Sıla Özeren | 22 MIN READ

CREATED ON May 20, 2025

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that specializes in extracting sensitive data (like web browser passwords and app session tokens) and exfiltrating it via Telegram.

In this blog, we will explore PupkinStealer’s origin and history, its tactics and techniques (mapped to the MITRE ATT&CK framework), indicators of compromise (IOCs) and code snippets, defense strategies against it, and any known attributions or campaigns involving this threat.

History, Origin, and Victimology

File Name: PupkinStealer.exe (sometimes PlutoniumLoader.exe)
File Type: .NET Executable (Windows PE, Win32 EXE)
File Size: 6.21MB
SHA-256: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f
Sandbox Report: Report 1
Yara Rules: Report 2

PupkinStealer (also referred to as PumpkinStealer in some reports) was first observed in the wild around April 2025 [1]. Despite being publicly disclosed in 2025, evidence suggests it may have been quietly developed or tested earlier, leveraging code from existing open-source stealers.

The malware appears to have originated from Russian-speaking cybercrime circles; the Telegram bot it uses for exfiltration has a Russian name, and an embedded code string “Coded by Ardent” points to a developer alias “Ardent” operating in that milieu. The attacker’s Telegram profile even contained Russian text in the bio, reinforcing this origin. PupkinStealer’s design mirrors the open-source StormKitty stealer (a .NET infostealer that also uses Telegram), suggesting the author built on or drew inspiration from that codebase [2].

Victimology

In terms of victimology, PupkinStealer does not target a specific industry or region, but rather any Windows user whose device can be infected. It has been described as a low-complexity, high-impact infostealer that is widely available and easily customizable, making it attractive to cybercriminals seeking quick profits.

Thus far it has been used opportunistically by likely low-skilled actors to harvest credentials and data for financial gain. Victims can range from individual home users to enterprise employees, since the malware simply hunts for stored passwords, personal files, and messaging accounts on an infected system. In one recent example of the damage infostealers can do, researchers found over 31,000 banking passwords belonging to Australian customers being traded on Telegram and the dark web; all stolen directly from malware-infected PCs [3]. This underscores that anyone with valuable credentials stored on their machine is a potential target.

Tactics, Techniques, and Procedures (TTPs) of PupkinStealer Malware

Initial Access (TA0001)

Phishing and Social Engineering (T1566)

PupkinStealer is typically introduced onto victim machines through social engineering, such as trojanized downloads. While the exact distribution vectors were not confirmed by researchers, it’s likely distributed through phishing attachments or cracked software packages. In other words, attackers may trick users into executing the malware by masquerading it as a legitimate file (for example, bundling it with pirated software or disguising it as a document).

In underground communities, unsophisticated criminals can easily obtain PupkinStealer and deploy it in spam campaigns or malvertising, given its ready-to-use nature [4]. Once a user is convinced to run the PupkinStealer executable, the malware gains its initial foothold on the system.

Execution (TA0002) – Deploying Malware in Memory

User Execution of Malicious Binary (T1204.002)

PupkinStealer requires the victim to execute a malicious .exe file on their Windows system. The malware comes as a 32-bit .NET compiled binary (often named PupkinStealer.exe* or sometimes seen as PlutoniumLoader.exe*) that runs on both 32-bit and 64-bit Windows due to its AnyCPU configuration.

When launched, the binary is loaded by the .NET Common Language Runtime and immediately invokes its Main() method, which orchestrates the stealers’ activities. Notably, PupkinStealer’s implementation uses asynchronous tasks to run multiple routines in parallel. Upon execution, it simultaneously starts five tasks:

one to steal browser passwords,
one to grab desktop files,
one to hijack Telegram sessions,
one to steal Discord tokens, and
one to capture a screenshot.

This multi-threaded design allows it to harvest data very quickly, often finishing its entire theft routine in just a few seconds. In summary, execution of PupkinStealer on the host is straightforward: the user double-clicks (or otherwise runs) the dropper binary, which then immediately executes its payload code within the .NET runtime environment.

