Cybercriminals Are Turning Telegram Into a Weapon with the Rise of PupkinStealer
In April 2025, a new and sophisticated piece of malware named PupkinStealer emerged, setting off alarms in cybersecurity circles due to its targeted attacks on Windows systems. What makes this threat particularly concerning is its stealthy use of Telegram's Bot API to exfiltrate stolen data, a method that cleverly bypasses traditional security filters by exploiting a trusted platform.
Written in C# and running on the .NET framework, PupkinStealer doesn't rely on persistent infection or sophisticated evasion tactics. Instead, it uses simple yet effective techniques to steal sensitive user data in a single burst of activity. It is primarily distributed through phishing emails, deceptive downloads, and malicious instant messages, and requires manual execution by the victim.
Once activated, the malware silently collects credentials from Chromium-based browsers, seizes Discord and Telegram sessions, harvests documents from the desktop, and takes full-screen screenshots. All of this stolen data is bundled into a ZIP archive and discreetly sent to attackers via Telegram, avoiding detection from most corporate firewalls and antivirus tools.
Everything You Need to Know About PupkinStealer (30-line Digest)
Name: PupkinStealer
Discovered: April 2025
Target OS: Windows
Written In: C# with .NET Framework
Main Focus: Credential theft and session hijacking
Exfiltration Method: Telegram Bot API via HTTPS POST
Distribution Vectors: Phishing emails, IM lures, deceptive downloads
Execution Type: Manual launch required
Persistence: None; operates during a single user session
What It Steals:
Browser credentials (Chrome, Edge, Opera, Vivaldi)
Discord tokens via LevelDB extraction
Telegram sessions via `tdata` folder
Desktop documents (.pdf, .txt, .sql, .jpg, .png)
Full-screen screenshots
Technical Tactics:
Uses Windows DPAPI to decrypt browser login data
Employs `Costura.Fody` for code obfuscation and embedding libraries
Packages data into `[Username]@ardent.zip` before exfiltration
Sends data to Telegram using a hardcoded bot token
Storage Paths Before Exfiltration:
`%APPDATA%\Temp\[Username]\Grabbers\Browser\passwords.txt`
`%APPDATA%\Temp\[Username]\Grabbers\Discord\Tokens.txt`
`%APPDATA%\Temp\[Username]\Grabbers\Screenshot\Screen.jpg`
`%APPDATA%\Temp\[Username]\Grabbers\Telegram\Session`
`%APPDATA%\Temp\[Username]\DesktopFiles`
Notable Observations:
No advanced anti-analysis or sandbox evasion methods
Telegram infrastructure makes blocking and tracing more difficult
No use of known vulnerabilities; entirely dependent on user interaction
Attribution linked to an actor using the alias Ardent
Recommended Defensive Actions:
Employee training against phishing
Enforce two-factor authentication on comms platforms
Monitor ZIP activity in temp directories
Create YARA rules and monitor for Telegram API traffic
Keep EDR and antivirus tools updated
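As an added example (not code from the article or from the analysts it cites), the following Python sketches two of the monitoring recommendations above: it scans constructed proxy log lines for POSTs to Telegram Bot API upload methods, and checks whether a file path matches the `[Username]@ardent.zip` staging pattern under a Temp folder. The log format, client IPs and bot tokens are constructed placeholders, not observed indicators.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample proxy log (not from the article). Field layout:
# "<timestamp> <client_ip> <verb> <url> <status> <bytes_out>".
# The bot tokens below are obviously fake placeholders.
SAMPLE_PROXY_LOG = """\
2025-04-14T10:02:11Z 10.0.0.21 GET https://www.example.com/ 200 512
2025-04-14T10:03:40Z 10.0.0.21 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN_A/sendDocument 200 184320
2025-04-14T10:05:02Z 10.0.0.33 GET https://api.telegram.org/bot987654321:PLACEHOLDER_TOKEN_B/getUpdates 200 220
2025-04-14T10:06:15Z 10.0.0.21 POST https://cdn.example.net/upload 200 9000
"""

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_URL = re.compile(r"^https://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# Methods that push a file or text out of the environment; polling calls such as
# getUpdates are not flagged on their own.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}

@dataclass(frozen=True)
class Alert:
    client: str
    bot_id: str      # numeric bot id only; the secret part of the token is never copied
    api_method: str
    bytes_out: int

def scan_proxy_log(log_text: str) -> list[Alert]:
    """Flag POSTs to Telegram Bot API upload methods, keeping the token secret out of alerts."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _ts, client, verb, url, _status, size = fields
        match = BOT_URL.match(url)
        if verb == "POST" and match and match.group(2) in UPLOAD_METHODS:
            alerts.append(Alert(client, match.group(1), match.group(2), int(size)))
    return alerts

# The article gives the staging archive name as [Username]@ardent.zip under a Temp folder.
ARCHIVE_NAME = re.compile(r"^[^\\/]+@ardent\.zip$", re.IGNORECASE)

def is_staged_archive(path: str) -> bool:
    """True for a ZIP whose name matches the PupkinStealer pattern inside a Temp directory."""
    p = PureWindowsPath(path)
    in_temp = any(part.lower() == "temp" for part in p.parts[:-1])
    return in_temp and ARCHIVE_NAME.match(p.name) is not None

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"ALERT {a.client} -> bot {a.bot_id} via {a.api_method} ({a.bytes_out} bytes)")
```

Large POST bodies to `sendDocument` from a workstation are the signal worth tuning on; the bot id alone is enough to pivot on without ever storing the token secret.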
What Undercode Says (40-Line Analysis)
PupkinStealer represents a classic case of simplicity paired with precision. Its creators didn't aim to build a deeply rooted, complex system of persistence or lateral movement. Instead, they built a highly targeted smash-and-grab malware tool, one that thrives in environments where end-user security awareness is low and endpoint monitoring is minimal.
The choice of Telegram's Bot API for data exfiltration is particularly clever. Since Telegram is widely trusted, most organizations don't flag outgoing HTTPS connections to its servers. This gives PupkinStealer an ideal blind spot through which it can deliver stolen data. By using HTTPS and avoiding suspicious domain names or newly registered URLs, it remains off the radar of many traditional detection tools.
Another reason PupkinStealer poses a real risk is its lack of persistence. While some may see this as a weakness, it actually plays to the malware's strengths. Since it doesn't embed itself deeply into the system, it reduces the digital footprint left behind, making post-incident forensics harder and raising fewer alarms during execution.
Moreover, the malware doesn't exploit system vulnerabilities. This means it needs no elevated privileges, making it easy to execute from a standard user account. That also makes defense harder, because it slips in via social engineering rather than a technical weakness.
The use of Costura.Fody for obfuscation adds another layer of difficulty for analysts and antivirus engines. It embeds dependencies directly into the binary, raising the entropy and confusing static analysis.
The identified actor alias "Ardent" may hint at a single-developer operation or a small group focused on info-stealing toolkits. This isn't a nation-state tool; it's likely part of a growing market for lightweight, functional, quick-deploy malware. It's not necessarily custom-built for large-scale corporate espionage, but it can do significant damage if it lands on the wrong machine.
From a threat intelligence perspective, the incorrect attribution to unrelated ConnectWise campaigns underscores the challenge of drawing accurate lines between infrastructure and payloads. Analysts must be careful with IOCs, especially in the age of shared servers and hijacked domains.
In short, PupkinStealer is proof that even basic tools, when used cleverly, can bypass layered defenses. Its method of operation highlights the human factor as the biggest vulnerability. While antivirus engines and behavioral detection will catch some variants, the reliance on user-triggered execution means the initial line of defense must be awareness and caution.
Fact Checker Results
PupkinStealer does not use persistence or exploit system vulnerabilities.
Telegram Bot API is confirmed as the main exfiltration method.
Initial misattribution to ScreenConnect campaigns has been corrected.
Prediction
Given its stealthy approach and effective use of trusted platforms, PupkinStealer may pave the way for similar malware strains in 2025 and beyond. Cybercriminals are likely to continue leveraging cloud-based, encrypted channels like Telegram and Discord for data theft, complicating detection. Expect future variants to incorporate light persistence and anti-analysis techniques while maintaining manual execution to avoid early detection by EDRs. If user awareness doesn't improve, malware like PupkinStealer could become a leading threat vector in targeted phishing and data breaches.
References:
Reported By: cyberpress.org