
A newly discovered information-stealing malware, known as PumpkinStealer, has surfaced as a significant cybersecurity threat, specifically targeting Windows users. Written in C# using the .NET framework, this malware is designed to harvest sensitive user data, including browser credentials, desktop files, messaging app sessions, and screenshots, and exfiltrate them via Telegram’s Bot API.
PumpkinStealer is particularly dangerous due to its ability to hijack messaging accounts, steal saved login credentials, and exfiltrate sensitive files, making it a high-risk malware for individuals and businesses alike.
1. Overview of PumpkinStealer
Key Characteristics
- First Observed: April 2025
- Programming Language: C# (.NET framework)
- Targeted Data:
- Browser credentials (Google Chrome, Microsoft Edge, Opera, Vivaldi)
- Desktop files (.pdf, .txt, .sql, .jpg, .png)
- Messaging app sessions (Telegram, Discord)
- Screenshots of the victim’s desktop
How It Works
PumpkinStealer operates by extracting saved login credentials from Chromium-based browsers and decrypting them with the Windows Data Protection API (DPAPI). It also copies Telegram’s tdata folder, allowing attackers to hijack accounts without needing credentials. Additionally, it harvests Discord authentication tokens from leveldb directories, enabling unauthorized access.
Once executed, the malware:
- Captures a full-screen screenshot and saves it as a .jpg file.
- Compresses all stolen data into a ZIP archive.
- Transmits the ZIP file to an attacker-controlled Telegram bot via a crafted API URL.
2. Exploitation & Attack Methods
Active Exploitation
- PumpkinStealer spreads through social engineering tactics, tricking users into downloading malicious files disguised as legitimate software.
- Once activated, it silently extracts sensitive data and transmits it to attackers using Telegram’s Bot API, making detection difficult.
- The malware lacks persistence mechanisms, meaning it does not automatically restart after system reboots, but it remains a major privacy risk.
Technical Analysis
- PumpkinStealer is a 32-bit GUI-based Windows executable with a file size of 6.21 MB.
- It uses the Costura library to embed compressed DLLs, contributing to a high entropy value (7.998) in its .text section.
- Upon execution, the .NET runtime initializes the Common Language Runtime (CLR) and calls the malware’s Main() method, which orchestrates asynchronous tasks for data harvesting.
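The entropy figure above is the kind of triage signal an analyst checks before deeper analysis. As an added example (not code from the page or from any published PumpkinStealer analysis), the following Python walks a PE section table and reports per-section entropy; the 7.9 threshold and the minimal PE builder used for offline testing are assumptions.

```python
import math
import struct

HIGH_ENTROPY = 7.9  # assumed threshold, near the 8.0 ceiling where compressed/encrypted data lands

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_section_entropy(pe: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy of its raw bytes on disk}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                    # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section headers, 40 bytes each
    result = {}
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

def suspicious_sections(pe: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections whose entropy suggests embedded compressed or encrypted content."""
    return [name for name, h in pe_section_entropy(pe).items() if h >= threshold]

def build_test_pe(sections: dict) -> bytes:
    """Constructed, non-executable PE shell (DOS header, signature, COFF header, empty optional header, section table, raw data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, blobs = b"", b""
    ptr = 0x40 + 4 + 20 + len(sections) * 40               # raw data starts right after the headers
    for name, data in sections.items():
        table += name.ljust(8, "\0").encode() + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        blobs += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + blobs
```

A .NET executable with Costura-embedded DLLs shows the same pattern as the 7.998 figure cited above: a near-maximal .text section next to ordinary-looking sections, which on its own is a reason for closer inspection rather than a verdict.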
Observed Attack Techniques
- Credential Harvesting – Extracts saved passwords from browsers and messaging apps.
- Session Hijacking – Copies Telegram’s tdata folder to allow unauthorized access.
- Data Exfiltration – Compresses stolen data into a ZIP file and sends it via Telegram.
- Screenshot Capture – Takes a full-screen snapshot of the victim’s desktop.
3. Impact & Risks
Who Is at Risk?
PumpkinStealer primarily targets:
- Individual users who store sensitive credentials in browsers.
- Businesses using Telegram or Discord for communication.
- Developers who store API keys or database credentials in local files.
Potential Consequences
🚨 Identity Theft – Stolen credentials can be used for fraudulent activities.
🚨 Account Hijacking – Telegram and Discord sessions can be taken over remotely.
🚨 Financial Loss – Banking credentials stored in browsers may be compromised.
🚨 Corporate Espionage – Sensitive business files can be exfiltrated and sold.
4. Mitigation Strategies
A. Prevent Infection
✅ Avoid downloading unknown files from untrusted sources.
✅ Enable multi-factor authentication (MFA) for Telegram and Discord accounts.
✅ Use endpoint security solutions to detect suspicious activity.
B. Detect & Remove PumpkinStealer
🔹 Scan for unauthorized Telegram bot activity in network logs.
🔹 Check for unusual ZIP file creation in system directories.
🔹 Monitor browser credential storage locations for unauthorized access attempts.
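The network-log check in the first point above, applied to the Telegram exfiltration step described under "How It Works", as an added example that is not part of the original page. It parses a constructed proxy-log format (an assumption, not a real product's format), flags Bot API upload methods when a TLS-inspecting proxy exposes the URL, falls back to outbound volume when only the host is visible, and carries an allow-list for bots the organisation runs on purpose.

```python
import re
from dataclasses import dataclass

# Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>; uploading a ZIP needs a file-upload method.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

@dataclass
class Finding:
    ts: str
    src: str
    process: str
    bot_id: str      # numeric id only; the secret part of the token never goes into an alert
    method: str
    bytes_out: int

def parse_line(line: str):
    """Constructed log format (assumption): <ts> <src_ip> <process> <verb> <url_or_host> <bytes_out>."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, proc, verb, target, size = parts
    return ts, src, proc, verb, target, int(size)

def detect_telegram_exfil(lines, allowed_bots=frozenset(), min_bytes=50_000):
    """Flag Bot API uploads; when TLS hides the path, fall back to outbound volume to the host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, proc, verb, target, size = rec
        if "api.telegram.org" not in target:
            continue
        m = BOT_API_RE.search(target)
        if m:  # full URL visible (TLS-inspecting proxy): decide on the API method used
            if m.group("bot_id") in allowed_bots or m.group("method") not in UPLOAD_METHODS:
                continue
            findings.append(Finding(ts, src, proc, m.group("bot_id"), m.group("method"), size))
        elif verb == "CONNECT" and size >= min_bytes:  # only the host is visible: use volume
            findings.append(Finding(ts, src, proc, "unknown", "tls-opaque", size))
    return findings

# Constructed sample lines (not real traffic); bot ids, tokens and process names are made up.
SAMPLE_LOG = [
    "2025-04-10T09:12:01Z 10.0.0.5 monitor.exe GET https://api.telegram.org/bot111:AAAA/getMe 210",
    "2025-04-10T09:12:44Z 10.0.0.7 installer.exe POST https://api.telegram.org/bot999:ZZZ-1/sendDocument 6512340",
    "2025-04-10T09:13:02Z 10.0.0.9 ops-bot.exe POST https://api.telegram.org/bot222:BBBB/sendDocument 4096",
    "2025-04-10T09:13:30Z 10.0.0.11 update.exe CONNECT api.telegram.org:443 7300000",
]
```

Because the Bot API is ordinary HTTPS to a legitimate host, the allow-list is what keeps this rule from firing on sanctioned bots, and the volume fallback is what keeps it useful where the proxy cannot see the request path.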
C. Secure Messaging & Browser Accounts
🔸 Change passwords immediately if suspicious activity is detected.
🔸 Clear saved credentials from browsers to prevent unauthorized access.
🔸 Restrict access to sensitive files using encryption and secure storage solutions.
5. Future Implications & Cybersecurity Trends
Growing Use of Telegram for Cybercrime
PumpkinStealer highlights a growing trend where cybercriminals use Telegram bots for data exfiltration. Telegram’s encrypted messaging and API flexibility make it an attractive tool for stealthy malware operations.
Evolution of .NET-Based Malware
- PumpkinStealer is part of a new wave of .NET-based malware, leveraging C# for rapid development and obfuscation.
- Future variants may include persistence mechanisms, making them harder to remove.
- Security researchers expect more malware families to adopt Telegram-based exfiltration due to its ease of use.
6. Conclusion
PumpkinStealer represents a growing trend in cybercrime, where attackers leverage legitimate platforms like Telegram for stealthy data exfiltration. While it lacks advanced persistence mechanisms, its ability to harvest credentials, hijack messaging sessions, and steal sensitive files makes it a serious threat to individuals and businesses.