PupkinStealer Malware Loots Logins, Sends Data via Telegram

A new information-stealing malware written in .NET, dubbed PupkinStealer, has emerged, targeting browser credentials and user data with exfiltration conducted via Telegram, cybersecurity firm CYFIRMA said. Detected in April 2025, the malware is attributed to a developer using the alias “Ardent” and reflects a growing trend of threat actors abusing legitimate platforms for command-and-control operations.

PupkinStealer extracts passwords from Chromium-based browsers, scans desktops for sensitive files, hijacks session data from Telegram and Discord, and captures screenshots. The collected data is bundled into a ZIP archive, tagged with user metadata, and sent to a Telegram bot using the Bot API.

The malware lacks sophisticated evasion techniques, relying instead on speed and simplicity. It uses embedded .NET libraries and the Costura framework to remain compact. CYFIRMA noted Russian-language indicators in the Telegram metadata, suggesting a possible regional origin. The tool underscores the rising accessibility of infostealers available through malware-as-a-service models.
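The Bot API exfiltration described above can be surfaced in network telemetry. The following is an added example, not code from CYFIRMA's report or from the malware. It assumes a log source that records the full request URL (a TLS-inspecting proxy or EDR); the log format, host names, process names and allow-list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Bot API requests have the form https://api.telegram.org/bot<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")
# Bot API methods that upload a file; an archive would travel via sendDocument
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendmediagroup"}
# Assumption: the only process expected to call the Bot API in this environment
ALLOWED_PROCESSES = {"alertbot.exe"}

# Constructed sample lines: time host process verb url bytes_out
SAMPLE_LOG = """\
2025-04-22T10:01:03Z WS-014 chrome.exe GET https://web.telegram.org/a/ 512
2025-04-22T10:02:41Z SRV-02 alertbot.exe POST https://api.telegram.org/bot000000:CONSTRUCTED/sendMessage 310
2025-04-22T10:05:17Z WS-022 invoice_viewer.exe POST https://api.telegram.org/bot111111:CONSTRUCTED/sendDocument?chat_id=1 4812033
2025-04-22T10:05:18Z WS-022 invoice_viewer.exe GET https://example.com/ 200
"""

def find_bot_api_uploads(log_text, allowed=ALLOWED_PROCESSES):
    """Return one finding per Bot API call made by a non-allow-listed process."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip malformed lines
        ts, host, process, _verb, url, sent = parts
        target = urlsplit(url)
        if (target.hostname or "").lower() != "api.telegram.org":
            continue  # ordinary Telegram web traffic is not the Bot API
        match = BOT_PATH.match(target.path)
        if not match or process.lower() in allowed:
            continue
        method = match.group("method")
        findings.append({
            "time": ts, "host": host, "process": process,
            # keep the numeric bot id for pivoting, drop the secret part
            "bot_id": match.group("token").split(":")[0],
            "method": method,
            "bytes_out": int(sent),
            # file uploads are the exfiltration step; other calls rate lower
            "severity": "high" if method.lower() in UPLOAD_METHODS else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_uploads(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection only the `api.telegram.org` hostname is visible, so the same rule degrades to flagging any unexpected process that connects to that host.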
