Threat Actors Leveraging Telegram To Build Malware | Cyble
By cybleinc
Published: 2022-05-12 · Archived: 2026-04-05 22:07:01 UTC
In this analysis, Cyble looks at the Eternity Malware suite, listing a wide variety of malware for sale on Telegram.
During our routine threat hunting exercise, Cyble Research Labs came across a TOR website listing a variety of
malware for sale. This includes stealers, clippers, worms, miners, ransomware, and DDoS Bots which the Threat
Actors (TAs) have named ‘Eternity Project.’
Figure 1 – Product Information
Upon further investigation, the TAs also have a Telegram channel with around 500 subscribers, where they have
provided information about the malware’s operation and features through detailed videos. The Telegram channel also
shares information about the malware’s updates, which shows that the TAs are actively working to enhance the
features of the malware.
See Cyble in Action
World's Best AI-Native Threat Intelligence
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 1 of 14

Figure 2 – Telegram Channel
Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary. The TAs
provide an option in the Telegram channel to customize the binary features, which provides an effective way to build
binaries without any dependencies.  
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 2 of 14

Figure 3 – Telegram Builder
This blog showcases our research on Eternity Project’s malware capabilities and steps to secure yourself and your
organization accordingly.
Eternity Stealer
The developer sells the Stealer module for $260 as an annual subscription. The Eternity Stealer steals passwords,
cookies, credit cards, and crypto-wallets from the victim’s machine and sends them to the TA’s Telegram Bot.
The features of the stealer malware mentioned on the TAs website and Telegram channel are:
Browsers collection (Passwords, CreditCards, Cookies, AutoFill, Tokens, History, Bookmarks):
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 3 of 14

Chrome, Firefox, Edge, Opera, Chromium, Vivaldi, IE, and +20 more.
Email clients: Thunderbird, Outlook, FoxMail, PostBox, MailBird.
Messengers: Telegram, Discord, WhatsApp, Signal, Pidgin, RamBox.
Cold cryptocurrency wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash,
BitcoinCore, DashCore, DogeCore, LiteCore, MoneroCore.
Browser cryptocurrency extensions: MetaMask, BinanceChain, Coinbase Wallet, and 30+ more.
Password managers: KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm and 10+ more.
VPN clients: WindscribeVPN, NordVPN, EarthVPN, ProtonVPN, OpenVPN, AzireVPN.
FTP clients: FileZilla, CoreFTP, WinSCP, Snowflake, CyberDuck.
Gaming software: Steam session, Twitch, OBS broadcasting keys.
System credentials: Credman passwords, Vault passwords, Networks passwords).
Figure 4 demonstrates the steps to build Eternity Stealer malware through the Telegram Bot. Initially, the Telegram
channel shows available products to users who purchased the malware when they enter a command /Product.  
Once the users select the stealer product, they are presented with further options for features such as AntiVM and
AntiRepeat. Finally, the user has the option to select the available payload file extension such as .exe, .scr, .com, and
pif. After selecting the file extension, the user can download the stealer payload from the Telegram channel.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 4 of 14

Figure 4 – Purchasing and Building Eternity Stealer Payload
The stolen information is saved in .txt files, as shown below.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 5 of 14

Figure 5 – Stolen Information Saved in .txt files
Eternity Miner
The developer sells the Miner module for $90 as an annual subscription. The Eternity Miner is a malicious program
that uses the resources of an infected computer to mine cryptocurrency.
The features of the miner malware mentioned on the TA’s website and Telegram channel are:
Startup
Small size
Silent Monero mining
Restart when killed
Hidden from the task manager
Figure 6 demonstrates the steps to build Eternity Miner malware through the Telegram Bot. Here, the users can enter
their Monero wallet address and Monero pool URLs while building the binary.
Figure 6 – Building Miner Payload
Eternity Clipper
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 6 of 14

The developer sells the clipper malware for $110. The Eternity Clipper is a malicious program that monitors the
clipboard of an infected machine for cryptocurrency wallets and replaces them with the TA’s crypto-wallet addresses.
The features of the Clipper malware mentioned on the TA’s website and Telegram channel are:
Startup
Small size
Hidden from the task manager
Reporting to Telegram Bot
Prevents second reporting of replacement to prevent spam
Support of multiple address formats for BTC, LTC, ZEC, and BCH
Figure 7 demonstrates the steps to build the Eternity Clipper malware through a Telegram Bot. Here, users can enter
their crypto wallet addresses while building the binary.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 7 of 14

Figure 7 – Eternity Clipper Payload Building
Eternity Ransomware
The developer sells the Eternity Ransomware for $490. Eternity Ransomware is a malicious program that prevents
users from accessing their machine, either by locking the system’s screen or encrypting the users’ files until a ransom
is paid.
The features of the ransomware mentioned on the TA’s website and Telegram channel are:
Encrypts all documents, photos, and databases on disks, local shares, and USB drives.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 8 of 14