SHA256*: B9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f

Persistence (TA0003)

No Persistence Mechanism

Interestingly, PupkinStealer does not employ any persistence on the infected system. Unlike many malware families that create autorun registry keys or schedule tasks to survive reboots, PupkinStealer is a “smash-and-grab” tool. It focuses on one-time data theft during the initial run and then exits, without leaving behind a persistent foothold [5].

Analysts noted the malware has “no specific anti-analysis defenses or persistence mechanisms,” instead favoring quick execution and low-profile behavior. This means if the system restarts or the process is killed, PupkinStealer does not automatically restart. The lack of persistence is likely a deliberate design choice to reduce the malware’s footprint and avoid some detection mechanisms; by not modifying autostart settings or dropping obvious traces, it minimizes indicators that might alert a user or defender during its short run time.

Defense Evasion

Process Termination (ATT&CK T1489)

PupkinStealer actively kills processes for certain applications to aid its operation and avoid interference. Before attempting to read browser credential databases or messaging app files, the malware searches for any running processes of those programs and terminates them.

For example, it enumerates processes named after each supported browser (Chrome, Edge, Opera, etc.) and calls Process.Kill() on each one. This is done to unlock the browsers’ SQLite database files that store passwords, which are normally locked while the browser is running.

Similarly, PupkinStealer looks for any running Telegram process and force-kills it to release the tdata session files for copying. By terminating these processes, the malware not only ensures it can access the data it needs, but it may also evade certain detection – for instance, it avoids having to employ code injection or hooking to steal credentials from live memory.

Below is a snippet of PupkinStealer’s code (C#) demonstrating this tactic:

// Terminate any running browser processes (e.g., Chrome) to unlock files
Process[] procs = Process.GetProcessesByName(browserName);
foreach (Process proc in procs) {
proc.Kill();
proc.WaitForExit();
}

The above code illustrates the malware’s straightforward approach to killing target processes (error handling omitted for brevity). This technique can be considered a primitive evasion: it “gets out of the way” any programs that might keep files locked or potentially alert the user (for example, Telegram might show a session active notification if not closed).

Obfuscation and Packing (ATT&CK T1027)

PupkinStealer does not use heavy code obfuscation or packers, but it does exhibit traits that can confuse basic detection. The binary has an extremely high entropy in its .text section (~7.99), which initially suggested to researchers that it might be packed or encrypted.

However, this turned out to be due to the use of Costura.Fody, a tool that embeds and compresses all dependent DLL libraries into the executable itself. In other words, PupkinStealer’s author bundled libraries (like Ionic.Zip for compression and BouncyCastle for cryptography) inside the main EXE. This compression inflates the entropy and can fool simplistic antivirus checks that flag high-entropy sections as “packed”.

Despite this, the malware contains no meaningful runtime obfuscation; analysts were able to decompile the .NET code easily, indicating it wasn’t protected by a strong packer or obfuscator. The malware also does not attempt to disable antivirus or modify the system to hide itself. Its primary means of stealth is leveraging legitimate infrastructure (Telegram) for communication, which helps it blend in with normal traffic. By using a well-known platform’s API over HTTPS (port 443), PupkinStealer’s network activity may not immediately appear suspicious to monitoring tools.

In summary, apart from the slight disguise provided by Costura-packing and using trusted channels, PupkinStealer doesn’t employ sophisticated evasion; its philosophy is to strike fast and leave before it gets noticed.

Credential Access

Stealing Credentials from Web Browsers (ATT&CK T1555.003)

Credential theft is PupkinStealer’s core functionality. It specifically targets Chromium-based web browsers (such as Google Chrome, Microsoft Edge, Opera, OperaGX, Brave, and Vivaldi) to retrieve saved login credentials.

