Telegram-as-a-C2 or a Fourfold Tale of Bad OPSEC

Botconf 2024
2024-04-25 | 15:40 – 16:10

Pol Thill 🗣

In recent times, Telegram Bots have emerged as a prominent Command and Control (C2) mechanism, gaining popularity among threat actors for their resilience against takedowns, user-friendly setup, and versatile configuration options. Both Advanced Persistent Threats (APTs) and cybercrime actors have started incorporating Telegram-as-a-C2 into their arsenal, deploying it in innovative and distinctive ways.

From DarkPink to Neo_Net, YoroTrooper to DuckTail, threat actors across the spectrum have embraced Telegram-as-a-C2, often at the expense of sound operational security (OPSEC) practices. Unique characteristics in the functioning of Telegram Bots, combined with weak threat actor OPSEC, provide cybersecurity researchers with a unique opportunity to gain insights into malicious operations and the individuals orchestrating them.

This talk aims to delve deeper into the inner workings of the Telegram-as-a-C2 mechanism, shedding light on its functionalities and its use in current malware ecosystems. Moreover, we will explore how researchers can leverage Telegram Bots to acquire valuable intelligence on victim targeting, Tactics, Techniques, and Procedures (TTPs), and the identities of threat actors. Join me in uncovering the hidden facets of Telegram-as-a-C2 and harnessing this knowledge to bolster cybersecurity defenses against this emerging threat landscape.
