A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also called PumpkinStealer in some reports), has emerged as a significant cyber threat, targeting sensitive data such as web browser passwords and application session tokens.
First observed in the wild around April 2025, this malware is believed to have roots in Russian-speaking cybercrime communities, with indicators such as a Telegram bot bearing a Russian name and embedded strings referencing a developer alias “Ardent.”
Drawing inspiration from open-source stealers such as StormKitty, PupkinStealer is designed for fast, high-impact data theft, primarily exfiltrating stolen information through Telegram’s Bot API.
Its ease of customization and availability make it a popular tool among low-skilled cybercriminals seeking financial gain by harvesting credentials from a broad range of victims, from individual users to enterprise employees.
Emerging Threat Targets Sensitive User Data
PupkinStealer employs a range of tactics mapped to the MITRE ATT&CK framework, beginning with initial access via phishing and social engineering, often disguised as legitimate files in trojanized downloads or cracked software.
Once executed, the .NET executable (typically named PupkinStealer.exe or PlutoniumLoader.exe) uses asynchronous tasks to steal data quickly, targeting Chromium-based browsers such as Chrome and Edge for saved credentials, hijacking Telegram and Discord session tokens, and capturing desktop files and screenshots.
Notably, it lacks persistence mechanisms, opting for a “smash-and-grab” approach that minimizes its footprint by avoiding registry modifications or scheduled tasks.
To evade detection, it terminates processes such as browsers and Telegram to access locked files, and it uses Costura.Fody to embed its dependencies, which inflates the binary's entropy and can bypass simplistic antivirus checks.
Sophisticated Techniques for Stealthy Exfiltration
Its exfiltration method is particularly stealthy, using Telegram’s API over HTTPS to upload a compressed ZIP archive of stolen data to an attacker-controlled chat, blending into legitimate traffic on port 443.
According to the Picus Security report, this abuse of a trusted platform for command-and-control and data delivery highlights a growing trend among malware authors to leverage popular services for anonymity and operational simplicity.
The impact of PupkinStealer is underscored by its ability to extract a wealth of sensitive information in seconds, including plaintext passwords decrypted using Windows DPAPI, session files that bypass multi-factor authentication, and contextual metadata such as usernames and IP addresses embedded in the exfiltrated archives.
Defenders are urged to implement multi-layered strategies, including user awareness training to prevent execution, behavioral monitoring to detect anomalous process terminations, and network traffic analysis for outbound connections to api.telegram.org.
Indicators of compromise (IOCs) such as specific file hashes, temporary directory structures like GrabbersBrowserpasswords.txt, and hardcoded Telegram bot tokens provide critical signatures for identifying infections.
Swift incident response, including host isolation and credential resets, is essential to mitigate damage post-detection.
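As an added example (not code from the article or from Picus Security), the script below turns the report's indicators into checks a defender can run: it flags Telegram Bot API traffic in proxy logs (escalating when the bot id or chat_id from the IOC table appears), classifies files by the listed names, %TEMP% artifacts and sample hashes, and pulls bot ids out of a binary or memory dump for IOC sharing. The proxy log format, client IPs and bot secrets are constructed for the example; the bot token on the page is truncated, so only the numeric bot id is matched.

```python
"""Detection helpers built from the PupkinStealer IOCs in the report above.

Added example; the hashes, file names, artifact names, bot id and chat id
come from the article's IOC table. The log format and sample values marked
'constructed' are invented for illustration.
"""
import hashlib
import re
from typing import Dict, Iterable, List

KNOWN_SHA256 = {"9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f"}
KNOWN_MD5 = {"fc99a7ef8d7a2028ce73bf42d3a95bce"}
KNOWN_FILENAMES = {"pupkinstealer.exe", "plutoniumloader.exe"}
KNOWN_BOT_ID = "8013735771"      # numeric prefix of the truncated token on the page
KNOWN_CHAT_ID = "7613862165"

# %TEMP% staging artifacts from the report, matched on the final path component.
ARTIFACT_PATTERNS = [
    re.compile(r"^GrabbersBrowserpasswords\.txt$", re.I),
    re.compile(r"^GrabbersTelegramSession", re.I),
    re.compile(r"@ardent\.zip$", re.I),
]

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>?<query>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>[^\s]*))?"
)
BOT_TOKEN_BYTES_RE = re.compile(rb"bot(\d{8,12}):[A-Za-z0-9_-]{20,}")


def inspect_url(url: str) -> Dict[str, str]:
    """Return a finding for a Telegram Bot API URL, or {} if the URL is unrelated.

    sendDocument is how the stealer ships its ZIP, so it rates 'medium' on its
    own; a bot id or chat_id from the IOC table raises the finding to 'high'.
    """
    m = BOT_API_RE.search(url)
    if not m:
        return {}
    query = dict(p.split("=", 1) for p in (m.group("query") or "").split("&") if "=" in p)
    finding = {
        "bot_id": m.group("bot_id"),
        "method": m.group("method"),
        "chat_id": query.get("chat_id", ""),
        "severity": "medium" if m.group("method") == "sendDocument" else "low",
    }
    if finding["bot_id"] == KNOWN_BOT_ID or finding["chat_id"] == KNOWN_CHAT_ID:
        finding["severity"] = "high"
    return finding


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan constructed proxy lines of the form '<timestamp> <client_ip> <verb> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        finding = inspect_url(parts[3])
        if finding:
            finding.update(client=parts[1], timestamp=parts[0])
            findings.append(finding)
    return findings


def classify_file(path: str, content: bytes) -> List[str]:
    """List the reasons a file matches the IOC table (empty list means no match)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    reasons = []
    if name.lower() in KNOWN_FILENAMES:
        reasons.append("known file name")
    if any(p.search(name) for p in ARTIFACT_PATTERNS):
        reasons.append("stealer staging artifact")
    if (hashlib.sha256(content).hexdigest() in KNOWN_SHA256
            or hashlib.md5(content).hexdigest() in KNOWN_MD5):
        reasons.append("known sample hash")
    return reasons


def extract_bot_ids(blob: bytes) -> List[str]:
    """Pull hardcoded Telegram bot ids out of a binary or dump; the secret part is dropped."""
    return sorted({m.group(1).decode() for m in BOT_TOKEN_BYTES_RE.finditer(blob)})


# Constructed sample log: one benign request, one sendDocument to the chat_id from
# the IOC table (with an invented bot secret), one unrelated bot call.
SAMPLE_PROXY_LOG = [
    "2025-04-21T10:02:11Z 10.0.0.14 GET https://www.example.com/index.html 200",
    "2025-04-21T10:02:13Z 10.0.0.14 POST https://api.telegram.org/bot0000000000:AAEconstructedSecretValue000000/sendDocument?chat_id=7613862165 200",
    "2025-04-21T10:05:40Z 10.0.0.22 POST https://api.telegram.org/bot1111111111:AAFanotherConstructedSecret00000/sendMessage?chat_id=12345 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['client']} bot={f['bot_id']} {f['method']} chat_id={f['chat_id']}")
    print(classify_file(r"C:\Users\bob\AppData\Local\Temp\GrabbersBrowserpasswords.txt", b""))
```

Any Bot API call from an endpoint is worth a look, but alerting on every one produces noise in environments that use Telegram bots legitimately; the severity tiers exist so that sendDocument calls, and especially the indicators from the report, surface first. File hashes only catch the exact sample, so the name and artifact checks are the ones that survive a recompiled build.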
Indicators of Compromise (IOCs)
| Indicator Type | Details |
|---|---|
| SHA-256 Hash | 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f |
| MD5 Hash | fc99a7ef8d7a2028ce73bf42d3a95bce |
| File Names | PupkinStealer.exe, PlutoniumLoader.exe |
| Filesystem Artifacts | GrabbersBrowserpasswords.txt, GrabbersTelegramSession*, [Username]@ardent.zip in %TEMP% |
| Network Indicator | Traffic to api.telegram.org/bot8013735771:AAE_UrTgQs…/sendDocument?chat_id=7613862165 |
| Notable Strings | “Coded by Ardent”, botkanalchik_bot |