{
	"id": "8c50a50e-1ea6-45f1-a4af-322cddb02ea1",
	"created_at": "2026-04-06T00:14:43.393052Z",
	"updated_at": "2026-04-10T03:37:09.124712Z",
	"deleted_at": null,
	"sha1_hash": "99488580cbf3f32c16dee9717adcbc63a54d0f83",
	"title": "Threat Actors Leveraging Telegram To Build Malware | Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3828855,
	"plain_text": "Threat Actors Leveraging Telegram To Build Malware | Cyble\r\nBy cybleinc\r\nPublished: 2022-05-12 · Archived: 2026-04-05 22:07:01 UTC\r\nIn this analysis, Cyble looks at the Eternity malware suite, a wide variety of malware listed for sale on Telegram.\r\nDuring a routine threat hunting exercise, Cyble Research Labs came across a TOR website listing a variety of malware for sale: stealers, clippers, worms, miners, ransomware, and DDoS bots, which the Threat Actors (TAs) have named ‘Eternity Project.’\r\nFigure 1 – Product Information\r\nUpon further investigation, we found that the TAs also run a Telegram channel with around 500 subscribers, where they explain the malware’s operation and features through detailed videos. The Telegram channel also announces updates to the malware, which shows that the TAs are actively working to enhance its features.\r\nhttps://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/\r\nPage 1 of 14\r\nFigure 2 – Telegram Channel\r\nInterestingly, individuals who purchase the malware can use the Telegram bot to build the binary. The TAs provide an option in the Telegram channel to customize the binary’s features, which gives buyers an easy way to build binaries without any local dependencies.\r\nFigure 3 – Telegram Builder\r\nThis blog showcases our research on Eternity Project’s malware capabilities and the steps to secure yourself and your organization accordingly.\r\nEternity Stealer\r\nThe developer sells the Stealer module for $260 as an annual subscription. 
The Eternity Stealer steals passwords, cookies, credit cards, and crypto-wallets from the victim’s machine and sends them to the TA’s Telegram bot.\r\nThe features of the stealer mentioned on the TA’s website and Telegram channel are:\r\nBrowsers collection (Passwords, CreditCards, Cookies, AutoFill, Tokens, History, Bookmarks): Chrome, Firefox, Edge, Opera, Chromium, Vivaldi, IE, and 20+ more.\r\nEmail clients: Thunderbird, Outlook, FoxMail, PostBox, MailBird.\r\nMessengers: Telegram, Discord, WhatsApp, Signal, Pidgin, RamBox.\r\nCold cryptocurrency wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash, BitcoinCore, DashCore, DogeCore, LiteCore, MoneroCore.\r\nBrowser cryptocurrency extensions: MetaMask, BinanceChain, Coinbase Wallet, and 30+ more.\r\nPassword managers: KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm, and 10+ more.\r\nVPN clients: WindscribeVPN, NordVPN, EarthVPN, ProtonVPN, OpenVPN, AzireVPN.\r\nFTP clients: FileZilla, CoreFTP, WinSCP, Snowflake, CyberDuck.\r\nGaming software: Steam session, Twitch, OBS broadcasting keys.\r\nSystem credentials: Credman passwords, Vault passwords, network passwords.\r\nFigure 4 demonstrates the steps to build the Eternity Stealer through the Telegram bot. First, when a user who has purchased the malware enters the /Product command, the bot lists the available products. Once the user selects the stealer, they are presented with further options for features such as AntiVM and AntiRepeat. Finally, the user selects the payload file extension (.exe, .scr, .com, or .pif). After selecting the file extension, the user can download the stealer payload from the Telegram channel.\r\nFigure 4 – Purchasing and Building Eternity Stealer Payload\r\nThe stolen information is saved in .txt files, as shown below.\r\nFigure 5 – Stolen Information Saved in .txt Files\r\nEternity Miner\r\nThe developer sells the Miner module for $90 as an annual subscription. The Eternity Miner is a malicious program that uses the resources of an infected computer to mine cryptocurrency.\r\nThe features of the miner mentioned on the TA’s website and Telegram channel are:\r\nStartup\r\nSmall size\r\nSilent Monero mining\r\nRestart when killed\r\nHidden from the task manager\r\nFigure 6 demonstrates the steps to build the Eternity Miner through the Telegram bot. Here, the user enters their Monero wallet address and Monero pool URLs while building the binary.\r\nFigure 6 – Building Miner Payload\r\nEternity Clipper\r\nThe developer sells the Clipper for $110. The Eternity Clipper is a malicious program that monitors the clipboard of an infected machine for cryptocurrency wallet addresses and replaces them with the TA’s wallet addresses, so that a victim who pastes an address into a transaction sends the funds to the TA instead.\r\nThe features of the Clipper mentioned on the TA’s website and Telegram channel are:\r\nStartup\r\nSmall size\r\nHidden from the task manager\r\nReporting to Telegram bot\r\nPrevents a second report of the same replacement, to avoid spam\r\nSupport for multiple address formats for BTC, LTC, ZEC, and BCH\r\nFigure 7 demonstrates the steps to build the Eternity Clipper through the Telegram bot. Here, the user enters their own crypto wallet addresses while building the binary.\r\nFigure 7 – Eternity Clipper Payload Building\r\nEternity Ransomware\r\nThe developer sells the Eternity Ransomware for $490. Eternity Ransomware is a malicious program that prevents users from accessing their machine or data, either by locking the system’s screen or by encrypting the user’s files until a ransom is paid.\r\nThe features of the ransomware mentioned on the TA’s website and Telegram channel are:\r\nEncrypts all documents, photos, and databases on local disks, network shares, and USB drives.\r\nOffline encryption (does not require a network connection).\r\nEncryption using both AES and RSA, which the TAs advertise as ‘very strong’.\r\nThe ability to set a time limit after which the files can no longer be decrypted.\r\nExecution on a specific date.\r\nCurrently FUD (fully undetectable; 0/26 detections claimed by the TAs).\r\nSmall size, ~130 KB.\r\nFigure 8 depicts the steps to build the Eternity Ransomware through the TA’s Telegram channel. Here, the user enters the text shown to victims when they open an encrypted file; this is where the TAs place the ransom note, payment details, and contact instructions for further communication with victims.\r\nAdditionally, the user can set a time limit for the ransom payment. If victims fail to pay within the time limit, the encrypted files can no longer be decrypted. This is a default feature when compiling the ransomware binary.\r\nFigure 8 – Ransomware Payload Building\r\nFigure 9 shows the Eternity Ransomware decryption window that victims see when they open an encrypted file.\r\nFigure 9 – Eternity Ransomware Decryption Window\r\nEternity Worm\r\nThe developer sells the Eternity Worm for $390. It is self-propagating malware that spreads from infected machines via files and networks. The spreading vectors listed for the worm dropper on the TA’s website and Telegram channel are:\r\nUSB drives\r\nLocal network shares\r\nLocal files (py, zip, exe, bat, jar, pdf, docx, xlsx, pptx, mp3, mp4, png)\r\nCloud drives (GoogleDrive, OneDrive, DropBox)\r\nPython interpreter (injects the worm loader into all compiled Python projects)\r\nDiscord spam (sends the operator’s messages to all channels and friends)\r\nTelegram spam (sends the operator’s messages to all channels and contacts)\r\nFigure 10 depicts the steps to build the Eternity Worm through the TA’s Telegram channel. Here, the user provides the URL where the worm payload will be hosted, and can also provide direct download URLs from which the worm payload is fetched. The Eternity Worm can infect local files and spread through Discord and Telegram channels.\r\nFigure 10 – Worm Malware Building\r\nThe image below shows the malware spreading via Discord.\r\nFigure 11 – Discord Account\r\nEternity DDoS Bot\r\nAccording to the TA’s website, the DDoS bot malware is currently under development.\r\nWe suspect the developer behind the Eternity Project is reusing code from an existing GitHub repository, modifying it and selling it under a new name.\r\nOur analysis also indicated that the Jester Stealer could be a rebrand of this same GitHub project, which suggests some link between the two Threat Actors.\r\nConclusion\r\nCyble Research Labs has observed a significant increase in cybercrime conducted through Telegram channels and cybercrime forums, where TAs sell their products without any regulation. 
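The file hashes in the IOC table at the end of this report are only useful if they are actually checked against files on hosts. The following Python script is an added example written for this edited page; it is not Cyble’s code or tooling. It embeds the report’s MD5/SHA1/SHA256 IOCs, hashes every file under a directory with all three algorithms in one pass, reports matches, and additionally flags files that carry one of the less common payload extensions offered by the Telegram builder (.scr, .com, .pif) while starting with a PE header, since such a file deserves a look even when its hash is not yet on any list. The directory scanned, the usage path and the function names (scan_tree, inspect_file, hash_stream, match_iocs) are assumptions of this example.

```python
import hashlib
import os

# IOC hashes published in the Cyble report above, keyed by lowercase hex digest.
ETERNITY_IOCS = {
    '8d52a66459df0ea387d5aab3fc7a2bc9': 'Eternity Stealer payload (MD5)',
    '1707b034483eb9f279dfaa3a8862592bddb2ac4e': 'Eternity Stealer payload (SHA1)',
    'eb812b35acaeb8abcb1f895c24ddba8bb32f175308541d8db856f95d02ddcfe2': 'Eternity Stealer payload (SHA256)',
    'c4b46a2d0898e9ba438366f878cd74bd': 'Eternity Clipper payload (MD5)',
    'f95a0529fbb8aa61cd3dee602fa6555b2c86dd62': 'Eternity Clipper payload (SHA1)',
    '025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3': 'Eternity Clipper payload (SHA256)',
    '76c5b877fb931ed728df30c002bf8823': 'Eternity Ransomware payload (MD5)',
    '16a8a21ef1a30849bedc514e42286de7676db5af': 'Eternity Ransomware payload (SHA1)',
    '55bf0aa9c3d746b8e47635c2eae2acaf77b4e65f3e6cbd8c51f6b657cdca4c91': 'Eternity Ransomware payload (SHA256)',
    'b35aa57c5c963bde7abee2a4e459b146': 'Eternity Worm payload (MD5)',
    'e0817176fa7e1875a5d301b47d9a9a6977c39da5': 'Eternity Worm payload (SHA1)',
    '656990efd54d237e25fdb07921db3958c520b0a4af05c9109fe9fe685b9290f7': 'Eternity Worm payload (SHA256)',
}

# Payload extensions the Telegram builder offers besides .exe. A Windows PE file
# hiding behind one of these is worth a second look even without an IOC hit.
DISGUISE_EXTENSIONS = ('.scr', '.com', '.pif')


def hash_stream(fileobj, chunk_size=1 << 20):
    # Computes MD5, SHA1 and SHA256 in a single pass so large files are read once.
    digests = {'md5': hashlib.md5(), 'sha1': hashlib.sha1(), 'sha256': hashlib.sha256()}
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        for d in digests.values():
            d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def match_iocs(digests, iocs=ETERNITY_IOCS):
    # Returns (algo, digest, description) for every digest present in the IOC set.
    return [(algo, digest, iocs[digest.lower()])
            for algo, digest in digests.items() if digest.lower() in iocs]


def is_pe_header(first_bytes):
    # Modern Windows payloads use the PE format whatever their extension; PE files start with MZ.
    return first_bytes[:2] == b'MZ'


def inspect_file(path, iocs=ETERNITY_IOCS):
    # Hashes one file and returns a finding dict, or None when nothing is suspicious.
    with open(path, 'rb') as f:
        head = f.read(2)
        f.seek(0)
        digests = hash_stream(f)
    hits = match_iocs(digests, iocs)
    ext = os.path.splitext(path)[1].lower()
    disguised = ext in DISGUISE_EXTENSIONS and is_pe_header(head)
    if not hits and not disguised:
        return None
    return {'path': path, 'sha256': digests['sha256'], 'ioc_hits': hits, 'disguised_pe': disguised}


def scan_tree(root, iocs=ETERNITY_IOCS):
    # Walks a directory tree (path is an assumption) and collects findings; unreadable files are skipped.
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                finding = inspect_file(path, iocs)
            except OSError:
                continue
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    import sys
    # Usage (path is an assumption): python ioc_scan.py C:/Users/victim/Downloads
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(finding)
```

Hash IOCs are brittle by nature: the builder in this report produces a fresh binary per buyer and per option set, so the twelve digests above identify the specific samples Cyble analysed and nothing else. Treat a hit as confirmation, not the absence of one as a clean bill, and pair the hash check with the extension/PE heuristic and with the behavioural signs described in this report (Telegram bot traffic, clipboard substitution, Monero pool connections).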
We have encountered the Eternity products being sold on one such Telegram channel and TOR website.\r\nCyble will continue to monitor Eternity Project’s products and update our readers with the latest information.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety measures needed to prevent malware attacks\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on automatic software updates on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobile devices.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nIndicators Of Compromise (IOCs)\r\nIndicator | Indicator type | Description\r\n8d52a66459df0ea387d5aab3fc7a2bc9 | MD5 | Eternity Stealer Payload\r\n1707b034483eb9f279dfaa3a8862592bddb2ac4e | SHA1 | Eternity Stealer Payload\r\neb812b35acaeb8abcb1f895c24ddba8bb32f175308541d8db856f95d02ddcfe2 | SHA256 | Eternity Stealer Payload\r\nc4b46a2d0898e9ba438366f878cd74bd | MD5 | Eternity Clipper Payload\r\nf95a0529fbb8aa61cd3dee602fa6555b2c86dd62 | SHA1 | Eternity Clipper Payload\r\n025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 | SHA256 | Eternity Clipper Payload\r\n76c5b877fb931ed728df30c002bf8823 | MD5 | Eternity Ransomware Payload\r\n16a8a21ef1a30849bedc514e42286de7676db5af | SHA1 | Eternity Ransomware Payload\r\n55bf0aa9c3d746b8e47635c2eae2acaf77b4e65f3e6cbd8c51f6b657cdca4c91 | SHA256 | Eternity Ransomware Payload\r\nb35aa57c5c963bde7abee2a4e459b146 | MD5 | Eternity Worm Payload\r\ne0817176fa7e1875a5d301b47d9a9a6977c39da5 | SHA1 | Eternity Worm Payload\r\n656990efd54d237e25fdb07921db3958c520b0a4af05c9109fe9fe685b9290f7 | SHA256 | Eternity Worm Payload\r\nSource: https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/"
	],
	"report_names": [
		"a-closer-look-at-eternity-malware"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99488580cbf3f32c16dee9717adcbc63a54d0f83.pdf",
		"text": "https://archive.orkl.eu/99488580cbf3f32c16dee9717adcbc63a54d0f83.txt",
		"img": "https://archive.orkl.eu/99488580cbf3f32c16dee9717adcbc63a54d0f83.jpg"
	}
}