PupkinStealer .NET Infostealer Using Telegram for Data Theft
PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. The malware performs minimal system discovery, collects files from the desktop, and captures a screenshot. It packages stolen data into a ZIP archive and sends it to the attacker through Telegram's Bot API. PupkinStealer doesn't employ persistence mechanisms, relying on quick execution and low-profile behavior. Its primary evasion technique is leveraging legitimate Telegram infrastructure for communication.
AI Analysis
Technical Summary
PupkinStealer is a recently identified .NET-based information-stealing malware designed to covertly extract sensitive user data from infected systems. It primarily targets Chromium-based web browsers, Telegram, and Discord applications to harvest credentials such as saved passwords and session tokens. The malware's capabilities enable attackers to hijack user sessions and gain unauthorized access to victim accounts. PupkinStealer performs minimal system reconnaissance, focusing on rapid data collection and exfiltration to reduce the risk of detection. It collects files from the desktop and captures screenshots, packaging all stolen data into a ZIP archive. This archive is then exfiltrated to the attacker via Telegram's Bot API, which serves as the command and control (C2) communication channel. Notably, PupkinStealer does not implement persistence mechanisms, indicating it relies on quick execution and stealth rather than maintaining long-term presence on infected hosts. Its primary evasion technique is the use of Telegram’s legitimate infrastructure for communication, allowing it to bypass traditional network security filters and blend malicious traffic with normal application communications. The malware does not exploit specific vulnerabilities but likely relies on social engineering or other infection vectors to execute. No known exploits in the wild have been reported yet, but the malware’s use of common applications and communication channels makes it a credible threat, especially in environments where Chromium browsers and Telegram/Discord are widely used.
Potential Impact
For European organizations, PupkinStealer presents a significant risk through credential theft and session hijacking, potentially leading to unauthorized access to corporate and personal accounts. Given the widespread adoption of Chromium-based browsers and messaging platforms like Telegram and Discord across Europe, the malware can facilitate lateral movement within networks if stolen credentials grant access to internal systems or cloud services. The theft of session tokens is particularly concerning as it may bypass multi-factor authentication mechanisms, enabling attackers to impersonate users without triggering standard security alerts. The malware’s capability to collect desktop files and screenshots further increases the risk of sensitive data exposure, including intellectual property and confidential communications. Although PupkinStealer lacks persistence, its quick execution and stealthy communication via Telegram’s infrastructure make detection challenging, potentially allowing attackers to exfiltrate valuable data before remediation. Organizations with remote or hybrid workforces relying on these applications are especially vulnerable. Sectors with high-value targets such as finance, government, and critical infrastructure could face targeted attacks leveraging this malware to gain initial footholds or escalate privileges. The medium severity rating reflects that while the malware is not causing widespread disruption currently, its capabilities warrant proactive defense measures to prevent credential compromise and data leakage.
Mitigation Recommendations
To effectively mitigate PupkinStealer, European organizations should implement targeted and practical controls beyond standard cybersecurity hygiene. First, enforce strict credential management policies including regular password changes and the use of password managers to minimize credential reuse and theft risk. Deploy advanced endpoint detection and response (EDR) solutions capable of monitoring process behaviors, specifically looking for unusual use of Telegram’s Bot API or unexpected creation and transmission of ZIP archives. Network monitoring should incorporate anomaly detection focused on Telegram traffic patterns, especially outbound connections to Telegram Bot endpoints that deviate from normal user activity profiles. Implement application whitelisting to restrict execution of unauthorized .NET binaries and scripts, reducing the attack surface. User education campaigns should emphasize the risks of downloading and executing unknown files, particularly those masquerading as messaging or browser extensions. Employ multi-factor authentication (MFA) with adaptive risk-based policies to detect and block suspicious session hijacking attempts. Regularly audit desktop file shares and restrict access to sensitive files to minimize data exposure. Finally, maintain updated threat intelligence feeds and integrate provided indicators of compromise (IOCs), such as the known file hashes, into security tools to enable rapid detection and response to PupkinStealer infections.
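The network-monitoring recommendation above can be made concrete. The following is an added example written for this page, not code from Picus, AlienVault or the OffSeq record: it scans a JSON-lines proxy log for outbound calls to Telegram's Bot API (which always take the form https://api.telegram.org/bot<token>/<method>) and raises a graded alert, with the highest grade for a ZIP upload via sendDocument, matching the behaviour described for PupkinStealer. It assumes a hypothetical log schema (fields ts, src, url, and an upload_filename field that a TLS-inspecting proxy with body inspection could populate), and a baseline in which ordinary workstations never call the Bot API: human Telegram clients talk MTProto to Telegram's data centres, not to api.telegram.org/bot... paths. The bot token's secret half is never written into an alert; only the non-secret numeric bot id is kept for correlation.

```python
"""Flag Telegram Bot API use in outbound proxy logs (added example, constructed data)."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram's Bot API endpoint shape: https://api.telegram.org/bot<TOKEN>/<method>
# <TOKEN> is "<numeric bot id>:<secret>". The secret is captured only so the
# non-secret bot id can be split off; the secret never reaches an Alert.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/(?P<method>[A-Za-z]+)"
)

# Bot API methods that carry files off the host; sendDocument is the one that
# would move a ZIP archive. sendMessage only carries text.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMediaGroup"}
TEXT_METHODS = {"sendMessage"}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    bot_id: str        # numeric bot id, safe to log
    api_method: str
    severity: str      # "high" | "medium" | "low"
    reason: str


def inspect_record(rec: dict) -> Optional[Alert]:
    """Return an Alert if this proxy record is a Bot API call, else None.

    Assumption (see lead-in): workstations have no legitimate reason to call the
    Bot API, so every hit is reportable; severity grades how much data leaves.
    """
    m = BOT_API_RE.match(rec.get("url", ""))
    if m is None:
        return None
    api_method = m.group("method")
    upload_name = rec.get("upload_filename", "")  # hypothetical proxy field
    if api_method in UPLOAD_METHODS and upload_name.lower().endswith(".zip"):
        severity, reason = "high", f"ZIP archive uploaded via {api_method} ({upload_name})"
    elif api_method in UPLOAD_METHODS:
        severity, reason = "high", f"file upload via {api_method}"
    elif api_method in TEXT_METHODS:
        severity, reason = "medium", f"outbound message via {api_method}"
    else:
        severity, reason = "low", f"Bot API call {api_method} from a workstation"
    return Alert(rec["ts"], rec["src"], m.group("bot_id"), api_method, severity, reason)


def scan(lines) -> List[Alert]:
    """Run inspect_record over JSON-lines log text, skipping blank lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = inspect_record(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one normal Telegram Web visit, a short Bot API session
# from 10.20.1.15 (getMe, a ZIP upload, a text message), and unrelated browsing.
# The token below is made up for this example.
SAMPLE_LOG = """
{"ts":"2025-05-22T14:01:03Z","src":"10.20.1.15","method":"GET","url":"https://web.telegram.org/a/","status":200}
{"ts":"2025-05-22T14:02:11Z","src":"10.20.1.15","method":"GET","url":"https://api.telegram.org/bot123456789:AAHconstructedTokenForExampleOnly-abc/getMe","status":200}
{"ts":"2025-05-22T14:02:12Z","src":"10.20.1.15","method":"POST","url":"https://api.telegram.org/bot123456789:AAHconstructedTokenForExampleOnly-abc/sendDocument","content_type":"multipart/form-data","upload_filename":"archive.zip","bytes_out":184320,"status":200}
{"ts":"2025-05-22T14:02:13Z","src":"10.20.1.15","method":"POST","url":"https://api.telegram.org/bot123456789:AAHconstructedTokenForExampleOnly-abc/sendMessage","status":200}
{"ts":"2025-05-22T14:05:40Z","src":"10.20.1.22","method":"GET","url":"https://www.example.com/","status":200}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} [{a.severity}] bot_id={a.bot_id} {a.reason}")
```

In a real deployment the bot_id field is what you would pivot on: the same id appearing from several hosts points to one campaign, and the sequence getMe, sendDocument, sendMessage within a couple of seconds from a single workstation is itself a stronger signal than any one request.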
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy, Spain
Indicators of Compromise
- MD5: fc99a7ef8d7a2028ce73bf42d3a95bce
- SHA-1: 84dd5bc96170c98ad1d1ec90e8f09ec99e6dc9db
- SHA-256: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.picussecurity.com/resource/blog/pupkinstealer-net-infostealer-using-telegram-for-data-theft
- Adversary: not listed
- Pulse Id: 682f21f740ee536b48e48783
Threat ID: 682f36850acd01a2492610f4
Added to database: 5/22/2025, 2:36:53 PM
Last enriched: 6/22/2025, 3:51:49 AM
Last updated: 8/12/2025, 4:43:39 PM
Views: 53