A new and highly aggressive information-stealing malware called “PupkinStealer” has surfaced, posing a serious threat to Windows users since its discovery in April 2025. This .NET-based malware operates with rapid precision, quickly extracting stored credentials from web browsers and authentication tokens from widely used messaging apps before vanishing without a trace.
Unlike many persistent malware strains, PupkinStealer completes its malicious activity within seconds, emphasizing swift data theft without creating any persistent presence on the infected system. It primarily targets sensitive information from Chromium-based browsers, including Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.
Once gathered, the stolen data is compressed into an archive and covertly transmitted to the attackers using Telegram’s Bot API. Because the channel is Telegram’s own service, the attackers receive the stolen information instantly while the traffic blends in with legitimate use of a popular application, evading conventional network detection methods. Indicators suggest that Russian-speaking cybercrime groups are behind PupkinStealer, as evidenced by the Russian name of the Telegram bot used for data transfer and embedded code references to “Coded by Ardent,” a recognized alias within Russian cybercriminal circles.
The malware’s design closely mirrors the open-source StormKitty stealer, indicating that its creators likely built upon or drew inspiration from established information stealer frameworks. Picus Security researchers, who discovered PupkinStealer by analyzing its distinctive exfiltration patterns and code architecture, observed that the malware does not employ advanced anti-analysis techniques. Nevertheless, its rapid execution and low-profile activity during its short operational period allow it to avoid detection.
Telegram-Based Exfiltration: A Covert Channel
What sets PupkinStealer apart from traditional info-stealers is its remarkably efficient data exfiltration technique using Telegram’s Bot API. Rather than depending on dedicated command-and-control (C2) servers, the malware embeds a Telegram bot token and chat ID directly within its binary. Once it collects victim data, the malware sends an HTTP POST request to Telegram’s API endpoint to transmit the stolen information.
The exfiltration process involves compressing all stolen data into a ZIP archive, typically named [Username]@ardent.zip, within the victim’s temporary directory. It then sends this archive through a request to the Telegram API: https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<CHAT_ID>&caption=<CAPTION>.
This approach offers significant advantages to attackers:
- Anonymity: By utilizing Telegram’s legitimate infrastructure, attackers remain anonymous and avoid the need for malicious servers.
- Encryption: The communication is encrypted via standard HTTPS traffic on port 443, blending with normal web traffic and bypassing many traditional network security controls.
- Real-time Notifications: Attackers receive immediate notifications with organized victim data directly within their Telegram app.
Beyond stealing web browser credentials, PupkinStealer’s data collection process aggressively targets additional sensitive information. Specifically, when it detects Telegram Desktop, the malware forcibly closes the application and copies the entire “tdata” folder, which holds the session data. Because that session is already authenticated, importing it onto another device lets the attackers bypass multi-factor authentication (MFA) and login notifications entirely and take over the victim’s account.
Defending Against PupkinStealer
For defenders, identifying PupkinStealer involves monitoring for specific indicators of compromise (IoCs):
- File Hash: The distinctive SHA-256 hash 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f.
- Directory Creation: The creation of specific directories under %TEMP% containing stolen data.
- Network Connections: Connections to api.telegram.org that include the exfiltration bot’s token and chat ID.
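The following script is an added example for defenders, not code from the article or from Picus Security. It turns the IoCs listed above and the Telegram exfiltration URL shape described earlier (https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<CHAT_ID>&caption=<CAPTION>) into three checks a SOC could run: a hash comparison against the published SHA-256, a path check for the [Username]@ardent.zip staging archive under a Temp directory, and a scan of proxy/URL log lines for Telegram Bot API calls. The log lines, bot tokens and chat IDs in the script are constructed for the example; the bot-token layout of digits, a colon and an alphanumeric string is the standard Telegram format.

```python
import hashlib
import re
from urllib.parse import parse_qs

# IoC from the article: SHA-256 of the PupkinStealer sample.
PUPKIN_SHA256 = "9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f"

# Telegram Bot API call shape described in the article:
#   https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<CHAT_ID>&caption=<CAPTION>
# Bot tokens are "<digits>:<alphanumeric>" (standard Telegram format).
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?",
    re.IGNORECASE,
)

# Staging archive named [Username]@ardent.zip inside a Temp directory (per the article).
ARDENT_ARCHIVE = re.compile(r"[\\/]temp[\\/][^\\/]+@ardent\.zip$", re.IGNORECASE)


def hash_matches_ioc(sha256_hex: str) -> bool:
    """Case-insensitive comparison of a SHA-256 digest against the published IoC."""
    return sha256_hex.strip().lower() == PUPKIN_SHA256


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pupkin_archive_path(path: str) -> bool:
    """True when a file path matches the %TEMP%\\<user>@ardent.zip staging pattern."""
    return ARDENT_ARCHIVE.search(path) is not None


def scan_proxy_log(lines):
    """Flag Telegram Bot API calls in proxy/URL logs.

    Every bot-token URL is reported, since bot traffic rarely belongs in user
    browsing; sendDocument with a chat_id is rated high because that is the
    call PupkinStealer uses to deliver the ZIP archive.
    """
    findings = []
    for line in lines:
        m = TELEGRAM_BOT_CALL.search(line)
        if not m:
            continue
        query = parse_qs(m.group("query") or "")
        method = m.group("method")
        chat_id = query.get("chat_id", [None])[0]
        severity = "high" if method.lower() == "senddocument" and chat_id else "medium"
        findings.append({
            "line": line,
            "bot_token": m.group("token"),
            "method": method,
            "chat_id": chat_id,
            "severity": severity,
        })
    return findings


# Constructed sample proxy log lines: one benign request, one exfiltration-shaped
# sendDocument call, one other bot API call. Tokens and chat IDs are placeholders.
SAMPLE_LOG = [
    "2025-04-20T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-04-20T10:01:07Z 10.0.0.5 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_one"
    "/sendDocument?chat_id=987654321&caption=alice%40ardent 200",
    "2025-04-20T10:02:11Z 10.0.0.9 GET https://api.telegram.org/bot555555555:CONSTRUCTED_TOKEN_two"
    "/getUpdates 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['method']} chat_id={f['chat_id']} token={f['bot_token']}")
    print(is_pupkin_archive_path(r"C:\Users\alice\AppData\Local\Temp\alice@ardent.zip"))
```

In practice the bot token and chat ID extracted from a high-severity hit are the values to block at the proxy and to pivot on across other hosts: every infected machine talking to the same bot carries the same pair. The hash check catches only this exact sample, so the path and network checks are the ones that survive recompilation.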
Organizations must strengthen their defenses by deploying endpoint protection solutions featuring advanced behavioral detection capabilities. Continuous monitoring for unusual process termination patterns, especially those affecting web browsers and widely used messaging apps, is essential. Providing Security Operations Center (SOC) teams with comprehensive threat analysis tools will also accelerate response times to swiftly evolving threats.