Pastebin-Hosted PowerShell Script Targets Telegram Sessions

Overview Researchers have uncovered a malicious PowerShell script hosted on Pastebin that masquerades as a Windows Telemetry Update. The script is designed to silently steal Telegram session data from both desktop and web clients, exfiltrating it via the Telegram Bot API.

Key Highlights

  • Disguise: Script presented as a routine Windows update.
  • Metadata Collection: Captures username, computer name, and public IP via api.ipify[.]org.
  • Targeted Paths: %APPDATA%\Telegram Desktop and %APPDATA%\Telegram Desktop Beta.
  • Exfiltration: Compresses session files into diag.zip, uploads via Telegram Bot API sendDocument.
  • Versions:
    • v1: Broken multipart upload implementation.
    • v2: Fixed with proper Invoke-RestMethod-Form encoding, fully functional.
  • Web Component: Separate stealer captures Telegram Web localStorage session state (MTProto keys, session structures).

Attack Mechanics

  1. Victim manually runs disguised PowerShell script.
  2. Script terminates Telegram process to release file locks.
  3. Compresses session data into diag.zip.
  4. Uploads archive to attacker’s Telegram bot channel.
  5. Deletes diag.zip to erase forensic traces.
  6. Web-based stealer captures active session tokens from browser storage.

Risks to Users

  • Account Hijacking: Stolen session files allow attackers to reconstruct authenticated sessions without passwords or SMS codes.
  • Data Exposure: Sensitive messages, files, and account settings compromised.
  • Operational Readiness: Script shows active debugging and development, indicating imminent deployment at scale.

Defensive Guidance

  • Terminate Sessions: In Telegram → Settings → Privacy & Security → Active Sessions → Terminate All Other Sessions.
  • Change Credentials: Reset Telegram password and enable two-factor authentication.
  • Audit Activity: Check for unauthorized messages or account changes.
  • Network Controls:
    • Block api.telegram.org and web.telegram.org where Telegram is not permitted.
    • Monitor for suspicious API calls (sendDocument, sendMessage) originating from PowerShell or scripting environments.
  • User Awareness: Educate users about scripts disguised as system updates.

Final Thought

This case illustrates how attackers exploit legitimate platforms like Pastebin to stage malware and abuse Telegram’s own API for exfiltration. The debugging trail visible in public posts shows how quickly such tools evolve from broken prototypes to fully functional stealers. For defenders, the lesson is clear: monitor scripting environments for unusual API calls and enforce strict controls on session management.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.