{
	"id": "abe8218d-b82e-4a7a-af25-2c2f75a9c006",
	"created_at": "2026-04-06T02:12:44.472185Z",
	"updated_at": "2026-04-10T13:12:57.049666Z",
	"deleted_at": null,
	"sha1_hash": "7b6bf5e0716547e777b3d1dfe5e52fe86b7c5219",
	"title": "Exfiltration over Telegram Bots: Skidding Infostealer Logs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 711767,
	"plain_text": "Exfiltration over Telegram Bots: Skidding Infostealer Logs\r\nBy André Tavares\r\nPublished: 2024-10-16 · Archived: 2026-04-06 01:31:06 UTC\r\nTelegram has become a popular platform among cybercriminals, not only for messaging but for a wide\r\nrange of illicit activities, including serving as a data exfiltration server for infostealer malware as well as a\r\nmarketplace for victim data, including user/employee credentials.\r\n \r\nCredentials are increasingly utilized as the initial attack vector to infiltrate corporate environments.\r\nTherefore, companies should monitor underground markets to mitigate potential risks as early as possible.\r\n \r\nBitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most\r\ninfected countries are the USA, Turkey, and Russia, followed by India and Germany.\r\nIn recent years, Telegram has emerged as a popular messaging platform among cybercriminals, driven by its\r\ncombination of simplicity, security, and efficiency. Telegram's encrypted messaging capabilities, real-time\r\ncommunication, and the ability to send large data files make it an ideal platform for cybercriminal activities\r\nand an attractive alternative to traditional underground forums. Another advantage is the seamless\r\ncommunication across different levels—private messages, groups, and channels—without the delays and security\r\nrisks associated with forum-based messaging.\r\nCurrently, Telegram is leveraged by a wide range of threat actors to conduct a plethora of illicit activities. The\r\nactivity this blog post concerns is related to infostealer malware, where Telegram is used as a data exfiltration\r\nserver and a marketplace for victim data. 
This type of malware steals all kinds of data from the system it infects,\r\nincluding credentials (passwords and cookies) for VPNs, RDP, business services, banking and social media, stored\r\nby a variety of apps (including popular browsers like Chrome and Firefox). Other kinds of highly sensitive data\r\nthat infostealers often collect are screenshots, keylogs, clipboard contents, cryptocurrency wallets and autofill data, the\r\nlatter occasionally containing credit card info. All of this data is referred to by cybercriminals as “logs”.\r\nThese logs are then fed into autoshop marketplaces, some of them known as \"clouds of logs\". For a relatively\r\nsmall fee or, in many cases, free of charge (as a sort of promotion), they allow all kinds of threat actors, including\r\nless-skilled ones, to access all of this data. In some of these logs it’s possible to find credentials to corporate\r\nenvironments, allowing threat actors to bypass the typical initial stages of an attack. Even outdated credentials can\r\nbe valuable because they can be used in \"credential stuffing\" attacks, taking advantage of password reuse by the\r\nvictim.\r\nLooking at the bigger picture, Figure 1 provides a great overview of how the infostealer ecosystem works. Let’s\r\nfocus on the three main types of attackers that, by leveraging the stolen data, often pose the most direct threat to\r\ncompanies. First we have script kiddies, bored young individuals seeking quick cash or simply looking to cause\r\nchaos. Second, there are Initial Access Brokers (IABs), which use stolen credentials to establish footholds in\r\ncorporate networks, and then sell the access to other threat actors, such as ransomware gangs. Third, the highly\r\nhttps://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs\r\nPage 1 of 6\n\nskilled threat actors, including APTs, which also use these credentials for more sophisticated, targeted attacks on\r\norganizations. 
The infamous Lapsus$ group is a notable example, although it does not fully fit one single category,\r\nsince their motives range from gaining notoriety to financial gain and, in some cases, just juvenile amusement.\r\nThey have targeted high-profile companies such as Uber, Okta, and T-Mobile by exploiting compromised\r\ncredentials as their initial attack vector.\r\nFigure 1 - Overview of the Infostealer ecosystem. \r\n(source: https://thehackernews.com/2024/07/10000-victims-day-infostealer-garden-of.html)\r\nThis blog post focuses on analyzing logs exfiltrated by infostealers, specifically to Telegram, through their Bot\r\nAPI. Unlike logs present in \"clouds of logs\", which can come from a variety of different places, the ones we\r\nanalyzed were obtained directly from threat actors' Telegram bots. These logs were uploaded in an automated way\r\nby malware running on infected systems. This means that there’s a higher degree of confidence in the data, in\r\nterms of freshness, and it’s also less likely that the data has been modified. We started collection in October\r\n2024 and so far, out of about 1,800 Telegram bots, we have observed a total of 5 million logs containing victim IP\r\naddresses or domain names related to credentials, with timestamps starting from 2020, but mostly from 2022\r\nonwards. For this research, only credentials (passwords and cookies) and basic system information were collected.\r\nFigure 2 shows the logs collected over time by each malware family. It's evident that Telegram usage is showing a\r\nsignificant upward trend, both in volume and in family diversity.\r\nFigure 2 - Number of logs by malware family over time.\r\nSo far, we’ve parsed logs generated by 27 infostealer families. We’ve also observed some RAT families, such as\r\nXWorm and AsyncRAT, but these are yet to be parsed. 
