
A Golang-based backdoor is leveraging Telegram for command-and-control (C2) communications, making it harder to detect and mitigate. Cybersecurity researchers at Netskope Threat Labs have analyzed the malware, suggesting it may have Russian origins.
How the Golang Backdoor Works
According to security researcher Leandro Fróes, the malware is fully functional despite appearing to be under development. Once executed, it operates as a backdoor, allowing remote attackers to execute commands stealthily.
Upon launch, the malware checks whether it is running from a specific location and filename: “C:\Windows\Temp\svchost.exe.” If not, it copies itself to that path, launches the new copy and terminates the original process. This relocate-and-relaunch routine is intended to give the malware persistence and to help it evade security scans.
Telegram Bot API Used for C2 Operations
What makes this malware particularly stealthy is its use of the Telegram Bot API for C2 communications. The malware uses an open-source Golang library to interact with Telegram, so the operator can issue commands and receive results through a bot-controlled chat.
The malware currently supports four different commands, although one remains unimplemented:
/cmd – Executes system commands via PowerShell.
/persist – Ensures persistence by relaunching itself under “C:\Windows\Temp\svchost.exe.”
/screenshot – Placeholder command, not yet implemented.
/selfdestruct – Deletes itself from the system and terminates operations.
Each command’s output is relayed back to the attacker-controlled Telegram chat. Notably, the /screenshot command returns a message stating, “Screenshot captured,” despite lacking functionality.
Indicators of Russian Origin
One of the key signs pointing to the malware’s Russian connection is its use of the Russian language. The /cmd command prompts the user with “Enter the command:” in Russian, indicating that its authors or primary users might be Russian-speaking threat actors.

Why Attackers Use Telegram for Cyber Threats
Using cloud-based applications like Telegram provides cybercriminals with multiple advantages:
Evasion of traditional security tools – Since Telegram is a legitimate messaging platform, many security solutions fail to flag its usage.
Ease of setup – Attackers can quickly create and control bot accounts without requiring sophisticated infrastructure.
Global accessibility – Telegram works across multiple devices and locations, making it a reliable tool for cyber threats.
Mitigation
Given the growing trend of using cloud apps for cyberattacks, organizations must take proactive measures:
Monitor Network Traffic – Detect unusual outbound connections to Telegram API endpoints.
Restrict Telegram in Corporate Environments – If Telegram is not required, blocking access to it can reduce risks.
Endpoint Protection – Use advanced behavioral analysis tools to detect suspicious activities like unauthorized process creation and persistence mechanisms.
Educate Employees – Train staff on identifying phishing attempts and unauthorized software downloads.
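The two traits described above, a copy of svchost.exe running from C:\Windows\Temp and outbound requests to the Telegram Bot API, are both cheap to check for in endpoint and proxy telemetry. The Go program below is an added example, not code from Netskope or from the malware itself; it runs over a handful of constructed telemetry records (a simplified "kind|process|value" format that is an assumption of this example, not any product's log schema) and raises a finding for each trait. The Telegram token in the sample data is a made-up placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one alert produced by Analyze.
type Finding struct {
	Process string
	Reason  string
}

// Constructed sample telemetry (not real logs). Each record is
// "kind|process|value": kind "proc" carries an image path, kind "net" a URL.
var sampleEvents = []string{
	`proc|svchost.exe|C:\Windows\System32\svchost.exe`,
	`proc|svchost.exe|C:\Windows\Temp\svchost.exe`,
	`net|svchost.exe|https://api.telegram.org/bot123456:PLACEHOLDER/getUpdates`,
	`net|chrome.exe|https://www.example.com/`,
	`net|outlook.exe|https://api.telegram.org/bot987:PLACEHOLDER/sendMessage`,
}

// botURL matches the Telegram Bot API URL shape a bot uses to poll for
// commands and post results: https://api.telegram.org/bot<token>/<method>.
// Group 1 is everything up to the token so the token can be masked.
var botURL = regexp.MustCompile(`(?i)^(https?://api\.telegram\.org/bot)[^/]+/`)

// TelegramBotAPIURL reports whether the URL targets the Telegram Bot API.
func TelegramBotAPIURL(url string) bool {
	return botURL.MatchString(url)
}

// maskBotToken hides the bot token so the alert itself does not leak it.
func maskBotToken(url string) string {
	return botURL.ReplaceAllString(url, "${1}<redacted>/")
}

// SuspiciousProcessPath flags an image named svchost.exe that does not live
// in a Windows system directory; the genuine service host never runs from
// C:\Windows\Temp, which is exactly where this backdoor installs itself.
func SuspiciousProcessPath(name, imagePath string) bool {
	if !strings.EqualFold(name, "svchost.exe") {
		return false
	}
	p := strings.ToLower(imagePath)
	return !strings.HasPrefix(p, `c:\windows\system32\`) &&
		!strings.HasPrefix(p, `c:\windows\syswow64\`)
}

// Analyze walks the records and returns one Finding per matching trait.
func Analyze(events []string) []Finding {
	var out []Finding
	for _, ev := range events {
		parts := strings.SplitN(ev, "|", 3)
		if len(parts) != 3 {
			continue // malformed record: skip rather than fail the whole scan
		}
		kind, proc, val := parts[0], parts[1], parts[2]
		switch kind {
		case "proc":
			if SuspiciousProcessPath(proc, val) {
				out = append(out, Finding{proc, "svchost.exe running outside a system directory: " + val})
			}
		case "net":
			if TelegramBotAPIURL(val) {
				out = append(out, Finding{proc, "outbound Telegram Bot API request: " + maskBotToken(val)})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleEvents) {
		fmt.Printf("[ALERT] %-12s %s\n", f.Process, f.Reason)
	}
}
```

On the sample data this yields three findings: the svchost.exe copy in C:\Windows\Temp and the two processes talking to the Bot API, while the genuine System32 service host and ordinary web traffic pass. Matching the full `/bot<token>/` path rather than the bare domain matters for precision: an interactive Telegram client on a workstation does not normally use the Bot API endpoint, so hits on that path are a stronger signal than the domain alone, and masking the token keeps the alert from becoming a secret-leak of its own.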
Conclusion
The discovery of this Golang-based backdoor highlights how cybercriminals are evolving their tactics by leveraging mainstream applications like Telegram. As security defenses improve, attackers continue to exploit legitimate cloud services to evade detection. Organizations should remain vigilant, adopt strong cybersecurity practices, and implement strict access controls to counteract such emerging threats.