"PupkinStealer" A New .NET-Based Malware Steals Browser Credentials & Exfiltrates via Telegram

A newly identified information-stealing malware, dubbed PupkinStealer, was first observed in April 2025. Developed in C# on the .NET framework, this lightweight yet effective malware targets sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots. According to a detailed CYFIRMA analysis shared with Cyber Security News, PupkinStealer leverages Telegram's Bot API for stealthy data exfiltration, underscoring the growing trend of exploiting legitimate platforms for malicious purposes.

"The malware's attribution string, 'Coded by Ardent,' suggests a developer operating under this alias, with additional clues pointing to a possible Russian origin based on Russian-language text in related Telegram metadata," CYFIRMA told Cyber Security News.

PupkinStealer is a straightforward infostealer that targets a curated set of data, distinguishing it from more indiscriminate malware. It is designed for rapid data harvesting and operates with minimal obfuscation or persistence mechanisms, prioritizing quick execution over long-term stealth. To collect browser credentials, it retrieves the decryption key from each browser's Local State file and uses the Windows Data Protection API (DPAPI) to decrypt passwords stored in the SQLite-based Login Data database. It targets Telegram by copying the tdata folder, which contains session files that allow account access without credentials.

All stolen data is compressed into a ZIP archive with embedded metadata (username, public IP, and Windows Security Identifier) and sent to an attacker-controlled Telegram bot via a crafted API URL. The bot is named botKanal (username: botkanalchik_bot), likely derived from the Russian word "kanal" (channel).

PupkinStealer fits into a broader trend of modular, low-complexity infostealers offered through malware-as-a-service models, enabling rapid monetization via credential theft, session hijacking, and data resale on dark web marketplaces.
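The exfiltration path described above (a ZIP archive uploaded through a Telegram Bot API URL) is something a defender can spot in egress logs. The following is an added detection example, not code from CYFIRMA or from this article; it assumes a constructed space-separated proxy log format (timestamp, host, process, HTTP method, URL, bytes) and flags large file-upload calls to the Bot API from endpoints.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic):
# "<timestamp> <host> <process> <http_method> <url> <bytes_sent>"
SAMPLE_LOGS = [
    "2025-05-10T12:01:03Z WS-042 chrome.exe GET https://www.example.com/ 1204",
    "2025-05-10T12:01:09Z WS-042 stealer.exe POST https://api.telegram.org/bot123456789:AAExampleTokenForIllustrationOnly/sendDocument?chat_id=111 48213",
    "2025-05-10T12:02:11Z WS-017 Telegram.exe POST https://149.154.167.50/api 930",
    "2025-05-10T12:03:27Z WS-042 stealer.exe POST https://api.telegram.org/bot123456789:AAExampleTokenForIllustrationOnly/sendMessage 512",
]

# Bot API URLs have the form https://api.telegram.org/bot<token>/<method>.
# Tokens look like "<bot id>:<secret>"; the secret charset below is an assumption.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Bot API methods that carry a file body; sendDocument is the one a ZIP archive rides on.
FILE_UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    ts, host, proc, http_method, url, size = line.split()
    return {"ts": ts, "host": host, "process": proc,
            "http_method": http_method, "url": url, "bytes": int(size)}


def detect_bot_api_exfil(lines, min_bytes=10_000):
    """Return alerts for file uploads through the Telegram Bot API.

    The official Telegram desktop client speaks MTProto, not the HTTPS Bot API,
    so bot-method calls originating from a workstation are rare and worth review.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        u = urlsplit(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_API_RE.match(u.path)
        if not m or m.group("method") not in FILE_UPLOAD_METHODS:
            continue
        if rec["bytes"] < min_bytes:
            continue
        alerts.append({
            "ts": rec["ts"], "host": rec["host"], "process": rec["process"],
            "api_method": m.group("method"), "bytes": rec["bytes"],
            # Keep only the numeric bot id: enough to pivot on and block, without
            # copying the full token secret into the alert record.
            "bot_id": m.group("token").split(":")[0],
        })
    return alerts
```

The `bot_id` field lets responders group uploads by the same bot across hosts and request a block on that token at the proxy.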

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 10 May 2025 12:05:02 +0000

