PupkinStealer Malware Hits Windows to Grab Logins, Files
A newly identified malware dubbed PupkinStealer is targeting Windows systems to harvest sensitive user data, cybersecurity researchers say. First detected in April 2025, the .NET-based malware, written in C#, focuses on stealing browser credentials, messaging app sessions, and desktop files. It exfiltrates data through Telegram’s Bot API, a tactic increasingly used by threat actors to conceal malicious activity within legitimate traffic.
PupkinStealer operates as a lightweight 32-bit executable, just over 6 MB in size, and lacks sophisticated evasion techniques. Instead, it compresses stolen data into a ZIP archive, along with system metadata such as the public IP address and user identifiers, and sends it via a crafted Telegram URL.
Researchers attribute the malware to a developer using the alias “Ardent,” with clues suggesting Russian origins. Though technically simple, PupkinStealer’s effective use of common platforms and tools signals a trend toward accessible, high-impact threats. Experts recommend stronger endpoint defenses and multi-factor authentication to mitigate risks.
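The exfiltration path described above gives defenders a network signal: Telegram Bot API requests from processes that have no reason to make them. The following is an added example, not taken from the article or the researchers' report, that scans constructed proxy-log lines for such calls. The log format, the allowlisted process name, and the list of upload methods are assumptions, and seeing the URL path assumes a TLS-inspecting proxy.

```python
import re
from urllib.parse import urlsplit

# Bot API calls look like https://api.telegram.org/bot<token>/<method>
BOT_CALL = re.compile(r"^/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)$")
# Assumption: upload-capable methods; the article does not name the one used.
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendmediagroup"}
# Assumption: hypothetical internal tools approved to call the Bot API.
ALLOWED_PROCESSES = {"alertbot.exe"}

# Constructed sample lines: timestamp host process verb url bytes_sent
SAMPLE_LOG = """\
2025-04-20T10:01:02Z WS-014 chrome.exe GET https://example.com/index.html 512
2025-04-20T10:03:40Z WS-014 unknown.exe POST https://api.telegram.org/bot1111111111:CONSTRUCTED_TOKEN_FOR_EXAMPLE/sendDocument?chat_id=1 6200000
2025-04-20T10:05:00Z SRV-02 alertbot.exe POST https://api.telegram.org/bot2222222222:CONSTRUCTED_TOKEN_FOR_EXAMPLE/sendMessage 300
2025-04-20T10:06:00Z WS-020 updater.exe POST https://api.telegram.org/bot3333333333:CONSTRUCTED_TOKEN_FOR_EXAMPLE/sendMessage 200
"""

def find_bot_api_traffic(log_text, allowed=ALLOWED_PROCESSES):
    """Return one finding per unapproved Bot API call, with the token redacted."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip malformed lines rather than crash
        ts, host, process, _verb, url, sent = fields
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != "api.telegram.org":
            continue
        match = BOT_CALL.match(parts.path)
        if not match or process.lower() in allowed:
            continue
        method = match["method"].lower()  # Bot API method names are case-insensitive
        findings.append({
            "time": ts,
            "host": host,
            "process": process,
            "bot_id": match["bot_id"],  # numeric id only; secret part dropped
            "method": method,
            "bytes_sent": int(sent),
            "severity": "high" if method in UPLOAD_METHODS else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_traffic(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection only the hostname is visible, so the same allowlist logic would have to key on connections to api.telegram.org alone.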
