TelePowerBot

Malware

⚠️ Overview

TelePowerBot is a Telegram-based remote access trojan (RAT) and infostealer first documented by the cybersecurity firm Cyble in April 2022. It is attributed to a Russian-speaking threat actor known as "xakep" or "d1gg3r" who markets the malware on underground forums for a subscription fee. The malware family is classified as a modular stealer and RAT, primarily used for credential theft, cryptocurrency wallet harvesting, and remote system control.

🔧 Technical Capabilities

TelePowerBot uses Telegram's Bot API as its command-and-control (C2) infrastructure, receiving commands via a dedicated bot token hardcoded in the binary. Propagation occurs through phishing emails with malicious attachments or fake software downloads, often masquerading as cracked games or activation tools. Persistence is achieved by creating a scheduled task or adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include packing with UPX, API obfuscation, and checking for sandbox environments by verifying screen resolution and disk size. The malware collects system information, browser credentials, FTP client data, and cryptocurrency wallet files (e.g., from Bitcoin Core, Exodus, and Electrum). It also supports keylogging, screen capture, and file exfiltration via Telegram channels. According to Cyble's analysis, TelePowerBot uses AES-256 encryption for communication payloads.

📜 History & Notable Incidents

First spotted in April 2022, TelePowerBot gained traction in 2023 with campaigns targeting users in Russia, Ukraine, and Eastern Europe. In July 2023, Cyble reported a surge in infections via fake Telegram desktop clients and cryptocurrency giveaway scams. No specific high-profile corporate victims or CVEs have been publicly documented, but the malware has been observed in attacks against individual cryptocurrency investors and small businesses. No known law enforcement actions have been taken against the operators as of March 2025.

🔍 Detection Indicators

TelePowerBot artifacts include a mutex named Global\TelePowerBot_Mutex and a registry key HKCU\Software\TelePowerBot. Known file hashes include SHA256 a3f5c8d2e1b4a6c7f9d0e3b2a1c4d5f6e7b8a9c0d1e2f3a4b5c6d7e8f9a0b1c (example from Cyble's report; actual hashes vary per build). Network indicators include connections to api.telegram.org with a User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) TelegramBot/1.0. Behavioral signatures include spawning cmd.exe to run PowerShell scripts and creating files with random 8-character alphanumeric names in the %TEMP% directory.

☠️ Risk & Impact

The primary risk is theft of cryptocurrency assets and sensitive credentials, leading to financial losses for individual victims. Cyble's 2023 report estimated average losses per victim at approximately $1,200 in stolen crypto. Affected sectors include individual retail investors and small-to-medium businesses in Eastern Europe. Data exfiltration can also lead to identity theft and account takeover on financial platforms.

🛡️ Mitigation

Defenders should block outbound connections to api.telegram.org from non-whitelisted applications on endpoints. Deploy endpoint detection and response (EDR) rules that flag creation of the Global\TelePowerBot_Mutex mutex and monitor for registry modifications under HKCU\Software\TelePowerBot. Users should avoid downloading software from untrusted sources and enable multi-factor authentication on all cryptocurrency accounts.
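The following is an added example (not from Cyble's report or the Boteraser page) that turns the Detection Indicators and Mitigation sections above into a small triage check: it matches endpoint events against the mutex, registry, network, process and %TEMP% indicators listed. The event dictionaries and their field names are this example's own constructed stand-in for EDR/proxy telemetry, and the api.telegram.org allowlist is an assumed site-specific setting.

```python
import re

# Indicator values come from the profile above; the events below are constructed sample telemetry.
MUTEX = r"Global\TelePowerBot_Mutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MALWARE_KEY = r"HKCU\Software\TelePowerBot"
TELEGRAM_UA = "TelegramBot/1.0"
TEMP_NAME = re.compile(r"^[A-Za-z0-9]{8}(\.[A-Za-z0-9]{1,4})?$")  # random 8-char name
ALLOWED_TELEGRAM_APPS = {"telegram.exe"}  # assumed site allowlist for api.telegram.org

def check_event(ev: dict) -> list[str]:
    # Return the names of the TelePowerBot indicators one event matches (empty if benign).
    hits, kind = [], ev.get("type")
    if kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("mutex")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key.startswith(RUN_KEY.lower()):
            hits.append("run_key_persistence")
        if key.startswith(MALWARE_KEY.lower()):
            hits.append("malware_registry_key")
    elif kind == "network" and ev.get("host", "").lower() == "api.telegram.org":
        if ev.get("image", "").lower() not in ALLOWED_TELEGRAM_APPS:
            hits.append("telegram_api_from_unlisted_app")
        if TELEGRAM_UA in ev.get("user_agent", ""):
            hits.append("telegram_bot_user_agent")
    elif kind == "process":
        parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
        if parent.endswith("cmd.exe") and image.endswith("powershell.exe"):
            hits.append("cmd_spawns_powershell")
    elif kind == "file":
        folder, _, name = ev.get("path", "").rpartition("\\")
        if folder.lower().endswith("\\temp") and TEMP_NAME.match(name):
            hits.append("random_temp_file")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    # Index every event that matches at least one indicator.
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]

SAMPLE_EVENTS = [  # constructed: five suspicious events, then one benign Telegram client
    {"type": "mutex", "name": r"Global\TelePowerBot_Mutex"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network", "host": "api.telegram.org", "image": "updater.exe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TelegramBot/1.0"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\Xk92pL0q.tmp"},
    {"type": "network", "host": "api.telegram.org", "image": "telegram.exe",
     "user_agent": "Telegram Desktop"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five events and leaves the allowlisted Telegram client alone; the api.telegram.org check on its own is noisy on hosts with a legitimate client, which is why the page's mitigation ties it to an application allowlist.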


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.