PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly discovered .NET-based information stealer that extracts browser passwords, application session tokens, and desktop files and exfiltrates them through Telegram’s Bot API. Attributed to Russian-speaking cybercriminal groups, it targets Windows users indiscriminately and is built for rapid data theft with no persistence mechanism. #PupkinStealer #InfoStealer #Telegram #WindowsMalware #Cybercrime

Keypoints

  • PupkinStealer first appeared in the wild around April 2025 and is based on open-source stealers like StormKitty, with origins linked to Russian-speaking cybercrime communities.
  • The malware targets Windows systems through social engineering and phishing, delivered as a malicious .NET executable typically named PupkinStealer.exe or PlutoniumLoader.exe.
  • It steals credentials by extracting passwords from Chromium-based browsers, hijacking Telegram and Discord sessions, collecting desktop files, and capturing screenshots for context.
  • PupkinStealer establishes no persistence; it performs a rapid “smash-and-grab” theft, first terminating browser and Telegram processes so that the credential and session files they hold locked can be copied.
  • Exfiltration is conducted via the Telegram Bot API over HTTPS: the stolen data archive, including victim metadata, is sent directly to an attacker-controlled Telegram bot, so the traffic blends in with legitimate HTTPS connections to api.telegram.org.
  • The malware embeds its compressed dependencies in the executable via Costura.Fody but performs no meaningful runtime obfuscation or antivirus evasion, relying instead on legitimate infrastructure and fast execution.
  • Indicators of Compromise include specific executable hashes, file naming patterns, folder structures in TEMP directories, Telegram bot tokens, and network connections to Telegram API endpoints.

MITRE Techniques

  • [T1566] Phishing – The malware is introduced via social engineering, likely through phishing attachments or trojanized cracked software (‘typically introduced onto victim machines through social engineering, such as trojanized downloads’).
  • [T1204.002] User Execution – Requires victim to execute the malicious .exe file manually (‘the user double-clicks … which then immediately executes its payload code’).
  • [T1489] Service Stop (process termination) – Kills browser and Telegram processes to unlock credential and session files (‘proc.Kill() … to unlock files’).
  • [T1027] Obfuscated Files or Information – Uses Costura.Fody to embed compressed DLL dependencies, increasing binary entropy to evade simple detection (‘embedding libraries inside the executable itself’).
  • [T1555.003] Credentials from Web Browsers – Extracts and decrypts stored credentials from Chromium browsers by accessing the Login Data SQLite database and Local State encryption keys (‘loads encrypted passwords from the database and uses DPAPI calls to decrypt’).
  • [T1528] Steal Application Access Token – Steals Telegram session files and Discord authentication tokens for account hijacking without passwords (‘copies Telegram tdata folder and extracts Discord tokens via regex’).
  • [T1082] System Information Discovery – Collects user and system identifiers like username, SID, hostname, and public IP for victim profiling (‘captures username, SID, hostname, and IP to embed in exfiltration archive’).
  • [T1005] Data from Local System – Harvests desktop files with sensitive extensions for exfiltration (‘scans and copies .pdf, .txt, .sql, .jpg, .png files from Desktop’).
  • [T1113] Screen Capture – Takes a screenshot of the primary monitor to gather contextual information (‘saves screenshot as Screen.jpg under Grabbers\Screenshot’).
  • [T1560] Archive Collected Data – Compresses stolen data into a ZIP archive with victim metadata for exfiltration (‘packages all data into a ZIP archive named [username]@ardent.zip’).
  • [T1041 / T1567] Exfiltration Over C2 Channel / Exfiltration Over Web Service – Sends stolen data to the attacker via the Telegram Bot API over HTTPS (‘uploads ZIP file through Telegram Bot API using a hardcoded token’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses Telegram as a C2 channel through HTTPS API calls (‘leveraging Telegram as communication infrastructure via HTTPS requests to api.telegram.org’).

Indicators of Compromise

  • [File Hash] Known PupkinStealer malware sample – SHA-256: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f, MD5: fc99a7ef8d7a2028ce73bf42d3a95bce.
  • [File Names] Executables identified as PupkinStealer.exe or PlutoniumLoader.exe, typically .NET PE32 files around 6.21MB in size.
  • [File System Artifacts] Temporary working directory structure under %TEMP%\[username]\Grabbers containing Browser\passwords.txt, a Telegram\Session folder, Discord\Tokens.txt, Screenshot\Screen.jpg, a Desktop\Files folder, and a ZIP archive named [username]@ardent.zip.
  • [Network Indicators] HTTPS POST requests to Telegram Bot API endpoints, particularly URLs with token 8013735771:AAEUrTgQsAmiAsXeDN6mehDfo3vEg-kCM and chat ID 7613862165 (e.g., https://api.telegram.org/bot8013735771:AAE_UrTgQs…/sendDocument).
  • [Strings] “Coded by Ardent” phrase embedded in exfiltration captions, ZIP filenames, and malware strings; Telegram bot handle botkanalchik_bot also associated with the malware.
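The indicators above translate directly into hunting logic. The following Python is an added example, not code from the Picus writeup or from the malware: it runs three rules over constructed endpoint telemetry, flagging Telegram Bot API sendDocument uploads (and extracting the bot ID for blocking or sharing), file writes into the %TEMP%\[username]\Grabbers\<module>\ working directory, and creation of a [username]@ardent.zip archive. The event format, the process names, and the bot token in the sample are constructed; %TEMP% is assumed to expand to the default C:\Users\<user>\AppData\Local\Temp.

```python
"""Hunt for PupkinStealer-style artifacts in constructed endpoint telemetry."""
import re
from dataclasses import dataclass
from typing import Optional

# Exfiltration channel from the writeup: an HTTPS POST to
#   https://api.telegram.org/bot<bot_id>:<secret>/sendDocument
# Only sendDocument is matched here because that is the method the report names.
TELEGRAM_SENDDOC_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/sendDocument(?:[?#]|$)"
)

# Working directory from the IoC list: %TEMP%\<user>\Grabbers\<module>\...
# Assumption: %TEMP% is the default C:\Users\<user>\AppData\Local\Temp.
GRABBERS_PATH_RE = re.compile(
    r"(?i)\\AppData\\Local\\Temp\\(?P<user>[^\\]+)\\Grabbers\\"
    r"(?P<module>Browser|Telegram|Discord|Screenshot|Desktop)\\"
)

# Archive name from the IoC list: <username>@ardent.zip (location not assumed).
ARDENT_ZIP_RE = re.compile(r"(?i)\\(?P<user>[^\\]+)@ardent\.zip$")


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def check_network_event(process: str, url: str) -> Optional[Alert]:
    """Flag a Bot API document upload and pull out the bot ID for blocking."""
    m = TELEGRAM_SENDDOC_RE.match(url)
    if not m:
        return None
    return Alert("telegram_bot_senddocument", process, f"bot_id={m['bot_id']}")


def check_file_event(process: str, path: str) -> Optional[Alert]:
    """Flag writes into the Grabbers staging tree or of the @ardent.zip archive."""
    m = GRABBERS_PATH_RE.search(path)
    if m:
        return Alert("grabbers_workdir", process,
                     f"user={m['user']} module={m['module']}")
    m = ARDENT_ZIP_RE.search(path)
    if m:
        return Alert("ardent_zip_archive", process, f"user={m['user']}")
    return None


def scan_events(events) -> list:
    """Apply the rules to a list of {'type': 'network'|'file', ...} dicts."""
    alerts = []
    for ev in events:
        if ev["type"] == "network":
            alert = check_network_event(ev["process"], ev["url"])
        elif ev["type"] == "file":
            alert = check_file_event(ev["process"], ev["path"])
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captured data; the token is fake).
SAMPLE_EVENTS = [
    {"type": "network", "process": "PupkinStealer.exe",
     "url": "https://api.telegram.org/bot1234567890:AAExampleSecretNotReal_000000000/sendDocument"},
    {"type": "network", "process": "chatops.exe",  # benign Bot API use, other method
     "url": "https://api.telegram.org/bot1234567890:AAExampleSecretNotReal_000000000/getMe"},
    {"type": "file", "process": "PupkinStealer.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\alice\Grabbers\Browser\passwords.txt"},
    {"type": "file", "process": "PupkinStealer.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\alice@ardent.zip"},
    {"type": "file", "process": "msiexec.exe",  # benign temp file
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.process}: {alert.detail}")
```

Run against the constructed sample, the three malicious events each raise one alert and the two benign ones raise none. In a real deployment the network rule would be fed from proxy or Sysmon DNS/network telemetry and the file rules from Sysmon FileCreate events; the extracted bot_id is the value worth blocking and reporting, since the token that follows it is what gives the operator access to the bot.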


Read more: https://www.picussecurity.com/resource/blog/pupkinstealer-net-infostealer-using-telegram-for-data-theft