
    New Golang Malware Leverages Telegram Bot API for Stealthy Command-and-Control

    A newly discovered backdoor malware, developed using the Go programming language, has been observed utilizing the Telegram Bot API to conduct covert command-and-control (C2) operations.

    The malware, believed to be of Russian origin, is currently in active development but already features a range of functional capabilities. Upon execution, it attempts to run from a specific path — C:\Windows\Temp\svchost.exe. If not already located there, it replicates itself to the designated path, launches the copied instance, and terminates the original process.

    What sets this backdoor apart is its use of an open-source Golang wrapper for the Telegram Bot API, enabling it to receive attacker instructions through a private Telegram chat. The malware supports several commands:

    • /cmd: Executes PowerShell commands

    • /persist: Re-establishes persistence by relaunching from the target path

    • /screenshot: Placeholder functionality; sends a “Screenshot captured” message without actual implementation

    • /selfdestruct: Deletes its executable and terminates the process

    Command outputs are exfiltrated to the associated Telegram chat, allowing the operator to maintain communication without relying on traditional infrastructure that might trigger security alerts.

    Interestingly, the malware hints at its Russian ties via a localized response string in the /cmd functionality, which prompts users in Russian to “Enter the command:”.

    The use of cloud-based messaging platforms for malware communication presents a growing challenge for security defenders, as attackers continue to exploit easily accessible and trusted services to conceal their operations.
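As an added defender's example (not code from the article or from the malware itself), the following Python scans constructed Sysmon-style JSON events for the behaviours described above: svchost.exe running outside its legitimate directories, PowerShell spawned by such a process, and connections to api.telegram.org, the host behind the Telegram Bot API. The event field names and the sample lines are assumptions made up for this example.

```python
import json
from pathlib import PureWindowsPath

# Directories where the real Windows svchost.exe lives; the same file name anywhere else is suspect.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TELEGRAM_API_HOST = "api.telegram.org"  # hostname behind the Telegram Bot API

def is_masquerading_svchost(image: str) -> bool:
    """True when a process called svchost.exe runs outside its legitimate directories."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS

def detect(log_lines):
    """Scan JSON event lines and return a list of (finding, image) tuples."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if ev.get("EventType") == "ProcessCreate":
            if is_masquerading_svchost(image):
                findings.append(("svchost.exe started outside System32", image))
            # The backdoor's /cmd runs PowerShell; a PowerShell child of a fake svchost is a strong signal.
            if PureWindowsPath(image).name.lower() == "powershell.exe" and is_masquerading_svchost(parent):
                findings.append(("PowerShell spawned by masquerading svchost.exe", parent))
        elif ev.get("EventType") == "NetworkConnect" and ev.get("DestinationHostname", "").lower() == TELEGRAM_API_HOST:
            # Bot API traffic alone is low confidence (legitimate bots use it too); tie it to the process.
            if is_masquerading_svchost(image):
                findings.append(("Telegram Bot API traffic from masquerading svchost.exe", image))
            else:
                findings.append(("Telegram Bot API traffic", image))
    return findings

# Constructed sample events (not real telemetry), loosely modelled on Sysmon process-create and network events.
SAMPLE_LOG = [
    r'{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}',
    r'{"EventType": "ProcessCreate", "Image": "C:\\Windows\\Temp\\svchost.exe", "ParentImage": "C:\\Users\\user\\Downloads\\installer.exe"}',
    r'{"EventType": "NetworkConnect", "Image": "C:\\Windows\\Temp\\svchost.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
    r'{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\Temp\\svchost.exe"}',
    r'{"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
]

if __name__ == "__main__":
    for finding, image in detect(SAMPLE_LOG):
        print(f"{finding}: {image}")
```

The last sample line shows why the hostname alone is not enough: a browser or a legitimate bot reaches the same endpoint, so the process path is what turns the hit into an actionable alert.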
