Insights, news, education and announcements from PolySwarm

PupkinStealer Leverages Telegram for Data Exfiltration

Written by The Hivemind | May 16, 2025 6:16:41 PM

Verticals Targeted: E-commerce
Regions Targeted: Not specified
Related Families: None identified

Executive Summary

PupkinStealer, a .NET-based infostealer written in C#, targets sensitive data such as browser credentials and desktop files, exfiltrating it via Telegram’s Bot API. First observed in April 2025, its simplicity and reliance on legitimate platforms make it a notable threat.

Key Takeaways

  • PupkinStealer was developed in C# using the .NET framework and is a lightweight 32-bit executable with a file size of 6.21 MB.
  • It leverages Telegram’s Bot API for command-and-control and data exfiltration, targeting browser credentials, messaging app sessions, and desktop files.
  • The malware lacks advanced anti-analysis or persistence mechanisms, relying on straightforward execution to evade detection.
  • PupkinStealer has been attributed to a developer named “Ardent,” with potential Russian origins based on Telegram metadata.

What is PupkinStealer?

PupkinStealer is a new infostealer crafted in C# on the .NET framework. This lightweight yet effective 32-bit executable, with a file size of 6.21 MB, targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots. Unlike more complex malware, PupkinStealer prioritizes simplicity, forgoing advanced anti-analysis or persistence mechanisms to maintain a low profile. Its reliance on Telegram’s Bot API for command-and-control (C2) and data exfiltration follows the growing trend of exploiting legitimate platforms for malicious purposes. CYFIRMA reported on PupkinStealer. 

PupkinStealer operates as a straightforward infostealer, distinguishing itself from more indiscriminate malware by targeting a curated set of data. Written in C# and compiled with AnyCPU architecture, it is compatible with both x86 and x64 environments. The malware uses the Costura library to embed compressed DLLs, resulting in a high entropy value in its .text section, despite lacking traditional packing. Upon execution, the .NET runtime initializes the Common Language Runtime (CLR) and invokes the Main() method, which orchestrates asynchronous tasks for data harvesting.

PupkinStealer captures sensitive information, including the following:

  • Browser Credentials: Extracts saved passwords, cookies, and autofill data from web browsers.
  • Messaging App Sessions: Targets session data from platforms like Telegram and Discord.
  • Desktop Files: Collects files with specific extensions.
  • Screenshots: Captures a 1920×1080 .jpg screenshot of the victim’s desktop.

All stolen data is compressed into a ZIP archive, enriched with metadata such as the victim’s username, public IP address, and Windows Security Identifier (SID). The archive is exfiltrated to a Telegram bot via a crafted API URL. The bot receives the ZIP file with captions detailing victim information, including module success flags, enhancing the attacker’s ability to process stolen data efficiently.

CYFIRMA attributes PupkinStealer to a developer known as “Ardent,” based on embedded code strings. Russian-language text in the Telegram bot’s metadata, including the term “kanal” (Russian for “channel”), suggests a possible Russian origin, though no definitive geographic targeting is confirmed. The malware’s simplicity and lack of sophisticated defenses indicate it is designed for less-sophisticated threat actors, likely distributed through malware-as-a-service (MaaS) models. This accessibility enables rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.

PupkinStealer’s use of Telegram for C2 aligns with a broader trend of cybercriminals leveraging legitimate platforms to blend malicious traffic with benign activity, complicating detection efforts. Its focus on e-commerce related data, such as browser credentials and financial platform sessions, poses significant risks to online retailers and their customers. The absence of persistence mechanisms suggests a hit-and-run approach, prioritizing rapid data theft over long-term system compromise. This strategy reduces the malware’s footprint, making it challenging for traditional security solutions to detect during its brief operational window.

PupkinStealer exemplifies the evolving landscape of infostealer, combining simplicity with effective data exfiltration via Telegram. Its lightweight design and reliance on legitimate platforms make it a stealthy threat, particularly for e-commerce entities. PolySwarm analysts consider PupkinStealer to be an emerging threat.  

IOCs

PolySwarm has a sample of PupkinStealer.

 

9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f

 

You can use the following CLI command to search for all PupkinStealer samples in our portal:

$ polyswarm link list -f PupkinStealer

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post