Full Report
Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis
Analysis Summary
# Tool/Technique: Golang-Based Backdoor using Telegram Bot API
## Overview
A newly identified, actively developed, and fully functional backdoor written in Golang that utilizes the Telegram Bot API for Command and Control (C2) communications. This technique leverages a popular cloud application (Telegram) to maintain evasion and persistence, potentially originating from Russian threat actors.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows (Inferred from file paths like `C:\Windows\Temp\`)
- Capabilities: Remote command execution, self-propagation/persistence mechanism, self-destruction.
- First Seen: Analysis published in February 2025.
## MITRE ATT&CK Mapping
Based on described functionality, the following mappings apply:
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol**
    - T1071.001 - Web Protocols (Telegram API operates over standard internet protocols)
- **TA0005 - Defense Evasion**
  - **T1027 - Obfuscated Files or Information** (Golang compilation aids obfuscation)
- **TA0003 - Persistence**
  - **T1547 - Boot or Logon Autostart Execution** (The persistence mechanism implies establishing a method for re-execution)
## Functionality
### Core Capabilities
- C2 Communication: Interacts with the Telegram Bot API using an open-source Golang library to receive commands from an operator-controlled chat.
- Remote Command Execution (`/cmd`): Executes arbitrary system commands using PowerShell on the compromised host.
- Persistence/Relaunch (`/persist`): If the malware is not running from its designated location (`C:\Windows\Temp\svchost.exe`), it copies its contents to that location and launches the copy while terminating the original process.
- Self-Destruction (`/selfdestruct`): Deletes the persistent file (`C:\Windows\Temp\svchost.exe`) and terminates the running process.
### Advanced Features
- Evasive C2: Uses Telegram, a legitimate, widely used cloud service, as the communication channel, which can challenge traditional network-based detection methods.
- Russian Language Artifacts: The `/cmd` instruction prompts the operator with the message "Enter the command:" in Russian, suggesting a likely origin.
- Screenshot Capability: Includes a placeholder command (`/screenshot`) indicating potential future functionality, though currently only reports "Screenshot captured."
## Indicators of Compromise
- File Hashes: Not provided in the source analysis.
- File Names: `svchost.exe` (when located in `C:\Windows\Temp\`)
- Registry Keys: Not provided in the source analysis.
- Network Indicators: Communications via the **Telegram Bot API** (specific API endpoints/servers would need further analysis of network traffic).
- Behavioral Indicators:
  - Writing the contents of an executable to `C:\Windows\Temp\svchost.exe`.
  - Creating a new process that executes the copied file from the temporary path.
  - Executing PowerShell commands in response to messages received from the operator's Telegram chat via the Bot API.
## Associated Threat Actors
- Possibly of **Russian origin**, based on the embedded Russian language artifact ("Enter the command:").
## Detection Methods
- Signature-based detection: Signatures could be developed against the known Golang binary structure or specific API calls utilized.
- Behavioral detection: Monitoring for processes writing or executing files with the `.exe` extension into the `C:\Windows\Temp\` directory, especially when named `svchost.exe`. Monitoring for network connections communicating with known Telegram Bot API infrastructure originating from unusual processes.
- YARA rules: Could be developed targeting the unique string used for the Russian prompt or the specific Golang library imported for Telegram API interaction.
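The behavioural detections listed above, worked through as an added example (not code from the Netskope analysis): it scans constructed Sysmon-style FileCreate/ProcessCreate events for the three behaviours the report names. The event field names are a simplified, assumed schema; the legitimate Service Host path `C:\Windows\System32\svchost.exe` is standard Windows knowledge, not taken from the report.

```python
# Added example: behavioural detection for the Telegram-C2 backdoor's
# file-drop, relaunch and PowerShell-execution behaviours.
import ntpath

SUSPECT_PATH = "c:\\windows\\temp\\svchost.exe"      # /persist drop location from the report
LEGIT_SVCHOST = "c:\\windows\\system32\\svchost.exe"  # where the real Service Host lives
TEMP_DIR = "c:\\windows\\temp\\"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def _norm(path):
    """Case-fold a Windows path so comparisons ignore casing."""
    return path.strip().lower()

def classify(event):
    """Return a list of findings for one event (empty when nothing matches)."""
    findings = []
    kind = event.get("EventType")
    if kind == "FileCreate":
        if _norm(event.get("TargetFilename", "")) == SUSPECT_PATH:
            findings.append("svchost.exe written to C:\\Windows\\Temp (/persist)")
    elif kind == "ProcessCreate":
        image = _norm(event.get("Image", ""))
        parent = _norm(event.get("ParentImage", ""))
        if image == SUSPECT_PATH:
            findings.append("copied backdoor launched from C:\\Windows\\Temp")
        elif ntpath.basename(image) == "svchost.exe" and image != LEGIT_SVCHOST:
            findings.append("svchost.exe running from non-System32 path")  # generalisation
        if ntpath.basename(image) in POWERSHELL and parent.startswith(TEMP_DIR):
            findings.append("PowerShell spawned by process in C:\\Windows\\Temp (/cmd)")
    return findings

def scan(events):
    """Return (RecordId, finding) pairs for every event that matches a rule."""
    return [(e["RecordId"], f) for e in events for f in classify(e)]

# Constructed sample events (not real telemetry); assumed Sysmon-like field names.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"RecordId": 2, "EventType": "FileCreate", "Image": r"C:\Users\alice\Downloads\update.exe", "TargetFilename": r"C:\Windows\Temp\svchost.exe"},
    {"RecordId": 3, "EventType": "ProcessCreate", "Image": r"C:\Windows\Temp\svchost.exe", "ParentImage": r"C:\Users\alice\Downloads\update.exe"},
    {"RecordId": 4, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\Temp\svchost.exe"},
    {"RecordId": 5, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rid, finding in scan(SAMPLE_EVENTS):
        print(f"event {rid}: {finding}")
```

The third rule generalises the report's indicator to any `svchost.exe` outside System32; the sample set shows the legitimate Service Host and an unrelated PowerShell launch producing no findings.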
## Mitigation Strategies
- Prevention measures: Implement strict application control policies that block execution from temporary directories such as `C:\Windows\Temp\` and `%TEMP%`.
- Hardening recommendations: Monitor, and where Telegram has no legitimate business use restrict, outbound traffic from critical systems to Telegram API endpoints. Monitor PowerShell execution closely, especially when it is launched by an unexpected parent process.
## Related Tools/Techniques
- Other malware utilizing legitimate messaging applications (e.g., Slack, Discord, established encrypted email services) for C2.
- Other Golang malware variants known for cross-platform compilation and simplicity.