A New Malware Threat Emerging from GitHub
Cado Security Labs has identified a new and highly sophisticated Python-based Remote Access Tool (RAT) named Triton RAT, which uses Telegram as its command-and-control (C2) infrastructure. This open-source malware, hosted on GitHub, enables attackers to remotely control infected systems, putting user privacy and security at serious risk.
Triton RAT is particularly concerning because it comes with a wide range of capabilities, including keylogging, password theft, webcam recording, and even the ability to extract security cookies from Roblox accounts. The malware has advanced persistence mechanisms that allow it to remain undetected, making it a formidable tool for cybercriminals.
How Triton RAT Works
Stealing Credentials via Telegram
Triton RAT starts by retrieving a Base64-encoded Telegram bot token and chat ID from Pastebin. These credentials let the malware talk to its operator through the Telegram Bot API, sending stolen data out and receiving commands back.
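The following Python triage helper is an added example for this article, not code from Cado Security's report or from the RAT itself. It shows how an analyst can recover a Telegram bot token and chat ID from a Base64-encoded blob of the kind the article says the RAT fetches from Pastebin, and mask the token for reporting. The paste body, bot token and chat ID are constructed placeholders; the only real-world fact relied on is Telegram's documented token shape, `<numeric bot id>:<35 characters>`.

```python
"""Triage helper for the Telegram C2 configuration the article says Triton RAT
pulls from Pastebin as Base64.  Added example for this article, not code from
Cado Security's report or from the RAT.  The paste body, bot token and chat ID
below are constructed placeholders.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Telegram bot tokens have the documented shape "<numeric bot id>:<35 chars>".
BOT_TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
# Chat IDs are signed integers; supergroups and channels are written as -100...
CHAT_ID_RE = re.compile(r"(?<![\w:-])(-?\d{6,14})(?![\w:])")
# Base64 runs long enough to carry a configuration string.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass
class TelegramC2Config:
    bot_ids: list = field(default_factory=list)        # numeric half of the token: a searchable IOC
    masked_tokens: list = field(default_factory=list)  # secret half hidden, safe for a report
    chat_ids: list = field(default_factory=list)


def mask_token(bot_id: str, secret: str) -> str:
    """Keep the bot ID and the first four secret characters, hide the rest."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def decode_base64_runs(text: str) -> list:
    """Decode every Base64-looking run in text that yields printable ASCII."""
    decoded = []
    for run in B64_RUN_RE.findall(text):
        try:
            raw = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in raw):
            decoded.append(raw)
    return decoded


def extract_telegram_c2(blob: str) -> TelegramC2Config:
    """Search the blob and every decoded Base64 run for Telegram C2 settings."""
    cfg = TelegramC2Config()
    # Search for chat IDs only in text that is not itself Base64, otherwise digit
    # runs inside the encoding would produce false positives.
    candidates = [B64_RUN_RE.sub(" ", blob), *decode_base64_runs(blob)]
    for text in candidates:
        for bot_id, secret in BOT_TOKEN_RE.findall(text):
            if bot_id not in cfg.bot_ids:
                cfg.bot_ids.append(bot_id)
                cfg.masked_tokens.append(mask_token(bot_id, secret))
        # Strip tokens first so the bot ID is not also counted as a chat ID.
        for chat_id in CHAT_ID_RE.findall(BOT_TOKEN_RE.sub(" ", text)):
            if chat_id not in cfg.chat_ids:
                cfg.chat_ids.append(chat_id)
    return cfg


# Constructed stand-in for a Pastebin raw page: a comment line plus the encoded config.
SAMPLE_PLAINTEXT = (
    "bot_token=1234567890:AAEPLACEHOLDERTOKEN0123456789abcdef\n"
    "chat_id=-1001234567890\n"
)
SAMPLE_PASTE = "# constructed paste\n" + base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode() + "\n"

if __name__ == "__main__":
    cfg = extract_telegram_c2(SAMPLE_PASTE)
    print("bot ids:", cfg.bot_ids)
    print("tokens (masked):", cfg.masked_tokens)
    print("chat ids:", cfg.chat_ids)
```

The bot ID half of the token is worth keeping in clear text in a report: it is static per bot, so it can be searched for across other samples and pastes, whereas the secret half should never be copied into tickets or shared documents.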
Key Features of Triton RAT
The malware comes with a wide range of malicious capabilities, including:
- Keylogging – Records keystrokes to steal login credentials.
- Browser Password Theft – Extracts saved passwords from Chrome, Firefox, Edge, and Brave.
- Roblox Security Cookie Theft – Steals .ROBLOSECURITY cookies, bypassing two-factor authentication (2FA).
- Screen & Webcam Recording – Captures user activity and can spy through the webcam.
- Clipboard Data Theft – Copies sensitive data from the clipboard.
- File Upload & Download – Transfers files between the infected system and the attacker.
- Shell Command Execution – Runs commands remotely on the victim’s system.
- System Information Gathering – Collects details about the infected machine.
Persistence and Evasion Techniques
To maintain access and evade detection, Triton RAT uses various persistence techniques:
- VBScript & BAT Scripts – Runs updateagent.vbs and check.bat via PowerShell.
- Windows Defender Disabling – Ensures the malware isn’t removed by antivirus software.
- Task Scheduling – Creates scheduled tasks for continued execution.
- Anti-Analysis Mechanisms – Detects and avoids debugging tools like xdbg and OllyDbg.
- File Resizing for Antivirus Evasion – Increases its file size beyond the scanning limits of certain antivirus solutions.
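The Python hunting script below is an added example for this article, not Cado Security's or the malware's code. It runs a handful of detection rules over constructed process command lines for the persistence behaviours listed above, and adds a padding-ratio check for the inflated-file evasion trick. The script names `updateagent.vbs` and `check.bat` and the filename `ProtonDrive.exe` (from the article's IOC advice) are the ones the page gives; the Defender rule assumes tampering through the `Set-MpPreference` / `Add-MpPreference` cmdlets, which the article does not specify, and the size threshold is a placeholder because antivirus scanning limits vary by product.

```python
"""Hunting helpers for the persistence and evasion behaviours the article attributes
to Triton RAT.  Added example for this article, not Cado Security's or the RAT's code.
Command lines and file bytes below are constructed; updateagent.vbs, check.bat and
ProtonDrive.exe are the names the article gives.  The Defender rule assumes tampering
through Set-MpPreference / Add-MpPreference, which the article does not specify.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Each rule is applied to one process command line (Sysmon Event ID 1 or Security 4688).
RULES = [
    Rule("triton_script_names",
         re.compile(r"\b(updateagent\.vbs|check\.bat)\b", re.I)),
    Rule("powershell_launches_script_host",
         re.compile(r"powershell[^\n]*\b(wscript|cscript|cmd)(\.exe)?\b[^\n]*\.(vbs|bat)\b", re.I)),
    Rule("scheduled_task_runs_script",
         re.compile(r"\bschtasks(\.exe)?\b[^\n]*/create[^\n]*\.(vbs|bat|ps1)\b", re.I)),
    Rule("defender_tampering",  # assumption: cmdlet-based tampering, not stated by the article
         re.compile(r"Set-MpPreference[^\n]*-Disable\w+|Add-MpPreference[^\n]*-Exclusion\w+", re.I)),
    Rule("known_ioc_filename",
         re.compile(r"\bProtonDrive\.exe\b", re.I)),
]


def scan_command_line(cmdline: str) -> list:
    """Names of every rule that matches this command line, in RULES order."""
    return [rule.name for rule in RULES if rule.pattern.search(cmdline)]


def scan_log(lines) -> dict:
    """Map line index -> matched rule names, for lines that trip at least one rule."""
    hits = {}
    for index, line in enumerate(lines):
        names = scan_command_line(line)
        if names:
            hits[index] = names
    return hits


def padding_ratio(data: bytes) -> float:
    """Fraction of the file taken up by its single most frequent byte value.
    A binary inflated past a scanner's size limit is usually padded with one byte."""
    if not data:
        return 0.0
    _, count = Counter(data).most_common(1)[0]
    return count / len(data)


def looks_inflated(data: bytes, min_size: int = 100 * 1024 * 1024, threshold: float = 0.9) -> bool:
    """True when the file is both large (min_size is a placeholder; AV limits vary)
    and dominated by a single repeated byte."""
    return len(data) >= min_size and padding_ratio(data) >= threshold


# Constructed process command lines: two benign, four showing the behaviours above.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'powershell.exe -c "wscript.exe C:\Users\Public\updateagent.vbs"',
    r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\Public\check.bat"',
    r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'C:\Users\Public\ProtonDrive.exe',
    r'C:\Program Files\Mozilla Firefox\firefox.exe -osint',
]
# Constructed file bodies: one padded with zero bytes, one with an even byte spread.
SAMPLE_INFLATED = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 20000
SAMPLE_NORMAL = bytes(range(256)) * 40

if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_COMMAND_LINES).items():
        print(f"line {idx}: {', '.join(names)} <- {SAMPLE_COMMAND_LINES[idx]}")
    print("inflated sample flagged:", looks_inflated(SAMPLE_INFLATED, min_size=1024))
```

Rules keyed on the article's exact script names will only catch this build of the RAT; the behavioural rules (PowerShell spawning a script host, a scheduled task pointing at a script, Defender preference changes) are what survive a rename, which is the point the article makes about signature-only detection.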
Exploitation via Telegram
All stolen data is sent to the attacker’s Telegram bot, which also serves as a remote control panel for infected devices. At the time of analysis, the associated Telegram channel had over 4,500 messages, suggesting a widespread infection campaign.
Cybercriminals are increasingly using platforms like Telegram due to end-to-end encryption and ease of access, making traditional security solutions less effective against such threats.
What Undercode Say:
1. Triton RAT’s Impact on Cybersecurity
Triton RAT represents a shift in malware tactics, where legitimate communication platforms like Telegram are exploited for cybercrime. This makes it harder for security tools to detect and block malicious activity.
2. The Threat to Roblox Users and Beyond
The malware’s ability to steal Roblox security cookies is particularly alarming. Since these cookies allow access to accounts without requiring passwords, attackers can bypass 2FA and hijack accounts effortlessly. While the primary target appears to be Roblox users, the technique could be adapted for other platforms as well.
3. Why Open-Source Malware is a Growing Concern
Triton RAT is hosted on GitHub, meaning anyone can access and modify the source code. This raises concerns about the accessibility of advanced malware, allowing even low-skilled attackers to deploy it. The trend of open-source cybercrime makes malware more widespread and harder to control.
4. The Role of Telegram in Modern Cybercrime
Cybercriminals increasingly use Telegram as a C2 infrastructure due to:
- End-to-End Encryption – Protects attacker communication.
- Easy Accessibility – No complex setup needed.
- Anonymity – Harder to trace than traditional C2 servers.
While Telegram has legitimate uses, its misuse in cybercrime is growing rapidly.
5. Evasion Techniques Are Becoming More Advanced
Triton RAT’s ability to disable Windows Defender, resize files, and avoid debugging tools makes it a stealthy threat. Traditional antivirus solutions may not be enough, emphasizing the need for behavioral analysis-based security instead of just signature-based detection.
6. Why This Malware is a Serious Risk
Triton RAT isn’t just another RAT—it’s a highly versatile tool that combines data theft, persistence, and evasion in one package. The fact that it can operate through Telegram makes it even more dangerous, as it blends legitimate and malicious activity seamlessly.
7. How to Protect Yourself
Security professionals and users should take these steps to defend against Triton RAT:
- Monitor Indicators of Compromise (IOCs) like ProtonDrive.exe.
- Disable unnecessary scripting features (PowerShell, VBScript).
- Use endpoint protection that detects behavioral anomalies.
- Avoid downloading files from unknown sources.
- Be cautious with Telegram bots requesting sensitive information.
Fact Checker Results
- Triton RAT’s existence and functionality have been confirmed by Cado Security Labs.
- Telegram is increasingly being used in cybercrime due to its encrypted communication.
- Open-source malware is a growing concern, as evidenced by GitHub-hosted threats.
References:
Reported By: https://cyberpress.org/triton-rat-exploits-telegram-to-remotely-access/