PupkinStealer Emerges as New .NET Malware Threat Targeting Browser and Messaging Data
Summary:
PupkinStealer is a newly identified information-stealing malware that targets Windows systems and is developed in C# using the .NET framework. First detected in April 2025, the malware is distributed primarily through phishing emails, fake software downloads, or malicious links sent via instant messaging platforms. It requires manual execution by the victim, as it does not exploit system vulnerabilities to gain access. Once launched, PupkinStealer executes its functions asynchronously, gathering sensitive data including saved credentials from Chromium-based browsers (like Chrome, Edge, and Opera), Telegram session data by stealing the tdata folder, Discord tokens from LevelDB storage, desktop files with specific extensions (.pdf, .txt, .sql, .jpg, .png), and a full-screen screenshot. All harvested information is organized into a temporary directory, compressed into a uniquely named ZIP file, and exfiltrated using Telegram’s Bot API, which complicates detection by traditional network monitoring tools due to its use of encrypted, trusted infrastructure.
Security Officer Comments:
Attribution for PupkinStealer has been tentatively assigned to a threat actor operating under the alias “Ardent,” based on hardcoded naming conventions found in exfiltrated archive files (e.g., [Username]@ardent.zip). While the malware does not feature persistence mechanisms or advanced anti-analysis techniques, it compensates with stealthy and efficient exfiltration methods that enhance its overall impact. Its simplicity belies a strategic focus on data theft through trusted infrastructure, allowing it to operate under the radar of many conventional security tools.
PupkinStealer leverages the Costura.Fody library to obfuscate its payload by embedding its dependencies in the executable, which increases the entropy of the .text section and helps it evade basic static detection. Its exfiltration process is equally deliberate: stolen data is transmitted together with key system metadata such as IP address, username, and security identifier (SID) via HTTPS POST requests to a Telegram bot. This metadata enables the attackers to uniquely identify, track, and manage compromised systems.
Suggested Corrections:
Users should avoid executing files from untrusted sources and remain vigilant against phishing emails and spoofed download links. Implementing strong email filtering, along with sandbox analysis of incoming attachments, can significantly reduce the risk of initial compromise. More broadly, maintaining up-to-date antivirus protection, enabling multi-factor authentication across key accounts, and monitoring system logs for unusual outbound connections, such as traffic to Telegram’s Bot API from unexpected processes, can be effective at detecting and preventing information-stealing malware like PupkinStealer.
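As an added illustration of the log-monitoring suggestion above (not code from the original report), the script below scans constructed proxy log lines for HTTPS POSTs to the Telegram Bot API and scores them by the traits described in this summary: an unsanctioned process, a ZIP archive pushed through sendDocument, and an archive name matching the [Username]@ardent.zip convention. The key=value log format, the sample lines and the ALLOWED_BOT_PROCS allowlist are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log lines (not real telemetry) in an assumed key=value format
# that records the requesting process, destination host, request path and, for
# multipart uploads, the attached filename.
SAMPLE_LOG = """\
2025-05-03T10:12:44Z proc=chrome.exe user=alice method=GET dst=www.example.com path=/ file=- bytes=1200
2025-05-03T10:12:51Z proc=updater.exe user=alice method=POST dst=api.telegram.org path=/bot123456789:AAFakeTokenForTesting/sendDocument file=alice@ardent.zip bytes=48213
2025-05-03T10:13:02Z proc=alertbot.exe user=svc_mon method=POST dst=api.telegram.org path=/bot987654321:AAOtherFakeToken/sendMessage file=- bytes=310
2025-05-03T10:13:09Z proc=svchost.exe user=alice method=POST dst=api.telegram.org path=/bot123456789:AAFakeTokenForTesting/sendDocument file=report.zip bytes=9001
"""

KV = re.compile(r"(\w+)=(\S+)")
BOT_API_PATH = re.compile(r"^/bot\d+:[\w-]+/(\w+)")           # /bot<id>:<token>/<method>
ARDENT_ARCHIVE = re.compile(r"@ardent\.zip$", re.IGNORECASE)  # [Username]@ardent.zip
ALLOWED_BOT_PROCS = {"alertbot.exe"}  # hypothetical allowlist of sanctioned Bot API clients
LEVELS = ["low", "medium", "high"]

def raise_to(current: str, floor: str) -> str:
    """Return the higher of two severity levels."""
    return max(current, floor, key=LEVELS.index)

def parse_line(line: str) -> Dict[str, str]:
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def score_event(ev: Dict[str, str]) -> Optional[Dict]:
    """Return a finding for an HTTPS POST to the Telegram Bot API, else None."""
    if ev.get("dst") != "api.telegram.org" or ev.get("method") != "POST":
        return None
    m = BOT_API_PATH.match(ev.get("path", ""))
    if not m:
        return None
    severity, reasons = "low", ["POST to Telegram Bot API"]
    if ev.get("proc") not in ALLOWED_BOT_PROCS:
        severity = raise_to(severity, "medium")
        reasons.append(f"unexpected process {ev.get('proc')}")
    filename = ev.get("file", "-")
    if m.group(1) == "sendDocument" and filename.lower().endswith(".zip"):
        # The stealer exfiltrates one ZIP via sendDocument; from an unsanctioned process that is high.
        severity = raise_to(severity, "high" if severity == "medium" else "medium")
        reasons.append("ZIP upload via sendDocument")
    if ARDENT_ARCHIVE.search(filename):
        severity = raise_to(severity, "high")
        reasons.append("archive name matches [Username]@ardent.zip")
    return {"ts": ev["ts"], "proc": ev.get("proc"), "user": ev.get("user"),
            "severity": severity, "reasons": reasons}

def scan_log(text: str) -> List[Dict]:
    return [f for f in (score_event(parse_line(l)) for l in text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the updater.exe and svchost.exe uploads come back as high; the allowlisted alerting bot is logged at low so that sanctioned Bot API use does not drown the signal.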
Link(s):
https://cybersecsentinel.com/pupkin...-threat-targeting-browser-and-messaging-data/