
CYFIRMA researchers have revealed a new .NET-based information stealer called PupkinStealer, a lightweight but highly targeted malware that harvests browser credentials, messaging session data, and sensitive desktop files before quietly transmitting them via the Telegram Bot API. First observed in April 2025, this malware reflects a growing trend in the use of legitimate cloud services for malicious exfiltration.
Unlike bulkier stealers that gather every bit of data they can find, PupkinStealer maintains a clear focus—stealing:
- Browser passwords from Chromium-based browsers (Chrome, Edge, Opera, Vivaldi)
- Session files from Telegram and Discord
- Common file formats from the victim’s desktop (.pdf, .txt, .jpg, etc.)
- A screenshot of the desktop
These items are archived, tagged with system metadata (like username and IP), and sent directly to an attacker-controlled Telegram bot.
“All collected data is then compressed into a ZIP archive and exfiltrated to a remote server via the Telegram Bot API, minimizing traceability and enhancing stealth,” CYFIRMA reports.
PupkinStealer’s theft of session data, which lets an attacker log in without ever needing the victim’s login credentials, is particularly concerning. It targets:
- Telegram’s tdata folder: allowing attackers to fully restore the session without needing user credentials.
- Discord’s leveldb storage: extracting OAuth, MFA, and session tokens using regex patterns.
“By stealing the entire tdata directory, the malware enables an attacker to potentially restore the victim’s Telegram session on another system, gaining full access,” CYFIRMA warns.
The malware uses two key components:
- FunctionsForStealer: to extract browser-specific encrypted keys from the Local State file.
- FunctionsForDecrypt: to decrypt saved passwords using AES-GCM.
“These decryption keys are then used to access and decrypt the stored passwords from the browser’s Login Data SQLite database,” the report notes.
Each major Chromium browser is handled individually with tailored methods like GetKeyChrome() or GetKeyVivaldi().
PupkinStealer silently:
- Captures the victim’s primary screen at 1920×1080 resolution.
- Scans the desktop for high-value files like .sql, .jpg, .png, etc.
- Avoids alerting the user by suppressing error messages during file collection.
Once all data is collected, PupkinStealer:
- Compresses it into a ZIP archive named [Username]@ardent.zip.
- Embeds metadata in the archive comment section (e.g., victim’s IP, SID).
- Sends it using a custom Telegram Bot URL.
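The packaging and exfiltration steps above leave two things a defender can look for: a ZIP whose name follows the `[Username]@ardent.zip` pattern and carries victim metadata in its comment field, and an upload to the Telegram Bot API from a process that has no business talking to it. The following Python triage helper, added here as an illustration and not code from CYFIRMA or the malware, checks both. The proxy log format, the `update.exe` process name, the bot token, and the `IP=...;SID=...` comment layout are all constructed for the example; the real archive comment format is not documented on this page.

```python
"""Defender-side triage for the PupkinStealer exfiltration pattern.

Added example (not CYFIRMA's analysis code and not the malware's). It assumes
a constructed proxy log format of "<time> <process> <method> <url> <bytes>"
and a ZIP comment that embeds an IP address and a Windows SID.
"""
import io
import re
import zipfile

# Telegram Bot API uploads look like https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

# Archive naming reported for PupkinStealer: [Username]@ardent.zip
ARDENT_ZIP_RE = re.compile(r"^(?P<user>[^@/\\]+)@ardent\.zip$", re.IGNORECASE)
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample proxy log lines (not real traffic). The bot token is fake.
SAMPLE_PROXY_LOG = """\
2025-04-12T10:01:02Z chrome.exe GET https://www.example.com/ 1234
2025-04-12T10:02:17Z update.exe POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument 48213
2025-04-12T10:03:40Z Telegram.exe POST https://149.154.167.51/api 512
"""


def find_telegram_bot_uploads(log_text):
    """Return proxy log entries that upload through the Telegram Bot API.

    Only the numeric bot ID (the part before the colon) is kept in the alert,
    which is enough to block or hunt on without copying the full token around.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, proc, _method, url, size = parts[:5]
        m = TELEGRAM_BOT_RE.search(url)
        if m and m.group("method") in UPLOAD_METHODS:
            hits.append({
                "time": ts,
                "process": proc,
                "api_method": m.group("method"),
                "bot_id": m.group("token").split(":")[0],
                "bytes": int(size),
            })
    return hits


def build_sample_archive(username="alice"):
    """Construct an in-memory ZIP shaped like the reported loot archive.

    The comment layout (IP=...;SID=...) is an assumption for the example.
    """
    comment = "IP=203.0.113.7;SID=S-1-5-21-1111111111-2222222222-3333333333-1001"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Screenshot.png", b"\x89PNG constructed placeholder")
        zf.writestr("Desktop/notes.txt", b"constructed sample content")
        zf.comment = comment.encode("utf-8")  # written to the end-of-central-directory record
    return f"{username}@ardent.zip", buf.getvalue()


def triage_archive(filename, data):
    """Flag a ZIP whose name matches the stealer's pattern and whose comment
    carries victim metadata (IP address, SID); also list the packed entries."""
    result = {"name_matches": bool(ARDENT_ZIP_RE.match(filename)),
              "ips": [], "sids": [], "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comment = zf.comment.decode("utf-8", "replace")
        result["ips"] = IPV4_RE.findall(comment)
        result["sids"] = SID_RE.findall(comment)
        result["entries"] = zf.namelist()
    result["suspicious"] = result["name_matches"] and bool(result["ips"] or result["sids"])
    return result


if __name__ == "__main__":
    for hit in find_telegram_bot_uploads(SAMPLE_PROXY_LOG):
        print("Telegram Bot API upload:", hit)
    name, blob = build_sample_archive()
    print(name, triage_archive(name, blob))
```

In practice the log parser would be pointed at real proxy or EDR network telemetry, and the archive check at files recovered from a quarantined host or from a proxy's captured request bodies; the process name is the useful pivot, since legitimate Telegram clients do not call the Bot API `sendDocument` method from an arbitrary binary.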
Telegram usage for exfiltration has grown popular due to its encryption, reliability, and anonymity—benefits that threat actors are now fully exploiting.
The malware author is believed to use the alias Ardent, as embedded strings suggest. The Telegram bot used, botkanalchik_bot, appears to have Russian origins, referencing “канал” (channel).