Ethical Hacking News

New Golang-Based Backdoor Unleashes Evasive C2 Operations via Telegram Bot API




A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Believed to have originated from Russian hackers, this malware showcases the increasing sophistication of threat actors in exploiting vulnerabilities and leveraging open-source libraries. With its use of cloud apps and Telegram's vast user base, this attack highlights the importance of staying vigilant and proactive in securing systems against evolving threats.

  • A novel Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications.
  • The malware is designed to check if it's running under a specific location and using a specific name, and if not, it writes its own contents to that location and creates a new process to launch the copied version.
  • The backdoor allows hackers to remotely access compromised systems via the Telegram Bot API.
  • The malware uses an open-source library for Golang bindings of the Telegram Bot API, providing stealth and evasion from detection.
  • The malware supports four different commands: /cmd, /persist, /screenshot, and /selfdestruct.
  • The use of cloud apps poses a complex challenge to defenders, while attackers are well aware of its potential.



    In a recent development that has sent shockwaves through the cybersecurity community, researchers at Netskope Threat Labs have shed light on a novel Golang-based backdoor that leverages the Telegram Bot API for command-and-control (C2) communications. This malware, which is believed to have originated from Russian hackers, showcases the increasing sophistication of threat actors in exploiting vulnerabilities and leveraging open-source libraries to further their malicious goals.

    The malware, compiled in Golang, first checks whether it is running from a specific location under a specific name – "C:\Windows\Temp\svchost.exe" – and if not, it reads its own contents, writes them to that location, launches the copied version as a new process, and terminates itself. This self-relocating behavior is the installation step of a backdoor that gives attackers remote access to compromised systems.

    What sets this malware apart from others is its use of an open-source library that offers Golang bindings for the Telegram Bot API. By interacting with the Telegram Bot API, the malware can receive new commands originating from an actor-controlled chat and execute them on the compromised system. This approach provides a high degree of stealth and evasion, as it leverages a widely used communication platform to avoid detection.

    The malware supports four different commands: /cmd, which executes commands via PowerShell; /persist, which relaunches itself under "C:\Windows\Temp\svchost.exe"; /screenshot, which is only partially implemented and merely sends the message "Screenshot captured"; and /selfdestruct, which deletes the "C:\Windows\Temp\svchost.exe" file and terminates itself. The output of these commands is sent back to the Telegram chat, so all C2 traffic blends in with legitimate Telegram API traffic.
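    A defender-side illustration, added here and not taken from Netskope's report or from the malware itself: two detection checks run over constructed telemetry records, one for svchost.exe executing outside its legitimate System32/SysWOW64 directories (the relaunch location described above), and one for a process other than an expected Telegram client contacting api.telegram.org, the Bot API host. The record shape and the client allowlist are assumptions made for the example.

```go
package main
import (
	"fmt"
	"strings"
)

// Event is a constructed, minimal telemetry record (not a real EDR schema):
// Image is the process image path; Dest is the remote host of an outbound
// connection, or empty for a plain process-start event.
type Event struct{ Image, Dest string }
// The real svchost.exe only runs from these directories; a copy under
// C:\Windows\Temp, where this backdoor relaunches itself, is a masquerade.
var legitSvchostDirs = map[string]bool{`c:\windows\system32`: true, `c:\windows\syswow64`: true}

// Processes expected to reach the Bot API host (assumed allowlist for this example).
var telegramClients = map[string]bool{"telegram.exe": true, "chrome.exe": true, "msedge.exe": true, "firefox.exe": true}

// splitWin splits a Windows path at its last \ or / into directory and file name.
func splitWin(p string) (dir, name string) {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[:i], p[i+1:]
	}
	return "", p
}

// Classify returns the names of the detection rules an event matches.
func Classify(e Event) []string {
	var hits []string
	dir, name := splitWin(strings.ToLower(e.Image))
	if name == "svchost.exe" && !legitSvchostDirs[dir] {
		hits = append(hits, "svchost-masquerade")
	}
	if strings.EqualFold(e.Dest, "api.telegram.org") && !telegramClients[name] {
		hits = append(hits, "telegram-bot-api-from-unexpected-process")
	}
	return hits
}
func main() {
	// Constructed samples: a benign service host, the relaunched copy polling the
	// Bot API, and a browser reaching the same host (expected, so not flagged).
	for _, e := range []Event{
		{Image: `C:\Windows\System32\svchost.exe`},
		{Image: `C:\Windows\Temp\svchost.exe`, Dest: "api.telegram.org"},
		{Image: `C:\Program Files\Mozilla Firefox\firefox.exe`, Dest: "api.telegram.org"},
	} {
		fmt.Printf("%-55s %v\n", e.Image, Classify(e))
	}
}
```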

    According to Leandro Fróes, a security researcher at Netskope Threat Labs, the use of cloud apps presents a complex challenge to defenders, while attackers are well aware of its potential. "Other aspects such as how easy it is to set and start the use of the app are examples of why attackers use applications like that in different phases of an attack," Fróes noted.

    The Russian roots of the malware are evident in the fact that the /cmd instruction sends the message "Enter the command:" in Russian to the chat. This subtle detail highlights the human element involved in many cyberattacks, as hackers often rely on cultural and linguistic nuances to evade detection.

    The emergence of this Golang-based backdoor underscores the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. As attackers become increasingly adept at exploiting vulnerabilities and leveraging open-source libraries, defenders must adapt their strategies to stay one step ahead.

    In response to this evolving threat landscape, it is essential for organizations to remain vigilant and proactive in securing their systems against such malicious activities. By implementing robust security measures and staying informed about emerging threats, individuals and enterprises can reduce the risk of falling prey to sophisticated attacks like this Golang-based backdoor.



    Related Information:

  • https://thehackernews.com/2025/02/new-golang-based-backdoor-uses-telegram.html

  • https://healsecurity.com/new-golang-based-backdoor-uses-telegram-bot-api-for-evasive-c2-operations/


  • Published: Mon Feb 17 05:06:34 2025 by llama3.2 3B Q4_K_M