PupkinStealer locates each browser’s “Login Data” SQLite database (where saved usernames and passwords are stored) and the corresponding “Local State” file (which contains the encryption key). It then uses the Chromium credential API logic to decrypt the passwords. According to analysis, the stealer loads the encrypted passwords from the database and uses the key from Local State together with Windows DPAPI (ProtectedData) calls to decrypt each password entry. This procedure yields plaintext credentials for each stored website account. PupkinStealer outputs the stolen browser passwords into text files (one per browser, e.g. Chrome.txt, Edge.txt) in a temporary directory.

By focusing on browsers, PupkinStealer can collect a trove of account passwords (email, social media, banking, etc.) without needing to perform more advanced techniques like memory scraping.

It is worth noting that PupkinStealer does not perform OS credential dumping (it doesn’t target Windows credentials like hashes or Kerberos tickets, as some malware do).

Instead, it stays user-level, going after the softer target of browser password managers. In one run, the malware reportedly gathered dozens of login credentials from a single machine across multiple browsers. All these credentials are crucial loot, as attackers can later use or sell them for account takeovers.

Stealing Application Tokens and Sessions (ATT&CK T1528)

Beyond browser credentials, PupkinStealer targets authentication tokens and session data from messaging applications, namely Telegram and Discord, to facilitate account hijacking without requiring credentials or bypassing two-factor authentication.

Telegram Session Hijacking

PupkinStealer actively searches for the Telegram Desktop tdata folder, which stores session files that Telegram uses to keep users logged in. The stealer checks the default path at:

%AppData%\Telegram Desktop\tdata

If the directory isn't found, it falls back to resolving a custom installation path by manually parsing the Telegram shortcut (Telegram.lnk) on the Desktop, using a low-level binary reader instead of Windows APIs; an unusual but functional approach.

Once the location is identified, PupkinStealer:

Terminates any running Telegram process to unlock session files (Telegram.exe).
Recursively copies all files and subdirectories within the tdata folder to its working directory at %TEMP%\<username>\Grabbers\TelegramSession.

This copy operation is designed to clone the victim’s session state, allowing the attacker to access the victim’s Telegram account from another device without triggering new login alerts or requiring the password/MFA.

The technique is crude but effective. By stealing the active session cache (rather than credentials), Pupkin sidesteps traditional authentication mechanisms.

Discord Token Theft

For Discord, PupkinStealer uses a different approach. It searches for authentication tokens stored in the LevelDB database files under:

%AppData%\Discord\Local Storage\leveldb
%AppData%\Discord PTB\Local Storage\leveldb
%AppData%\Discord Canary\leveldb

It copies these folders to a temporary location, scans .log and .ldb files using multiple regex patterns to identify valid tokens, including both standard and MFA formats. Example regex used:

[\w-]{24,26}\.[\w-]{6}\.[\w-]{25,110}
mfa\.[a-zA-Z0-9_\-]{84}

Once extracted, the tokens are saved to Tokens.txt under %TEMP%\<username>\Grabbers\Discord. With a stolen token, an attacker can authenticate as the victim without triggering login notifications or being challenged by MFA.

Discovery

System Information Discovery (ATT&CK T1082)

PupkinStealer performs minimal but purposeful host discovery by collecting basic system-level identifiers to contextualize the stolen data and help the attacker attribute each dataset to a specific victim.

Upon execution, the malware captures the following attributes:

Username of the logged-in user via WindowsIdentity.GetCurrent().Name
Windows Security Identifier (SID) via WindowsIdentity.GetCurrent().User.Value
Hostname using Dns.GetHostName()
Public IP address via Dns.GetHostByName(host).AddressList[0]

These details are not just used internally; they are:

Embedded in the ZIP archive’s comment field, which is created during the ZipCompression() phase.
Included in the caption of the Telegram Bot message (sendDocument) that delivers the stolen archive to the attacker.

