Telegram 2FA Not Cracked, Attackers Hijack Logged-In Sessions
Key Takeaways A new macOS info-stealing malware circumvents Telegram’s 2FA by directly hijacking active user sessions. The threat extracts local session files, enabling attackers to resume...
Key Takeaways
- A new macOS info-stealing malware circumvents Telegram’s 2FA by directly hijacking active user sessions.
- The threat extracts local session files, enabling attackers to resume authenticated Telegram sessions without needing passwords or 2FA codes.
- Beyond Telegram, the malware targets a wide array of sensitive data, including macOS Keychain, browser credentials, Apple Notes, and 16 cryptocurrency wallet applications.
- Attackers use fake password prompts and malicious app replacements to steal system passwords and cryptocurrency recovery phrases.
- Users are advised to regularly review active Telegram sessions, secure their Desktop app with a passcode, and exercise extreme caution with unexpected software updates or prompts, especially concerning crypto wallets.
Sophisticated macOS Malware Bypasses Telegram 2FA by Hijacking Sessions
A recently discovered macOS information-stealing malware is actively exploiting logged-in Telegram Desktop sessions, providing attackers with immediate, unauthorized access to user accounts. This method cleverly sidesteps traditional two-factor authentication (2FA) by copying existing session data rather than attempting to crack credentials or authentication codes.
Table Of Content
Upon successful execution, the malware extracts specific local files that signify an authenticated Telegram session. When these files are subsequently deployed on another macOS device, the Telegram client can initiate and synchronize user chats without triggering the usual login process, effectively bypassing any password or 2FA prompts.
The scope of this malware extends far beyond Telegram. It systematically gathers sensitive data from various macOS components, including Keychain entries, browser credentials and cookies, Apple Notes, and databases associated with cryptocurrency wallets. Furthermore, it employs deceptive password prompts to trick users into revealing their system passwords, broadening the attacker’s access to valuable information.
This comprehensive data exfiltration strategy aligns with a growing trend among macOS-specific threats that prioritize the theft of browser data and Keychain information before transmitting the collected intelligence to command-and-control servers.
SlowMist said in a report that its security analysts successfully replicated this attack vector within a controlled environment. Their findings indicated that an active Telegram session could be seamlessly transferred to a different compatible Mac, even when Telegram’s Two-Step Verification was enabled. This bypass was effective as long as the victim had not configured a separate Telegram Desktop passcode.
Hackers Don’t Crack Telegram 2FA; They Copy Your Session
The malware specifically targets the Telegram Desktop’s tdata directory, located within the victim’s Library folder. It meticulously copies essential session-related files, including key_datas, maps, and corresponding s files. These stolen files are then temporarily stored, compressed, and uploaded alongside other pilfered data.
During testing, researchers successfully restored these extracted files on a macOS 12.7 system running Telegram Desktop version 4.16. The replicated client did not prompt for a phone number, SMS verification code, or the Telegram two-step verification password. Instead, it immediately re-established the authenticated session and began downloading chat history. This vulnerability adds a critical layer of context to recent Telegram phishing campaigns.
It is crucial to understand that this attack leverages session reuse, not a crack of Telegram’s robust 2FA mechanism. While two-step verification safeguards new login attempts, copied local session data circumvents this protection because the client interprets it as an already authorized session. SlowMist also identified the potential for attackers to convert the stolen tdata into a programmable API session, granting them extensive access to messages and chat history.
Detecting such a compromise can be challenging. In intermittent tests, the replicated session did not consistently appear as a distinct device in Telegram’s active device list. Furthermore, Telegram for macOS proved susceptible to local-session restoration, allowing cached conversations to remain accessible even if suspicious activity led to restrictions on new message exchanges.
Wallet Theft Expands the Damage
Beyond Telegram data, the malware actively seeks out databases from 16 different cryptocurrency wallet applications. It also scans Chromium browser profiles for any stored wallet extension data. This allows the threat actors to combine stolen encrypted wallet information with passwords obtained through fake prompts, Keychain records, browser data, and notes, facilitating repeated decryption attempts offline, away from the compromised Mac.
This pattern of targeting credentials and wallet data through deceptive files and social engineering tactics is increasingly common among macOS malware variants.
The malware also employs a sophisticated tactic of replacing legitimate wallet applications with malicious lookalikes. These fraudulent desktop programs, which mimic the original applications’ names and icons, instead load attacker-controlled web pages. This creates a convincing phishing scenario where users might unknowingly enter their recovery phrases into what appears to be a trusted desktop application, rather than a malicious browser page.
Users must remain vigilant for any unexpected alterations to their wallet applications. This warning is echoed in broader advisories regarding macOS wallet-stealing malware. A recovery phrase entered into a suspicious application should be immediately considered compromised, as merely changing an application password will not revoke private keys or phrases already exfiltrated by an attacker.
What You Should Do
- Review Active Sessions: Regularly check your “Active Sessions” in Telegram settings from a trusted device (e.g., your mobile phone) and terminate any unfamiliar or suspicious sessions.
- Enable Telegram Desktop Passcode: Set a strong, unique passcode specifically for your Telegram Desktop application. This adds an additional layer of local protection beyond the main 2FA.
- Update Passwords: Change your Telegram two-step verification password immediately. Also, rotate any passwords stored or reused in your macOS Keychain, web browsers, and Apple Notes, especially if you suspect compromise.
- Secure Cryptocurrency Wallets: If your cryptocurrency wallet data might be exposed, transfer all assets to new wallet addresses generated with fresh recovery phrases on a clean, secure device.
- Verify Application Integrity: If any wallet application on your Mac appears altered or behaves unexpectedly, remove it immediately. Scrutinize your system for any persistence mechanisms the malware may have installed. Always verify the installation source and digital signatures of applications, reinstalling only from official and trusted sources.
- Assume Compromise for Recovery Phrases: Any cryptocurrency recovery phrase entered into an application that is later found to be suspicious or malicious must be treated as compromised. Changing your application password will not protect private keys or phrases already stolen.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.