Unidentified PS 005 (Telegram Bot)
⚠️ Overview
Unidentified PS 005 (Telegram Bot) is a modular information stealer and remote access trojan (RAT) first documented in early 2023 by Zscaler ThreatLabz. It is sold as a Telegram-bot-controlled malware-as-a-service (MaaS) on cybercrime forums by an unknown threat actor using the alias "PseudoStealer". The malware is primarily a credential stealer with keylogging and clipboard-hijacking capabilities, and it targets Windows systems through phishing campaigns that impersonate service providers.
🔧 Technical Capabilities
The malware is delivered through spear-phishing emails carrying Microsoft Office documents with embedded VBA macros that download the payload from a remote server. Reported secondary vectors are exploit kits leveraging CVE-2023-23397 (Microsoft Outlook elevation of privilege, disclosed March 2023) and CVE-2023-38831 (WinRAR arbitrary code execution, patched August 2023). Command-and-control (C2) relies exclusively on the Telegram Bot API (a bot token plus a chat ID), so all C2 traffic is HTTPS to api.telegram.org and blends in with legitimate use of the service rather than tripping perimeter filters; because the Bot API places the token in the URL path of every request, the traffic is nonetheless easy to single out in decrypted proxy logs. Persistence is achieved via a scheduled task created under the current user account (a Run-key entry is also listed under Detection Indicators below). Evasion techniques include obfuscated PowerShell scripts that disable Windows Defender through the registry policy value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, a setting Microsoft discontinued in 2020 and which current Defender Antivirus builds ignore, so this step mainly affects older or unmanaged hosts. The malware also injects itself into legitimate processes (e.g., explorer.exe) using process hollowing.
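The following script, an added example and not code from the vendor report or from the malware, shows how the Bot API C2 described above is picked out of web-proxy logs: it parses each line, recognises the https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt; URL shape, extracts the bot ID, and flags non-allowlisted hosts, the reported User-Agent string, and upload methods through which data would leave. The log layout, the allowlist, the bot token and the sample lines are all constructed for illustration.

```python
"""Spot Telegram Bot API command-and-control in web-proxy logs.

Added example: the log format, the allowlist, the token and the sample lines
below are constructed for illustration and are not indicators from the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Bot API requests look like https://api.telegram.org/bot<token>/<method>.
# A token is "<numeric bot id>:<35-character secret>", so the whole token is
# visible in the URL path and can be pulled straight out of a proxy log.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
PS005_UA = "Python-urllib/3.9"                                 # reported for early samples
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}  # data leaves via these
ALLOWLIST = {"10.0.5.21"}  # assumed: hosts with a business need for the Bot API

# Assumed log layout: <timestamp> <client ip> <verb> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Hit:
    src: str
    bot_id: str            # numeric half of the token: enough to block or report
    method: str
    reasons: List[str] = field(default_factory=list)


def analyse_line(line: str) -> Optional[Hit]:
    """Return a Hit for suspicious Bot API use, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _verb, url, ua = m.groups()
    t = TOKEN_RE.search(url)
    if not t or src in ALLOWLIST:
        return None  # not Bot API traffic, or an approved integration host
    token, method = t.groups()
    reasons = ["Bot API use from non-allowlisted host"]
    if ua == PS005_UA:
        reasons.append("PS005 User-Agent")
    if method in UPLOAD_METHODS:
        reasons.append(f"possible exfiltration via {method}")
    return Hit(src, token.split(":", 1)[0], method, reasons)


def analyse(lines: List[str]) -> List[Hit]:
    return [h for h in map(analyse_line, lines) if h is not None]


def bot_ids(hits: List[Hit]) -> List[str]:
    """Distinct bot ids seen, e.g. for a takedown request or a proxy block rule."""
    return sorted({h.bot_id for h in hits})


# Constructed sample log (not real traffic). The secret is exactly 35 characters.
SAMPLE_LOG = [
    # approved integration host: ignored even though it uploads
    '2023-05-04T10:02:11Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAHx3kq_Zf9vQ8L0pW2rT4yU6iO8pA0sD2f/sendMessage "TeamAlertBot/1.0"',
    # workstation polling the bot for operator commands
    '2023-05-04T10:02:40Z 10.0.7.44 GET https://api.telegram.org/bot123456789:AAHx3kq_Zf9vQ8L0pW2rT4yU6iO8pA0sD2f/getUpdates "Python-urllib/3.9"',
    # same workstation pushing a file out
    '2023-05-04T10:03:02Z 10.0.7.44 POST https://api.telegram.org/bot123456789:AAHx3kq_Zf9vQ8L0pW2rT4yU6iO8pA0sD2f/sendDocument "Python-urllib/3.9"',
    # ordinary browsing of web.telegram.org: not Bot API traffic
    '2023-05-04T10:03:30Z 10.0.9.2 GET https://web.telegram.org/k/ "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit.src, hit.bot_id, hit.method, "; ".join(hit.reasons))
    print("bot ids:", bot_ids(analyse(SAMPLE_LOG)))
```

Only the numeric bot ID is retained in the output; the secret half of the token stays in the raw log, which keeps analysts' tickets from becoming a second copy of a live credential. The matching requires decrypted URLs, so it belongs on a TLS-inspecting proxy or in EDR network telemetry, not on a plain firewall that only sees the IP of api.telegram.org.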
📜 History & Notable Incidents
First observed in January 2023, the malware was used in a campaign targeting European financial-services employees in Q2 2023, with over 1,200 unique samples submitted to VirusTotal according to a Zscaler report (June 2023). No high-profile victims have been publicly named, and no law enforcement actions have been reported. The malware exploits no zero-day vulnerabilities; it relies on the publicly known CVEs above for initial access.
🔍 Detection Indicators
The hash given in the source, 3F2A1B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F, is an illustrative placeholder (it is only 62 hexadecimal characters long, so it is not even a well-formed SHA256); real per-campaign hashes vary and should be taken from the vendor report rather than from this page. Behavioral indicators include outbound HTTPS connections to api.telegram.org with the User-Agent string "Python-urllib/3.9" and creation of a mutex named "Global\PS005Mutex". Registry persistence is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name "TelegramServiceUpdate". Network IOCs include source addresses from anonymising infrastructure; the example range cited by the source, 185.220.100.0/22, is publicly listed as Tor exit nodes rather than residential proxies, so blocking on it will also catch unrelated Tor traffic and should not be treated as a family-specific indicator.
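The host-side indicators above (Run-key value, mutex name) together with the Defender policy write and scheduled-task persistence described under Technical Capabilities map naturally onto EDR or Sysmon-style telemetry. The following is an added example, not code from the source or from any vendor product: it normalises registry paths (which are case-insensitive and appear with either long or short hive names), decodes PowerShell -EncodedCommand arguments so the obfuscated Defender-disabling script is visible, and reports which rule and ATT&CK technique each event trips. The event schema, the rule names, the triage threshold and the sample events are assumptions constructed for illustration.

```python
"""Match host telemetry against the PS005 indicators listed on this page.

Added example: event dicts imitate Sysmon/EDR records; the schema, rule names
and sample events are constructed and not taken from any real host.
"""
import base64
import re
from typing import Callable, Dict, List, Tuple


def norm_key(key: str) -> str:
    """Registry paths are case-insensitive and logged with long or short hives."""
    k = key.strip().lower().replace("/", "\\")
    for long_hive, short in (("hkey_current_user", "hkcu"), ("hkey_local_machine", "hklm")):
        if k.startswith(long_hive):
            k = short + k[len(long_hive):]
    return k


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), else ''."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


RUN_KEY = norm_key(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
DEFENDER_POLICY = norm_key(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender")


def run_key_persistence(ev: Dict) -> bool:
    return (ev.get("event") == "registry_set"
            and norm_key(ev.get("key", "")) == RUN_KEY
            and ev.get("value_name", "").lower() == "telegramserviceupdate")


def defender_disabled(ev: Dict) -> bool:
    """Either the direct registry write or the encoded PowerShell that performs it."""
    if ev.get("event") == "registry_set":
        return (norm_key(ev.get("key", "")) == DEFENDER_POLICY
                and ev.get("value_name", "").lower() == "disableantispyware"
                and str(ev.get("data")) == "1")
    if ev.get("event") == "process_create":
        return "disableantispyware" in decode_encoded_command(ev.get("cmdline", "")).lower()
    return False


def ps005_mutex(ev: Dict) -> bool:
    return ev.get("event") == "mutex_create" and ev.get("name", "").lower() == r"global\ps005mutex"


def scheduled_task_created(ev: Dict) -> bool:
    return (ev.get("event") == "process_create"
            and ev.get("image", "").lower().endswith("schtasks.exe")
            and "/create" in ev.get("cmdline", "").lower())


# (rule name, ATT&CK technique, predicate); the mutex is a family artifact, not a technique
RULES: List[Tuple[str, str, Callable[[Dict], bool]]] = [
    ("ps005_run_key", "T1547.001", run_key_persistence),
    ("defender_policy_disable", "T1562.001", defender_disabled),
    ("ps005_mutex", "n/a", ps005_mutex),
    ("schtasks_create", "T1053.005", scheduled_task_created),
]


def triage(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(event index, rule name, technique) for every rule each event trips."""
    return [(i, name, tech) for i, ev in enumerate(events)
            for name, tech, pred in RULES if pred(ev)]


def host_compromised(events: List[Dict]) -> bool:
    """Assumed triage threshold: two distinct PS005 behaviours on one host."""
    return len({name for _, name, _ in triage(events)}) >= 2


# Constructed sample events. The encoded command is built here so the block is self-contained.
_SCRIPT = 'Set-ItemProperty "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name DisableAntiSpyware -Value 1'
ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "TelegramServiceUpdate", "data": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"event": "mutex_create", "name": r"Global\PS005Mutex"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn TelegramServiceUpdate /tr C:\Users\u\AppData\Roaming\svc.exe"},
    {"event": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "data": 1},
]

if __name__ == "__main__":
    for idx, rule, tech in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({tech})")
    print("host compromised:", host_compromised(SAMPLE_EVENTS))
```

The value-name and mutex matches are exact-string indicators and will stop working the moment the operator renames them; the encoded-command decoding and the Defender policy-key watch are behavioural and survive such changes, which is why a triage verdict here requires two different rule families rather than any single hit.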
☠️ Risk & Impact
The malware exfiltrates browser credentials (Chrome, Edge, Firefox), clipboard content, and Telegram session files, leading to account takeovers and data breaches. The primary impact is credential theft in targeted industries, especially finance and technology, with estimated financial losses per incident of $10,000 to $50,000 according to incident-response reports attributed to CrowdStrike. No ransomware or destructive payloads had been observed in this family as of 2025.
🛡️ Mitigation
Recommended defenses include restricting outbound HTTPS to api.telegram.org to an allowlist of hosts with a business need (this requires TLS inspection or SNI/DNS filtering, since at the IP level the C2 is indistinguishable from legitimate Telegram use), applying patches for CVE-2023-23397 and CVE-2023-38831, and deploying YARA rules for the PS005 obfuscated PowerShell loaders. Microsoft Defender for Endpoint is reported to carry a behavioural detection named "TelegramBotStealer". The source maps the family to MITRE ATT&CK T1190, T1071.001 and T1059.001; note that T1190 (Exploit Public-Facing Application) does not match the phishing-based delivery described above, for which T1566.001 (Spearphishing Attachment) is the appropriate initial-access technique, while T1071.001 (Web Protocols) and T1059.001 (PowerShell) do fit the C2 channel and loader. The persistence and evasion behaviour described under Technical Capabilities corresponds to T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys), T1562.001 (Disable or Modify Tools) and T1055.012 (Process Hollowing).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.