Adversaries are increasingly abusing Telegram as a command-and-control (“C2”) system to distribute malware into organizations, which can then be used to capture sensitive information from targeted systems.

“Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app.” A new multi-functional RAT called “ToxicEye” makes use of Telegram.

Not only is Telegram not blocked by enterprise antivirus engines, but the messaging app also allows attackers to remain anonymous, since the registration process requires only a mobile number, giving them access to infected devices from virtually any location in the world.

In the latest campaign, spread via phishing emails embedded with a malicious Windows executable file, ToxicEye uses Telegram to communicate with the C2 server and upload data to it. The malware also sports a range of exploits that allows it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer’s microphone and camera to record audio and video, and even encrypt files for a ransom.

The attack chain commences with the attacker creating a Telegram bot, which is then embedded into the RAT’s configuration file before the RAT is compiled into an executable. This .EXE file is then injected into a decoy Word document (“solution.doc”) that, when opened, downloads and runs the Telegram RAT (“C:\Users\ToxicEye\rat.exe”).
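The two observables described above (the payload path and Telegram traffic from machines where Telegram is not in use) can be hunted for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor. The pipe-separated log format, host names, the `telegram.org` domain suffix, and the `Telegram.exe` client name are assumptions, and the sample lines are constructed.

```python
import ntpath

# Payload path reported on the page, lower-cased for case-insensitive matching.
IOC_PATH = r"c:\users\toxiceye\rat.exe"
# Assumption: Telegram endpoints (including the Bot API) live under this domain.
TELEGRAM_SUFFIXES = ("telegram.org",)
# Assumption: binary name of the legitimate desktop client.
TELEGRAM_CLIENTS = {"telegram.exe"}

# Constructed sample telemetry: host|event|process image|target (path or DNS name).
SAMPLE = r"""
WS-01|dns|C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe|telegram.org
WS-02|file_create|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\ToxicEye\rat.exe
WS-02|dns|C:\Users\ToxicEye\rat.exe|API.Telegram.org.
WS-03|dns|C:\Windows\System32\svchost.exe|update.example.com
WS-04|dns|C:\Users\bob\Downloads\invoice.exe|api.telegram.org
"""

def parse(text):
    """Yield (host, event, image, target) tuples, skipping malformed lines."""
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 4:
            yield tuple(parts)

def hunt(text, hosts_with_telegram=frozenset()):
    """Return sorted (host, reason, image) findings for triage."""
    findings = set()
    for host, event, image, target in parse(text):
        # Check 1: the known payload path appears as a process image or a file target.
        if IOC_PATH in (image.lower(), target.lower()):
            findings.add((host, "toxiceye-path", image))
        # Check 2: Telegram lookups from anything but an inventoried Telegram client.
        if event == "dns":
            name = target.lower().rstrip(".")  # normalise case and trailing root dot
            exe = ntpath.basename(image).lower()
            is_tg = any(name == s or name.endswith("." + s) for s in TELEGRAM_SUFFIXES)
            legit = exe in TELEGRAM_CLIENTS and host in hosts_with_telegram
            if is_tg and not legit:
                findings.add((host, "telegram-traffic-without-client", image))
    return sorted(findings)

if __name__ == "__main__":
    for finding in hunt(SAMPLE, hosts_with_telegram={"WS-01"}):
        print(*finding, sep="  ")
```

`hosts_with_telegram` should come from a software inventory, so that sanctioned Telegram use does not bury the hosts that have no reason to talk to Telegram at all.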

This reflects a growing trend in which malware authors use the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations.