PupkinStealer .NET Infostealer Using Telegram for Data Theft
May 22, 2025, 2:59 p.m.
Description
PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. The malware performs minimal system discovery, collects files from the desktop, and captures a screenshot. It packages stolen data into a ZIP archive and sends it to the attacker through Telegram's Bot API. PupkinStealer doesn't employ persistence mechanisms, relying on quick execution and low-profile behavior. Its primary evasion technique is leveraging legitimate Telegram infrastructure for communication.
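A defender-side check for the exfiltration channel described above, added here as an example and not taken from the original report: it scans web-proxy records for Telegram Bot API calls made by processes outside an allowlist and rates file uploads highest. The log format, the sample records and tokens, and the `alertbot.exe` allowlist entry are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Bot API requests look like https://api.telegram.org/bot<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)$")
# Hypothetical allowlist: sanctioned automation that may call the Bot API.
ALLOWED_IMAGES = {"alertbot.exe"}
# Bot API methods that carry a file upload (a ZIP archive goes out as a document).
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendmediagroup"}

# Constructed sample records: timestamp, process image, HTTP verb, URL, bytes sent.
SAMPLE_LOG = r"""
2025-05-22T13:01:10Z C:\Program Files\Google\Chrome\Application\chrome.exe GET https://web.telegram.org/a/ 512
2025-05-22T13:02:44Z C:\Users\alice\Downloads\invoice.exe POST https://api.telegram.org/bot123456789:AAConstructedTokenOne/sendDocument 2480133
2025-05-22T13:03:02Z C:\Tools\alertbot.exe POST https://api.telegram.org/bot222222222:AAConstructedTokenTwo/sendMessage 240
2025-05-22T13:04:15Z C:\Users\bob\AppData\Local\Temp\notify.exe POST https://api.telegram.org/bot333333333:AAConstructedTokenThree/sendMessage 180
"""

def find_bot_api_calls(log_text):
    """Return Bot API requests made by processes that are not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # Image paths may contain spaces, so peel fields off both ends.
        ts, rest = line.split(" ", 1)
        image, verb, url, sent = rest.rsplit(" ", 3)
        parts = urlsplit(url)
        match = BOT_PATH.match(parts.path)
        if (parts.hostname or "").lower() != "api.telegram.org" or not match:
            continue
        if image.rsplit("\\", 1)[-1].lower() in ALLOWED_IMAGES:
            continue
        upload = verb == "POST" and match["method"].lower() in UPLOAD_METHODS
        findings.append({
            "time": ts,
            "image": image,
            "method": match["method"],
            "bot_id": match["token"].split(":")[0],  # keep the id, drop the secret
            "bytes_sent": int(sent),
            "severity": "high" if upload else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_calls(SAMPLE_LOG):
        print(finding)
```

The URL path is only visible where TLS is inspected; without inspection, only connections to the `api.telegram.org` hostname can be matched.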
Date
- Created: May 22, 2025, 1:09 p.m.
- Published: May 22, 2025, 1:09 p.m.
- Modified: May 22, 2025, 2:59 p.m.
Indicators
- 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f