New Golang-Based Backdoor Uses Telegram for Command and Control


Cybersecurity experts have recently discovered a sophisticated Golang-based backdoor that uses Telegram as a command-and-control (C2) mechanism, potentially originating from Russia. This backdoor, still under development, leverages Telegram’s popular Bot API to receive commands from an actor-controlled chat, making it an innovative tool for attackers. Security firm Netskope Threat Labs uncovered its key functionalities and behaviors, which highlight the complexity and evolving nature of modern cyberattacks.

Summary

The new malware discovered by Netskope Threat Labs operates as a Golang-based backdoor, with significant use of Telegram for C2 communications. Once executed, the malware checks whether it is running from its expected location under its expected filename; if not, it copies itself to “C:\Windows\Temp\svchost.exe” and then launches the copy. The malware employs an open-source Golang library to interface with Telegram’s Bot API. This gives attackers four potential commands, although only three are currently implemented:

– /cmd: Executes commands through PowerShell.
– /persist: Forces the malware to relaunch itself under a specific filename.
– /screenshot: This command is not fully functional but attempts to capture screenshots.
– /selfdestruct: Deletes the malware and terminates its process.
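The behaviours Netskope describes above translate into a few host-side indicators a defender can look for: an svchost.exe image running outside a Windows system directory, Telegram Bot API traffic from a process that is not a Telegram client, and PowerShell spawned by a process living in C:\Windows\Temp (the /cmd behaviour). The following added example is not code from the original report, from Netskope or from the malware; it runs that detection logic over constructed Sysmon-style process-creation (ID 1) and network-connection (ID 3) records. The field names, the client allowlist and the sample events are assumptions chosen for illustration; api.telegram.org is the real Bot API host.

```python
"""Detection sketch for the Telegram-C2 backdoor behaviours described above.

Added example, not the report's, Netskope's or the malware's code. The
event records are constructed to resemble Sysmon process-creation (ID 1)
and network-connection (ID 3) events; field names are assumptions.
"""
import ntpath

# Constructed sample telemetry (not real events). The chain modelled:
# a downloaded binary drops C:\Windows\Temp\svchost.exe, which talks to
# the Telegram Bot API and spawns PowerShell. A legitimate svchost and a
# legitimate Telegram Desktop client are included as negatives.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "pid": 4100, "image": r"C:\Users\alice\Downloads\update.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4120, "image": r"C:\Windows\Temp\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\update.exe"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 1, "pid": 4150,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\Temp\svchost.exe"},
    {"id": 3, "pid": 2200, "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

# Directories from which a genuine svchost.exe is expected to run
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TELEGRAM_API_HOST = "api.telegram.org"
# Processes allowed to reach the Bot API host (assumption: tune per estate)
TELEGRAM_CLIENT_ALLOWLIST = {"telegram.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
TEMP_DIR = r"c:\windows\temp"


def _dir_and_name(path):
    """Split a Windows path into lower-cased (directory, filename)."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def detect(events):
    """Return (indicator, pid, suspect_image) triples for each matching event.

    suspect_image is always the process we want to investigate, so for the
    PowerShell rule it is the *parent* image, not powershell.exe itself.
    """
    findings = []
    for ev in events:
        directory, name = _dir_and_name(ev["image"])
        if ev["id"] == 1:
            # (a) svchost.exe masquerade: right name, wrong directory
            if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
                findings.append(("svchost_masquerade", ev["pid"], ev["image"]))
            # (c) PowerShell launched by something running out of C:\Windows\Temp
            parent_dir, _ = _dir_and_name(ev["parent"])
            if name in SHELLS and parent_dir == TEMP_DIR:
                findings.append(("powershell_from_temp_parent", ev["pid"], ev["parent"]))
        elif ev["id"] == 3:
            # (b) Bot API traffic from a process that is not a known Telegram client
            if (ev["dest_host"].lower() == TELEGRAM_API_HOST
                    and name not in TELEGRAM_CLIENT_ALLOWLIST):
                findings.append(("telegram_api_from_unexpected_process", ev["pid"], ev["image"]))
    return findings


def correlate(findings, threshold=2):
    """Group indicators by suspect image; report images hitting >= threshold rules.

    A single rule on its own is noisy (admins do run PowerShell, users do run
    Telegram); the same image tripping several rules is what merits triage.
    """
    by_image = {}
    for indicator, _pid, image in findings:
        by_image.setdefault(image.lower(), set()).add(indicator)
    return {img: sorted(inds) for img, inds in by_image.items() if len(inds) >= threshold}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("indicator=%s pid=%d image=%s" % f)
    for image, indicators in correlate(detect(SAMPLE_EVENTS)).items():
        print("TRIAGE", image, indicators)
```

On the constructed sample the legitimate svchost.exe and the Telegram Desktop client produce nothing, while the Temp-resident svchost.exe is flagged by all three rules and is the only image surfaced by `correlate`. In a real deployment the same three rules map directly onto Sysmon or EDR queries; the correlation step is what keeps the PowerShell and Telegram rules from drowning analysts in benign hits.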

Interestingly, the

What Undercode Says:

This newly discovered Golang-based backdoor opens a window into the evolving tactics employed by cybercriminals. The malware’s reliance on Telegram, a popular and legitimate communication tool, for its command-and-control (C2) communications makes it highly evasive and difficult to detect by traditional security defenses. The use of Golang is also significant because it’s a modern, efficient language that compiles into binaries that are hard to reverse engineer, which further complicates efforts to detect or mitigate the malware.

Telegram’s role in this attack is particularly noteworthy. As a cloud-based messaging platform, it is trusted by many users, which gives attackers an edge in avoiding detection. Telegram’s Bot API allows for easy automation and remote communication, enabling the backdoor to receive commands seamlessly without raising suspicion. This presents an evolving challenge for cybersecurity professionals, who must not only focus on traditional attack vectors but also the growing use of legitimate cloud services by attackers.

The fact that the malware supports PowerShell execution with the /cmd command is another red flag. PowerShell is a legitimate tool widely used by administrators, but it’s also a common feature in modern cyberattacks, especially for lateral movement within compromised networks. Attackers can leverage it to execute commands, run scripts, and gain further access within a target system without triggering alarms in conventional security setups.

The /persist command suggests that the attackers have designed the backdoor to maintain long-term access, even after system reboots. This persistence mechanism ensures that the malware can survive attempts to manually remove or disable it, which increases the chances of success for the attackers. Similarly, the self-destruct feature allows the malware to cover its tracks by erasing itself and making the investigation more challenging.

One curious aspect is the incomplete implementation of the /screenshot command. While it doesn’t fully work yet, the command still sends a “Screenshot captured” message to the attacker’s chat. This could indicate that the malware is still under active development, with more features potentially being added in the future. This unfinished functionality raises concerns about the evolving nature of the malware, as it could become even more powerful once fully implemented.

The Russian linguistic clues within the malware suggest a regional attribution. While this isn’t definitive proof of its origin, it does hint at the possibility that the attackers have a Russian background or that it was designed for operations within Russian-speaking regions. Given the geopolitical context and the increasing sophistication of Russian cyber operations, this finding is in line with previous incidents involving state-sponsored groups.

The increasing complexity of cloud-based attacks is a significant challenge for defenders. As this research shows, attackers are becoming more adept at using everyday tools and services like Telegram, PowerShell, and cloud platforms to conduct cyberattacks. This shift in tactics forces cybersecurity experts to rethink their defense strategies, moving beyond traditional methods to include monitoring and analyzing cloud services and other less obvious attack vectors.

In conclusion, this Golang-based backdoor is a reminder of the ever-evolving threat landscape in cybersecurity. The use of Telegram as a command-and-control channel highlights the need for defenders to stay ahead of the curve, anticipating future attacks that may leverage legitimate, trusted services to evade detection. As attackers continue to innovate, the cybersecurity community must adapt quickly to safeguard systems and data from increasingly sophisticated threats.

References:

Reported By: https://thehackernews.com/2025/02/new-golang-based-backdoor-uses-telegram.html