
Hackers Use Pastebin PowerShell Script to Hijack Telegram Sessions


Hackers have recently been observed testing a novel Telegram-focused session stealer, embedded in a PowerShell script hosted on Pastebin. The script masquerades as a Windows telemetry update, and its unfinished state gives security researchers a rare look at how such tools are developed and tested.

### Understanding the Functionality of the Script

The tool does not harvest passwords or browser credentials. Instead, it targets only the data associated with Telegram’s desktop client and uses Telegram’s Bot API to exfiltrate the stolen session information, a narrow and deliberate approach to data theft. Its simplicity exposes the operator’s infrastructure and offers a glimpse into their development process, and a parallel web-based Telegram stealer tied to the same bot channel further reveals how they operate.

A PowerShell script titled “Windows Telemetry Update – Fixed version” has been flagged as a security threat: analysis confirms that it is designed to extract session data from Telegram Desktop.

### Operation of the PowerShell Stealer

Examining how the PowerShell stealer operates reveals its mechanics and their implications. The script begins with hardcoded Telegram bot credentials and a chat ID, so every result is reported directly to the operator’s bot account, which is humorously named “afhbhfsdvfh_bot” and identifies itself as a “Telegram attacker.” Hardcoding the reporting channel this way shows the operator’s intent to gather session data with minimal effort.

The script collects basic host metadata, namely the user name, hostname and public IP address (obtained from api.ipify[.]org), and attaches it as the caption of the stolen data so the attacker can profile each victim immediately.

Next, it searches the user’s AppData directory for folders belonging to Telegram Desktop and Telegram Desktop Beta. These folders hold long-lived MTProto authorization keys, which allow a session to be hijacked without a password or SMS code. When it finds them, the script terminates any running Telegram processes to release file locks, then compresses the folders into a diag.zip archive ready for exfiltration.

It then builds a Telegram Bot API request that sends diag.zip to the operator’s chat. If the main upload method fails, a fallback WebClient path still transmits the file, though without the victim’s metadata in the caption. When no Telegram installation is found, the script sends a notification instead, acting as a “reachability probe” that flags the host as a potential next target.

Cybersecurity analysts have identified two distinct variants of this Pastebin script: an initial version with a broken upload routine and a “fixed” version that refines the multipart sendDocument implementation and incorporates basic error handling. The lack of obfuscation and clear-text credentials suggests that the tool remains in a validation phase rather than being fully operational, indicating the importance of detecting such tools at early developmental stages.
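The combination of traits described in this section (hardcoded bot token and chat ID, an ipify lookup, Telegram Desktop folder paths, process termination, archiving, and a sendDocument call) is exactly what a defender can key on when triaging pasted scripts. The following Python scanner is an added example, not the article’s or the researchers’ code; it classifies script text by those traits. The sample scripts, the token and the chat ID in it are constructed placeholders, and the regexes are assumptions chosen to match the behaviour the article describes, not a published detection signature.

```python
import re

# Bot API token shape: <numeric bot id>:<secret>; the secret is ~35 chars in practice (lenient range here)
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{30,45}(?![A-Za-z0-9_-])")
# Bot API method in a URL, e.g. .../bot<token>/sendDocument
BOT_API_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)")
# chat_id assignment or query parameter (negative ids denote groups/channels)
CHAT_ID_RE = re.compile(r"chat_id\W{0,5}(-?\d{5,15})")

# Behavioural indicators taken from the article's description of the stealer
BEHAVIOURS = {
    "telegram_tdata": re.compile(r"Telegram Desktop(?: Beta)?", re.I),
    "kill_telegram": re.compile(r"(?:Stop-Process|taskkill)[^\n]*Telegram", re.I),
    "archive": re.compile(r"Compress-Archive|ZipFile", re.I),
    "public_ip_lookup": re.compile(r"api\.ipify(?:\[\.\]|\.)org", re.I),  # also matches the defanged form
    "fallback_webclient": re.compile(r"Net\.WebClient", re.I),
}

def scan_script(text: str) -> dict:
    """Extract Telegram IoCs from a PowerShell script body and classify it."""
    tokens = sorted(set(TOKEN_RE.findall(text)))
    methods = sorted(set(BOT_API_RE.findall(text)))
    chat_ids = sorted(set(CHAT_ID_RE.findall(text)))
    hits = [name for name, rx in BEHAVIOURS.items() if rx.search(text)]
    # Exfil channel (token + sendDocument) combined with Telegram Desktop folder access is the stealer pattern;
    # a token alone is only Bot API use, which legitimate notifier scripts do as well.
    if tokens and "sendDocument" in methods and "telegram_tdata" in hits:
        verdict = "telegram-session-stealer"
    elif tokens or methods:
        verdict = "telegram-bot-api-use"
    else:
        verdict = "clean"
    return {"tokens": tokens, "api_methods": methods, "chat_ids": chat_ids,
            "behaviours": hits, "verdict": verdict}

# Constructed samples (not the real script); the token and chat id are fake placeholders
SUSPECT_SCRIPT = r"""
$token = "123456789:AAFakeTokenPlaceholder0000000000000"
$chat_id = 987654321
$ip = Invoke-RestMethod "https://api.ipify.org"
$paths = "$env:APPDATA\Telegram Desktop", "$env:APPDATA\Telegram Desktop Beta"
Stop-Process -Name Telegram -Force
Compress-Archive -Path $paths -DestinationPath diag.zip
$url = "https://api.telegram.org/bot$token/sendDocument"
$wc = New-Object Net.WebClient
"""
NOTIFIER_SCRIPT = 'Invoke-RestMethod "https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder0000000000000/sendMessage?chat_id=987654321&text=backup+done"'
BENIGN_SCRIPT = 'Get-ComputerInfo | Export-Csv "$env:TEMP\\telemetry.csv" -NoTypeInformation'
```

Running `scan_script` over a paste feed yields the bot token and chat ID as indicators to block or monitor, while the three-way verdict keeps ordinary Telegram notifier scripts from being flagged as stealers.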

### Linked Capabilities: The Web-Based Telegram Stealer

In parallel with the PowerShell tool, a second, web-based Telegram stealer has appeared that uses the same Telegram bot channel for its notifications. It targets Telegram Web, showing how a single piece of infrastructure can support several avenues of attack, and it has been observed sending JSON previews that contain authentication keys, evidence that user sessions are being extracted.

Data from these tools confirms that they were operating within a controlled environment with limited outside exposure. The consistent use of standard user-agent strings, repeated auth key prefixes and a single LAN setup indicates that the operators are testing with a restricted set of accounts rather than handling organic victim activity.

### Conclusion: Implications and Awareness

While these tools are not sophisticated, their existence highlights a growing trend of infostealers leveraging Telegram’s Bot API to move stolen data. Addressing this risk requires vigilant monitoring of paste sites and Telegram infrastructure for early indicators such as bot tokens and chat IDs, so that defenders can detect emerging threats before they are deployed at scale in the wild.

In summary, the broader concern is the evolving threat landscape, which calls for ongoing vigilance in both individual and organizational security practice to counter tools like these effectively.

