Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials
Threat actors are increasingly weaponizing the legitimate Telegram Bot API to establish Command and Control (C2) channels and exfiltrate stolen data. This technique is widely adopted across credential phishing campaigns and malware families like Agent Tesla and Pure Logs Stealer, allowing attackers to bypass traditional network defenses by blending malicious traffic with legitimate Telegram communications.
Authors: Kahng An, Cofense Intelligence Team
Source: Cofense
- URL: hxxps://api[.]telegram[.]org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument - Telegram Bot API URL used by Agent Tesla Keylogger for file exfiltration.
- URL: hxxps://api[.]telegram[.]org/bot7004434365:AAGMJLpdyYvb4CDZLQ47zbh0pRB_CC-Hwro/sendMessage - Telegram Bot API URL used by WSH RAT to exfiltrate infected host information.
- URL: hxxps://api[.]telegram[.]org/bot8164995813:AAH85N7GqLCmFV8QF5STNJv92Cv2ZQKpPGk/sendMessage - Telegram Bot API URL used in a credential phishing campaign to exfiltrate stolen credentials.
- URL: hxxps://paste[.]rs/qDTxA - Second-stage payload URL used by Pure Logs Stealer (Lone None threat actor), constructed from a string hidden in a Telegram bot profile.
Key Takeaways
- Threat actors heavily abuse the Telegram Bot API as a Command and Control (C2) channel for data exfiltration via text messages and arbitrary file uploads.
- Agent Tesla Keylogger is the most prominent malware family using Telegram C2s, accounting for 77.7% of all such Active Threat Reports in 2024.
- Telegram bots are also frequently used in credential phishing campaigns to silently exfiltrate submitted form data.
- Threat actors like 'Lone None' use Telegram bot profile pages to host secondary payload URL paths (e.g., for Pure Logs Stealer).
- Security analysts can leverage the Telegram API (using getMe, getUpdates, and forwardMessage) to investigate threat actor infrastructure if the bot token and chat ID are recovered.
Affected Systems
- Windows
- Web Browsers
Attack Chain
Victims are initially compromised via credential phishing pages or malicious payloads (such as Agent Tesla or WSH RAT). Once executed, the malware or phishing script harvests sensitive data, including credentials, session cookies, and host information. The stolen data is then exfiltrated to a threat actor-controlled Telegram chat room via HTTPS POST requests to the Telegram Bot API (using methods like sendMessage or sendDocument). In some advanced campaigns, threat actors also use Telegram bot profile pages to host secondary payload paths, which are fetched to download further malicious scripts.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide explicit detection rules, but recommends monitoring or blocking network traffic directed at the 'api.telegram.org/bot*' endpoint.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can observe the network connections made by malicious processes to Telegram's API, but the payload content is encrypted via HTTPS.
- Network Visibility: High. Network proxies and firewalls can easily identify connections to the specific 'api.telegram.org/bot' URI paths, even if the exact payload is encrypted.
- Detection Difficulty: Moderate. While the network indicators are clear, Telegram is a legitimate application. Blanket blocking or alerting on the API may cause false positives in environments where Telegram bots are used for business purposes.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Firewall Logs
- EDR Network Connection Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for non-browser processes (e.g., powershell.exe, wscript.exe, or unknown executables) making outbound HTTPS connections to api.telegram.org. | EDR Network Connection Logs | Command and Control | Low |
| Monitor web proxy logs for high volumes of POST requests to api.telegram.org/bot*/sendMessage or sendDocument originating from internal endpoints. | Web Proxy Logs | Exfiltration | Medium |
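The second hunting hypothesis expressed as runnable detection logic over constructed web proxy log lines, an added example that is not part of the original report. The log layout, the bot IDs and secrets, and the business-bot allowlist are assumptions; the token layout (`/bot<id>:<secret>/<method>`) and the two methods flagged are the ones the report describes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Telegram Bot API paths embed the bot token: /bot<bot_id>:<secret>/<method>.
# The numeric bot_id identifies the bot; the secret is what an alert must not leak.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
EXFIL_METHODS = {"sendMessage", "sendDocument"}  # the two methods the report observed

@dataclass
class Alert:
    timestamp: str
    src_ip: str
    bot_id: str
    method: str
    masked_url: str  # token secret replaced so the alert itself is safe to share

def detect_telegram_exfil(lines, approved_bot_ids=frozenset()):
    """Flag POSTs to sendMessage/sendDocument on bots not on the business allowlist.
    Constructed proxy log layout assumed: '<ts> <src_ip> <verb> <url> <status>'."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the hunt
        ts, src_ip, verb, url, _status = parts
        m = TELEGRAM_BOT_RE.search(url)
        if m is None or verb != "POST" or m["method"] not in EXFIL_METHODS:
            continue
        if m["bot_id"] in approved_bot_ids:
            continue  # known automation bot: suppress to keep the FP rate down
        masked = url.replace(m["secret"], "<redacted>")
        alerts.append(Alert(ts, src_ip, m["bot_id"], m["method"], masked))
    return alerts

def posts_per_source(alerts):
    """Per-host volume view for the 'high volumes of POST requests' hunt."""
    return Counter(a.src_ip for a in alerts)

# Constructed sample lines; bot IDs and secrets are placeholders, not real tokens.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot1111111111:AAEXAMPLESECRETa/sendDocument 200",
    "2024-06-01T10:00:02Z 10.0.0.5 POST https://api.telegram.org/bot1111111111:AAEXAMPLESECRETa/sendMessage 200",
    "2024-06-01T10:00:03Z 10.0.0.9 GET https://api.telegram.org/bot2222222222:AAEXAMPLESECRETb/getUpdates 200",
    "2024-06-01T10:00:04Z 10.0.0.7 POST https://api.telegram.org/bot3333333333:AAEXAMPLESECRETc/sendMessage 200",
    "2024-06-01T10:00:05Z 10.0.0.8 POST https://example.com/login 200",
]
APPROVED_BOTS = frozenset({"3333333333"})  # hypothetical business alerting bot
```

With the allowlist applied, only the two POSTs from 10.0.0.5 are raised; the approved bot's traffic and the GET to getUpdates are not.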
Control Gaps
- Lack of SSL/TLS inspection to view specific URI paths
- Permissive outbound web filtering allowing access to unapproved messaging platforms
Key Behavioral Indicators
- Outbound network connections to api.telegram.org from unusual processes
- POST requests containing Telegram bot tokens in the URI path
False Positive Assessment
- Medium, as legitimate enterprise applications or developers may use the Telegram Bot API for alerting and automation, which could trigger network-based detections.
Recommendations
Immediate Mitigation
- Block access to the 'api.telegram.org/bot*' endpoint at the network perimeter if Telegram bots are not legitimately used within the environment.
Infrastructure Hardening
- Implement SSL/TLS inspection to gain visibility into specific URL paths and API methods being accessed.
- Restrict outbound network access to known-good services and block unauthorized messaging platforms.
User Protection
- Deploy endpoint protection platforms (EPP/EDR) configured to detect and block known infostealers like Agent Tesla and Pure Logs Stealer.
Security Awareness
- Train users to identify and report credential phishing attempts, suspicious messages, and unexpected file downloads.
MITRE ATT&CK Mapping
- T1071.001 - Application Layer Protocol: Web Protocols
- T1102.002 - Web Service: Bidirectional Communication
- T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
- T1056.001 - Input Capture: Keylogging
Additional IOCs
- Domains:
  - api[.]telegram[.]org - Legitimate Telegram API domain abused for C2 and exfiltration.
  - paste[.]rs - Online pastebin service used to host malicious Python scripts for Pure Logs Stealer.
- Other:
  - 8164995813 - Telegram Bot ID used in credential phishing campaign.
  - 6322326407 - Telegram Chat ID used in credential phishing campaign.
  - 7004434365 - Telegram Bot ID used by WSH RAT.
  - 7183381859 - Telegram Chat ID used by WSH RAT.
  - @DA_NEW_VER_BOT - Telegram Bot username used by Lone None to host payload paths in its profile.