Golang Malware Uses Telegram as Command and Control Channel

Article Highlights
Off On

Researchers have identified a new variant of Golang malware using Telegram as its command and control (C2) channel. This malware, believed to originate from Russia, is still under development but already possesses significant capabilities that make it a formidable threat. Experts from Netskope uncovered this backdoor, which upon execution, sets the stage for its malicious operations. This approach of using Telegram as a C2 channel highlights the increasing tendency among threat actors to exploit cloud applications due to their ease of setup and the challenges they pose to defenders.

Increasing Use of Cloud Applications for Command and Control

Much of the growing trend among attackers involves leveraging cloud applications as their C2 channels. This tactic not only simplifies the setup process for the malicious actors but also poses significant detection challenges for security teams. Applications such as OneDrive, GitHub, and Dropbox have seen similar exploitation, making it difficult for defenders to differentiate between legitimate user activity and malicious communications. The utilization of these cloud platforms complicates the task for cybersecurity teams, as distinguishing normal traffic from nefarious actions becomes a daunting task due to the encryption and legitimate use of these services.

The newly discovered Golang malware follows this trend, opting for Telegram as its preferred C2 channel. Telegram’s widespread use and encryption features make it an attractive option for threat actors. The malware includes a critical function named “installSelf,” specifically designed to ensure its presence under a designated location and name on the infected system, “C:WindowsTempsvchost.exe.” Once properly installed, the malware turns to an open-source Go package to interact with Telegram, showcasing the sophistication and planning behind its development.

Technical Mechanism of the Golang Malware

The interaction with Telegram relies heavily on several functions, making it capable of responding to its operators’ commands efficiently. To create a bot instance, the malware utilizes the “NewBotAPIWithClient” function, which requires a token obtained from Telegram BotFather. Once the bot is established, it continually checks for new commands via the “GetUpdatesChan” function. This mechanism ensures that the malware remains responsive to commands sent through Telegram, allowing the attacker to maintain control over the infected systems discreetly.

The malware supports four primary commands that enable the attacker to execute specific tasks. These are: execute PowerShell commands, relaunch itself, capture screenshots, and delete itself. The most complex of these commands is the execution of PowerShell scripts, which requires the input of two separate messages: the command prompt and the subsequent PowerShell script. Once the PowerShell command is given, the malware waits for the next input, prompting the user with a message in Russian. The remaining three commands are straightforward, each requiring only a single confirmation message before execution.

Feedback from these commands is securely sent back to the attacker’s Telegram channel using an encrypted function named “sendEncrypted.” This ensures that even if the communications are intercepted, the content remains inaccessible without the decryption key. The approach not only masks the malicious communications but also leverages Telegram’s security features to the attackers’ advantage, thereby making it challenging for cybersecurity experts to detect and mitigate these threats effectively.

What’s Next for Cybersecurity

In a concerning development that underscores the continually advancing tactics of cybercriminals, researchers have discovered a new strain of Golang malware utilizing Telegram as its command and control (C2) channel. This particular malware is believed to have Russian origins and is still in its development stages. However, even in its current form, it possesses substantial capabilities, rendering it a significant threat. Netskope experts identified this backdoor, which, once executed, prepares for its malicious activities. The method of employing Telegram as a C2 channel highlights a growing trend among cybercriminals to leverage cloud-based applications. These applications are appealing due to their simplicity in setup and the considerable difficulties they present for cybersecurity defenders. Cybersecurity professionals must stay aware of such innovations as they pose new challenges in maintaining secure systems and protecting sensitive data from being compromised by increasingly sophisticated attacks.

Explore more

GNOME Extensions Significantly Reduce Linux Battery Life

The long-standing assumption that Linux distributions naturally outperform Windows in power management often crumbles when subjected to rigorous real-world battery testing on modern mobile hardware. While the core Linux kernel remains an engineering marvel of efficiency, the modern software landscape has introduced layers of complexity that frequently negate these inherent advantages. Desktop environments, which serve as the primary interface for

How to Install the macOS 27 Golden Gate Public Beta

The evolution of the Mac operating system reaches a pivotal moment with the release of the macOS 27 Golden Gate Public Beta, offering a glimpse into the next generation of computing. For enthusiasts and early adopters, this release represents more than just a seasonal update; it serves as a foundation for a new era of interaction between humans and hardware.

Is UiPath Stock a Genuine Bargain or a Value Trap?

The rapid evolution of robotic process automation into the sophisticated realm of agentic artificial intelligence has left many investors questioning whether pioneers like UiPath still hold a competitive edge in an increasingly crowded software market. While the company once dominated the landscape by automating repetitive tasks, the current technological shift demands a much deeper integration of cognitive capabilities that can

How Does the ClaudeFix Campaign Exploit Trust in AI?

As artificial intelligence platforms become central to daily productivity, threat actors have shifted their focus toward subverting the inherent credibility of these tools to facilitate sophisticated social engineering schemes. The emergence of the ClaudeFix campaign demonstrates an alarming evolution in cybercrime, where attackers no longer rely solely on poorly designed spoofed websites but instead leverage the legitimate infrastructure of major

Ransomware Costs Rise as Tactics Shift to Identity Theft

The digital extortion landscape has undergone a radical transformation as traditional file encryption loses its efficacy against organizations that have finally mastered the art of robust, offline backup solutions. While the initial ransomware wave relied on locking down systems to demand a fee, modern threat actors like LockBit and BlackCat have pivoted toward a more insidious strategy: stealing the very