New Different Hacking Attack Vectors Against Telegram Channels
During the last weeks, I became a target of several hacking attacks as the admin of a Telegram channel (if you don't know, Telegram is not only a messenger but a kind of social media with public channels. It is very popular in Russia, Belarus, Ukraine and Iran, and now it is also popular in Armenia).
We at CyberHUB analyzed the different attacks. We can state that these are well-organized and sometimes sophisticated hacking attempts.
Most likely all attacks were conducted by one hacking group.
We think the hacking group is most likely based in Russia (we have some proof, see below), but possibly in this case the group works as mercenaries.
We think it is most likely that the hackers are working on the orders of masterminds from Azerbaijan, because we know about at least 3 attacks (one was successful) against Armenian Telegram channels, and the attacks started in the period when the Azerbaijani army attacked the sovereign territory of Armenia.
We think it is important to show the vectors because these tactics can be used not only against Armenian channels. We have cases in which the same hacking group operated as mercenaries against Armenian organizations and as state-sponsored actors against the Russian opposition. So it is most likely that the same or similar scenarios can be used against Russian or Belarusian opposition channels or activists, Ukrainian media, etc.
So, let's see how they work:
Attack #1. Megavirus
A few weeks ago a nice lady contacted me on Telegram (the conversation was in Russian). She told me that she represented a startup that produces a video editor application, and that she would like to order a paid promotion of that video editor on my Telegram channel.
The interesting part was that, according to her, the video editor would become a mobile application in the near future, but right now there was only a Chrome extension, and I needed to install it from a file.
I got a .rar compressed file. A very tiny file, smaller than 200 KB:
The strange things started after decompression. The file expanded to more than 700 MB:
The file was full of 0s, to make it extra-large after decompression.
The main reason is obfuscation, but another possible reason is to make it impossible to upload the file to VirusTotal because of its 600 MB limit. At the moment of the attack, only 2 security systems recognized the file as a threat. It is still recognized by most security systems as a safe file. Here is a link to the trojan on VirusTotal. However, analysis shows that it is a credential-stealer trojan with a C2 server in Russia.
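As an added example (not from the original post or from CyberHUB), here is a Python triage check for the padding trick described above: it measures how much an archive grows on unpacking, what fraction of the unpacked bytes are zeros, and whether the result exceeds the 600 MB upload limit. The thresholds and the zlib-compressed sample data are constructed stand-ins for the real .rar file.

```python
import zlib

# Thresholds are assumptions for this illustration, not values from the post.
MAX_COMPRESSION_RATIO = 100.0   # decompressed/compressed above this is abnormal
MAX_NULL_BYTE_RATIO = 0.90      # more than 90% 0x00 bytes means padding
SCANNER_UPLOAD_LIMIT = 600 * 1024 * 1024  # the 600 MB VirusTotal limit from the post


def null_byte_ratio(data: bytes) -> float:
    """Fraction of bytes equal to 0x00; a padded file is almost entirely zeros."""
    return data.count(0) / len(data) if data else 0.0


def compression_ratio(compressed_size: int, decompressed_size: int) -> float:
    """How many times the archive grows when unpacked."""
    if compressed_size <= 0:
        return float("inf")
    return decompressed_size / compressed_size


def assess(compressed_size: int, decompressed: bytes) -> dict:
    """Combine the three signals to check before opening anything from an unknown sender."""
    ratio = compression_ratio(compressed_size, len(decompressed))
    nulls = null_byte_ratio(decompressed)
    return {
        "compression_ratio": ratio,
        "null_byte_ratio": nulls,
        "exceeds_scanner_limit": len(decompressed) > SCANNER_UPLOAD_LIMIT,
        "suspicious": ratio > MAX_COMPRESSION_RATIO or nulls > MAX_NULL_BYTE_RATIO,
    }


def padded_sample(pad_len: int = 8 * 1024 * 1024) -> tuple:
    """Constructed stand-in: 4 KB of non-zero content followed by pad_len zero bytes."""
    payload = bytes(range(256)) * 16 + b"\x00" * pad_len
    return len(zlib.compress(payload, 9)), payload


def ordinary_sample() -> tuple:
    """Constructed stand-in for a normal file: the same 4 KB content, no zero padding."""
    payload = bytes(range(256)) * 16
    return len(zlib.compress(payload, 9)), payload


if __name__ == "__main__":
    for name, (size, data) in (("padded", padded_sample()), ("ordinary", ordinary_sample())):
        print(name, assess(size, data))
```

On the sizes quoted in the post (under 200 KB growing to over 700 MB) the ratio alone is in the thousands, so the check fires long before anything is executed.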
Attack #2. Megavirus returns
The second lady came with another advertisement proposal. This time it was a new VPN (since the war in Ukraine, VPNs have become a trendy topic in Russia, which is blocking a lot of platforms like Instagram).
The second trojan was again an obfuscated small .rar file which after unpacking grew to a 750 MB giant. This time it was not such a smart trojan and was detected by most security vendors as malware. Here is a link to the file data on VirusTotal.
For those who are interested, I am posting screenshots of my conversation with the hacker (in Russian).
Attack #3. Phishing payment site
A few days later the next pretty lady contacted me with a proposal for an advertisement. This time it was an English language course (again something popular in Russia after the war in Ukraine started and a lot of people migrated to other countries). The hacker started this conversation on behalf of a normal company providing training.
The hacker suggested registering on a special platform to receive payments. The first link she sent me was already blocked. The second was working at that moment. It had been registered 2–3 weeks before our conversation:
The site asked me to register as a Telegram user (Telegram allows this, like Facebook or Google logins do). After I provide my phone number, a code is sent to me, and the site asks for that code. And voila, they steal my account.
Here are screenshots of the conversation:
Attack #4. The burglar bot
After a few days, the next lady came. This time the conversation was in English (maybe they decided that it would make it look more serious).
This time she asked about the demographic stats of my channel (Telegram is not Facebook; it does not provide such information). According to the lady, a special bot could gather this info, and I just needed to allow it to gather that information.
What this means: I grant the bot privileges to become an admin of my channel. Then the bot throws me out and becomes the one and only admin.
You can see that the hacker logged in from Russia:
Attack #5. Better bots with blackjack
The next lady-hacker came on behalf of the prominent Russian bank Tinkoff. Again it was all about advertising placement.
And she sent me a link to a Telegram bot mimicking Tinkoff's real bot.
The bot was well-designed, with a lot of features and steps. So for a second I really thought that possibly it was not only evil hackers offering me money:
As you can see, the bot is designed not only to steal Telegram accounts and channels but also bank card data.
So I needed only 2 minutes to make sure that this was a fake bot: I just asked the bank's support a question on Twitter:
BTW, the lady-hacker was angry and continued to message me.