Offline encryption (Doesn’t requires network connection)
Uses a very strong algorithm of encryption utilizing both AES and RSA.
The ability to set a time limit after which the files cannot be decrypted.
Execution on a specific date
Currently, FUD (0/26)
Small size ~130kb
Figure 8 depicts the steps to build Eternity Ransomware through the TA’s Telegram channel. Here, users can enter
text to be shown once the victims open an encrypted file. The TAs can mention the ransom notes and payment details
etc., for further communication with victims.
Additionally, users have the option to enter the time limit for the ransom payment. If victims fail to pay the ransom
within the time limit, the encrypted files can’t be decrypted. This is set as a default feature while compiling
ransomware binary.
Figure 8 – Ransomware Payload Building
Figure 9 shows the Eternity Ransomware Decryption window when users open an encrypted file.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 9 of 14

Figure 9 – Eternity Ransomware Decryption Window
Eternity Worm
The developer sells the Eternity Worm for $390. It is a virus that spreads through infected machines via files and
networks. The features of the worm dropper malware mentioned on the TA’s website and Telegram channel are:
USB Drives
Local network shares
Local Files (py, zip, exe, bat, jar, pdf, Docx, xlsx, pptx, mp3, mp4, png)
Cloud Drives (GoogleDrive, OneDrive, DropBox)
Python Interpreter (Injects worm loader into all compiled python projects)
Discord Spam (Sends your messages to all channels and friends)
Telegram Spam (Sends your messages to all channels and contacts)
Figure 10 depicts the steps to build Eternity worm malware through the TAs Telegram channel. Here, users can
provide the URL where the worm payload will be located and also provide direct download URLs to download the
worm payload. Eternity Worm can infect local files and spread through Discord and Telegram channels.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 10 of 14

Figure 10 – Worm Malware Building
The below image shows the malware spreading via Discord.
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 11 of 14

Figure 11 – Discord Account
Eternity DDoS Bot
According to the TA’s website, the DDoS Bot malware is currently under development.
We suspect the developer behind the Eternity project is leveraging code from the existingGithub repository and then
modifying and selling it under a new name.
Our analysis also indicated that the Jester Stealer could also be rebranded from this particular Github project which
indicates some links between the two Threat Actors.
Conclusion
Cyble Research Labs has observed a significant increase in cybercrime through Telegram channels and cybercrime
forums where TAs sell their products without any regulation. We have encountered the Eternity products being sold
on one such Telegram channel and TOR website.
Cyble will continue to monitor Eternity Project’s products and update our readers with the latest information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow the best practices given below:  
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 12 of 14

Safety measures needed to prevent malware attacks
Conduct regular backup practices and keep those backups offline or in a separate network.
Turn on the automatic software update feature on your computer, mobile, and other connected devices
wherever possible and pragmatic. 
Use a reputed anti-virus and Internet security software package on your connected devices, including PC,
laptop, and mobile.
Refrain from opening untrusted links and email attachments without verifying their authenticity.
Indicators Of Compromise (IOCs)
Indicators
Indicator
type
Description
8d52a66459df0ea387d5aab3fc7a2bc9 MD5
Eternity
Stealer
Payload
1707b034483eb9f279dfaa3a8862592bddb2ac4e SHA1
Eternity
Stealer
Payload
eb812b35acaeb8abcb1f895c24ddba8bb32f175308541d8db856f95d02ddcfe2 SHA256
Eternity
Stealer
Payload
c4b46a2d0898e9ba438366f878cd74bd MD5
Eternity
Clipper
Payload
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62 SHA1
Eternity
Clipper
Payload
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3 SHA256
Eternity
Clipper
Payload
76c5b877fb931ed728df30c002bf8823 MD5
Eternity
Ransomware
Payload
16a8a21ef1a30849bedc514e42286de7676db5af SHA1
Eternity
Ransomware
Payload
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 13 of 14

55bf0aa9c3d746b8e47635c2eae2acaf77b4e65f3e6cbd8c51f6b657cdca4c91 SHA256
Eternity
Ransomware
Payload
b35aa57c5c963bde7abee2a4e459b146 MD5
Eternity
Worm
Payload
e0817176fa7e1875a5d301b47d9a9a6977c39da5 SHA1
Eternity
Worm
Payload
656990efd54d237e25fdb07921db3958c520b0a4af05c9109fe9fe685b9290f7 SHA256
Eternity
Worm
Payload
Source: https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
Page 14 of 14

 https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/  
Figure 4-Purchasing and Building Eternity Stealer Payload
The stolen information is saved in .txt files, as shown below. 
  Page 5 of 14