PupkinStealer Targets Web Browser Passwords and App Tokens to Steal Data via Telegram

The cybersecurity community is on high alert following the emergence of PupkinStealer, a newly discovered .NET-based infostealer that specializes in exfiltrating sensitive user data by abusing the Telegram platform.

First detected in April 2025, PupkinStealer (sometimes appearing as PlutoniumLoader.exe) follows a rapid, “smash-and-grab” methodology: it harvests browser credentials, app authentication tokens, desktop files, and a live screenshot from the compromised Windows machine, then dispatches the stolen archive to the attacker through Telegram’s Bot API over HTTPS.

Technical Profile

PupkinStealer is a 6.21 MB .NET Windows executable, typically delivered through phishing campaigns and trojanized downloads masquerading as legitimate or pirated software.

Upon execution, the malware runs its collection routines concurrently: it harvests credentials from Chromium-based browsers (Google Chrome, Edge, Opera, Brave, Vivaldi), clones Telegram Desktop sessions by copying the tdata folder, extracts Discord authentication tokens, grabs selected desktop documents, and captures a full-resolution screenshot of the active desktop.

This multi-threaded design ensures that the entire theft operation completes in seconds, significantly reducing the window for detection and response.

Unlike more complex malware, PupkinStealer does not establish persistence; it relies solely on being triggered by the user and then exits after collecting and exfiltrating data.

Its one evasion-adjacent step is forcible process termination: it kills running browser and Telegram Desktop processes to release the file locks on their credential databases and session folders, so those files can be copied and read.

Although initial static analysis suggested packing or obfuscation because of the executable’s high entropy, the entropy was traced to Costura.Fody, which embeds compressed dependency assemblies as resources, rather than to deliberate code protection.

PupkinStealer forgoes deeper anti-analysis or AV evasion measures, instead favoring speed and minimal system modification to avoid drawing attention.

Token Theft Mechanism

The stealer’s primary target is browser-stored credentials. It copies each browser’s “Login Data” SQLite database and “Local State” file, recovers the profile’s AES master key from “Local State” with the Windows Data Protection API (DPAPI, the same API the browser used to protect it, so no brute force is involved), decrypts every saved password with that key, and writes them out in plaintext; the same routine applies to all supported Chromium-based browsers.

For messaging platforms, the malware clones Telegram Desktop’s session files and sweeps Discord’s LevelDB store for authentication tokens. A copied session or token is already authenticated, so the attacker can hijack the account directly without knowing the password and without having to defeat MFA.

In parallel, the malware systematically scours the user’s Desktop for files with extensions likely to store personal or financial data, including .pdf, .txt, .sql, .jpg, and .png, while also capturing a one-time screenshot for contextual intelligence.

All harvested data is staged in a “Grabbers” working directory under the user’s %TEMP% path and then compressed into a ZIP archive named [Username]@ardent.zip; the “ardent” moniker attributes authorship to a Russian-speaking developer using the alias “Ardent.”

According to the Picus Security report, PupkinStealer’s exfiltration method is notable for its abuse of Telegram infrastructure.

The ZIP archive containing all stolen data is sent as a document via Telegram’s Bot API, using a hard-coded bot token and attacker-controlled chat ID.

The Telegram caption includes metadata such as the victim’s username, IP address, and details of the collected logs, so the operator can tie each archive to its victim.

Analysis of campaign telemetry links the Telegram bot handle “@botkanalchik_bot,” bot token 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM, and chat ID 7613862165 directly to the malware’s exfiltration backend.

This exfiltration approach, leveraging HTTPS traffic to api.telegram.org, enables the attacker to blend stolen data exfiltration with legitimate encrypted web traffic—a tactic increasingly common among malware authors seeking to evade network-based anomaly detection.
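A detection that turns the exfiltration pattern just described into code. This is an added example, not from the article or the Picus report; the log format, the process names and every line in SAMPLE_LOG are constructed, while the token and chat ID come from the article’s IoC table. Because the Bot API runs over HTTPS, the /bot<token>/sendDocument path is visible only at a TLS-inspecting proxy or in endpoint telemetry; on the wire the only signal is the SNI api.telegram.org.

```python
"""Flag Telegram Bot API exfiltration in egress telemetry.

Added example, not from the original article or the Picus report. It reads a
constructed log format, "<ts> <process> <http_method> <url>" per line, as an EDR
sensor or TLS-terminating proxy would record it. Without TLS inspection only the
SNI api.telegram.org is visible on the wire, so feed it proxy or endpoint logs.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Bot tokens look like "<numeric bot id>:<35 URL-safe characters>".
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<api_method>\w+)")
# Methods that push data off the host, as opposed to polling for commands.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}
# Token and chat ID published in the article's IoC table.
KNOWN_BAD_TOKENS = {"8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM"}
KNOWN_BAD_CHAT_IDS = {"7613862165"}

@dataclass
class Alert:
    ts: str
    process: str
    api_method: str
    token: str
    chat_id: str | None   # only present when passed in the query string
    severity: str
    reason: str

def parse_line(line: str) -> tuple[str, str, str, str, str | None] | None:
    """Return (ts, process, token, api_method, chat_id) for Bot API calls, else None."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, process, _http_method, url = parts
    m = BOT_API_RE.match(url)
    if m is None:
        return None
    chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return ts, process, m["token"], m["api_method"], chat_id

def classify(process: str, token: str, api_method: str, chat_id: str | None,
             allowed_processes: set[str]) -> tuple[str, str] | None:
    """Severity and reason, or None when nothing warrants an alert."""
    if token in KNOWN_BAD_TOKENS or chat_id in KNOWN_BAD_CHAT_IDS:
        return "critical", "token or chat_id matches the PupkinStealer IoC"
    if process in allowed_processes:
        return None  # sanctioned integration; still worth recording which token it uses
    if api_method in EXFIL_METHODS:
        return "high", f"unapproved process {process} uploading via {api_method}"
    return "medium", f"unapproved process {process} talking to the Bot API"

def scan(log_text: str, allowed_processes: set[str]) -> list[Alert]:
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, process, token, api_method, chat_id = parsed
        verdict = classify(process, token, api_method, chat_id, allowed_processes)
        if verdict is not None:
            alerts.append(Alert(ts, process, api_method, token, chat_id, *verdict))
    return alerts

# Constructed sample telemetry: one benign web client, the stealer's upload with the
# published token, a sanctioned alerting bot, and two unapproved bot clients.
SAMPLE_LOG = """\
2025-05-12T10:14:01Z chrome.exe GET https://web.telegram.org/a/
2025-05-12T10:14:07Z PlutoniumLoader.exe POST https://api.telegram.org/bot8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM/sendDocument?chat_id=7613862165
2025-05-12T10:20:33Z svc-alerts.exe POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage
2025-05-12T10:22:05Z unknown.exe POST https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendDocument
2025-05-12T10:25:00Z updater.exe GET https://api.telegram.org/bot1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/getUpdates
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, allowed_processes={"svc-alerts.exe"}):
        print(f"[{a.severity}] {a.ts} {a.process} {a.api_method} token={a.token} chat_id={a.chat_id}: {a.reason}")
```

Run it as a script to print the alerts for the sample; in production replace SAMPLE_LOG with proxy or EDR output in the same four fields and extend the allowlist with sanctioned integrations. Rather than blocking api.telegram.org outright, which breaks legitimate users, treat any sendDocument from a non-allowlisted process as an incident and pull the extracted token for hunting across the rest of the estate.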

PupkinStealer’s reliance on user execution and rapid, visible credential scraping provides multiple detection and prevention opportunities.

Security teams are urged to:

  • Harden endpoints using application allowlisting and restrict execution from user directories.
  • Monitor for anomalous process termination or unauthorized access to browser credential files.
  • Flag outbound communications to Telegram’s Bot API, especially requests to /bot<token>/sendDocument; the path is only visible at a TLS-inspecting proxy or in endpoint telemetry, since on the wire only the SNI api.telegram.org shows.
  • Deploy file and IOC-based detection for artifacts such as Grabbers folder structures and @ardent.zip files.
  • Instruct users to report sudden application crashes (the stealer kills browsers and Telegram Desktop to unlock their files) or unexpected ZIP files appearing on their systems.

If a PupkinStealer infection is suspected, immediate isolation, credential reset (including session invalidation for Telegram and Discord), forensic review, and user education are necessary to prevent further compromise.

Indicators of Compromise (IoC)

Type              | Value                                                                            | Description
SHA-256           | 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f                 | PupkinStealer malware sample
MD5               | fc99a7ef8d7a2028ce73bf42d3a95bce                                                 | PupkinStealer malware sample
File Name         | PupkinStealer.exe / PlutoniumLoader.exe                                          | Common malware binaries
File Artifact     | %TEMP%\Grabbers\*; %TEMP%\[username]@ardent.zip                                  | Staging directory and exfil archive filename signature
Network Indicator | api.telegram.org/bot8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM/sendDocument  | Malicious Telegram Bot API exfil endpoint
Chat ID           | 7613862165                                                                       | Telegram chat receiving exfiltrated data
String/Tag        | “Coded by Ardent”, “@botkanalchik_bot”                                           | Authorship and bot references in the malware


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
