MaskGramStealer

Stealer

⚠️ Overview

MaskGramStealer is a Python-based information stealer first documented in early 2024 by Fortinet’s FortiGuard Labs and subsequently analyzed by Trend Micro and Cyware. It belongs to the stealer category, specifically targeting Telegram session files, password managers, and browser credentials. The malware is distributed through phishing campaigns disguised as job recruitment offers, particularly targeting users in the Middle East and South Asia.

🔧 Technical Capabilities

MaskGramStealer exfiltrates Telegram Desktop session data (tdb files) by scanning the `%AppData%\Telegram Desktop\tdata` directory, which lets attackers hijack active Telegram accounts without having to pass multifactor authentication. It also harvests credentials from Chromium-based browsers (Chrome, Edge, Brave) by parsing the Login Data SQLite database. Persistence is achieved through a scheduled task named “MaskGramUpdate” that runs at system startup. C2 communication occurs over HTTPS to attacker-controlled domains using encoded JSON payloads, and the malware employs base64 obfuscation and anti-debugging checks to evade sandbox analysis. It also captures screenshots with the Python library Pillow and exfiltrates system metadata including hostname, OS version, and installed antivirus products.

📜 History & Notable Incidents

First observed in January 2024, MaskGramStealer was linked to a campaign targeting cryptocurrency professionals via fake interview invitations on Telegram and LinkedIn. In March 2024, a variant was found exploiting CVE-2024-1709 (ScreenConnect authentication bypass) to gain initial access, though this was opportunistic use of the vulnerability rather than an exploit built into the malware. No major law enforcement actions have been reported as of mid-2025, but threat intelligence firms have published multiple detection rules mapped to MITRE ATT&CK techniques (e.g., T1115 for clipboard data collection, T1555.003 for credential stealing).

🔍 Detection Indicators

Known file hashes include SHA256 9e8c7f... (multiple variants exist; see FortiGuard report). Behavioral indicators include writes to `C:\Users\<username>\AppData\Roaming\Telegram Desktop\tdata` and the creation of a scheduled task named “MaskGramUpdate”. Network IOCs include the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36” used for C2 POST requests to domains such as cloud-api[.]live and update-telegram[.]org.
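A small triage filter over the indicators above, as an added example that is not from this page or from the vendor reports it cites. The normalised event schema (`type`, `task_name`, `path`, `process`, `host`, `method`, `user_agent`) and the sample events are constructed for illustration; the domains are refanged from the defanged forms above, and the stock Chrome User-Agent is deliberately only used to corroborate a C2 domain hit, never as an indicator on its own.

```python
import re

# Indicators quoted from the "Detection Indicators" section (domains refanged).
C2_DOMAINS = {"cloud-api.live", "update-telegram.org"}
TASK_NAME = "MaskGramUpdate"
TDATA_PATH_RE = re.compile(r"\\Telegram Desktop\\tdata(\\|$)", re.IGNORECASE)
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def classify_event(event):
    """Return the MaskGramStealer indicators matched by one normalised telemetry event."""
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task" and event.get("task_name") == TASK_NAME:
        hits.append("persistence:scheduled_task")
    elif kind == "file" and TDATA_PATH_RE.search(event.get("path", "")):
        # Telegram itself touches tdata constantly; another process doing so is the signal.
        if event.get("process", "").lower() != "telegram.exe":
            hits.append("credential_access:telegram_tdata")
    elif kind == "http" and event.get("host", "").lower() in C2_DOMAINS:
        hits.append("c2:known_domain")
        # The UA is a stock Chrome 120 string, so alone it proves nothing; it only
        # corroborates a POST that already went to a listed C2 domain.
        if event.get("method") == "POST" and event.get("user_agent") == C2_USER_AGENT:
            hits.append("c2:ua_match")
    return hits


def scan(events):
    """Run every event through classify_event; return [(event_id, hits)] for matches only."""
    alerts = []
    for event in events:
        hits = classify_event(event)
        if hits:
            alerts.append((event["id"], hits))
    return alerts


# Constructed sample telemetry (not real logs): three true positives and two benign events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "scheduled_task", "task_name": "MaskGramUpdate", "process": "python.exe"},
    {"id": 2, "type": "file", "process": "python.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"id": 3, "type": "file", "process": "Telegram.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\settingss"},
    {"id": 4, "type": "http", "method": "POST", "host": "cloud-api.live", "user_agent": C2_USER_AGENT},
    {"id": 5, "type": "http", "method": "GET", "host": "example.org", "user_agent": C2_USER_AGENT},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```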

☠️ Risk & Impact

Compromised Telegram accounts can lead to lateral social engineering attacks, cryptocurrency theft, and sensitive message exfiltration. The stealer primarily targets individual users in finance, technology, and journalism sectors. Financial losses from stolen crypto assets reported in several incident response cases range from $5,000 to $500,000 per victim.

🛡️ Mitigation

Enable Telegram two-factor authentication and revoke active sessions regularly. Deploy endpoint detection rules for process memory access to browser credential stores (MITRE ATT&CK T1003.001) and restrict outbound HTTPS to known malicious domains via threat intelligence feeds. Use application whitelisting to block execution of Python scripts from user-writable directories.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.