Overview Researchers have uncovered a malicious PowerShell script hosted on Pastebin that masquerades as a Windows Telemetry Update. The script is designed to silently steal Telegram session data from both desktop and web clients, exfiltrating it via the Telegram Bot API.
Key Highlights
- Disguise: Script presented as a routine Windows update.
- Metadata Collection: Captures username, computer name, and public IP via
api.ipify[.]org. - Targeted Paths:
%APPDATA%\Telegram Desktopand%APPDATA%\Telegram Desktop Beta. - Exfiltration: Compresses session files into
diag.zip, uploads via Telegram Bot APIsendDocument. - Versions:
- v1: Broken multipart upload implementation.
- v2: Fixed with proper
Invoke-RestMethod-Formencoding, fully functional.
- Web Component: Separate stealer captures Telegram Web localStorage session state (MTProto keys, session structures).
Attack Mechanics
- Victim manually runs disguised PowerShell script.
- Script terminates Telegram process to release file locks.
- Compresses session data into
diag.zip. - Uploads archive to attacker’s Telegram bot channel.
- Deletes
diag.zipto erase forensic traces. - Web-based stealer captures active session tokens from browser storage.
Risks to Users
- Account Hijacking: Stolen session files allow attackers to reconstruct authenticated sessions without passwords or SMS codes.
- Data Exposure: Sensitive messages, files, and account settings compromised.
- Operational Readiness: Script shows active debugging and development, indicating imminent deployment at scale.
Defensive Guidance
- Terminate Sessions: In Telegram → Settings → Privacy & Security → Active Sessions → Terminate All Other Sessions.
- Change Credentials: Reset Telegram password and enable two-factor authentication.
- Audit Activity: Check for unauthorized messages or account changes.
- Network Controls:
- Block
api.telegram.organdweb.telegram.orgwhere Telegram is not permitted. - Monitor for suspicious API calls (
sendDocument,sendMessage) originating from PowerShell or scripting environments.
- Block
- User Awareness: Educate users about scripts disguised as system updates.
Final Thought
This case illustrates how attackers exploit legitimate platforms like Pastebin to stage malware and abuse Telegram’s own API for exfiltration. The debugging trail visible in public posts shows how quickly such tools evolve from broken prototypes to fully functional stealers. For defenders, the lesson is clear: monitor scripting environments for unusual API calls and enforce strict controls on session management.
Leave a Reply