Analysis Summary

PupkinStealer, a newly identified information-stealing malware, was first observed in April 2025. This lightweight malware is designed to steal sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots. Unlike other malware that indiscriminately steals data, PupkinStealer targets specific file types and credentials, including those from popular browsers like Google Chrome, Microsoft Edge, and Discord, making it more focused in its data-harvesting capabilities.

The malware operates with minimal obfuscation or persistence mechanisms, emphasizing rapid data exfiltration. Upon execution, it extracts saved login credentials from Chromium-based browsers by leveraging the Windows Data Protection API and decrypting passwords stored in SQLite databases. PupkinStealer also scans the victim’s desktop for files with specific extensions (e.g., .pdf, .txt, .jpg) and copies them for later exfiltration. Additionally, it steals session files from Telegram and Discord, allowing attackers to impersonate victims and hijack their accounts.

According to the Researcher, PupkinStealer’s key feature is its use of Telegram's Bot API for data exfiltration. The stolen data, including usernames, IP addresses, and Windows Security Identifiers, is packaged into a ZIP archive and sent to an attacker-controlled Telegram bot. This choice of Telegram aligns with a growing trend of cybercriminals exploiting legitimate platforms for malicious activities due to their anonymity and ease of use. The malware’s reliance on Telegram’s infrastructure underscores the increasing sophistication of cybercriminals using common communication channels for covert exfiltration.

Despite its simplicity and lack of advanced anti-analysis techniques, PupkinStealer fits into the broader trend of low-complexity infostealers available through malware-as-a-service models. Its ease of use and effectiveness make it accessible to less-sophisticated threat actors, enabling quick monetization through credential theft, session hijacking, and the sale of stolen data on dark web marketplaces. This highlights the evolving landscape of cybercrime, where modular malware is increasingly leveraged for targeted attacks and fast financial gain.

Impact

• Data Exfiltration
• Gain Access

Indicators of Compromise

SHA1

• 84dd5bc96170c98ad1d1ec90e8f09ec99e6dc9db

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Implement threat intelligence to proactively counter the threats associated with the PupkinStealer.
• To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection such as Antimalware security suit and host-based intrusion prevention system.
• Continuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block the suspicious activity provides comprehensive protection from compromise due to encrypted payloads.
• Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with PupkinStealer command and control servers.
• Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
• Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
• Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the security by finding the security loopholes followed by remediation process.
• Use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
• Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
• Security awareness and training programs help to protect from security incidents such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by the PupkinStealer malware.
• Update security patches that can reduce the risk for potential compromise.