New Go-Based Malware Exploits Telegram and Uses It as a C2 Channel


Researchers have identified a new backdoor, written in the Go programming language, that uses Telegram as its command-and-control (C2) channel.

While the malware appears to still be under development, it is already fully functional and capable of executing various malicious activities.

This innovative use of cloud-based applications like Telegram for C2 communication poses significant challenges for cybersecurity defenders.

  • A newly discovered Go-based backdoor, potentially of Russian origin, has been identified.
  • The malware uses Telegram as its primary C2 communication channel.
  • Despite being under development, the malware is operational and includes several implemented commands.

Technical Analysis

The malware is written in Go and functions as a backdoor once executed. On launch it first checks whether it is running from a specific path, C:\Windows\Temp\svchost.exe (the file name is borrowed from the legitimate svchost.exe in C:\Windows\System32 so that the process blends in).

If it is not, it copies itself to that location, launches the new copy and terminates the original process. This self-installation runs from an initialization (init) function, which in Go executes before the program's main function is called.

Interaction with Telegram

The malware uses an open-source Go package to talk to Telegram. It calls the package's NewBotAPIWithClient function to create a bot instance from a bot token, the credential that Telegram's BotFather issues when a bot is registered.

The analysed sample carried the token 8069094157:AAEyzkW_3R3C-tshfLwgdTYHEluwBxQnBuk. It then calls GetUpdatesChan, which returns a Go channel of incoming updates, and loops over that channel waiting for commands from its operators; underneath, the package keeps long-polling the Bot API's getUpdates method on the malware's behalf.

The backdoor currently supports four commands, three of which are fully implemented:

  • /cmd: Executes PowerShell commands received via Telegram.
  • /persist: Copies itself to C:\Windows\Temp\svchost.exe (the same path used at install time) and relaunches from there.
  • /screenshot: Not yet fully implemented but sends a placeholder message indicating a screenshot was captured.
  • /selfdestruct: Deletes itself and terminates its process.

Command output is returned to the operator's Telegram chat through the bot's send function; like every Bot API call this travels over HTTPS, so the traffic is encrypted in transit and looks like any other Telegram API request. For example, on /cmd the malware sends the operator a prompt (in Russian) to enter a PowerShell command, then runs that command with a hidden window.
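To make the polling loop concrete, here is an added example of the exchange described above, with both sides in one process. It is not code from the sample or from Netskope. The implant side issues the same two Bot API calls that a library's GetUpdatesChan loop makes underneath, getUpdates to long-poll for operator messages and sendMessage to return results; the Telegram side is a constructed stand-in wired into the HTTP client through a custom transport, so the code uses the real https://api.telegram.org URL shape without opening a socket. The token, chat ID and messages are invented, and the command handlers only report which verb arrived rather than executing anything.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Subset of the Bot API JSON carried by getUpdates.
type Message struct {
	Text string                         `json:"text"`
	Chat struct{ ID int64 `json:"id"` } `json:"chat"`
}
type Update struct{ Message Message `json:"message"` }
// inProcess feeds an http.Client straight into a handler: real api.telegram.org URLs, no socket.
type inProcess struct{ h http.Handler }
func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}
// FakeOperator plays the Telegram side (constructed for this example): queued
// operator messages go out via getUpdates, implant replies land in Sent.
type FakeOperator struct {
	pending []Update
	Sent    []string
	Client  *http.Client
}
func NewFakeOperator(token string, commands []string) *FakeOperator {
	f := &FakeOperator{}
	for _, c := range commands {
		var u Update
		u.Message.Text, u.Message.Chat.ID = c, 42
		f.pending = append(f.pending, u)
	}
	mux := http.NewServeMux()
	// Every method lives under /bot<token>/, so the token is in each request URL.
	mux.HandleFunc("/bot"+token+"/getUpdates", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]interface{}{"ok": true, "result": f.pending})
		f.pending = nil // the real API filters on ?offset=; here each message is served once
	})
	mux.HandleFunc("/bot"+token+"/sendMessage", func(w http.ResponseWriter, r *http.Request) {
		r.ParseForm()
		f.Sent = append(f.Sent, r.PostForm.Get("text"))
		w.Write([]byte(`{"ok":true}`))
	})
	f.Client = &http.Client{Transport: inProcess{mux}}
	return f
}

// verbs is the command set from the write-up; anything else is ignored.
var verbs = map[string]bool{"/cmd": true, "/persist": true, "/screenshot": true, "/selfdestruct": true}
// Dispatch returns the reply for one operator message, or "" for plain chat or
// an unknown verb. Nothing is executed: the reply only names what was asked.
func Dispatch(text string) string {
	f := strings.Fields(text)
	if len(f) == 0 || !verbs[f[0]] {
		return ""
	}
	return "handled " + f[0] + " args=" + strings.Join(f[1:], " ")
}

const apiBase = "https://api.telegram.org"
// RunOnce is one turn of the implant loop: a getUpdates long-poll (what the
// library's GetUpdatesChan issues repeatedly), dispatch, then sendMessage back.
func RunOnce(c *http.Client, token string) ([]string, error) {
	resp, err := c.Get(apiBase + "/bot" + token + "/getUpdates?offset=0&timeout=30")
	if err != nil {
		return nil, err
	}
	var out struct{ OK bool; Result []Update } // encoding/json matches keys case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || !out.OK {
		return nil, fmt.Errorf("getUpdates failed: err=%v ok=%v", err, out.OK)
	}
	var replies []string
	for _, u := range out.Result {
		reply := Dispatch(u.Message.Text)
		if reply == "" {
			continue
		}
		form := url.Values{"chat_id": {fmt.Sprint(u.Message.Chat.ID)}, "text": {reply}}
		if _, err := c.PostForm(apiBase+"/bot"+token+"/sendMessage", form); err != nil {
			return replies, err
		}
		replies = append(replies, reply)
	}
	return replies, nil
}

func main() {
	const token = "123456789:AAExampleTokenNotRealNotRealNotRealAA" // constructed, not a real token
	op := NewFakeOperator(token, []string{"/cmd whoami", "/screenshot", "hello"})
	fmt.Println(RunOnce(op.Client, token)) // implant side
	fmt.Println(op.Sent)                    // operator side
}
```

Two details matter for defenders: the bot token sits in the path of every request, and an idle implant shows up as an endless series of getUpdates long-polls (here timeout=30) from one process to api.telegram.org, which is a very different traffic shape from a user's Telegram client.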

Using cloud applications like Telegram as a C2 channel complicates detection: the implant's traffic is ordinary HTTPS to api.telegram.org, a domain many organisations allow, so it blends in with legitimate API usage while giving the attacker free, ready-made infrastructure with no servers to register or maintain.

Other cloud apps such as OneDrive, GitHub, and Dropbox could similarly be exploited in this way, making it increasingly difficult for defenders to differentiate between benign and malicious traffic.
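An added detection example, written for this page rather than taken from Netskope or the malware, that turns two observations from the analysis into rules over constructed endpoint telemetry: a process named svchost.exe running outside System32 or SysWOW64, and any process not on an allowlist calling the Telegram Bot API, recognised by the bot<id>:<secret> segment in the URL. The pipe-separated log format, hostnames, allowlist entry and two of the three tokens are invented; the first token is the one quoted above from the analysed sample.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one row of constructed endpoint telemetry: the process image and
// the URL it requested, as an EDR or TLS-inspecting proxy would record it.
type Event struct{ Time, Host, Image, URL string }

type Alert struct{ Rule, Host, Image, Token string }

// Bot API calls carry the BotFather token in the path:
// https://api.telegram.org/bot<id>:<secret>/<method>. Token lengths are not
// documented as fixed, so the pattern is tolerant rather than exact.
var botTokenRe = regexp.MustCompile(`api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{30,40})/`)

// allowedBotClients lists images expected to use the Bot API on this estate.
// Assumed for the example; populate it from your own automation inventory.
var allowedBotClients = map[string]bool{
	`c:\program files\opsalerts\alerts.exe`: true,
}

func ParseLine(line string) (Event, error) {
	f := strings.Split(line, "|")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("expected 4 fields, got %d: %q", len(f), line)
	}
	return Event{Time: f[0], Host: f[1], Image: f[2], URL: f[3]}, nil
}

// masqueradingSvchost flags an svchost.exe that does not live in either
// directory Windows installs it in.
func masqueradingSvchost(image string) bool {
	img := strings.ToLower(image)
	return strings.HasSuffix(img, `\svchost.exe`) &&
		!strings.HasPrefix(img, `c:\windows\system32\`) &&
		!strings.HasPrefix(img, `c:\windows\syswow64\`)
}

// Analyze runs both rules over the events and returns one Alert per hit.
func Analyze(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		if masqueradingSvchost(e.Image) {
			alerts = append(alerts, Alert{Rule: "svchost outside System32", Host: e.Host, Image: e.Image})
		}
		m := botTokenRe.FindStringSubmatch(e.URL)
		if m != nil && !allowedBotClients[strings.ToLower(e.Image)] {
			alerts = append(alerts, Alert{Rule: "Telegram Bot API from unexpected process",
				Host: e.Host, Image: e.Image, Token: m[1]})
		}
	}
	return alerts
}

func AnalyzeLog(text string) ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		ev, err := ParseLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Analyze(events), nil
}

// SampleLog is constructed for this example (time|host|image|url). The first
// token is the one the analysed sample carried; the other two are made up.
const SampleLog = `2025-02-15T10:02:11Z|WS01|C:\Windows\Temp\svchost.exe|https://api.telegram.org/bot8069094157:AAEyzkW_3R3C-tshfLwgdTYHEluwBxQnBuk/getUpdates?offset=0&timeout=60
2025-02-15T10:02:12Z|WS01|C:\Windows\System32\svchost.exe|http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
2025-02-15T10:03:40Z|SRV02|C:\Program Files\OpsAlerts\alerts.exe|https://api.telegram.org/bot111111111:AAFakeTokenForTheOpsTeamBotXXXXXXXXXX/sendMessage
2025-02-15T10:05:03Z|WS07|C:\Users\bob\AppData\Local\Temp\update.exe|https://api.telegram.org/bot222222222:AAGAnotherFakeTokenUsedInThisExampleY/sendMessage
2025-02-15T10:06:00Z|WS07|C:\Program Files\Mozilla Firefox\firefox.exe|https://web.telegram.org/k/`

func main() {
	alerts, err := AnalyzeLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		// The token is the credential for the attacker's bot: log the bot ID, not the secret.
		id := strings.SplitN(a.Token, ":", 2)[0]
		fmt.Printf("%-42s host=%s image=%s bot_id=%s\n", a.Rule, a.Host, a.Image, id)
	}
}
```

The Bot API rule only fires where the URL path is visible, which means TLS inspection at the proxy or process-level telemetry that records request paths; with plain DNS or NetFlow data the fallback is the weaker signal of which processes resolve api.telegram.org at all. The same shape applies to the other cloud services mentioned above once their API hostnames and credential-in-URL patterns are substituted.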

Netskope Advanced Threat Protection proactively detects this threat under the identifier “Trojan.Generic.37477095.” The company emphasized the importance of monitoring such evolving threats and adapting defenses accordingly.

This Go-based malware highlights how attackers are leveraging cloud applications to bypass traditional detection mechanisms. By exploiting platforms like Telegram for C2 communication, attackers simplify their operations while complicating defensive measures.

Netskope Threat Labs reported that they will continue monitoring this backdoor’s development and its associated tactics, techniques, and procedures (TTPs).

For additional technical details and indicators of compromise (IOCs), Netskope has made relevant data available in their GitHub repository.
