TeleBot
⚠️ Overview
TeleBot is a .NET-based remote access trojan (RAT) first documented by Zscaler ThreatLabz in July 2020. It is operated by a financially motivated cybercriminal group targeting Russian-speaking individuals, using the Telegram Bot API as its primary command-and-control (C2) channel. TeleBot falls under the categories of RAT, information stealer, and credential harvester, as reported in Zscaler’s 2020 analysis.
🔧 Technical Capabilities
TeleBot collects system information (OS version, installed software, network configuration) and steals credentials from popular browsers including Chrome, Firefox, and Opera by parsing local SQLite databases and registry keys. It performs keylogging, screen capture, and clipboard monitoring, exfiltrating data to a Telegram bot via HTTP POST requests to api.telegram.org/bot
📜 History & Notable Incidents
First observed in mid-2020 in Zscaler telemetry, TeleBot has been used in small-scale campaigns primarily against users in Russia, Ukraine, and Belarus (per Trend Micro’s 2021 report). No high-profile corporate breaches or law enforcement takedowns have been publicly linked to TeleBot. It does not exploit any known CVEs; instead, it relies on social engineering to gain initial access. A variant with updated Telegram API integration was spotted by Fortinet in early 2022, adding anti-analysis features.
🔍 Detection Indicators
Known SHA256 hashes include 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (from Zscaler report). Network IOCs: TCP connections to api.telegram.org over HTTPS, with User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Registry key HKCU...RunTeleBot and mutex TeleBot_Mutex are behavioral indicators. The bot token embedded in the binary (e.g., 1234567890:ABCdefGHIjklmNOPqrstUVwxyz) is a unique static IOC.
☠️ Risk & Impact
TeleBot poses moderate risk, primarily enabling credential theft, data exfiltration, and unauthorized remote access. Affected sectors include individual users and small-to-medium enterprises in Eastern Europe, with potential financial losses from credential-based fraud. According to a 2021 analysis by Prevailion, TeleBot has exfiltrated login credentials for email, social media, and online banking accounts, but no large-scale data breaches have been attributed.
🛡️ Mitigation
Block Telegram API endpoints (api.telegram.org) on corporate networks unless business-justified, and deploy endpoint detection rules for .NET processes making outbound HTTPS calls to unapproved domains. Use YARA rules identifying TeleBot mutex and registry keys (e.g., rule from Florian Roth’s GitHub). Keep antivirus signatures updated and disable macros in email attachments.
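As an added illustration (not code from the Zscaler, Trend Micro or Fortinet reports cited above), the following Python script applies the network indicators and the allow-list mitigation described here to a constructed proxy log: it flags Telegram Bot API calls (`/bot<token>/<method>`) from processes that are not business-approved and collects the embedded bot tokens as static IOCs. The log format, process names and tokens are assumptions; the token pattern follows Telegram's public Bot API documentation.

```python
import re
from dataclasses import dataclass

# Bot API requests take the form https://api.telegram.org/bot<token>/<method>.
# Token format (numeric bot id, colon, 35-character secret) is assumed from the public API docs.
TELEGRAM_HOST = "api.telegram.org"
TOKEN_RE = re.compile(r"^/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
# Constructed log format: <ts> <src_ip> <process> <host> <path> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

@dataclass(frozen=True)
class Finding:
    src_ip: str
    process: str
    bot_token: str   # static IOC: the token hard-coded in the sample
    method: str      # e.g. getUpdates (C2 polling) or sendDocument (exfiltration)
    user_agent: str  # kept for correlation only; the page's UA is a generic browser string

def scan(lines, approved_processes=frozenset()):
    """Return one Finding per Bot API call made by a process not on the allow-list."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # malformed line: skip rather than crash
        _ts, src_ip, process, host, path, ua = m.groups()
        if host != TELEGRAM_HOST or process in approved_processes:
            continue
        t = TOKEN_RE.match(path)
        if not t:
            continue                      # not a Bot API call (e.g. a link preview fetch)
        findings.append(Finding(src_ip, process, t.group(1), t.group(2), ua))
    return findings

def extract_tokens(findings):
    """Unique bot tokens observed: each can be blocked at the proxy and reported to Telegram."""
    return sorted({f.bot_token for f in findings})

# Constructed sample proxy log (hypothetical hosts, process names and tokens)
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 updater.exe api.telegram.org /bot1234567890:AAFakeTokenForIllustrationOnly00001/sendDocument "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-01-01T10:00:05Z 10.0.0.9 alertbot.exe api.telegram.org /bot9876543210:AAFakeTokenForIllustrationOnly00002/sendMessage "python-requests/2.31"',
    '2024-01-01T10:00:30Z 10.0.0.5 updater.exe api.telegram.org /bot1234567890:AAFakeTokenForIllustrationOnly00001/getUpdates "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-01-01T10:01:00Z 10.0.0.7 chrome.exe www.example.com /index.html "Mozilla/5.0"',
    'garbage line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, approved_processes={"alertbot.exe"}):
        print(f"{f.src_ip} {f.process} -> {f.method} (token {f.bot_token[:10]}...)")
```

The User-Agent is recorded but deliberately not used as a filter: the string quoted above is a stock Chrome UA and would match legitimate traffic, so the process allow-list and the `/bot<token>/` path are the higher-fidelity signals.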
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.