PupkinStealer is a newly identified malware family designed to steal sensitive user data such as browser credentials, desktop files, and messaging app sessions. Developed in C# on the .NET framework, it operates as a lightweight infostealer focused on fast data exfiltration. The malware has been active since April 2025 and uses Telegram's Bot API for command-and-control, taking advantage of the platform's anonymity. Its ability to avoid detection and target specific data makes it a significant security threat for individuals and organizations.
PupkinStealer’s primary capabilities include extracting and decrypting credentials from Chromium-based browsers like Google Chrome and Microsoft Edge. It also steals files with specific extensions (.pdf, .txt, .jpg, etc.), and extracts session data from Telegram and Discord, enabling attackers to impersonate victims. In addition, it captures screenshots of the victim’s desktop for further exploitation. All the stolen data is compressed into a ZIP archive and sent to a Telegram bot controlled by the attackers, making it a highly effective tool for data exfiltration.
The malware is a 32-bit executable with a file size of 6.21 MB, written in .NET to ensure compatibility with both x86 and x64 environments.
It uses the Costura library to embed compressed DLLs, making it harder to detect. Key components of the malware include classes for credential extraction, desktop file harvesting, and Discord/Telegram data exfiltration. PupkinStealer also includes routines for taking screenshots and compressing the stolen data into ZIP files before sending them to the attacker-controlled bot.
To mitigate the risks associated with PupkinStealer, experts recommend implementing robust cybersecurity practices, such as avoiding untrusted files, using password managers, and deploying antivirus solutions.
Regular software updates and network monitoring can help detect unusual activity, such as data exfiltration to Telegram APIs. Additionally, organizations should train employees to recognize social engineering attacks and use multi-factor authentication (MFA) on platforms like Telegram and Discord to reduce the impact of this malware.
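As an added example (not from the article or from the malware's own code), the detection logic below scans proxy log lines for Telegram Bot API calls and rates them by whether they carry a file upload and how large it is. The log format, hosts, bot id and secret are constructed; the URL shape `api.telegram.org/bot<id>:<secret>/<method>` is Telegram's public Bot API convention.

```python
import re

# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>;
# the numeric <id> identifies the bot and lets you correlate infected hosts.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)")
# Methods that carry a file payload; a ZIP of stolen data would leave through these.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Constructed proxy log format (not from the article):
# <timestamp> <src_ip> <http_method> <url> <status> <bytes_out> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "(.*)"$')

# Constructed sample traffic: one normal browsing line, one large upload to a bot,
# one legitimate Telegram web session, and one small beacon from a second host.
SAMPLE_LOG = """\
2025-04-12T10:01:03Z 10.0.0.15 GET https://www.example.com/ 200 612 "Mozilla/5.0 Chrome/124"
2025-04-12T10:01:09Z 10.0.0.15 POST https://api.telegram.org/bot123456789:EXAMPLE_SECRET/sendDocument 200 2345678 "Mozilla/4.0 (compatible)"
2025-04-12T10:02:30Z 10.0.0.22 GET https://web.telegram.org/ 200 1200 "Mozilla/5.0 Firefox/125"
2025-04-12T10:03:02Z 10.0.0.31 POST https://api.telegram.org/bot123456789:EXAMPLE_SECRET/sendMessage 200 340 "Mozilla/4.0 (compatible)"
"""

def detect_bot_api_exfil(log_text, min_upload_bytes=512 * 1024):
    """Return one alert dict per Telegram Bot API call seen in the log.
    File uploads of min_upload_bytes or more are 'high', smaller uploads
    'medium', and other calls (sendMessage beacons etc.) 'low'."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, src_ip, _http, url, _status, bytes_out, _ua = m.groups()
        api = BOT_API_RE.match(url)
        if not api:
            continue  # web.telegram.org and other hosts are ordinary user traffic
        method, size = api.group("method"), int(bytes_out)
        if method in UPLOAD_METHODS:
            severity = "high" if size >= min_upload_bytes else "medium"
        else:
            severity = "low"
        alerts.append({"ts": ts, "src_ip": src_ip, "bot_id": api.group("bot_id"),
                       "api_method": method, "bytes_out": size, "severity": severity})
    return alerts

def hosts_per_bot(alerts):
    """Group alerting hosts by bot id: one bot seen from many hosts points to one campaign."""
    groups = {}
    for a in alerts:
        groups.setdefault(a["bot_id"], set()).add(a["src_ip"])
    return groups
```

Organizations that run legitimate Telegram bot integrations should allow-list those bot ids before enabling this rule. The low-severity hits are mainly useful for pivoting to other hosts once an upload alert has fired.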