Here’s an example of what PupkinStealer’s caption might contain during exfiltration:

🔺 New LOG! <3

🔸 PC: WIN-USER
🔸 IP: 203.0.113.56
🔸 SID: S-1-5-21-3623811015-3361044348-30300820-1013

...
🔸 Coded by Ardent

This lightweight discovery routine provides attackers with just enough metadata to:

De-duplicate victims and correlate logs to machines or user profiles.
Geo-locate victims based on IP to prioritize targets.
Profile stolen credentials (e.g., matching accounts to users or machines for resale).

Importantly, PupkinStealer does not attempt deeper reconnaissance such as process enumeration, software inventory, or domain membership checks. This simplicity keeps execution fast and avoids drawing unnecessary attention from behavioral detection tools.

The use of native .NET APIs to retrieve this information also means no suspicious PowerShell or WMI queries are involved; another subtle evasion benefit.

Collection

Local File Collection (ATT&CK T1005)

PupkinStealer includes a dedicated module called GrabberDesktop to harvest potentially sensitive documents from the victim’s Desktop. The routine systematically scans the Desktop directory for files with the following extensions:

.pdf, .txt, .sql, .jpg, .png

These formats are targeted for their likelihood of containing personal, financial, or credential-related information. PDF and text files may store scanned IDs, invoices, or saved passwords; SQL files could expose local databases or configuration dumps; and image files might include screenshots of documents or photos of sensitive data.

The collection process follows these steps:

Scans %UserProfile%\Desktop and filters files by extension.
Increments a counter (Variables.foundFilesFromDesktop) for each matched file.
Copies matching files to a structured staging directory:

%TEMP%\<username>\Grabbers\DesktopFiles\
Overwrites duplicates if a file with the same name already exists.

The grabber uses silent exception handling, allowing it to continue operation even if access is denied to a specific file. This method balances speed with efficiency: rather than grabbing entire folders, Pupkin selectively lifts only files with high signal value, keeping its footprint and exfil payload small.

By default, no obfuscation or encryption is applied during this stage—files are transferred in raw form, ready for compression and dispatch.

Screen Capture (ATT&CK T1113)

To complement static data collection, PupkinStealer also captures a screenshot of the user’s primary monitor. The image is saved at 1920×1080 resolution (or the system’s actual resolution) in JPEG format, under:

%TEMP%\<username>\Grabbers\Screenshot\Screen.jpg

This screenshot provides attackers with a real-time visual snapshot of the user’s desktop, potentially exposing:

Open documents (e.g., banking, legal, or corporate files)
Browser tabs with session info or email inboxes
Password managers or administrative tools in use
Visible device names or IPs

This “one-shot reconnaissance” is a common trick among modern infostealers. Rather than implementing complex monitoring or keyloggers, a single screenshot gives context and amplifies the value of the stolen credentials—especially if the image shows the victim logged into a high-value service.

In Pupkin’s implementation, the screenshot is captured using basic .NET libraries and stored in the working directory for inclusion in the final archive. Status flags like Variables.isScreenshotSuccess track whether this operation completed successfully, and the result is also reported in the Telegram exfil caption.

Data Staging and Archiving (ATT&CK T1560 & T1074.001)

Once all data is collected—credentials, desktop files, session tokens, and the screenshot—PupkinStealer packages everything into a ZIP archive for efficient exfiltration.

The compression process is handled by the Ionic.Zip library, a well-known .NET ZIP utility. Ionic.Zip is embedded within the stealer using Costura.Fody, which bundles all dependencies into a single executable.

Key details about the staging process:

The archive is saved as:

%TEMP%\<username>@ardent.zip

Here, @ardent is a consistent signature left by the malware author (alias Ardent), useful as an indicator of compromise.

The ZIP file includes all browser credential text files (e.g., Chrome.txt, Edge.txt), grabbed Telegram and Discord session data, collected Desktop files, captured screenshot, comment metadata with victim fingerprinting (username, SID, IP).

