Telegram EvilVideo Vulnerability Exploited to Execute Malicious Code


A new variant of the CVE-2024-7014 (EvilVideo) vulnerability, originally patched in Telegram for Android in July 2024, has resurfaced with updated tactics intended to bypass security measures.

Dubbed EvilLoader, the new exploit abuses Telegram's multimedia handling to execute malicious JavaScript by disguising .htm files as video content.

The attack chain, observed in active campaigns, shows how threat actors keep refining their methods to exploit legacy weaknesses in widely used messaging platforms.

Telegram EvilVideo Vulnerability

The vulnerability stems from improper validation of file formats within Telegram's Android client.

The vulnerability carries a CVSS v4.0 score of 7.1 (High), reflecting low attack complexity and high impact on integrity and availability.

While the original EvilVideo exploit (CVE-2024-7014) let attackers distribute Android Package Kit (APK) files disguised as video files, the updated attack vector replaces the APK with an HTML file containing embedded JavaScript.

When a victim receives the malicious file via Telegram, the client treats the .htm file as a video because it trusts the sender-supplied MIME type and filename (the "metadata headers" set by the uploader) rather than inspecting the content itself.

Android's content:// URI scheme plays a pivotal role in this exploit. When the user tries to open the disguised file, Telegram hands the system a content:// URI pointing at the cached file.

Because the content is HTML, the system resolves that URI to the default browser, which renders the page and runs the JavaScript embedded in it. Attackers exploit this behavior to deploy payloads ranging from IP loggers to droppers that fetch additional malware.

Attack Workflow and Payload Delivery

According to 0x6rss, a malware and CTI analyst, the EvilLoader campaign follows a multi-stage process:

Payload Crafting: Attackers generate an HTML file containing JavaScript designed to harvest device metadata (e.g., IP address, geolocation) or redirect to phishing pages.

Telegram API Abuse: Using Telegram's bot API, attackers upload the malicious HTML file with a spoofed MIME type (video/mp4) and a video-looking filename (testv.mp4).

User Interaction: Recipients see the file as a “30-second video” in chats. Automatic media downloading (enabled by default) or manual downloads retrieve the payload.

Code Execution: Attempting to play the "video" fails, and Telegram prompts the user to open it with an external app. The HTML file then loads in the browser, which runs the malicious scripts.

Affected platforms: Android devices running Telegram versions ≤10.14.4 (unpatched installs).

Observed payloads: data exfiltration, credential theft, and secondary malware downloads (e.g., banking Trojans, RATs).

Mitigation Recommendations

  • Update Telegram for Android to version ≥10.14.5, which enforces stricter file validation.
  • Navigate to Settings > Data and Storage > Automatic Media Download and disable automatic downloads for all chat types.
  • Train users to recognize suspicious files and not to open Telegram media in an external app when playback fails.
  • Deploy mobile threat defense solutions to detect anomalous HTML execution attempts.
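The "stricter file validation" in the first bullet comes down to one check: does the content match what the sender declared? The following Python is an added example written for this article (it is not Telegram's code and not the researcher's tooling). It flags an HTML document shipped under a video MIME type and .mp4 filename, the exact mismatch the EvilLoader attachment relies on, by looking at the bytes rather than the declared type. The sample bytes, function names and the list of MP4 box types are assumptions made for the demonstration.

```python
"""Content-vs-declaration check for a Telegram-style media attachment.

Added example, not Telegram's own validation code. Decides whether a file
declared as video/mp4 (e.g. "testv.mp4") really starts like an MP4 or is
an HTML document in disguise. All sample inputs below are constructed.
"""
import re

# ISO BMFF / MP4 files begin with a box header: 4-byte size, 4-byte type.
# "ftyp" is what a real encoder emits first; the others are tolerated so a
# truncated or re-muxed file is not mistaken for HTML (assumed set).
MP4_BOX_TYPES = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide"}

# Markup a browser would sniff as HTML even when the name says .mp4.
HTML_MARKERS = re.compile(
    rb"^\s*(?:<!doctype\s+html|<html|<head|<body|<script|<iframe|<meta|<title)",
    re.IGNORECASE,
)


def looks_like_mp4(data: bytes) -> bool:
    """True if the first box header carries a known MP4 box type."""
    return len(data) >= 8 and data[4:8] in MP4_BOX_TYPES


def looks_like_html(data: bytes) -> bool:
    """True if the head of the file is markup a browser would render."""
    head = data[:1024]
    if head.startswith(b"\xef\xbb\xbf"):  # browsers ignore a UTF-8 BOM
        head = head[3:]
    return HTML_MARKERS.match(head) is not None


def classify_attachment(filename: str, declared_mime: str, data: bytes) -> str:
    """Compare the sender's declaration with the actual content.

    Returns 'not-video' when nothing claims to be a video,
    'html-disguised-as-video' for the EvilLoader pattern,
    'ok' when the bytes really start like an MP4, else 'unverified'.
    """
    claims_video = declared_mime.lower().startswith("video/") or \
        filename.lower().endswith((".mp4", ".m4v", ".mov"))
    if not claims_video:
        return "not-video"
    if looks_like_html(data):          # check the dangerous case first
        return "html-disguised-as-video"
    if looks_like_mp4(data):
        return "ok"
    return "unverified"


# Constructed samples: a minimal real MP4 header and three HTML disguises.
SAMPLES = {
    "real.mp4": ("video/mp4",
                 b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"),
    "testv.mp4": ("video/mp4",
                  b"<!DOCTYPE html><html><body><script>/*...*/</script></body></html>"),
    "clip.mp4": ("video/mp4",
                 b"\xef\xbb\xbf\n  <html><head><title>x</title></head></html>"),
    "notes.txt": ("text/plain", b"<html>not claimed as video</html>"),
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; returns name -> verdict."""
    return {name: classify_attachment(name, mime, data)
            for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:<10} {verdict}")
```

The order of the checks matters: an attacker can prepend a fake `ftyp` box to an HTML file, but a browser given `content://` to that file will still start rendering at byte 0, so sniffing for HTML first catches the variant that a plain magic-byte check would wave through.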

The resurgence of CVE-2024-7014 via EvilLoader underscores the persistent risk of improper input validation in messaging platforms.

As attackers refine their tactics, organizations must adopt layered defenses that combine software updates, user awareness, and endpoint monitoring.

Telegram users should verify their app version immediately and treat unsolicited media files with caution, even those that appear to be harmless videos.



