Telegram is a popular, cross-platform cloud messaging service supporting text, file transfer, voice, video, and bot automation. While Telegram provides legitimate privacy and developer features, threat actors exploit the platform’s ecosystem for malware delivery, resilient command-and-control (C2), and private coordination.
The most common use of Telegram by threat actors is simply communication. Users can communicate through secret chats, channels, or group chats. Secret chats are the more secure option because they use end-to-end encryption, so only the sender and the recipient can read the messages. Threat actors can go a step further than private messaging with end-to-end encrypted voice chats and livestreams. Creating a chat bot lets a user issue moderation commands such as remove, ban, or mute on their behalf in a public channel or secret chat. Cross-device synchronization lets users communicate from their phone, laptop, or any other device that supports Telegram.
One recent example is a prominent threat collective that used Telegram as its primary public and private coordination channel; such groups announce operations, distribute stolen data, and migrate between channels when they are moderated or shut down. The case shows Telegram's role as a staging environment and coordination platform for high-profile campaigns. "Scattered Lapsus$ Hunters" announced that it was ceasing operations and shutting down its public Telegram channels in mid-September 2025.
Telegram is an effective communication application that allows companies and their users to communicate instantaneously. It is important to understand how spyware can be delivered over the platform, which command-and-control tactics attackers use, and how the different communication methods provide different levels of security.
Beyond communication, Telegram can also be used to control malware on an infected endpoint. Threat intelligence indicates that stealers such as Raven Stealer leverage Telegram as part of their command-and-control infrastructure. The Telegram Bot API or channels can be used to host HTTP-based C2 endpoints and to receive exfiltrated data.
Attackers can leverage the Telegram Bot API, the interface developers use to create and manage bots. The Bot API allows external applications to interact with Telegram users through automation. When creating a bot, developers or attackers decide what the bot will do, and this can include sending messages in many forms. Links, photos, data files, and mimicked applications are just a few of the delivery methods these bots can use.
Bots are driven by commands. Custom commands could, for example, include self-destruction of the bot itself. All of these commands arrive through the C2 connection over Telegram. Bots are an effective way to distribute spyware and malicious data, and they can infiltrate and exfiltrate information quickly. For example, Raven Stealer makes an HTTPS POST to hxxps://api.telegram[.]org/bot<token>/sendMessage (or /sendDocument) with chat_id=<id> and the stolen data in the text field (or as an attached file), allowing near-real-time exfiltration to the adversary's Telegram account. Once the malware is installed, the bot controls whatever data the attacker wishes to exfiltrate. This typically goes unnoticed because the traffic rides over an already trusted and encrypted channel.
In addition to leveraging Telegram for communication and command and control, attackers also use the platform to spread malware to other Telegram users. Attackers often get spyware onto people's devices through Telegram in a few straightforward ways. Sometimes they trick users into installing fake "upgraded" versions of Telegram from outside the official app store; the apps look useful to the intended victim but silently install spyware. More commonly, they use social engineering tactics such as pretending to be a friend who needs help, posing as tech support and asking for your password, or sending urgent-sounding messages that push you to click a link. They also use Telegram bots to automatically send phishing links or to impersonate someone you trust. All of these tactics are designed to get you to run a file or give up credentials so that malware can be installed.
Overall, the clear message to companies is that if Telegram is not required for business operations, it should not be allowed anywhere on the network. Companies can search for activity across their organization using the CIDR ranges and domains associated with Telegram. A KQL rule is also available below for those searching for this activity in Microsoft Defender for Endpoint.
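As an added illustration of the hunting approach described above (this is example code, not the article's own KQL rule or any vendor tooling), the following Python script scans constructed web-proxy records for the Bot API call pattern that Raven Stealer uses, `api.telegram.org/bot<token>/sendMessage` or `/sendDocument`, and rates each hit so an analyst can triage exfiltration-style calls first. The proxy log format, the sample records, the bot tokens, and the minimum token length in the regex are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Bot API URL shape documented by Telegram: https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". The minimum secret length is an
# assumption chosen to avoid false positives on unrelated /bot... paths.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)")
API_HOSTS = {"api.telegram.org"}
EXFIL_METHODS = {"sendMessage", "sendDocument"}   # methods the article ties to exfiltration
TASKING_METHODS = {"getUpdates"}                  # polling used to fetch operator commands

@dataclass(frozen=True)
class Finding:
    src_ip: str
    bot_id: str
    method: str
    severity: str
    token_hint: str  # redacted; never copy a full bot token into a ticket or SIEM

def analyse_line(line: str) -> "Finding | None":
    """Parse one constructed proxy record: '<ts> <src_ip> <verb> <host> <path> <status>'."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed record: skip it rather than abort the whole scan
    _ts, src_ip, _verb, host, path, _status = parts
    if host.lower() not in API_HOSTS:
        return None
    m = BOT_PATH.match(path.split("?", 1)[0])  # drop the query string (chat_id, text)
    if not m:
        return None
    method = m.group("method")
    severity = "high" if method in EXFIL_METHODS else "medium" if method in TASKING_METHODS else "low"
    token_hint = f"{m.group('bot_id')}:{m.group('secret')[:4]}..."
    return Finding(src_ip, m.group("bot_id"), method, severity, token_hint)

def scan(lines) -> list:
    # One Finding per record that hits the Bot API, in log order.
    return [f for f in map(analyse_line, lines) if f is not None]

# Constructed sample records (not real traffic; the bot tokens are made up).
SAMPLE_LOG = """\
2025-09-15T10:02:11Z 10.1.2.3 POST api.telegram.org /bot123456789:AAHa1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6/sendDocument 200
2025-09-15T10:02:15Z 10.1.2.3 GET api.telegram.org /bot123456789:AAHa1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6/getUpdates?timeout=30 200
2025-09-15T10:03:40Z 10.1.2.9 GET telegram.org / 200
2025-09-15T10:04:02Z 10.1.2.7 POST api.telegram.org /bot987654321:BBGzz99zz88zz77zz66zz55zz44zz33zz22z/sendMessage?chat_id=42 200
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src_ip:10} bot={f.token_hint} method={f.method}")
```

Because the token is redacted to the bot id plus a short prefix, findings from different hosts can still be grouped by bot without storing the secret, which is what you would pivot on when the same implant is present on several endpoints.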