
Golang Backdoor Goes Under the Radar with Telegram Bot API C2

Cybersecurity researchers have uncovered a new Golang-based backdoor that uses Telegram as its primary command-and-control (C2) channel, allowing threat actors to issue commands and control infected systems remotely.
According to Netskope Threat Labs, which analyzed the malware's capabilities, this backdoor is believed to be of Russian origin. Security researcher Leandro Fróes stated in a report published last week that while the malware appears to be a work in progress, it is already fully functional and capable of executing remote commands. 

Once executed, the malware first checks whether it is running from a specific location under a designated name: "C:\Windows\Temp\svchost.exe". If it is not already at that path, it copies itself there, launches the new copy, and then terminates the original process to avoid detection. This self-relocation mechanism helps it maintain persistence on the infected machine.

A key characteristic of this malware is its reliance on an open-source Golang library that provides bindings for the Telegram Bot API. This integration lets the malware receive commands from an actor-controlled Telegram chat, so attackers can operate it remotely. Netskope identified four commands in the malware's code, though only three are currently functional:

  • /cmd – Executes system commands via PowerShell and sends the output back to the attacker. 
  • /persist – Ensures persistence by relaunching itself under the specified directory. 
  • /screenshot – This feature is not yet implemented, but when triggered, it falsely displays a message stating "Screenshot captured." 
  • /selfdestruct – Deletes the malware file from the system and terminates its own process, effectively erasing evidence of its presence. 
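The two behaviours described above are both observable from endpoint telemetry: a file named svchost.exe running from C:\Windows\Temp rather than a system directory (including the /persist relaunch, where the parent is the same out-of-place binary), and outbound connections to the Telegram Bot API. The following hunting script is an added example written for this page, not code from Netskope or from the malware analysis; the Sysmon-style event shape, the field names, the Bot API hostname api.telegram.org and all sample events are assumptions constructed for the demonstration.

```python
"""
Hunt for two observable traits of the backdoor described in the report:
  1. a process named svchost.exe executing from a non-system directory
     (the sample copies itself to C:\\Windows\\Temp\\svchost.exe), including
     the case where such a copy relaunches itself (the /persist behaviour), and
  2. outbound connections to api.telegram.org, the public Telegram Bot API host.

Input is a constructed list of Sysmon-style events (process creation and
network connection) in dict form. The event schema, the hostname and the
sample data are assumptions for this example, not values from the report.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Telegram Bot API host; benign bots use it too, so on its own it is low signal.
TELEGRAM_API_HOST = "api.telegram.org"

# Constructed sample telemetry; not real log data.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 4012, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process", "pid": 5120, "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Users\alice\Downloads\update.exe"},
    {"type": "network", "pid": 5120, "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "pid": 7000, "image": r"C:\Program Files\Python312\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "pid": 6100, "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Windows\Temp\svchost.exe"},
]


def svchost_outside_system_dirs(image: str) -> bool:
    """True when a file named svchost.exe runs from an unexpected directory."""
    path = PureWindowsPath(image)
    if path.name.lower() != "svchost.exe":
        return False
    return str(path.parent).lower() not in LEGIT_SVCHOST_DIRS


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per suspicious event, tagged with a rule name and severity."""
    findings: List[Dict] = []
    for ev in events:
        image = ev.get("image", "")
        if ev["type"] == "process" and svchost_outside_system_dirs(image):
            # A misplaced svchost.exe spawning itself matches the /persist relaunch.
            relaunch = svchost_outside_system_dirs(ev.get("parent_image", ""))
            findings.append({
                "pid": ev["pid"],
                "rule": "masquerading_svchost_relaunch" if relaunch else "svchost_outside_system_dir",
                "severity": "high",
                "image": image,
            })
        elif ev["type"] == "network" and ev.get("dest_host", "").lower() == TELEGRAM_API_HOST:
            # Bot API egress alone is only a lead; combined with the path trait it is high.
            severity = "high" if svchost_outside_system_dirs(image) else "low"
            findings.append({
                "pid": ev["pid"],
                "rule": "telegram_bot_api_egress",
                "severity": severity,
                "image": image,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']:>4}] pid={finding['pid']} {finding['rule']}: {finding['image']}")
```

The path check is deliberately case-insensitive and anchored on the full parent directory rather than a substring, so a copy in C:\Windows\Temp or a user profile is caught while the genuine System32 and SysWOW64 binaries are not. Bot API egress from an unrelated interpreter is reported at low severity only, because legitimate automation bots use the same endpoint; that is the detection difficulty the article raises.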

The Russian connection is evident in the "/cmd" command, which prompts the operator with "Enter the command:" in Russian when interacting with the Telegram-based C2 channel. This linguistic indicator, combined with the malware's tactics, suggests possible Russian threat actor involvement.

Fróes also pointed out that cloud-based communication platforms like Telegram pose unique challenges for cybersecurity defenses, as attackers exploit their accessibility and ease of use for stealthy operations. The ability to integrate C2 functionality within a widely used messaging app makes it more difficult for security teams to detect and block malicious activity. 
As cloud-based attacks continue to evolve, security professionals must remain vigilant and adopt proactive measures to mitigate threats that use legitimate applications for malicious purposes. 


With Cybersecurity Insights, current news and event trends in cybersecurity, recent system and cyber-attacks, artificial intelligence (AI), and technology innovation around the world are captured, to keep our viewers abreast of current developments in technology and system security and how they affect our lives and ecosystem.
