clarify, however, that PupkinStealer is not linked to the domain `instance-i4zsy0relay[.]screenconnect.com`, which is associated with other malware campaigns involving ConnectWise ScreenConnect.

PupkinStealer may not employ advanced techniques such as code injection or kernel-level rootkits, but its focus on highly valuable data and its use of Telegram for exfiltration make it a significant threat. Organizations and individual users alike should remain cautious of unsolicited executable files, monitor outbound Telegram Bot API traffic (in particular, POST requests to `api.telegram.org` from processes that have no business using a bot), and consider deploying endpoint detection tools capable of analyzing .NET binaries.
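The following is an added hunting example, not code from the original article or from the CYFIRMA report, that turns the two indicators described above (the `<username>@ardent.zip` staging archive and Bot API uploads to `api.telegram.org`) into detection logic over sample telemetry. The proxy log format, the file-event tuples, the sample lines, the allow-list of processes expected to talk to the Bot API, and the assumption that the upload uses the Bot API's standard `sendDocument` file-upload method are all constructed for illustration and should be adapted to your own telemetry.

```python
"""Hunt helper for PupkinStealer-style Telegram Bot API exfiltration.

Added example: log formats, field names, sample lines and the process
allow-list below are constructed assumptions, not artefacts from the report.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# A bot token has the shape "<numeric bot id>:<35-character secret>".
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$")

# Archive name the article reports: "<username>@ardent.zip".
STAGING_ZIP_RE = re.compile(r"^(?P<user>[^\\/]+)@ardent\.zip$", re.IGNORECASE)

# Hypothetical allow-list of processes expected to use the Bot API on this fleet.
EXPECTED_BOT_API_PROCESSES = {"approvedbot.exe"}

# Constructed proxy log line: <ts> <host> <process> <verb> <url> <bytes_out>
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<process>\S+) (?P<verb>GET|POST) "
    r"(?P<url>\S+) (?P<bytes_out>\d+)$"
)


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for pivoting) and drop the secret half."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"


def parse_bot_api_request(url: str):
    """Return (token, method, query dict) for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m:
        return None
    return m.group("token"), m.group("method"), parse_qs(parts.query)


def find_bot_api_exfil(log_lines, min_upload_bytes=50_000):
    """Flag Bot API requests that look like exfiltration rather than bot use."""
    findings = []
    for line in log_lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue
        parsed = parse_bot_api_request(m.group("url"))
        if parsed is None:
            continue
        token, method, query = parsed
        reasons = []
        if m.group("process").lower() not in EXPECTED_BOT_API_PROCESSES:
            reasons.append("unexpected process")
        if method == "sendDocument" and m.group("verb") == "POST":
            reasons.append("file upload")  # sendDocument is the Bot API's file-upload method
        if int(m.group("bytes_out")) >= min_upload_bytes:
            reasons.append("large outbound body")
        if reasons:
            findings.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "process": m.group("process"),
                "method": method,
                "bot": redact_token(token),
                "chat_id": query.get("chat_id", [None])[0],
                "bytes_out": int(m.group("bytes_out")),
                "reasons": reasons,
            })
    return findings


def find_staging_archives(file_events):
    """file_events: (host, user, path) tuples from file-create telemetry (constructed)."""
    hits = []
    for host, user, path in file_events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = STAGING_ZIP_RE.match(name)
        if m:
            hits.append({"host": host, "user": user, "path": path,
                         "archive_user": m.group("user")})
    return hits


# Constructed sample telemetry: one benign request, one suspicious upload,
# one allow-listed bot call, plus one staging archive and one unrelated ZIP.
SAMPLE_PROXY_LOG = [
    "2025-04-14T10:02:11Z WS-017 chrome.exe GET https://www.example.com/ 512",
    "2025-04-14T10:02:40Z WS-017 report.exe POST https://api.telegram.org/"
    "bot123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendDocument?chat_id=987654321 2104833",
    "2025-04-14T10:03:02Z WS-017 approvedbot.exe POST https://api.telegram.org/"
    "bot123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getMe 210",
]
SAMPLE_FILE_EVENTS = [
    ("WS-017", "jdoe", r"C:\Users\jdoe\AppData\Roaming\Temp\jdoe\jdoe@ardent.zip"),
    ("WS-017", "jdoe", r"C:\Users\jdoe\Downloads\report.zip"),
]

if __name__ == "__main__":
    for f in find_bot_api_exfil(SAMPLE_PROXY_LOG):
        print("BOT API EXFIL:", f)
    for h in find_staging_archives(SAMPLE_FILE_EVENTS):
        print("STAGING ARCHIVE:", h)
```

The token is redacted before it reaches a finding because a full bot token is itself a credential: anyone holding it can read the attacker's chat or delete the uploaded files, and it should be handled as sensitive evidence rather than pasted into tickets. Matching on the `/bot<id>:<secret>/<method>` path shape rather than on the hostname alone keeps the rule quiet for ordinary `t.me` or web-client traffic.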

Source: hxxps[://]www[.]cyfirma[.]com/research/pupkinstealer-a-net-based-info-stealer/?ref=cybersecsentinel.com

Follow Cybersecurity88 on X and LinkedIn for the latest cybersecurity news