Analyzing a New PowerShell-Based Telegram Session Stealer: From Pastebin to Bot API Exfiltration

Threat actors are currently refining a specialized class of infostealers specifically designed to hijack Telegram sessions. Unlike broad-spectrum malware that scrapes general browser credentials or banking passwords, this new toolchain focuses narrowly on exfiltrating Telegram’s proprietary session data.

By leveraging a PowerShell script hosted on Pastebin—disguised under the innocuous guise of a Windows Telemetry Update—attackers are providing defenders with a rare “behind-the-scenes” look at the early-stage development and testing of targeted session-hijacking tools.

While the methodology lacks the complexity of high-end APT frameworks, its surgical focus on the MTProto authorization keys makes it a potent threat for bypassing multi-factor authentication (MFA) and SMS verification.

Technical Breakdown: How the PowerShell Stealer Operates

The lifecycle of this attack begins with social engineering and ends with automated exfiltration via the Telegram Bot API. The script’s lack of significant obfuscation suggests it is currently in a validation or “beta” phase, allowing researchers to map out the attacker’s entire infrastructure with ease.

Telegram application data visualization
Analysis of target Telegram application data structures (Source: flare).

1. Environmental Profiling & Reconnaissance:
Upon execution, the script immediately establishes a connection to the operator’s command-and-control (C2) infrastructure using hardcoded credentials for a bot identified as “afhbhfsdvfh_bot.” To provide context for any stolen data, the script performs local reconnaissance, gathering the victim’s username, hostname, and public IP address via api.ipify.org. This metadata is packaged as a caption for the stolen files, allowing the attacker to instantly profile the victim’s environment.

2. Targeting the TData Directory:
The primary objective is the `tdata` folder located within the user’s AppData directory. This directory is used by the Telegram Desktop client to store long-lived authentication keys. By acquiring these files, an attacker can clone a session onto a different device, bypassing the need for a password or a fresh login code.

3. File Manipulation & Compression:
To avoid file-lock errors, the script actively terminates the Telegram.exe process. Once the process is killed, it locates the Telegram Desktop and Telegram Desktop Beta directories, compresses the sensitive `tdata` folders into a single archive named diag.zip within the user’s TEMP directory, and prepares it for transport.

4. Exfiltration via Multipart/Form-Data:
In the updated “v2” version of the script, the attacker utilizes the sendDocument method of the Telegram Bot API. The PowerShell script uses Invoke-RestMethod to construct a precise multipart/form-data request, sending the diag.zip archive directly to the attacker’s chat ID. Notably, the script includes a WebClient fallback mechanism: if the primary API request fails, it attempts a secondary upload method to ensure the payload reaches its destination, even if metadata is sacrificed.

Original Pastebin post displaying the malicious script
Original Pastebin post masquerading as a system update (Source: flare).

The Parallel Threat: Web-Based Session Hijacking

Forensic analysis revealed that the same bot infrastructure is being used to manage a second, distinct threat: a web-based Telegram session stealer. While the PowerShell script targets desktop clients, this secondary tool targets Telegram Web by scraping browser local storage.

Recovered JSON previews from the attacker’s bot channel showed high-value targets, specifically dc3_auth_key and dc4_auth_key values. These keys are the “holy grail” for hijacking web sessions, as they allow an attacker to reconstruct a fully authenticated session within a browser environment.

Code snippet showing fixed multipart upload logic
The v2 script demonstrates a more stable multipart/form-data implementation (Source: flare).

Data was being routed to a local HTTP collector (located at 192.168.137[.]131:5000), which strongly indicates that the operator is currently testing these tools within a controlled, private laboratory environment. The presence of a private LAN “VPS” and static user-agent strings suggests that we are observing a “dry run” rather than an active, widespread campaign.

Defensive Implications and Conclusion

Although this specific toolset appears to be in the testing phase, it highlights a significant trend: the weaponization of legitimate APIs (like Telegram’s Bot API) to facilitate data exfiltration. This “living off the land” approach via trusted communication channels can often bypass traditional Endpoint Detection and Response (EDR) solutions if they are only looking for known malicious domains.

Key Takeaways for Defenders:

  • Monitor Paste Sites: Continuous monitoring of Pastebin and similar services can provide early warnings of “leaked” or emerging malware stubs.
  • Detect Anomalous PowerShell Activity: Watch for PowerShell scripts making outbound connections to api.telegram.org or attempting to terminate messaging applications.
  • File Integrity Monitoring: Implement alerts for unauthorized access or compression of the AppData\Roaming\Telegram Desktop\tdata directory.

By identifying the bot tokens and chat IDs used in these testing phases, security teams can proactively update their threat intelligence feeds before these tools are integrated into larger, more sophisticated malware campaigns.

Related Articles

Back to top button