
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications.

Netskope Threat Labs, which detailed the malware's functionality, described it as likely of Russian origin.

"The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis published last week. "Although the malware seems to still be under development it is completely functional."


Once launched, the backdoor checks whether it is running from a specific location under a specific name, "C:\Windows\Temp\svchost.exe". If not, it reads its own contents, writes them to that location, creates a new process to launch the copied version, and terminates itself.

A notable aspect of the malware is that it uses an open-source library that provides Golang bindings for the Telegram Bot API for C2 purposes.


This involves polling the Telegram Bot API for new commands originating from an actor-controlled chat. It supports four different commands, although only three of them are currently implemented:

  • /cmd – Execute commands via PowerShell
  • /persist – Relaunch itself under "C:\Windows\Temp\svchost.exe"
  • /screenshot – Not implemented
  • /selfdestruct – Delete the "C:\Windows\Temp\svchost.exe" file and terminate itself

The output of these commands is sent back to the Telegram channel. Netskope noted that the "/screenshot" command replies with the message "Screenshot captured" despite not being fully implemented.
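The two behaviours described above, the copy to a fixed path under a Windows system-binary name and the C2 traffic to the Bot API host, are both cheap to detect on the endpoint. The following Go program is an added detection example, not code from the page or from Netskope: it runs two rules over constructed, newline-delimited JSON telemetry and flags (1) an svchost.exe executing from anywhere other than System32 or SysWOW64, and (2) a process that is not a browser opening a connection to api.telegram.org. The event schema, the browser allowlist and the sample events are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a constructed, hypothetical telemetry record (not any vendor's
// schema): one process-creation or network-connection event.
type Event struct {
	Type     string `json:"type"`      // "process" or "network"
	Image    string `json:"image"`     // full path of the process image
	Dest     string `json:"dest"`      // destination host (network events only)
	DestPort int    `json:"dest_port"` // destination port (network events only)
}

// Finding names the rule that fired and the image that triggered it.
type Finding struct {
	Rule  string
	Image string
}

// Directories Windows ships svchost.exe in; an svchost.exe anywhere else is
// masquerading (the backdoor drops itself at C:\Windows\Temp\svchost.exe).
var svchostHomes = map[string]bool{
	`c:\windows\system32`: true,
	`c:\windows\syswow64`: true,
}

// Processes assumed to legitimately reach the Bot API host from a workstation
// (a browser opening a bot URL). Hypothetical allowlist; tune per environment.
var telegramAllowed = map[string]bool{
	"chrome.exe": true, "msedge.exe": true, "firefox.exe": true,
}

const botAPIHost = "api.telegram.org"

// splitWinPath splits a Windows path on its last backslash. filepath.Split
// is deliberately avoided: on a non-Windows analysis host it would not
// treat '\' as a separator.
func splitWinPath(p string) (dir, base string) {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return "", p
	}
	return p[:i], p[i+1:]
}

// isMasqueradingSvchost is rule 1: svchost.exe outside System32/SysWOW64.
func isMasqueradingSvchost(image string) bool {
	dir, base := splitWinPath(strings.ToLower(image))
	return base == "svchost.exe" && !svchostHomes[dir]
}

// isSuspiciousBotAPIConn is rule 2: a non-browser process contacting the
// Telegram Bot API host, which is where the backdoor polls for commands.
func isSuspiciousBotAPIConn(image, dest string) bool {
	_, base := splitWinPath(strings.ToLower(image))
	return strings.EqualFold(dest, botAPIHost) && !telegramAllowed[base]
}

// Analyze runs both rules over newline-delimited JSON events and returns the
// findings in input order. Malformed or blank lines are skipped, not fatal.
func Analyze(ndjson string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		if ev.Type == "process" && isMasqueradingSvchost(ev.Image) {
			out = append(out, Finding{"svchost_outside_system32", ev.Image})
		}
		if ev.Type == "network" && isSuspiciousBotAPIConn(ev.Image, ev.Dest) {
			out = append(out, Finding{"bot_api_from_unexpected_process", ev.Image})
		}
	}
	return out
}

// SampleEvents is constructed telemetry: a genuine svchost, the dropped copy
// starting, its C2 poll to the Bot API, and a browser visiting the same host.
const SampleEvents = `
{"type":"process","image":"C:\\Windows\\System32\\svchost.exe"}
{"type":"process","image":"C:\\Windows\\Temp\\svchost.exe"}
{"type":"network","image":"C:\\Windows\\Temp\\svchost.exe","dest":"api.telegram.org","dest_port":443}
{"type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"api.telegram.org","dest_port":443}
`

func main() {
	for _, f := range Analyze(SampleEvents) {
		fmt.Printf("%-32s %s\n", f.Rule, f.Image)
	}
}
```

Run as-is, the program flags only the dropped copy: once for starting from C:\Windows\Temp and once for its connection to api.telegram.org; the real svchost and the browser produce nothing. Matching on the full lower-cased directory rather than on a substring keeps paths such as C:\Windows\System32\Tasks\svchost.exe from passing, and the network rule is intentionally independent of the file name, since a rebuilt sample could drop under any name but still has to reach the Bot API host to receive commands.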

The malware's suspected Russian origin is explained by the fact that the "/cmd" instruction sends the message "Enter the command:" in Russian to the chat.

"The use of cloud apps presents a complex challenge to defenders and attackers know it," Fróes said. "Other aspects such as how easy it is to set and start using the app are examples of why attackers use applications like that in different phases of an attack."