The archive’s comment field and filename serve dual purposes. One is to help the attacker identify victims at a glance. The second is to provide visual indicators in the Telegram delivery, such as:

🖥️ PC: <username>
🌐 IP: <public_ip>
🆔 SID: <Windows SID>
🔐 Found passwords: 53
📷 Screenshot: success
📂 Desktop files: 12
🔧 Coded by Ardent

This strategy offers both operational and evasive advantages:

Efficiency: All stolen data is exfiltrated in a single POST request.
Stealth: A single ZIP file may evade network anomaly detection better than multiple uploads.
Attribution: Embedded developer tag “Coded by Ardent” is present in both filename and message.

The ZIP archive is not encrypted or password-protected, but the compression reduces its size and transmission time; critical for short-lived malware like PupkinStealer that completes its entire operation within seconds.

Exfiltration

Exfiltration via Telegram Bot API (ATT&CK T1041 / T1567.002)

PupkinStealer’s most distinctive feature is its exfiltration method: it sends the stolen data to the attacker via Telegram. Specifically, it uses Telegram’s Bot API over HTTPS to deliver the ZIP archive to a private Telegram chat controlled by the attacker. The malware contains a hard-coded bot token and a chat ID, which it uses to construct an HTTP POST request to the Telegram API endpoint.

After data collection, PupkinStealer builds a URL like https://api.telegram.org/bot<BotToken>/sendDocument with the chat ID and a caption in the parameters. It then uploads the ZIP file through this request, effectively sending the stolen data as a document to the attacker’s Telegram bot. The caption of the Telegram message (as noted earlier) contains metadata about the victim (username, IP, etc.) and a summary of what was stolen. Using Telegram’s API for exfiltration offers the attackers several advantages:

Anonymity & OPSEC: Telegram is an end-to-end service; the data goes to Telegram’s cloud and then to the attacker’s chat, without needing a bespoke malware server. This makes takedowns or tracing more difficult, since the C2 infrastructure is essentially Telegram’s servers (a legitimate platform).
Encryption & Evasion: Communication with api.telegram.org is over HTTPS (port 443), blending in with normal web traffic. Security appliances might not flag it, as Telegram is commonly used and the traffic is encrypted (cannot be inspected without TLS break-and-inspect).
Ease of Use: The attacker can receive stolen data in real-time on their Telegram app. They don’t need a complex setup – once the bot is configured, they get a message with the loot for each infected victim.

Open-source reports note that PupkinStealer’s stolen data was indeed sent to a Telegram bot with the handle @botkanalchik_bot, which had a unique bot ID (8013735771) and an associated chat ID for the attacker. The bot token (hardcoded in the malware) was also found, which would allow anyone with it to interact with the bot (the token was 8013735771:AAE...-kCM). This is a clear indicator of compromise; any network logs or host artifacts showing traffic to Telegram’s API with that token or chat ID would definitively signal a PupkinStealer infection.

Overall, the exfiltration tactic via Telegram exemplifies the growing trend of hackers abusing popular messaging platforms as their data theft channels.

Command and Control

C2 over Legitimate Platform (Telegram) – (ATT&CK T1071.001)

PupkinStealer does not use a traditional interactive Command-and-Control (C2) channel; it doesn’t await further commands once running. However, its exfiltration mechanism doubles as its C2 communication, in that it contacts an external server under attacker control (Telegram) to deliver results. This falls under the use of an Application Layer Protocol for C2 – the malware uses a web API (HTTPS requests to Telegram) for communication. From the defender’s view, PupkinStealer’s only network beacon is the HTTPS POST to Telegram’s API.

There is no back-and-forth shell or instructions from the attacker (pump-and-dump malware like this often don’t need follow-up commands). That said, the reliance on Telegram effectively means the malware authors are leveraging Telegram as their C2 infrastructure. Telegram is popular among cybercriminals for this purpose because it provides a convenient and reliable cloud service with anonymity.

