Introduction
Cybersecurity researchers from Netskope Threat Labs have identified a new variant of Golang-based backdoor malware that utilizes Telegram as a command and control (C2) channel. This malware, believed to originate from Russia [5], poses significant challenges for detection due to its ability to blend with regular network traffic.
Description
Threat actors are utilizing Telegram as a command and control (C2) channel for a new variant of Golang-based backdoor malware [5], which is believed to originate from Russia [5], as reported by cybersecurity researchers from Netskope Threat Labs [4]. The malware is fully functional [1] [3] but still in active development [1] [6], and operates as a backdoor once executed [4]. On launch it checks whether it is running from the designated path “C:\Windows\Temp\svchost.exe”; if it is not [5], it copies itself to that location, starts a new process from there [3] [5], and terminates the original instance [3] [6]. The choice of Telegram lets the malware blend in with regular network traffic [1], complicating detection for defenders because malicious activity is hidden inside legitimate API usage.
The Golang backdoor connects to Telegram by means of an open-source Go package that provides its C2 functionality [5]. It creates a bot instance authenticated with a token generated through Telegram’s BotFather feature and continuously polls a channel for incoming commands using the GetUpdatesChan function. The malware defines four operational commands, of which three are implemented:
- /cmd: Executes arbitrary PowerShell commands received via Telegram [2], prompting the attacker (in Russian) to enter the command [2], which it executes in hidden mode [2]. This command requires two messages: the first for the command and the second for the PowerShell command to execute [5].
- /persist: Ensures persistence by relaunching itself under “C:\Windows\Temp\svchost.exe.”
- /selfdestruct: Deletes itself and terminates its process.
- /screenshot: Although included in the code, this command is unimplemented and falsely reports that a screenshot has been captured [3].
Responses to commands are sent back to the Telegram channel using an encrypted send function [2] [5]. The use of Telegram as a C2 channel highlights the challenge for defenders [3]: attackers can leverage a legitimate platform for complex attacks while obscuring their activity within normal traffic [3]. This reflects a broader shift in the threat landscape in which attackers exploit trusted infrastructure [1], and signals further challenges for cybersecurity professionals [1]. Monitoring of this Golang backdoor’s evolution and of its tactics, techniques, and procedures (TTPs) is ongoing [5], particularly given its evasive C2 communications. The report also includes indicators of compromise (IoCs) that may assist in identifying this threat. The emergence of this Go-based malware indicates an increasing adoption of cloud services for C2 communications [1], which may extend to other platforms such as OneDrive, GitHub, and Dropbox [1].
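The behaviours described above (a copy of svchost.exe executing from C:\Windows\Temp instead of System32, Telegram Bot API traffic from a process that is not a Telegram client, and hidden PowerShell spawned by that process) are the observable points a defender can key on. The following is an added example, not code from the original report or from any of the cited sources: a small Python detector run over constructed Sysmon-style process-create and network-connect records. The field names, the sample events, the allow-list of expected Telegram clients, and the rule names are all assumptions chosen for illustration; in practice the allow-list and paths are tuned to the environment.

```python
import ntpath

# Constructed sample telemetry (not real data). Loosely modelled on Sysmon
# Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect) fields.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4321, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 1, "pid": 5120, "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Users\alice\Downloads\update.exe"},
    {"event_id": 3, "pid": 5120, "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event_id": 3, "pid": 7788, "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event_id": 1, "pid": 9001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Temp\svchost.exe"},
]

# Directories where the genuine svchost.exe lives (lower-cased, backslash form).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Telegram Bot API endpoint the backdoor polls.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Hypothetical allow-list of executables expected to talk to Telegram; tune per site.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}
# Staging directory the backdoor relocates itself into.
TEMP_DIR = r"c:\windows\temp"


def split_image(image):
    """Return (directory, basename) of a Windows path, case-folded for comparison."""
    return ntpath.split(ntpath.normcase(image))


def detect(events):
    """Apply three behavioural rules to a list of events; return a list of findings."""
    findings = []
    for ev in events:
        directory, base = split_image(ev["image"])
        if ev["event_id"] == 1:
            # Rule 1: a binary named svchost.exe running outside its legitimate directories.
            if base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
                findings.append({"rule": "svchost_outside_system32",
                                 "pid": ev["pid"], "image": ev["image"]})
            # Rule 2: PowerShell whose parent lives in C:\Windows\Temp (the /cmd handler).
            parent_dir, _ = split_image(ev["parent_image"])
            if base == "powershell.exe" and parent_dir.startswith(TEMP_DIR):
                findings.append({"rule": "powershell_spawned_from_temp",
                                 "pid": ev["pid"], "image": ev["parent_image"]})
        elif ev["event_id"] == 3:
            # Rule 3: Telegram Bot API traffic from a process that is not a known client.
            if (ev["dest_host"].lower() in TELEGRAM_API_HOSTS
                    and base not in EXPECTED_TELEGRAM_CLIENTS):
                findings.append({"rule": "telegram_api_from_unexpected_process",
                                 "pid": ev["pid"], "image": ev["image"]})
    return findings


def correlate(findings):
    """Return the set of PIDs that triggered two or more distinct rules.

    A single rule can fire on benign activity; the same process both
    masquerading as svchost.exe and polling api.telegram.org is far stronger.
    """
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["rule"]:40} pid={h["pid"]} image={h["image"]}')
    print("high-confidence pids:", sorted(correlate(hits)))
```

Run against the constructed events, the detector flags PID 5120 twice (wrong svchost.exe location and Telegram API traffic) and PID 9001 once (PowerShell with a parent in C:\Windows\Temp); the correlation step then promotes only PID 5120, while the legitimate svchost.exe in System32 and the desktop Telegram client produce no findings.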
Conclusion
The emergence of this Golang-based backdoor malware underscores an evolving threat landscape in which attackers increasingly abuse trusted platforms such as Telegram for malicious purposes, complicating detection and mitigation for cybersecurity professionals. Countering these threats requires continuous monitoring and analysis of such malware, and the inclusion of indicators of compromise (IoCs) in reports can aid early detection and response. As attackers continue to adopt cloud services for C2 communications, defensive strategies must adapt accordingly, extending vigilance to other platforms such as OneDrive, GitHub, and Dropbox [1].
References
[1] https://hoploninfosec.com/protect-against-new-go-based-malware/
[2] https://cybersecuritynews.com/new-go-based-malware-exploits-telegram-and-use-it-as-c2-channel/
[3] https://cybermaterial.com/new-golang-malware-uses-telegram-bot-for-c2/
[4] https://news.backbox.org/2025/02/17/new-golang-based-backdoor-uses-telegram-bot-api-for-evasive-c2-operations/
[5] https://www.infosecurity-magazine.com/news/telegram-c2-channel-golang-malware/
[6] https://securityaffairs.com/174306/malware/golang-based-backdoor-uses-telegram-for-c2.html