New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
Cybersecurity researchers have uncovered a new Golang-based backdoor that leverages the Telegram Bot API for its Command-and-Control (C2) communications. Because traffic to a legitimate cloud application such as Telegram is rarely blocked, the malware's C2 traffic blends in with trusted-app traffic that traditional firewalls often let through.
Technical Analysis: How the Malware Operates
According to Netskope Threat Labs, the malware is highly evasive. Once executed, it performs a series of environment checks to ensure it is running from a specific system path: C:\Windows\Temp\svchost.exe. If it is not in the correct location, it automatically:
- Reads its own binary content.
- Copies itself to the Windows Temp folder.
- Launches a new process and terminates the original one to hide its tracks.
Russian Origins Suspected
Security researcher Leandro Fróes noted that while the malware is still under development, it is fully functional. The Russian connection was identified because the malware sends an "Enter the command" prompt in the Russian language to the attacker-controlled Telegram chat.
Supported Commands via Telegram Bot
The backdoor uses an open-source library to interact with Telegram. Currently, it supports the following commands:
- /cmd: Allows the attacker to execute remote commands via PowerShell.
- /persist: Forces the malware to relaunch itself to maintain a permanent presence on the victim's machine.
- /selfdestruct: Deletes the malicious file from the system and stops all processes to avoid forensic detection.
- /screenshot: (In development) Designed to capture the victim's screen.
The Challenge for Defenders
The use of cloud apps like Telegram presents a complex challenge for SOC analysts. Because these apps are used by millions for legitimate work, blocking them is often not an option for organizations, giving attackers a convenient "stealth" channel for data exfiltration and control.
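As an added defender-side example (not code from Netskope's report or from the malware), the following Python sketch flags the two behaviours described above in constructed Sysmon-style events: a process named svchost.exe running outside its legitimate system directories (the article's C:\Windows\Temp path), and a process other than a known Telegram client connecting to the Telegram Bot API host. The api.telegram.org hostname, the Telegram.exe allow-list and the event shapes are assumptions, not values taken from the article.

```python
from pathlib import PureWindowsPath

# Constructed sample events, loosely shaped like Sysmon process-create (EventID 1)
# and network-connect (EventID 3) records. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\update.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]

# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: hostname the Telegram Bot API is served from.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumption: allow-listed legitimate Telegram client binaries.
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe"}


def is_masquerading_svchost(image: str) -> bool:
    """True when a binary named svchost.exe runs from a non-system directory."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def detect(events):
    """Return (rule, image) findings for the two behaviours in the article."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 1 and is_masquerading_svchost(image):
            findings.append(("svchost_outside_system_dirs", image))
        if ev.get("EventID") == 3 and ev.get("DestinationHostname", "").lower() in TELEGRAM_API_HOSTS:
            if PureWindowsPath(image).name.lower() not in KNOWN_TELEGRAM_CLIENTS:
                findings.append(("telegram_api_from_unexpected_process", image))
    return findings


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Pairing the two rules (masquerading path plus Bot API traffic from the same image) gives a much stronger signal than either alone, since the Telegram host itself is legitimate.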