In essence, PupkinStealer’s command-and-control consists of quietly embedding itself in normal Telegram traffic. Unless an organization specifically blocks Telegram or inspects its traffic patterns, the C2 communication may go unnoticed. This tactic highlights a broader shift in malware trends: abusing legitimate services (like cloud storage, social media, or messaging APIs) as covert channels for data exfiltration and control.

How Does Picus Help Defend Against the PupkinStealer Attacks?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.

The Picus Threat Library includes the following PupkinStealer threat, replicating TTPs observed in the wild.

Threat ID	Threat Name	Attack Module
69683	Pupkin Infostealer Download Threat	Network Infiltration
70585	Pupkin Infostealer Email Threat	Email Infiltration

Defense Strategies Against the PupkinStealer Exfiltration Campaigns

Given PupkinStealer’s tactics, organizations, especially those in retail and critical infrastructure, should adopt a multi-layered defense. Below are five tailored mitigation and remediation steps to counter PupkinStealer malware’s known behaviors:

Prevention

Preventing PupkinStealer execution is the most effective defense. Since it relies on user interaction (e.g., launching a malicious .exe), focus on hardening endpoints and user behavior:

User Awareness: Train users to avoid unknown attachments, cracked software, and suspicious downloads. Stress caution with .exe and .zip files.
Email & Web Filtering: Block phishing emails and restrict access to high-risk sites like warez and software piracy portals.
Endpoint Protection: Use EDR/AV tools with behavioral detection. Watch for unusual actions like process termination and browser credential access.
Application Control: Enforce allowlists via AppLocker or equivalent. Prevent execution from %Temp%, %AppData%, and Downloads folders.
Credential Hygiene: Encourage use of password managers and MFA. Warn users not to store sensitive logins in browsers.

Detection

PupkinStealer is noisy; its speed is a weakness. Leverage that:

Behavioral Monitoring: Flag unknown processes killing Telegram or browser processes and accessing login databases.
Network Monitoring: Watch for outbound traffic to api.telegram.org, especially POSTs to /sendDocument.
File System Scans: Detect artifacts like Grabbers\Browser\passwords.txt or @ardent.zip in temp directories.
YARA/IOC Scanning: Deploy known signatures for binary hashes and ZIP structures.
User Feedback: Train users to report sudden app crashes (e.g., Chrome or Telegram) which may indicate malicious interference.

Response & Mitigation

If PupkinStealer is detected:

Isolate the Host: Disconnect from the network immediately.
Terminate and Remove: Kill the malicious process, delete its directory and ZIP payload.
Reset Credentials: Assume all locally stored credentials are compromised. Invalidate tokens (Telegram/Discord), rotate corporate secrets.
Monitor for Abuse: Watch affected accounts for unauthorized access or leaks.
Conduct Forensics: Scan for additional payloads, persistence, or rootkits.
Patch & Educate: Address the root cause (e.g., phishing, cracked software) and reinforce policies.
Wipe if Needed: If compromise scope is uncertain, reimage the device and restore clean data.

Indicators of Compromise (IOCs)

Security defenders should look for the following indicators associated with PupkinStealer infections. These IOCs have been compiled from open-source intelligence reports and can help identify the malware on systems or networks:

Malicious Executable Hash:

The known sample of PupkinStealer has the

SHA-256 hash: 9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f.
Its MD5 hash is fc99a7ef8d7a2028ce73bf42d3a95bce.

Any file with these hashes (or slight variants, if recompiled) should be treated as malicious. The file is a 6.21 MB .NET PE32 executable.

File Names:

The malware binary may be named PupkinStealer.exe. In at least one instance it was found under the name PlutoniumLoader.exe. Of course, attackers can rename it arbitrarily, but the presence of an unknown .NET executable in user temp folders or email attachments with names referring to Pupkin or loader could be suspicious.

