New Golang Backdoor Uses Telegram API for Covert Command and Control

Feb 18, 2025 | News





Telegram as a Malware C2 Channel

Cybersecurity researchers at Netskope have uncovered a new Golang-based backdoor that uses Telegram's Bot API as its command-and-control (C2) channel.

The malware, detected as Trojan.Generic.37477095, appears to be of Russian origin. It is a compact illustration of a broader trend: attackers abusing legitimate cloud services for C2 so that they need no dedicated infrastructure and their traffic blends in with ordinary HTTPS to a well-known domain.

How the Malware Works

Installation and Persistence

When executed, the malware first runs a function named installSelf, which checks whether the binary is running from its designated location:

  • Target path: C:\Windows\Temp\svchost.exe
  • If it is not, the malware copies itself to that path, launches the new copy, and terminates the original process.

This ensures the backdoor always runs from a fixed, attacker-chosen location before it starts processing commands. The file name is chosen to blend in: the legitimate svchost.exe lives in C:\Windows\System32 (and SysWOW64) and is started by services.exe, so a svchost.exe executing from C:\Windows\Temp, or with any other parent, is a strong anomaly worth alerting on.
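The following Go program is an added example (it is neither Netskope's analysis code nor the malware's own) showing the process-level detection logic a defender can derive from the installSelf behaviour. It runs over constructed process-creation events whose field names (Image, ParentImage, CommandLine) are assumed to mirror Sysmon Event ID 1: a svchost.exe outside System32/SysWOW64, a svchost.exe not started by services.exe, a child of such a rogue svchost.exe, and a hidden-window PowerShell launch (the pattern the /cmd command produces) are each flagged. The regexp mirrors PowerShell's prefix matching of parameter names, so "-w h" is caught as well as "-WindowStyle Hidden".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent carries the fields a process-creation telemetry source
// (for example Sysmon Event ID 1) provides. The field names are assumptions.
type ProcessEvent struct {
	Image       string // full path of the new process
	ParentImage string // full path of its parent
	CommandLine string
}

// Finding is one rule hit and the image that triggered it.
type Finding struct {
	Image  string
	Reason string
}

// The real svchost.exe lives only in these directories on a 64-bit install.
var legitSvchostDirs = map[string]bool{
	`c:\windows\system32`: true,
	`c:\windows\syswow64`: true,
}

// prefixAlternation returns a regexp alternation of every prefix of word,
// longest first, to mirror PowerShell's prefix matching of parameter names
// and enum values ("-w h" is accepted as "-WindowStyle Hidden").
func prefixAlternation(word string) string {
	alts := make([]string, 0, len(word))
	for i := len(word); i >= 1; i-- {
		alts = append(alts, word[:i])
	}
	return "(?:" + strings.Join(alts, "|") + ")"
}

var hiddenWindow = regexp.MustCompile(`(?i)-` + prefixAlternation("windowstyle") +
	`\s+` + prefixAlternation("hidden") + `\b`)

// splitWin splits a Windows path into lower-cased directory and file name,
// independent of the OS the hunt runs on.
func splitWin(p string) (dir, base string) {
	p = strings.ToLower(strings.ReplaceAll(p, "/", `\`))
	if i := strings.LastIndex(p, `\`); i >= 0 {
		return p[:i], p[i+1:]
	}
	return "", p
}

// Hunt applies four rules derived from the installSelf behaviour.
func Hunt(events []ProcessEvent) []Finding {
	var out []Finding
	for _, e := range events {
		dir, base := splitWin(e.Image)
		pdir, pbase := splitWin(e.ParentImage)
		if base == "svchost.exe" && !legitSvchostDirs[dir] {
			out = append(out, Finding{e.Image, "svchost.exe outside System32/SysWOW64: " + dir})
		} else if base == "svchost.exe" && pbase != "services.exe" {
			// Legitimate service hosts are started by services.exe; baseline any exceptions.
			out = append(out, Finding{e.Image, "svchost.exe not started by services.exe: parent " + e.ParentImage})
		}
		if pbase == "svchost.exe" && !legitSvchostDirs[pdir] {
			out = append(out, Finding{e.Image, "child of a rogue svchost.exe: " + e.ParentImage})
		}
		if base == "powershell.exe" && hiddenWindow.MatchString(e.CommandLine) {
			out = append(out, Finding{e.Image, "hidden-window PowerShell spawned by " + e.ParentImage})
		}
	}
	return out
}

// SampleEvents are constructed: one legitimate service host, the relocated
// backdoor, the PowerShell child a /cmd produces, a svchost.exe with a
// suspicious parent, and a hidden PowerShell launched from Explorer.
var SampleEvents = []ProcessEvent{
	{`C:\Windows\System32\svchost.exe`, `C:\Windows\System32\services.exe`, `C:\Windows\System32\svchost.exe -k netsvcs -p`},
	{`C:\Windows\Temp\svchost.exe`, `C:\Users\victim\Downloads\invoice.exe`, `C:\Windows\Temp\svchost.exe`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\Temp\svchost.exe`, `powershell.exe -WindowStyle Hidden -Command "whoami"`},
	{`C:\Windows\System32\svchost.exe`, `C:\Users\victim\AppData\Local\Temp\loader.exe`, `svchost.exe`},
	{`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\explorer.exe`, `powershell.exe -w h -ep bypass -f C:\Users\victim\a.ps1`},
}

func main() {
	for _, f := range Hunt(SampleEvents) {
		fmt.Printf("%-60s %s\n", f.Image, f.Reason)
	}
}
```

The legitimate event produces no finding; the other four produce five hits in total, because the PowerShell child of the Temp svchost.exe trips both the rogue-parent rule and the hidden-window rule. The services.exe parent check is the one most likely to need a per-environment baseline.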

[Figure: Detect It Easy output showing the sample identified as a backdoor on execution (screenshot via Netskope)]

Command-and-Control via Telegram

The malware talks to Telegram's Bot API through an open-source Go package. Because the traffic is ordinary HTTPS to api.telegram.org, it is hard to separate from legitimate use of the service, and the attacker never has to operate a server of their own.

  • It authenticates to the Bot API with a bot token (issued by Telegram's BotFather) that is hard-coded in the binary; the researchers extracted the token from the analyzed sample.
  • It then monitors a private Telegram chat and treats messages from the attacker as commands. An implant on a victim host cannot receive webhooks, so it has to poll the API for new messages.


Available Commands and Capabilities

The backdoor currently supports four commands, though one of them (/screenshot) is not yet fully implemented:

Command         Function
/cmd            Runs an attacker-supplied PowerShell command in a hidden window
/persist        Ensures the malware remains running
/screenshot     Not fully implemented; only sends a confirmation message
/selfdestruct   Deletes the malware file and stops execution

When it receives /cmd, the malware replies in the chat with a Russian-language prompt ("Enter the command:"), then waits for the operator's next message, which it treats as a PowerShell command and executes in a hidden PowerShell window. For a defender the observable artefact of this two-message exchange is the child process: a hidden-window powershell.exe spawned by the svchost.exe in C:\Windows\Temp.
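To make the Bot API exchange concrete, here is an added Go example that models the bot side of the command loop described in the two sections above. It is not the malware's code and not Netskope's; the page does not name the Go package the sample uses, so this relies only on encoding/json and net/url. It builds Bot API URLs (the token sits in the path), parses a constructed getUpdates response in the documented JSON shape of a Telegram Update, tracks the offset so Telegram does not redeliver, and implements the two-message /cmd flow and the other three commands as recorded actions rather than executing anything. The chat id, update ids and the PowerShell command are made up, and the /cmd prompt is given in English where the page reports it in Russian.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Chat, Message and Update mirror the subset of Telegram's Update object a
// bot needs: the chat to reply to and the text of the incoming message.
type Chat struct {
	ID int64 `json:"id"`
}

type Message struct {
	Chat Chat   `json:"chat"`
	Text string `json:"text"`
}

type Update struct {
	UpdateID int64    `json:"update_id"`
	Message  *Message `json:"message"` // nil for non-message updates
}

// getUpdatesResponse is the envelope the getUpdates method returns.
type getUpdatesResponse struct {
	OK     bool     `json:"ok"`
	Result []Update `json:"result"`
}

// Action is what the loop decides to do. A real implant would act on it;
// here it is only recorded, which is all an analyst needs to trace the flow.
type Action struct {
	Kind   string // "reply", "run_powershell", "persist", "selfdestruct"
	ChatID int64
	Text   string // reply text, or the PowerShell command received
}

// Session holds the loop's state: the offset for the next getUpdates call
// (last update_id + 1, so Telegram stops redelivering) and whether a /cmd
// prompt is outstanding, in which case the next message is the command.
type Session struct {
	Offset      int64
	awaitingCmd bool
}

// BotAPIURL builds a Bot API request URL. The token is part of the path,
// which is why it can be recovered from the binary or from URL telemetry.
func BotAPIURL(token, method string, q url.Values) string {
	u := "https://api.telegram.org/bot" + token + "/" + method
	if len(q) > 0 {
		u += "?" + q.Encode()
	}
	return u
}

// Handle consumes one getUpdates response body and returns the actions the
// four documented commands produce.
func (s *Session) Handle(body []byte) ([]Action, error) {
	var resp getUpdatesResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if !resp.OK {
		return nil, fmt.Errorf("getUpdates returned ok=false")
	}
	var acts []Action
	for _, u := range resp.Result {
		if u.UpdateID >= s.Offset {
			s.Offset = u.UpdateID + 1
		}
		if u.Message == nil {
			continue
		}
		chat, text := u.Message.Chat.ID, u.Message.Text
		switch {
		case s.awaitingCmd: // second half of /cmd: this message is the command
			s.awaitingCmd = false
			acts = append(acts, Action{"run_powershell", chat, text})
		case text == "/cmd": // first half: prompt, then wait for the next message
			s.awaitingCmd = true
			acts = append(acts, Action{"reply", chat, "Enter the command:"})
		case text == "/persist":
			acts = append(acts, Action{"persist", chat, ""})
		case text == "/screenshot": // unimplemented: only an acknowledgement
			acts = append(acts, Action{"reply", chat, "screenshot: not implemented"})
		case text == "/selfdestruct":
			acts = append(acts, Action{"selfdestruct", chat, ""})
		}
	}
	return acts, nil
}

// SampleUpdates is a constructed getUpdates response: the two-message /cmd
// exchange followed by /screenshot, all from one private chat.
const SampleUpdates = `{"ok":true,"result":[
  {"update_id":700001,"message":{"message_id":10,"chat":{"id":123456789,"type":"private"},"text":"/cmd"}},
  {"update_id":700002,"message":{"message_id":11,"chat":{"id":123456789,"type":"private"},"text":"Get-Process | Select-Object -First 3"}},
  {"update_id":700003,"message":{"message_id":12,"chat":{"id":123456789,"type":"private"},"text":"/screenshot"}}
]}`

func main() {
	s := &Session{}
	acts, err := s.Handle([]byte(SampleUpdates))
	if err != nil {
		panic(err)
	}
	for _, a := range acts {
		fmt.Printf("%-15s chat=%d %q\n", a.Kind, a.ChatID, a.Text)
	}
	fmt.Println("next poll:", BotAPIURL("<bot-token>", "getUpdates",
		url.Values{"offset": {fmt.Sprint(s.Offset)}, "timeout": {"30"}}))
}
```

Note what this shape implies for the network side: every poll is a GET to the same host with the token in the path, and every reply is a POST to sendMessage with the same token, so a single token ties the whole session together and is the one artefact worth reporting to Telegram for takedown.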

Stealth and Detection Challenges

By using Telegram as its C2 platform, the malware needs no attacker-owned infrastructure. The researchers note that this makes detection hard:

  • Cloud APIs such as Telegram's are widely used by legitimate applications, so traffic to api.telegram.org does not stand out, and the Bot API conversation is carried inside TLS, so its content cannot be inspected without interception.
  • If a bot is reported and shut down, the attacker can simply create a new one and ship a new token; there is no IP address or domain to block that would not also block legitimate Telegram use.



Mitigation and Protection

To defend against threats like this, organizations should:

  • Monitor outbound traffic to api.telegram.org and alert when it originates from a process or host with no business reason to use Telegram bots; where Telegram is not used at all, block the domain at the proxy.
  • Restrict PowerShell via Group Policy or EDR: enforce Constrained Language Mode or application control (AppLocker/WDAC), enable script block and module logging, and alert on hidden-window PowerShell launched by unexpected parent processes.
  • Deploy behavioural analysis that catches unusual process activity, such as a svchost.exe running from C:\Windows\Temp or started by anything other than services.exe.
  • Ensure antivirus and anti-malware solutions handle Go-compiled executables, which are large, statically linked and often poorly covered by signatures, rather than relying on signature matching alone.
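The first mitigation above, and the Telegram C2 mechanism described earlier, both come down to the same hunt. The following Go program is an added example (not from the article or from Netskope) that runs it over constructed proxy/EDR log lines: any connection to api.telegram.org from a process other than an allow-listed Telegram client is flagged, and when the full request URL is visible the bot token and Bot API method are extracted from the path. The log format (space-separated key=value fields), the process allow-list and the token length bound are assumptions. Note the caveat built into the code: a plain proxy sees only the CONNECT host, so the token is recoverable only with TLS inspection or endpoint URL telemetry.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one outbound request worth an analyst's attention.
type Finding struct {
	Host    string // endpoint that made the request
	Process string // image name, lower-cased
	Token   string // bot token, only when the URL path was visible
	Method  string // Bot API method, e.g. getUpdates or sendMessage
}

// botPath matches "/bot<id>:<secret>/<method>". Real tokens are a numeric bot
// id, a colon and a secret of roughly 35 characters; the bound is an assumption.
var botPath = regexp.MustCompile(`^/bot(\d+:[A-Za-z0-9_-]{30,})/([A-Za-z]+)`)

// parseKV turns "k=v k=v ..." into a map. The log format is constructed.
func parseKV(line string) map[string]string {
	m := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			m[k] = v
		}
	}
	return m
}

// HuntTelegramC2 flags traffic to api.telegram.org from any process not in
// allowedProcs. The token and method are filled in only when the URL path is
// logged, which needs TLS inspection or endpoint URL telemetry; a plain proxy
// records just the CONNECT host and port.
func HuntTelegramC2(lines []string, allowedProcs map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		kv := parseKV(line)
		dstHost, _, _ := strings.Cut(kv["dst"], ":")
		proc := strings.ToLower(kv["proc"])
		if dstHost != "api.telegram.org" || allowedProcs[proc] {
			continue
		}
		f := Finding{Host: kv["host"], Process: proc}
		if u, err := url.Parse(kv["url"]); err == nil && u.Host == "api.telegram.org" {
			if m := botPath.FindStringSubmatch(u.Path); m != nil {
				f.Token, f.Method = m[1], m[2]
			}
		}
		out = append(out, f)
	}
	return out
}

// MaskToken keeps the bot id (enough for an abuse report) and hides the secret.
func MaskToken(tok string) string {
	id, secret, ok := strings.Cut(tok, ":")
	if !ok || len(secret) < 4 {
		return tok
	}
	return id + ":" + secret[:4] + strings.Repeat("*", len(secret)-4)
}

// SampleLog is constructed. The token is a made-up value of plausible shape.
var SampleLog = []string{
	"ts=2025-02-18T10:01:02Z host=ws-042 proc=Telegram.exe dst=api.telegram.org:443 url=-",
	"ts=2025-02-18T10:01:07Z host=ws-042 proc=chrome.exe dst=web.telegram.org:443 url=-",
	"ts=2025-02-18T10:01:09Z host=ws-042 proc=svchost.exe dst=api.telegram.org:443 url=https://api.telegram.org/bot7123456789:AAHfakeTokenForExample_abcdefghijklmno/getUpdates?offset=700004&timeout=30",
	"ts=2025-02-18T10:01:41Z host=ws-042 proc=svchost.exe dst=api.telegram.org:443 url=https://api.telegram.org/bot7123456789:AAHfakeTokenForExample_abcdefghijklmno/sendMessage",
	"ts=2025-02-18T10:02:00Z host=ws-043 proc=powershell.exe dst=api.telegram.org:443 url=-",
}

func main() {
	allowed := map[string]bool{"telegram.exe": true} // Telegram Desktop client
	for _, f := range HuntTelegramC2(SampleLog, allowed) {
		fmt.Printf("%s %-16s method=%-12s token=%s\n", f.Host, f.Process, f.Method, MaskToken(f.Token))
	}
}
```

Three of the five lines are flagged: the two svchost.exe requests, from which the same token and the getUpdates/sendMessage pair are recovered, and a PowerShell connection on a second host where only the destination is known. The Telegram Desktop client is allow-listed and the browser session to web.telegram.org is not Bot API traffic, so neither produces a finding.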


Source: hackread.com
