PupkinStealer Malware Hijacks Browser Login Credentials from Windows Users

A newly identified information-stealer, dubbed PupkinStealer, has surfaced in April 2025, targeting Windows users with a focus on browser credentials, messaging sessions, desktop documents, and screenshots.

Written in C# on the .NET framework, PupkinStealer has drawn attention in the security community because it exfiltrates the stolen data through Telegram's Bot API, so the outbound traffic is ordinary HTTPS to api.telegram.org and blends in with legitimate use of the service.

Attack Mechanism and Cloud-Based Exfiltration Channel

PupkinStealer is typically delivered as an unsigned .NET executable requiring manual execution, often introduced via phishing emails, deceptive downloads, or lures sent over instant messaging.

According to the Cybersec Sentinel report, once launched it runs its data-harvesting routines asynchronously, collecting from several sources in parallel.

The malware recovers saved logins from Chromium-based browsers such as Chrome, Edge, Opera, and Vivaldi. It reads the browser's master key from the Local State file, unwraps it with Windows DPAPI (CryptUnprotectData) in the victim's own user context, and uses the result to decrypt the password entries stored in the browser's Login Data database.

Beyond browser data, PupkinStealer scours the user's desktop for documents with .pdf, .txt, .sql, .jpg, and .png extensions, captures a full-screen JPEG screenshot, and extracts Discord authentication tokens by reading them out of the client's LevelDB storage files.

It also hijacks Telegram sessions by exfiltrating the tdata folder, which holds an already-authorized Telegram Desktop session; loading it on the attacker's machine logs them in without the password or a second-factor prompt, allowing them to seize the victim's account.

For packaging, PupkinStealer uses the Costura.Fody library to embed its dependency assemblies as compressed resources inside the executable. This raises the file's entropy and defeats some static detection heuristics, although it is not obfuscation in the usual sense and the underlying .NET code remains recoverable.

All collected data is staged in the victim's %APPDATA%\Temp\[Username] directory, organized into subfolders according to data type (browser passwords, tokens, screenshots, and so on) before being zipped into a uniquely named archive following the format [Username]@ardent.zip.

The ZIP archive, along with metadata including the victim's IP address, username, and security identifier (SID), is exfiltrated via an HTTPS POST to the Bot API's sendDocument method using a hardcoded bot token and chat ID, with the metadata carried in the message caption.

Stealthy Threat Lacks Persistence

Despite the breadth of data it targets, PupkinStealer does not employ persistence or advanced anti-analysis techniques, so its operational window is limited to the single run the user triggers; it does not survive a reboot or re-launch itself.

However, its use of Telegram’s Bot API for exfiltration presents a challenge for defenders, as it circumvents conventional domain-based filtering and exploits Telegram’s legitimate cloud infrastructure.

Analysts attribute this malware to a developer identified as “Ardent,” based on embedded code strings and distinctive file-naming conventions.

Correction of previous analysis reveals that prior associations with the domain instance-i4zsy0relay[.]screenconnect.com are incorrect: this infrastructure pertains to unrelated ConnectWise ScreenConnect campaigns and not to PupkinStealer's operations.

The primary vector for PupkinStealer remains user execution, with no exploitation of system vulnerabilities involved.

Mitigation strategies should include robust user-awareness training to recognize phishing and suspicious attachments, enforcing two-factor authentication on messaging and admin accounts, and monitoring endpoint activity for anomalous ZIP creation in temporary directories.

Updated antivirus and EDR solutions with behavioral detection, alongside custom YARA rules tailored for this malware, are essential. Organizations are also advised to monitor for HTTPS connections to api.telegram.org, and in particular for Bot API calls of the form /bot[token]/sendDocument, originating from processes that have no business using the service.
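The following Python script is an added example of the detection logic the two preceding recommendations describe, covering both the staging layout and the Bot API exfiltration call reported above. It is not code from the article, from the Cybersec Sentinel report, or from the malware author. The events it processes are constructed to look like Sysmon EventID 3 (network connection), Sysmon EventID 11 (file create) and a web-proxy log line; the hosts, user names and file paths are made up, the bot token in the sample URL is a placeholder, and the allowlist of processes approved to use the Bot API (ops-alerts.exe) is a hypothetical placeholder for whatever integrations an environment actually runs.

```python
"""Detection sketch for PupkinStealer-style staging and Telegram Bot API exfiltration.

Added example; not code from the article, the Cybersec Sentinel report or the
malware author. All events below are constructed; the bot token is a placeholder.
"""
import re
from urllib.parse import parse_qs, urlsplit

TELEGRAM_API_HOST = "api.telegram.org"

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_API_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)
# Methods that move data out; sendDocument is the one the article reports.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Staging layout and archive name reported in the article, under %APPDATA%\Temp\<user>.
STAGING_PATH = re.compile(r"\\Temp\\[^\\]+\\(Grabbers|DesktopFiles)(\\|$)", re.IGNORECASE)
ARCHIVE_PATH = re.compile(r"\\Temp\\[^\\]+@ardent\.zip$", re.IGNORECASE)

# Assumption (hypothetical name): processes approved to use the Bot API in this
# environment. Note that Telegram Desktop itself speaks MTProto to Telegram's
# data centres rather than calling api.telegram.org, so it does not belong here.
BOT_API_ALLOWLIST = {"ops-alerts.exe"}


def image_name(path):
    """Basename of a process image path, lower-cased, e.g. 'invoice.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_bot_api_url(url):
    """Return (bot_id, method, chat_id) for a Telegram Bot API URL, else None.

    The secret half of the token is matched but never returned, so it is not
    copied into alerts or tickets.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != TELEGRAM_API_HOST:
        return None
    m = BOT_API_PATH.match(parts.path)
    if m is None:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return m.group("bot_id"), m.group("method"), chat_id


def is_staging_artifact(path):
    """True for files inside the stealer's staging folders or its output archive."""
    return bool(STAGING_PATH.search(path) or ARCHIVE_PATH.search(path))


def scan(events):
    """Run the three checks over a list of event dicts and return alert strings."""
    alerts = []
    for ev in events:
        proc = image_name(ev["image"])
        if ev["source"] == "proxy":
            hit = parse_bot_api_url(ev["url"])
            if hit and hit[1] in EXFIL_METHODS and proc not in BOT_API_ALLOWLIST:
                bot_id, method, chat_id = hit
                alerts.append(
                    f"bot_api_exfil proc={proc} method={method} bot={bot_id} chat={chat_id}"
                )
        elif ev["source"] == "sysmon3":
            if ev["dest_host"].lower() == TELEGRAM_API_HOST and proc not in BOT_API_ALLOWLIST:
                alerts.append(f"telegram_api_connection proc={proc}")
        elif ev["source"] == "sysmon11":
            if is_staging_artifact(ev["target"]):
                alerts.append(f"stealer_staging proc={proc} file={ev['target']}")
    return alerts


# Constructed sample events. The bot token in the proxy URL is a placeholder.
SAMPLE_EVENTS = [
    {"source": "sysmon3", "image": r"C:\Tools\ops-alerts.exe",
     "dest_host": "api.telegram.org"},
    {"source": "sysmon3", "image": r"C:\Users\alice\Downloads\Invoice.exe",
     "dest_host": "api.telegram.org"},
    {"source": "sysmon11", "image": r"C:\Users\alice\Downloads\Invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Temp\alice\Grabbers\Browser\passwords.txt"},
    {"source": "sysmon11", "image": r"C:\Users\alice\Downloads\Invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Temp\alice@ardent.zip"},
    {"source": "sysmon11", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
    {"source": "proxy", "image": r"C:\Users\alice\Downloads\Invoice.exe",
     "url": "https://api.telegram.org/bot123456789:AAEplaceholderTOKENxxxxxxxxxxxx"
            "/sendDocument?chat_id=7613862165&caption=alice"},
    {"source": "proxy", "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "url": "https://web.telegram.org/k/"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run as-is it prints four alerts: the unexpected connection to api.telegram.org from Invoice.exe, the two staging files under %APPDATA%\Temp\alice, and the sendDocument call, with the bot ID and chat ID but not the token secret. In a real deployment, Sysmon EventID 3 often records a CDN address rather than the hostname for HTTPS traffic, so pair the network check with DNS query events (Sysmon EventID 22) or with the proxy log, which also carries the URL path needed to see the Bot API method.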

While PupkinStealer’s lack of persistence and requirement for manual execution reduce its long-term foothold, its adept use of Telegram for exfiltration and focused credential theft can result in serious breaches, session hijacking, and reputational damage for both individuals and enterprises.

This case also underscores the importance of validating threat intelligence to prevent attribution errors.

Indicators of Compromise (IoCs)

Type: Value

MD5: fc99a7ef8d7a2028ce73bf42d3a95bce
SHA-256: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
URL: https[:]//api[.]telegram[.]org/bot[BotToken]/sendDocument?chat_id=7613862165&caption
Bot Token: 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM
File Paths:
%APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt
%APPDATA%\Temp\[Username]\Grabbers\TelegramSession*
%APPDATA%\Temp\[Username]\Grabbers\Discord\Tokens.txt
%APPDATA%\Temp\[Username]\Grabbers\Screenshot\Screen.jpg
%APPDATA%\Temp\[Username]\DesktopFiles*
%APPDATA%\Temp\[Username]@ardent.zip

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.