{
  "name": "PupkinStealer .NET Infostealer Using Telegram for Data Theft",
  "slug": "pupkinstealer-net-infostealer-using-telegram-for-data-theft",
  "description": "PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. The malware performs minimal system discovery, collects files from the desktop, and captures a screenshot. It packages stolen data into a ZIP archive and sends it to the attacker through Telegram's Bot API. PupkinStealer doesn't employ persistence mechanisms, relying on quick execution and low-profile behavior. Its primary evasion technique is leveraging legitimate Telegram infrastructure for communication.",
  "published": "2025-05-22T11:09:11+00:00",
  "created_at": "2025-05-22T11:09:11+00:00",
  "modified_at": "2025-05-22T12:59:56+00:00",
  "created_at_opencti": "2025-05-22T11:09:11+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-22",
    "credential-theft",
    "infostealer",
    "pupkinstealer",
    "session hijacking"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "9309003c245f94ba4ee52098dadbaa0d0a4d83b423d76c1bfc082a1c29e0b95f"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:d8cbba00e08996eb",
        "name": "PupkinStealer",
        "slug": "pupkinstealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://www.picussecurity.com/resource/blog/pupkinstealer-net-infostealer-using-telegram-for-data-theft",
    "https://otx.alienvault.com/pulse/682f21f740ee536b48e48783"
  ]
}