A new malware called PupkinStealer has been detected targeting Windows users to steal login credentials, messaging sessions, desktop files, and screenshots. First spotted in April 2025, it is a lightweight 32-bit .NET executable written in C#.
PupkinStealer collects saved passwords and cookies from Chromium-based browsers, session data from Telegram and Discord, and files with common document and image extensions from the desktop. It also captures a full-screen screenshot for attacker context.
All stolen data is compressed into a ZIP archive with victim metadata, then sent to a Telegram bot via Telegram’s Bot API. This method helps attackers hide their activity within legitimate network traffic.
The malware does not establish persistence or use advanced evasion techniques, indicating a quick "hit-and-run" attack style. Researchers link PupkinStealer to a developer named "Ardent" and note Russian-language metadata in the Telegram bot, suggesting a possible Russian-speaking origin.
Key Features
- Steals browser passwords, cookies, and messaging app sessions.
- Collects selected desktop files and takes screenshots.
- Exfiltrates data via Telegram Bot API to avoid detection.
- Operates without persistence, minimizing detection risk.
Recommendations
- Enable multi-factor authentication on all accounts.
- Be cautious with unknown email attachments and links.
- Keep antivirus and endpoint protection up to date.
- Monitor network traffic for unusual Telegram API activity.
Indicators of Compromise
| Type | Value |
|---|---|
| SHA-256 Hash | 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f |
| Telegram Bot Token | 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM |
| Telegram Chat ID | 7613862165 |
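The recommendation to monitor for unusual Telegram API activity and the indicators above can be turned into a simple log check. The following Python script is an added example, not code from the original article or from any vendor tooling: it parses constructed proxy log lines (the log format, client IPs, user names and the second bot token are invented for illustration), flags any call to the Telegram Bot API endpoint, raises the severity for file uploads via `sendDocument`, and marks as high-confidence any request that uses the bot token or chat ID listed in the IoC table.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the IoC table above; extend these sets as new IoCs are published.
KNOWN_BAD_BOT_TOKENS = {"8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM"}
KNOWN_BAD_CHAT_IDS = {"7613862165"}

# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Constructed sample proxy log (not real traffic). Fields: client_ip user method url status bytes
SAMPLE_LOG = """\
10.0.0.12 alice GET https://www.example.com/ 200 5120
10.0.0.12 alice POST https://api.telegram.org/bot8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM/sendDocument?chat_id=7613862165 200 348201
10.0.0.15 bob POST https://api.telegram.org/bot1234567890:ABCDEFexample_token_placeholder/sendMessage 200 310
10.0.0.20 carol GET https://web.telegram.org/ 200 12040
10.0.0.15 bob POST https://api.telegram.org/bot1234567890:ABCDEFexample_token_placeholder/sendDocument 200 512000
"""


def parse_line(line):
    """Split one space-separated proxy log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    client, user, method, url, status, nbytes = parts
    return {"client": client, "user": user, "method": method,
            "url": url, "status": int(status), "bytes": int(nbytes)}


def classify(entry):
    """Return (severity, reason) for Telegram Bot API traffic, or None for anything else."""
    u = urlsplit(entry["url"])
    if u.hostname != "api.telegram.org":
        return None  # ordinary Telegram web/client use is not what we are after
    m = BOT_API_RE.match(u.path)
    if not m:
        return ("low", "request to api.telegram.org without a bot-API path")
    token, api_method = m.group("token"), m.group("method")
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    if token in KNOWN_BAD_BOT_TOKENS or chat_id in KNOWN_BAD_CHAT_IDS:
        return ("high", f"known PupkinStealer bot token or chat id ({api_method})")
    if api_method == "sendDocument" and entry["method"] == "POST":
        # Bot-API file upload from a workstation: consistent with ZIP exfiltration
        return ("medium", f"bot-API file upload of {entry['bytes']} bytes")
    return ("low", f"bot-API call {api_method}")


def scan(log_text):
    """Run classify() over every line and return the list of flagged entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            hits.append({**entry, "severity": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['severity'].upper()}] {hit['client']} ({hit['user']}): {hit['reason']}")
```

Run against the embedded sample, the script flags three of the five lines: the request using the published token and chat ID as high, the unknown-token `sendDocument` upload as medium, and the `sendMessage` call as low. Browsing to `web.telegram.org` is deliberately ignored, since the indicator is the Bot API endpoint on an endpoint that has no legitimate bot integrations, not Telegram use in general.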
PupkinStealer highlights the growing use of simple malware that exploits legitimate platforms to steal data. Users and organizations should remain vigilant and apply layered security measures to protect sensitive information.