Installed Artifacts (Filesystem):

PupkinStealer creates a specific working directory structure in the user’s TEMP or AppData directory. It creates a Grabbers folder tree to store stolen data:

Grabbers\Browser\passwords.txt – text files containing stolen browser credentials.
Grabbers\TelegramSession\* – a folder containing copied Telegram tdata files.
Grabbers\Discord\Tokens.txt – file where Discord tokens are saved.
Grabbers\Screenshot\Screen.jpg – the screenshot image file.
DesktopFiles\* – a folder where collected desktop files are gathered (often under the same Temp path).
A ZIP archive named [Username]@ardent.zip in the Temp directory. For example, if the Windows username is John, it might be John@ardent.zip. The inclusion of “ardent” in the filename is a strong IoC, as it’s the malware author’s signature. This ZIP is the payload prepared for exfiltration and might remain on disk if the exfiltration failed or wasn’t cleaned up.

Network Indicators:

Any outbound network connection to api.telegram.org that includes the URI path /bot<token>/sendDocument with a bot token and chat_id is highly indicative of PupkinStealer (or a similar Telegram-based stealer). Specifically, PupkinStealer was observed using a bot token 8013735771:AAE_UrTgQsAmiAsXeDN6mehD_fo3vEg-kCM and sending to chat ID 7613862165. In URL-encoded form, the request looks like:

https://api.telegram.org/bot8013735771:AAE_UrTgQs.../sendDocument?chat_id=7613862165&caption=<...>

(The caption parameter contains the system info and “Coded by Ardent” text.) Presence of this specific token or chat ID in network logs or telemetry is a confirmed indicator of PupkinStealer exfiltration. Even without exact tokens, any unexpected traffic from a workstation to Telegram’s API could be worth investigating if your organization doesn’t normally use Telegram.

Notable Strings:

The string “Coded by Ardent” is used by the malware (included in the exfiltration caption and possibly within the ZIP or binary). Scanning for “Ardent” or this phrase in memory, logs, or file contents may catch an infection. Additionally, the bot username botkanalchik_bot might appear in the binary or in memory if the malware constructs any debug strings or JSON (the bot’s handle was derived from Russian “kanalchik”).

Note: If any of these indicators are detected in your environment, it is crucial to initiate incident response promptly – by that point, sensitive data may have already been stolen, but swift action can contain further damage (see Defense Strategies below for mitigation steps).

References

[1] A. Mishra, “‘PupkinStealer’ – .NET Malware Steals Browser Data and Exfiltrates via Telegram,” GBHackers Security | #1 Globally Trusted Cyber Security News Platform, May 12, 2025. Available: https://gbhackers.com/pupkinstealer-net-malware-steals-browser-data/. [Accessed: May 14, 2025]

[2] Navneet, “Pupkin: A Simple .NET Info-Stealer Exfiltrating Data via Telegram,” Home, Apr. 29, 2025. Available: https://muff-in.github.io/blog/pupkin-info-stealer-analysis/. [Accessed: May 14, 2025]

[3] A. Lavoipierre, “Banking passwords stolen from Australians are being traded online by cybercriminals,” ABC News, ABC News, Apr. 28, 2025. Available: https://www.abc.net.au/news/2025-04-29/australian-bank-customers-passwords-stolen-by-malware-hackers/105196976. [Accessed: May 14, 2025]

[4] “PupkinStealer : A .NET-Based Info-Stealer,” CYFIRMA. Available: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/. [Accessed: May 14, 2025]

[5] N. Balaji, “‘PupkinStealer’ A New .NET-Based Malware Steals Browser Credentials & Exfiltrate via Telegram,” Cyber Security News, May 10, 2025. Available: https://cybersecuritynews.com/pupkinstealer-a-new-net-based-malware-steals-browser-credentials-exfiltrate-via-telegram/. [Accessed: May 14, 2025]