PupkinStealer is a .NET-based information stealer that harvests browser credentials, desktop files, Telegram sessions, and Discord tokens. It exfiltrates the stolen data through the Telegram Bot API, relying on simple, low-profile techniques and establishing no persistence. (Affected: Windows users, messaging platforms, enterprises)
Key points:
- PupkinStealer targets Chromium-based browser credentials, desktop files (.pdf, .txt, .sql, .jpg, .png), Telegram sessions, Discord tokens, and desktop screenshots.
- It decrypts browser passwords by extracting keys from Local State files using Windows Data Protection API.
- The malware copies Telegram’s tdata folder to hijack active sessions without reauthentication.
- Discord tokens are harvested from leveldb folders using regex to enable unauthorized access.
- A screenshot of the desktop at 1920×1080 resolution is captured and saved locally before exfiltration.
- All stolen data is compressed into a ZIP archive embedding victim metadata (username, IP, SID) for attacker tracking.
- The data is exfiltrated through a Telegram Bot API channel, leveraging Telegram’s anonymity for stealth.
- PupkinStealer shows no persistence or anti-analysis features, relying on low-profile execution for evasion.
- Attribution links the malware to an actor alias “Ardent,” with indications of Russian language usage.
- Recommendations include endpoint security, network monitoring, application whitelisting, and user awareness training to mitigate risks.
MITRE Techniques:
- Command and Scripting Interpreter (T1059) – Uses .NET runtime to execute malware code and launch asynchronous data harvesting tasks.
- Malicious File (T1204.002) – Deploys an unsigned executable that runs without user consent to harvest data.
- Compression (T1027.015) – Compresses stolen data into a ZIP archive with maximum compression to reduce detection surface.
- Registry Run Keys / Startup Folder (T1547.001) – Listed in the report's MITRE table even though PupkinStealer itself establishes no persistence; the technique relates to persistence in general rather than to observed behaviour of this sample.
- Credentials from Web Browsers (T1555.003) – Extracts and decrypts saved Chromium browser credentials using DPAPI keys.
- Steal Application Access Token (T1528) – Harvests Discord authentication tokens from local storage to impersonate users.
- System Information Discovery (T1082) – Gathers system metadata (username, IP, SID) embedded in exfiltration data.
- Data from Local System (T1005) – Collects files from desktop with targeted extensions for sensitive data.
- Screen Capture (T1113) – Takes screenshots of the victim’s desktop for additional information gathering.
- Local Data Staging (T1074.001) – Stores collected files in temporary directories before compression and exfiltration.
- Exfiltration Over C2 Channel (T1041) – Sends stolen information through Telegram Bot API to attacker-controlled channel.
- Exfiltration to Cloud Storage (T1567.002) – Uses Telegram cloud infrastructure to host and receive exfiltrated data.
Indicators of Compromise:
- The article lists file hashes for PupkinStealer.exe, including MD5 (fc99a7ef8d7a2028ce73bf42d3a95bce) and SHA-256 (9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f).
- Telegram Bot API URLs and tokens used for data exfiltration, e.g., the Bot API endpoint carrying the token “8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM”.
- File paths of harvested data on victims’ machines: browser credentials (%APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt), Telegram sessions (%APPDATA%\Temp\[Username]\Grabbers\Telegram\Session\*), Discord tokens (%APPDATA%\Temp\[Username]\Grabbers\Discord\Tokens.txt), screenshots (%APPDATA%\Temp\[Username]\Grabbers\Screenshot\Screen.jpg), collected desktop files (%APPDATA%\Temp\[Username]\DesktopFiles\*), and the final zipped archive (%APPDATA%\Temp\[Username]\[Username]@ardent.zip).
- These IOCs provide visibility into file artifacts, network exfiltration endpoints, and token theft enabling detection and response.
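The staging paths and the Telegram Bot API endpoint above translate directly into host and network detection logic. The following Python is an added example written for this summary, not code from the CYFIRMA report; the event format and the sample paths, user name and bot token are constructed, and the directory layout (Temp\<user>\Grabbers\..., <user>@ardent.zip) follows the IoC list.

```python
import re
from dataclasses import dataclass

# Staging directories named in the IoC section: Grabbers\<module>\ and DesktopFiles\
# under a Temp\<username>\ folder. The username is captured so the archive rule
# can require the "<username>@ardent.zip" naming the report describes.
STAGING_RE = re.compile(
    r"\\Temp\\(?P<user>[^\\]+)\\(?:Grabbers\\(?:Browser|Telegram|Discord|Screenshot)|DesktopFiles)\\",
    re.IGNORECASE,
)
ARCHIVE_RE = re.compile(r"\\Temp\\(?P<user>[^\\]+)\\(?P=user)@ardent\.zip$", re.IGNORECASE)

# Telegram Bot API call shape: /bot<numeric id>:<token>/<method>. The token is not
# hard-coded, so a rotated bot token still matches; sendDocument is how a ZIP is uploaded.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/send(?:Document|Message)"
)


@dataclass
class Finding:
    rule: str
    evidence: str


def scan_events(events):
    """Return Findings for events matching PupkinStealer artifacts.

    Each event is a dict with 'type' ('file' for a file-write path, 'net' for a
    requested URL) and 'value'. This event shape is an assumption for the example.
    """
    findings = []
    for ev in events:
        val = ev["value"]
        if ev["type"] == "file":
            if ARCHIVE_RE.search(val):
                findings.append(Finding("pupkin_archive_staged", val))
            elif STAGING_RE.search(val):
                findings.append(Finding("pupkin_grabber_staging", val))
        elif ev["type"] == "net" and TELEGRAM_BOT_RE.search(val):
            findings.append(Finding("telegram_bot_api_exfil", val))
    return findings


# Constructed sample telemetry (not taken from the report); the bot token is a placeholder.
SAMPLE_EVENTS = [
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\Temp\alice\Grabbers\Browser\passwords.txt"},
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\Temp\alice\Grabbers\Discord\Tokens.txt"},
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\Temp\alice\alice@ardent.zip"},
    {"type": "file", "value": r"C:\Users\alice\Documents\report.pdf"},
    {"type": "net", "value": "https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendDocument"},
    {"type": "net", "value": "https://api.telegram.org/"},
]
```

Legitimate Telegram desktop clients do not call the Bot API, so the network rule is low-noise on most endpoints; the file rules fire before exfiltration, while the archive is still being staged.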
Read more: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/