A new malware strain named PupkinStealer is posing a serious threat to Windows users by stealing sensitive login information from web browsers. Security experts first discovered the malware in April 2025.
Developed in C# on the .NET framework, PupkinStealer targets saved credentials in Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, and Vivaldi. These browsers keep the key that encrypts the password store in the profile's Local State file, wrapped with the Windows Data Protection API (DPAPI) for the logged-on user. Because the malware runs inside that user's session, it can ask DPAPI to unwrap the key and then decrypt the saved login data itself.
Spread Through Phishing and Fake Downloads
PupkinStealer spreads through social engineering attacks. Victims are tricked into running an unsigned executable file. Attackers typically deliver this file via phishing emails, fake software downloads, or messaging platforms.
Stealing More Than Just Passwords
Once installed, PupkinStealer silently collects a wide range of sensitive information. This includes:
- Browser passwords
- Telegram sessions
- Discord tokens
- Files with extensions like .pdf, .txt, .sql, .jpg, and .png
- Screenshots of the victim’s desktop
Using Telegram for Data Exfiltration
One of the most concerning features of PupkinStealer is how it sends stolen data. The malware creates a ZIP archive named “[Username]@ardent.zip” and stores it in a temporary folder. It then uses the Telegram Bot API to send this data back to attackers.
This method helps PupkinStealer avoid detection. The upload is an HTTPS request to api.telegram.org, a legitimate and widely allowed domain, so destination and reputation filters do not block it and TLS hides the payload. To a network monitor the traffic looks like ordinary Telegram activity, which makes the theft harder for security tools to spot.
Limited Persistence but High Impact
Security firm Cybersec Sentinel reports that PupkinStealer has no persistence mechanism: it runs once, collects and uploads its data, and is not re-launched after a reboot. That limits its footprint rather than its damage. The passwords, Telegram sessions, and Discord tokens it takes stay valid until they are changed or revoked, so it remains a serious privacy threat to both companies and individual users.
Experts believe the malware’s creator uses the alias “Ardent”, based on clues found in the malware’s code.
Technical Details of the Attack
PupkinStealer organizes stolen data into folders inside %APPDATA%\Temp\[Username], separating browser data, messaging tokens, and screenshots before archiving them for exfiltration. It collects from the different sources asynchronously, so they are read at the same time.
The stolen data is sent using an HTTP POST request to Telegram's API. The request format looks like this:
- https://api.telegram.org/bot<token>/sendDocument?chat_id=<id>&caption
Because the data goes to Telegram's public API over TLS, traditional security systems might not flag this activity as malicious. The request format still gives defenders something to work with: a workstation calling api.telegram.org/bot<token>/... is unusual on its own, since bots normally run on servers, and a proxy that inspects TLS will see the bot token and chat ID the malware uses in every upload.
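A detection for the exfiltration pattern described above and in the section on Telegram, as an added example that is not part of the original report. It assumes a web proxy that logs key=value records with the full request URL (that is, one that inspects TLS; without inspection only the host or SNI api.telegram.org is visible, which is the low-severity fallback below). The log lines, the bot token and the chat ID in them are constructed for this example.

```python
"""Added example, not from the report: flag Telegram Bot API use in proxy
logs, ranking uploads (sendDocument and friends) above other calls.

Assumes key=value proxy records with a full URL; the lines below are
constructed and every identifier in them is fictitious.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one normal request, the stealer's upload, a bot poll,
# ordinary Telegram Web, and a CONNECT seen without TLS inspection.
SAMPLE_LOG = """\
ts=2025-04-14T09:58:03Z src=10.20.4.17 user=CORP\\jdoe method=GET host=www.example.com url=https://www.example.com/ bytes_out=412
ts=2025-04-14T09:58:41Z src=10.20.4.17 user=CORP\\jdoe method=POST host=api.telegram.org url=https://api.telegram.org/bot7123456789:AAHexampleexampleexampleexampleexam/sendDocument?chat_id=987654321&caption=jdoe%40ardent.zip bytes_out=1834022
ts=2025-04-14T09:59:10Z src=10.20.4.22 user=CORP\\asmith method=GET host=api.telegram.org url=https://api.telegram.org/bot5550001111:AAEanotherexampletokenvalue000000000/getUpdates bytes_out=310
ts=2025-04-14T09:59:12Z src=10.20.4.31 user=CORP\\mlee method=GET host=web.telegram.org url=https://web.telegram.org/k/ bytes_out=980
ts=2025-04-14T10:01:55Z src=10.20.4.40 user=CORP\\rkim method=CONNECT host=api.telegram.org url=api.telegram.org:443 bytes_out=20481
"""

# Bot API URLs embed the credential: /bot<numeric id>:<secret>/<method>
BOT_API = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_record(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; the URL keeps its own '=' signs."""
    return dict(field.split("=", 1) for field in line.split())


def inspect_record(rec: dict) -> Optional[dict]:
    """Return a finding for any Bot API contact, or None for unrelated traffic."""
    base = {"ts": rec.get("ts"), "src": rec.get("src"), "user": rec.get("user"),
            "bytes_out": int(rec.get("bytes_out", 0))}
    m = BOT_API.match(rec.get("url", ""))
    if m is None:
        if rec.get("host") == "api.telegram.org":
            # Host only (no inspection): still odd from a workstation.
            return {**base, "severity": "low", "method": None,
                    "bot_id": None, "chat_id": None, "caption": None}
        return None
    query = parse_qs(urlsplit(rec["url"]).query)
    return {
        **base,
        "bot_id": m["bot_id"],
        "token_fingerprint": m["secret"][:4] + "...",   # never log the full secret
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [None])[0],
        "severity": "high" if m["method"] in UPLOAD_METHODS else "medium",
    }


def hunt(log_text: str) -> list:
    """Run inspect_record over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = inspect_record(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["src"], f["user"], f["method"],
              f["bot_id"], f["chat_id"], f["caption"], f["bytes_out"])
```

The high-severity hit carries the bot ID and chat ID as IR artifacts, which is what the malware has to embed to use the Bot API; the full token is fingerprinted rather than logged. A large bytes_out on a sendDocument call from a user workstation is the shape of the upload the report describes, and the caption field in the sample shows where a "@ardent.zip" archive name would surface.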
Threat Level Assessment
Cybersec Sentinel has rated PupkinStealer with a threat score of 6.5 out of 10, marking it as an elevated risk. The malware’s ability to steal credentials and hijack messaging sessions could lead to account takeovers and further phishing attacks.
Conclusion
While PupkinStealer lacks advanced persistence features, its efficient credential theft and use of trusted communication channels make it a notable cyber threat. Experts warn Windows users to stay alert for phishing scams and suspicious downloads.