PupkinStealer, a newly discovered information-stealing malware, is making waves in the cybersecurity landscape after researchers identified it in April 2025. Written in .NET, the malware is engineered to quickly grab credentials and tokens from web browsers and messaging apps before exfiltrating the data via Telegram.
Rapid Smash-and-Grab Attacks
Unlike traditional malware that attempts to establish persistence or long-term access, PupkinStealer performs rapid “smash-and-grab” operations. It executes swiftly, collects data, and exits, minimizing its detection window.
The malware targets Chromium-based browsers such as:
- Google Chrome
- Microsoft Edge
- Opera
- Brave
- Vivaldi
It also attacks desktop messaging apps, forcibly terminating Telegram Desktop to steal the entire tdata folder, allowing the attackers to hijack sessions without triggering MFA or login alerts.
Telegram: The Stealth Exfiltration Channel
What sets PupkinStealer apart is its use of Telegram’s Bot API for data exfiltration. After collecting credentials and tokens, it compresses the stolen information into a ZIP archive titled:
[Username]@ardent.zip
The ZIP file is stored in the victim’s %TEMP% directory. The malware then sends it via a POST request to Telegram:
https://api.telegram.org/bot<BOT_TOKEN>/sendDocument?chat_id=<CHAT_ID>&caption=
This approach has several advantages for attackers:
- Uses legitimate and trusted infrastructure (Telegram)
- Encrypted traffic over HTTPS (port 443)
- Instant notification and data delivery to attacker’s Telegram app
Russian Cybercrime Ties
The malware includes Russian-language elements and references the alias “Coded by Ardent”, linked to Russian-speaking cybercrime forums. Its structure bears resemblance to open-source malware like StormKitty, indicating shared or borrowed development resources.
Detection and Mitigation
According to Picus Security, PupkinStealer does not use anti-analysis techniques but relies on its short runtime and minimal footprint. Indicators of compromise (IOCs) include:
- SHA-256 hash: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
- ZIP archives stored in %TEMP%
- Network activity to api.telegram.org
- Unusual termination of browser or messaging processes
Security Recommendations
Organizations should enhance endpoint defenses and implement the following:
- Behavioral detection tools to catch rapid data exfiltration
- Network monitoring for unusual HTTPS connections to Telegram’s API
- Hardening of local browser storage and credential vaults
- Alerts on process termination of high-value applications like browsers and messengers
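A detection sketch covering the indicators listed under Detection and Mitigation and the alerting recommendations above, added here as an example; it is not code from the article or from Picus Security. The JSON event format, its field names, the sample telemetry and the allowlisted bot image are constructed assumptions that have to be mapped onto real EDR or proxy data; the SHA-256 hash, the @ardent.zip name, the %TEMP% location, the api.telegram.org host and the sendDocument path are the ones the article gives.

```python
"""Detection sketch for the PupkinStealer indicators in the article above.

Added example; not code from the article or from Picus Security. The JSON
log format, field names and sample events are constructed for this example
and must be mapped to your own EDR / proxy telemetry before use.
"""
import json
import ntpath
from collections import defaultdict

# Indicators of compromise quoted in the article.
PUPKIN_SHA256 = "9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f"
TELEGRAM_API_HOST = "api.telegram.org"
ARDENT_ZIP_SUFFIX = "@ardent.zip"

# Browsers and messengers the article names as targets; one of these being
# terminated by another process is the "unusual termination" indicator.
HIGH_VALUE_PROCS = {"telegram.exe", "chrome.exe", "msedge.exe",
                    "opera.exe", "brave.exe", "vivaldi.exe"}

# Assumed allowlist (constructed): images that may legitimately use the Bot API.
TELEGRAM_ALLOWLIST = {r"c:\program files\companybot\bot.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_temp_dir(path: str) -> bool:
    """True if the path sits under a Windows %TEMP%-style directory."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return "temp" in parts[:-1]


def check_event(ev: dict) -> list[str]:
    """Return the names of every indicator a single event matches."""
    alerts = []
    kind = ev.get("kind")
    if kind == "proc_start" and ev.get("sha256", "").lower() == PUPKIN_SHA256:
        alerts.append("hash_match")
    if kind == "proc_end":
        victim = basename(ev.get("image", ""))
        killer = ev.get("terminated_by", "")
        if victim in HIGH_VALUE_PROCS and killer and basename(killer) != victim:
            alerts.append("high_value_process_terminated")
    if kind == "file" and ev.get("op") == "create":
        path = ev.get("path", "")
        if path.lower().endswith(ARDENT_ZIP_SUFFIX):
            alerts.append("ardent_zip")
        elif in_temp_dir(path) and path.lower().endswith(".zip"):
            alerts.append("zip_in_temp")
    if kind == "net" and ev.get("host", "").lower() == TELEGRAM_API_HOST:
        if ev.get("image", "").lower() not in TELEGRAM_ALLOWLIST:
            alerts.append("telegram_api_unexpected_process")
        path = ev.get("path", "")
        if path.startswith("/bot") and path.rstrip("/").endswith("/sendDocument"):
            alerts.append("telegram_senddocument")
    return alerts


def scan(lines: list[str]) -> tuple[list[dict], dict[str, list[str]]]:
    """Per-event hits plus the set of distinct indicators seen per actor.

    The actor is the process that started, did the killing, wrote the file
    or made the connection; several different indicators from one actor is
    the smash-and-grab chain the article describes.
    """
    hits, by_actor = [], defaultdict(set)
    for n, line in enumerate(lines):
        ev = json.loads(line)
        found = check_event(ev)
        if found:
            hits.append({"line": n, "alerts": found})
            actor = ev.get("terminated_by") or ev.get("image") or "?"
            by_actor[actor.lower()].update(found)
    return hits, {a: sorted(s) for a, s in by_actor.items()}


# Constructed sample telemetry (not real logs); only the hash is from the article.
SAMPLE_LOG = [
    json.dumps({"kind": "proc_start", "image": r"C:\Users\alice\Downloads\invoice.exe",
                "sha256": PUPKIN_SHA256}),
    json.dumps({"kind": "proc_end",
                "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
                "terminated_by": r"C:\Users\alice\Downloads\invoice.exe"}),
    json.dumps({"kind": "file", "op": "create", "image": r"C:\Users\alice\Downloads\invoice.exe",
                "path": r"C:\Users\alice\AppData\Local\Temp\alice@ardent.zip"}),
    json.dumps({"kind": "net", "method": "POST", "host": "api.telegram.org",
                "path": "/bot000000:CONSTRUCTED_TOKEN/sendDocument",
                "image": r"C:\Users\alice\Downloads\invoice.exe"}),
    # Benign noise: a sanctioned bot polling Telegram and an ordinary archive.
    json.dumps({"kind": "net", "method": "GET", "host": "api.telegram.org",
                "path": "/bot000000:CONSTRUCTED_TOKEN/getUpdates",
                "image": r"C:\Program Files\CompanyBot\bot.exe"}),
    json.dumps({"kind": "file", "op": "create", "image": r"C:\Windows\explorer.exe",
                "path": r"C:\Users\alice\Documents\report.zip"}),
]

if __name__ == "__main__":
    hits, actors = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {', '.join(h['alerts'])}")
    for actor, inds in actors.items():
        print(f"{actor}: {len(inds)} distinct indicators -> {inds}")
```

The per-actor grouping is the part worth keeping: any one of these indicators is noisy on its own (archives in %TEMP%, a browser crashing, a sanctioned Telegram bot), but a single process that matches the hash, kills a messenger, writes the archive and posts to the Bot API within seconds is exactly the short-runtime pattern the article describes, so the alert should fire on the chain rather than on the first hit.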
“PupkinStealer shows how threat actors increasingly rely on stealth, speed, and legitimate services to bypass traditional security controls,” said researchers at Picus Security.
As malware continues to evolve, so must detection strategies—especially when adversaries use everyday apps like Telegram as covert exfiltration channels.