Regarding infostealers, the majority of the logs were\r\nuploaded by SnakeKeylogger (pink) and AgentTesla (blue), two very popular infostealer families. Another\r\ninteresting fact is that many of the malware families discovered are actually open source, such as Worldwind,\r\nPrynt and Phemedrone, as well as the mentioned RATs.\r\nFrom July onwards, the chart reveals a shift in the top families, with a sharp decline in AgentTesla and a\r\nsubstantial rise in SnakeKeylogger, which has now clearly taken the lead. Added to that, a new family showed up,\r\nVipKeylogger (orange), which is actually a variant of SnakeKeylogger. On Snake’s Telegram channel, they\r\nadvertise both products (Figure 3) and they also have a sales website on the clear web, at hxxps://snaketools.xyz/.\r\nBoth families account for the majority of logs we’ve observed recently.\r\nThe appearance of VipKeylogger coincides with the major decline of AgentTesla, also known as OriginLogger.\r\nThe threat actors behind OriginLogger posted on their sales Telegram channel explaining that they have lost\r\naccess to their server and backups, which led to their decision to retire (Figure 4).\r\nFigure 3 - SnakeKeylogger group info with prices for buying access to the malware.\r\nFigure 4 - AgentTesla/OriginLogger actors explaining the shutdown of the service.\r\nIt’s important to note that the chart in Figure 2 is probably biased in at least three ways. First, by the sources,\r\nwhich are the Telegram bot tokens we could find, extracted from malware samples we’ve collected. Second, the\r\ndata parsers, mainly due to parser completeness but also due to missing parsers for malware families we aren’t\r\ncovering yet or are yet to be discovered. Third, some threat actors might have deleted bot messages, thus creating\r\nvisibility gaps in the collection. 
The absence of popular infostealer families from this dataset, such as StealC,\r\nLumma, Redline, and Vidar, can be explained by the fact that generally the groups behind them use Telegram\r\nmainly for selling the stolen data rather than for exfiltrating it.\r\nFigure 5 illustrates the global distribution of infected systems, based on more than 100,000 system IP addresses\r\nfound in some of the logs. Infections are spread worldwide, as expected, since infostealer malware is widely accessible,\r\nand the top 5 most infected countries are the USA (16%), Turkey (12%) and Russia (9%), followed by India (5%) and\r\nGermany (4%). Turkey's high infection rate can be attributed to the prevalence of AgentTesla and\r\nSnakeKeylogger, two malware families seen being used in attacks targeting Turkish industries, and the fact that\r\nAgentTesla itself originated in Turkey may be related as well.\r\nFigure 5 - World distribution of systems infected with Telegram-based infostealers.\r\nWithin 5 million logs, we’ve found 2.8 million credentials, from which 400,000+ unique domains and 10,000+\r\nunique IP addresses were extracted. In this relatively small dataset, we could find credentials associated with\r\nalmost 60,000 organizations, which says a lot about the diversity of the data. It’s important to note that there are\r\ntwo major classes of credentials: user/customer and employee credentials. The latter can be the most critical for\r\ncompanies, from a defensive perspective, as previously highlighted.\r\nFigure 6 shows the top domains and corresponding sectors by number of credentials. Most of the credentials are\r\nrelated to the Technology sector, such as email and social media accounts, but there are all kinds of credentials,\r\nrelated to all sectors. Some of the top sectors are the Government and Finance sectors, accounting for 5% and 6%\r\nof all credentials, respectively. 
For instance, we’ve found 0.2% or 56,000+ PayPal credentials. The number of\r\nTurkish domains is consistent with the observed geographic distribution of infections.\r\nFigure 6 - Top domains and corresponding sectors by number of credentials found.\r\nAlthough this seems like quite a lot of data, we are only seeing the tip of the iceberg. For instance, HudsonRock\r\ninfostealer reports show many thousands of compromised systems per week. According to one of their reports, the\r\nnumber of compromised users increased by a factor of six in 2022, a trend also evident in the data we collected.\r\nThis reinforces the growing perception that the infostealer market is becoming increasingly popular.\r\nThe 2024 Data Breach Investigations Report by Verizon reveals that stolen credentials were the single biggest\r\ninitial attack vector in 2023. Credentials, not exotic malware or zero-day exploits, were the most common way\r\nhackers breach systems and wreak havoc. For instance, a widely covered attack this year was the Snowflake\r\nincident, where a financially motivated threat actor stole a significant volume of records from Snowflake customer\r\nenvironments, using stolen customer credentials, advertised victim data for sale on cybercrime forums, and\r\nattempted to extort many of the victims.\r\nData breaches resulting from these attacks can lead to severe financial losses for organizations. 
Therefore,\r\norganizations can benefit significantly from monitoring credential leakage, including reducing the risk of data\r\nbreaches, increasing compliance with industry and privacy laws, and saving costs by mitigating the impact of\r\nsecurity incidents.\r\nThis research is a “relatively” small sample of the volume of data stolen by infostealers and emphasizes that\r\ncybercriminals in general and the infostealer ecosystem in particular are increasingly taking advantage of\r\nlegitimate services, in this case Telegram (Discord is also being leveraged), to conduct illicit activities and\r\nmonetize system and data access as much as possible. As such, companies should care about this threat and\r\nenhance protection in their corporate environments. One potentially critical step, specifically\r\nregarding Telegram, is blocking access to the Telegram API (api.telegram.org), if there isn’t a business use case\r\nfor it. This single action can prevent Telegram-based infostealers from exfiltrating data. Additionally,\r\nimplementing multi-factor authentication (MFA) across all company accounts is essential. Finally, regular\r\nmonitoring for compromised credentials may enable swift responses to potential breaches.\r\nSource: https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs"
	],
	"report_names": [
		"exfiltration-over-telegram-bots-skidding-infostealer-logs"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441564,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b6bf5e0716547e777b3d1dfe5e52fe86b7c5219.pdf",
		"text": "https://archive.orkl.eu/7b6bf5e0716547e777b3d1dfe5e52fe86b7c5219.txt",
		"img": "https://archive.orkl.eu/7b6bf5e0716547e777b3d1dfe5e52fe86b7c5219.jpg"
	}
}