Cybersecurity researchers have uncovered a new Golang-based backdoor that leverages the Telegram Bot API as a command-and-control (C2) mechanism, making it highly evasive and difficult to detect.
According to Netskope Threat Labs, the malware is suspected to have Russian origins and is still under development, yet it remains fully functional for conducting cyberattacks.
How the Golang-Based Backdoor Operates
Once executed, the backdoor performs a series of stealthy actions:
🔹 Self-copying to a fixed path – It checks whether it is running as "C:\Windows\Temp\svchost.exe". If not, it copies itself to that location, launches the copy, and terminates the original process. The filename mimics the legitimate Windows service host, but the real svchost.exe lives under System32, so a copy running from Temp is itself a telling indicator.
🔹 Telegram-Based C2 Communications – The malware integrates an open-source Golang library that connects to the Telegram Bot API, allowing it to receive attacker-issued commands via a controlled Telegram chat.
Malware Capabilities & Commands
The backdoor supports four different commands, though only three are fully implemented:
✔️ /cmd – Executes commands via PowerShell.
✔️ /persist – Ensures persistence by relaunching itself under "C:\Windows\Temp\svchost.exe".
✔️ /screenshot – Planned but not yet implemented.
✔️ /selfdestruct – Deletes itself and removes traces from the system.
Once a command is executed, the results are relayed back to the Telegram C2 channel, allowing attackers to maintain remote control over infected systems.
Interestingly, the "/cmd" instruction prompts the message "Enter the command:" in Russian, further reinforcing speculation about its Russian origins.
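The host-level traces described above (a svchost.exe copy outside System32, PowerShell spawned by that copy for /cmd, and a non-browser process reaching the Telegram Bot API) can be turned into simple detection logic. The following Python is an added example, not Netskope's code or the malware's; it assumes simplified Sysmon-style event fields, that the Bot API host is api.telegram.org, and a constructed browser allowlist.

```python
from dataclasses import dataclass

# Windows ships svchost.exe only from these two paths (compared lower-case).
LEGIT_SVCHOST = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")
# The Telegram Bot API is served from api.telegram.org. The allowlist of
# processes permitted to reach it is an assumption for this example; tune it.
BOT_API_HOST = "api.telegram.org"
ALLOWED_BOT_API_IMAGES = ("chrome.exe", "msedge.exe", "firefox.exe")

@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    detail: str

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_process_create(ev: dict) -> list[Finding]:
    """Simplified Sysmon Event ID 1 (process creation) fields."""
    out, image = [], ev["Image"].lower()
    if _base(image) == "svchost.exe" and image not in LEGIT_SVCHOST:
        out.append(Finding("svchost_outside_system32", ev["Computer"], ev["Image"]))
    # /cmd runs PowerShell, so a shell parented by the Temp copy is the article's pattern.
    if _base(image) == "powershell.exe" and ev.get("ParentImage", "").lower() == r"c:\windows\temp\svchost.exe":
        out.append(Finding("powershell_from_temp_svchost", ev["Computer"], ev.get("CommandLine", "")))
    return out

def check_network_connect(ev: dict) -> list[Finding]:
    """Simplified Sysmon Event ID 3 (network connection) fields."""
    if ev.get("DestinationHostname", "").lower() != BOT_API_HOST or _base(ev["Image"]) in ALLOWED_BOT_API_IMAGES:
        return []
    return [Finding("bot_api_from_unexpected_process", ev["Computer"], ev["Image"])]

def scan(events: list[dict]) -> list[Finding]:
    checks = {1: check_process_create, 3: check_network_connect}
    return [f for ev in events for f in checks.get(ev["EventID"], lambda _: [])(ev)]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\Temp\svchost.exe", "ParentImage": r"C:\Users\u\Downloads\setup.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\Temp\svchost.exe", "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "api.telegram.org"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\Temp\svchost.exe", "CommandLine": "powershell -nop -c whoami"},
]
if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.computer} {f.detail}")
```

Running it against the constructed events reports the Temp copy, its Bot API connection, and the PowerShell child, while the legitimate svchost.exe and the browser's Telegram traffic stay silent.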
Why Attackers Are Leveraging Telegram for C2 Operations
Using cloud-based messaging apps like Telegram for C2 communications provides attackers with multiple advantages:
🔹 Bypasses traditional security measures – C2 traffic is TLS-encrypted and goes to a widely used, legitimate messaging service, so it blends in with normal traffic and is hard to distinguish by network inspection alone.
🔹 Easy setup & deployment – Attackers can quickly configure and execute C2 operations.
🔹 Reduces reliance on traditional infrastructure – No need for dedicated servers, reducing the chances of takedown.
Final Thoughts
As cybercriminals continue to evolve their tactics, security teams must stay ahead by monitoring emerging threats and adopting proactive threat intelligence strategies. The use of Golang-based malware with Telegram-based C2 highlights the growing trend of leveraging legitimate platforms for malicious operations.