Russian hackers hide malware control center in Telegram chat service

Written by Michael Anthony Bitoon

Published 18 Feb 2025

Fact checked by Sophia Feona Cantiller


A new malware strain discovered by Netskope Threat Labs uses Telegram’s messaging platform to send commands to infected computers.

The team’s February 14, 2025 report revealed a sophisticated Golang-based malware using Telegram as its command-and-control (C2) channel.

“The malware is compiled in Golang and once executed it acts like a backdoor,” said Leandro Fróes, a security researcher at Netskope. “Although the malware seems to still be under development it is completely functional.”

Under the name “svchost.exe”, the malware operates by copying itself to the Windows temporary folder. It then establishes a connection with its controllers through Telegram’s Bot API, allowing attackers to send commands without maintaining their own server infrastructure.

Russian-language prompts in the malware’s command interface point to its likely origin. The program accepts four basic commands. The “/cmd” instruction prompts attackers in Russian before executing hidden PowerShell commands. A “/persist” command reinstalls the malware so it survives a system restart, while “/selfdestruct” removes all traces. The “/screenshot” command exists but only sends fake confirmation messages.

The attackers’ use of Telegram represents a growing trend. “The use of cloud apps presents a complex challenge to defenders and attackers are aware of it,” Fróes explained. “Other aspects such as how easy it is to set and start the use of the app are examples of why attackers use applications like that in different phases of an attack.”

Security experts warn this technique could spread to other cloud platforms. Services like OneDrive, GitHub, and Dropbox face similar risks as attackers seek new ways to hide their activities. Telegram’s Bot API, for instance, allows automated control, making it easy to issue commands remotely.

Netskope has labeled the threat “Trojan.Generic.37477095” and published technical details in their GitHub repository. This information helps organizations defend against the new attack method.

The discovery reveals how cybercriminals adapt their tactics to exploit trusted services. As more businesses rely on cloud applications, distinguishing between legitimate and malicious traffic becomes increasingly difficult for security teams.

To defend against this threat, users are advised to install up-to-date antivirus software from established security companies. These programs can detect and stop malicious programs, even ones written in the Go programming language.
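Beyond antivirus, the behaviour described above (a copy named svchost.exe running from the Windows temp folder, started outside the normal service chain, and talking to Telegram's Bot API) can be turned into simple detection heuristics over endpoint telemetry. The following is an added defender-side example, not code from the Netskope report or this article; the event schema, the sample events and the Bot API process allowlist are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed EDR-style event schema for this example (not a real product format).
@dataclass
class ProcEvent:
    process: str          # image name as logged, e.g. "svchost.exe"
    path: str             # full path the image was executed from
    parent: str           # parent process image name
    dest_host: str = ""   # remote host of an outbound connection, "" if none

# The genuine svchost.exe lives under System32/SysWOW64 and is started by services.exe.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Telegram's Bot API is served from api.telegram.org. Which processes may legitimately
# reach it is an assumed allowlist that a real deployment would tune (placeholder name).
BOT_API_HOST = "api.telegram.org"
BOT_API_ALLOWED_PROCESSES = {"sanctioned-bot.exe"}

def findings(ev: ProcEvent) -> list[str]:
    """Return the heuristic matches for one event (empty list if nothing looks off)."""
    hits = []
    proc, path, parent = ev.process.lower(), ev.path.lower(), ev.parent.lower()
    if proc == "svchost.exe":
        if not path.startswith(LEGIT_SVCHOST_DIRS):
            hits.append("svchost.exe executing outside System32/SysWOW64")
        if TEMP_DIR_RE.search(path):
            hits.append("svchost.exe image located in a temp folder")
        if parent != "services.exe":
            hits.append("svchost.exe not started by services.exe")
    if ev.dest_host.lower() == BOT_API_HOST and proc not in BOT_API_ALLOWED_PROCESSES:
        hits.append("outbound connection to the Telegram Bot API host")
    return hits

# Constructed sample events: a genuine service host and the backdoor's lookalike.
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ProcEvent("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
              "explorer.exe", "api.telegram.org"),
]

def triage(events):
    """Map each event's image path to its findings, keeping only events that matched."""
    return {ev.path: findings(ev) for ev in events if findings(ev)}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_EVENTS).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

Each heuristic is weak on its own (developers and sanctioned bots do use the Bot API), so the value is in an event matching several of them at once, as the lookalike sample does.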
