How Modern Malware Exploits Discord and Telegram


Although Discord and Telegram are some of the most popular communication channels today, they aren’t just used for chatting and messaging. It’s becoming increasingly common for cyber attackers to exploit these platforms as part of their malicious activities.

These services, originally designed for gamers, communities, and secure communication, have unfortunately attracted the attention of cybercriminals due to their widespread use, anonymity features, and the ease with which they can be integrated into malicious operations.


Attackers now routinely use Discord and Telegram as command and control (C2) infrastructure to manage malware, distribute malicious payloads, and exfiltrate sensitive data from compromised systems.

Why Cyber Attackers Use Discord and Telegram

Attackers increasingly use Discord and Telegram in their attacks because these platforms offer features that are ideal for malicious activities.

  • Widespread use: These platforms are popular, so malicious activities can easily blend in with normal traffic.
  • Encryption and anonymity: Both offer strong privacy features, making it difficult to trace or intercept attacks.
  • Ease of use: Discord’s webhooks and Telegram’s bots allow for simple command and control (C2) operations.
  • Integration capabilities: These platforms can be integrated into malware campaigns for efficient management and execution.

However, it is now easier for malware hunters to identify threats originating from Discord and Telegram with the help of cybersecurity tools like interactive sandboxes. These tools allow them to observe the behavior of each link or file in a controlled environment, making it possible to develop effective solutions to stop the threat from spreading.

Try ANY.RUN’s Sandbox for Free

How Discord and Telegram Can be Used by Malware

Attackers and malware can exploit Discord and Telegram in various ways to carry out their malicious activities:

1. Command and Control (C2) Infrastructure

Attackers can use Discord’s webhooks to send commands to infected devices and receive stolen data. This method allows them to control malware remotely, using Discord channels as a communication hub that is difficult to detect because it blends with legitimate traffic.

Like Discord webhooks, Telegram bots can be used to manage and control malware. Attackers set up bots that interact with infected devices, sending commands and receiving data, all under the cover of Telegram’s encrypted messaging service.

For instance, X-files stealer uses Telegram as a communication platform to exfiltrate stolen data.

You can explore similar cases by using TI Lookup, which allows you to find instances where malware uses platforms like Telegram or Discord to exfiltrate data. This will allow you to observe how similar threats use these communication channels, helping you stay ahead of potential risks.

Discord channel search inside ANY.RUN’s TI Lookup

2. Malware Distribution

Discord’s file-sharing feature is also used to distribute malicious files. These files are hosted on Discord’s Content Delivery Network (CDN), making them appear legitimate and bypassing many security filters.

Malware can also be spread through Telegram channels or groups, where attackers share infected files or links. Telegram’s widespread use and perceived security can trick users into downloading malicious content.

Suspicious files and links can be easily analyzed by uploading them to the ANY.RUN sandbox, where you can observe how they behave in an isolated environment. 

This allows you to see firsthand how malware might exploit platforms like Discord or Telegram to distribute malicious files, helping you identify which channels within these platforms should be avoided.
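As an added example (not code from ANY.RUN or from this article), the Python below scans constructed forward-proxy log lines for the three usage patterns described in the sections above: Discord webhook C2 traffic, Telegram Bot API calls, and downloads of attachments from Discord’s CDN. The log format, the sample lines, the tokens and the URL shapes are all assumed or constructed for the example; ordinary Discord client traffic is included to show that it is not flagged, and any webhook or bot token is redacted before it is reported.

```python
import re
from collections import Counter

# Added example, not ANY.RUN's code. URL shapes are assumed from the
# public Discord/Telegram API conventions; tune them to your own traffic.
PATTERNS = {
    "discord_webhook_c2": re.compile(
        r"https?://discord(?:app)?\.com/api/webhooks/\d+/(?P<secret>[\w-]+)", re.I),
    "telegram_bot_api": re.compile(
        r"https?://api\.telegram\.org/bot(?P<secret>\d+:[\w-]+)/\w+", re.I),
    "discord_cdn_download": re.compile(
        r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/(?P<file>[^\s?]+)", re.I),
}

# Constructed log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200
2024-05-01T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/aBcD_constructed-token 204
2024-05-01T10:00:09Z 10.0.0.7 POST https://api.telegram.org/bot123456789:AAconstructedToken/sendDocument 200
2024-05-01T10:00:12Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/111/222/update.exe 200
2024-05-01T10:00:15Z 10.0.0.9 GET https://example.com/ 200
"""

def redact(secret: str) -> str:
    """Keep only a short prefix so a webhook/bot token never lands in a ticket."""
    return secret[:4] + "..." if len(secret) > 4 else "..."

def scan_proxy_log(text: str) -> list[dict]:
    """Return one finding per log line whose URL matches a known abuse pattern."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than crash
        ts, src, method, url, status = parts
        for category, rx in PATTERNS.items():
            m = rx.search(url)
            if not m:
                continue
            gd = m.groupdict()
            indicator = redact(gd["secret"]) if "secret" in gd else gd["file"]
            findings.append({"ts": ts, "src": src, "method": method,
                             "category": category, "indicator": indicator})
    return findings

def hosts_by_hits(findings: list[dict]) -> Counter:
    """Count findings per client so a host that beacons repeatedly stands out."""
    return Counter(f["src"] for f in findings)
```

Calling `scan_proxy_log(SAMPLE_LOG)` yields three findings (webhook POST, Telegram bot call, CDN download); the first line, normal Discord client traffic, is correctly ignored.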

Sign up for free with ANY.RUN to analyze unlimited malware

Malicious channel analysis inside ANY.RUN sandbox

3. Phishing Attacks

Attackers can use Discord to send phishing links to users, often disguised as messages from trusted contacts or channels. These links can lead to malicious sites designed to steal credentials or distribute malware.

Phishing links are also shared via Telegram, often through bots or within groups. These links might redirect users to fake login pages or download malware directly onto their devices.

For instance, the trojan Xworm possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking Telegram accounts, and tracking user activity.

When running the threat inside an interactive sandbox, such as ANY.RUN, we can see how it uses Telegram to steal credentials. 

By examining the Threats section, we can quickly identify suspicious or malicious network activities flagged by Suricata IDS rules.

Threats displayed in ANY.RUN sandbox

One of the activities listed includes the malware’s attempt to exfiltrate data via Telegram.

Malware utilizing Telegram displayed in the ANY.RUN sandbox

4. Exploitation of APIs

Attackers have found ways to exploit both Telegram’s and Discord’s APIs to further their malicious activities. By abusing these APIs, they can create harmful bots or automate a range of attacks. 

The powerful automation capabilities provided by these platforms’ APIs can be misused to carry out actions such as spamming, flooding channels with unwanted messages, or even coordinating complex cyberattacks. 

These APIs, designed to enhance user experience and functionality, unfortunately also provide a toolkit that, in the wrong hands, can facilitate various forms of malicious behavior.

Telegram API exploitation displayed in ANY.RUN sandbox

14 Days of Top Interactive Analysis Features

Experience the full potential of ANY.RUN’s sandbox and discover how interactive malware analysis can elevate your cybersecurity efforts.

  • Receive a clear verdict on a file or URL in under 40 seconds.
  • Complete the analysis in 3 simple steps: upload the sample, observe malicious behavior, and download the report.
  • Engage directly with the sample: solve CAPTCHAs, download and open attachments, or even reboot the system.
  • Monitor network activity, process details, registry modifications, and file system changes in real time.
  • Gather IOCs from over 79 malware families, including detailed configuration data.

Get a 14-day free trial with ANY.RUN to explore its advanced features
