{
	"id": "5ce09bc5-9d4f-4ca7-aabe-e93f49d72b7a",
	"created_at": "2026-04-06T00:16:51.962055Z",
	"updated_at": "2026-04-10T03:21:40.306187Z",
	"deleted_at": null,
	"sha1_hash": "c9e73f3223e3cb230c3ff5c24cae040345fa4af2",
	"title": "Masad Stealer: Exfiltrating using Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1052352,
	"plain_text": "Masad Stealer: Exfiltrating using Telegram\r\nBy Paul Kimayong\r\nPublished: 2019-09-26 · Archived: 2026-04-05 22:26:55 UTC\r\nJuniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a Command and Control (C\u0026C) channel allows the malware some anonymity, as Telegram is a legitimate messaging application with 200 million monthly active users.\r\nThe malware is being advertised on black market forums as “Masad Clipper and Stealer.” It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.\r\nMasad Stealer sends all of the information it collects to – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.\r\nWhat it does\r\nThis malware is written using AutoIt scripts and then compiled into a Windows executable. Most samples we have seen are about 1.5 MiB in size; however, Masad Stealer can be found in larger executables as it is sometimes bundled into other software.\r\nWhen Masad Stealer is executed, it drops itself in %APPDATA%\\{folder_name}\\{file_name}, where folder_name and file_name are defined in the binary. Examples include amd64_usbhub3.inf.resources and ws2_32.exe, respectively. 
As a persistence mechanism, Masad Stealer creates a scheduled task that will start itself every one minute.\r\nMasad stealer using scheduled task as persistence mechanism\r\nStealing routine\r\nAfter installing itself, Masad Stealer starts by collecting sensitive information from the system, such as:\r\nCryptocurrency Wallets\r\nhttps://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram\r\nPage 1 of 12\n\nPC and system information\r\nCredit Card Browser Data\r\nBrowser passwords\r\nInstalled software and processes\r\nDesktop Files\r\nScreenshot of Desktop\r\nBrowser cookies\r\nSteam files\r\nAutoFill browser fields\r\nDiscord and Telegram data\r\nFileZilla files\r\nIt zips this information into a file using the 7zip utility, which is bundled into the malware binary.\r\nA screenshot of what this malware has exfiltrated on one test machine\r\nThe above screenshot is a view of what Masad Stealer tries to exfiltrate from a sandbox. But the data that it can exfiltrate can expand to the following list:\r\nA list of information that this malware can steal\r\nUsing a hardcoded bot token, which is basically a way to communicate with the Command and Control bot, Masad Stealer sends this zip file using the sendDocument API.\r\nA snip of the sendDocument telegram bot API that this malware used to exfiltrate data\r\nIn order to communicate with the Command and Control bot, Masad Stealer first sends a getMe message using the bot token to be able to confirm that the bot is still active. Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware. 
This is an important consideration because of the off-the-shelf nature of this malware – multiple parties will be operating Masad Stealer instances for different purposes.\r\nInitial request by the malware to the telegram bot to make sure it is active.\r\nWhere the bot’s token is “719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI”.\r\nClipping Routine\r\nThis malware includes a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. Below are the regular expressions and supported wallets that it matches against the clipboard data:\r\nA list of wallets and corresponding regular expressions that it monitors on the clipboard\r\nBelow is a list of coins/wallets it tries to clip:\r\nMonero, Bitcoin Cash, Litecoin, Neo, Web Money, ADA, ZCASH, DogeCoin, Stratis, QIWI Pay, Bicond, Waves, Reddcoin, Qtum, Payeer, Bytecoin, Bitcoin, Black Coin, VIA, Steam Trade Link, Bitcoin Gold, Emercoin, Lisk, Ethereum, Dash, Ripple, Yandex Money\r\nIf the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary. Below are the bitcoin and monero wallets found in one of the samples:\r\nBitcoin: 1AtwyYF2TGR969cyRDrR2XFDqSPzwCXKfe\r\nMonero: 42Mm9gjuUSmPNr7aF1ZbQC6dcTeSi1MgB1Tv41frv1ZRFWLn4wNoLH3LDAGn9Fg2dhJW2VRHTz8Fo9ZAit951D2pDY8ggC\r\nBelow is a snapshot of the bitcoin wallet transaction, as of this writing. 
This wallet has already received around $9,000 USD equivalent of bitcoins (as of Sept 15, 2019), which may or may not come from the activity of this malware.\r\nA sample fraudulent bitcoin wallet found in one of the samples\r\nAttack Vector\r\nBased on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or being bundled into third party tools. Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites. Below is the currently known list of software that Masad Stealer has been seen mimicking:\r\nProxySwitcher (legitimate version here: https://www.proxyswitcher.com/)\r\nCCleaner.exe (legitimate version here: https://ccleaner.com/)\r\nUtilman.exe (legitimate version comes with Windows)\r\nNetsh.exe (legitimate version comes with Windows)\r\nIobit v 1.7.exe (legitimate version here: https://www.iobit.com/)\r\nBase Creator v1.3.1 [FULL CRACK].exe (there is no legitimate version)\r\nEXEA HACK CRACKED (PUBG,CS GO,FORTNITE,GTA 5,DOTA).exe (there is no legitimate version)\r\nIcacls.exe (legitimate version comes with Windows)\r\nWSManHTTPConfig.exe (legitimate version comes with Windows)\r\nRADMIR CHEAT MONEYY.exe (there is no legitimate version)\r\nTradebot_binance.exe (legitimate version here: https://tradesanta.com/en)\r\nWhoami.exe (legitimate version comes with Windows)\r\nProxo Bootstrapper.exe (this is actually a reasonably popular form of malware)\r\nFortniteaimbot  2019.exe (there is no legitimate version)\r\nGalaxy Software Update.exe (https://www.samsung.com/us/support/answer/ANS00077582/)\r\nDownload additional malware\r\nSome samples of Masad Stealer have the capability to download additional malware. 
We have seen samples that download other malware, usually a miner, from these URLs:\r\nhttps://masadsasad[.]moy.su/base.txt (miner)\r\nhttps://zuuse[.]000webhostapp.com/mi.exe (miner)\r\nhttps://37[.]230.210.84/still/Build.exe\r\nhttps://37[.]230.210.84/still/SoranoMiner.exe\r\nhttps://187[.]ip-54-36-162.eu/steal.exe\r\nhttps://bgtyu73[.]ru/22/Build.exe\r\nMasad stealer downloading a miner via HTTPS and with a modified header\r\nThe figure above is a response from the request to https://masadsasad[.]moy.su/base.txt. This response contains an executable file with a modified header. In addition to connecting via TLS, the modified header is an added trick by the malware to hide itself.\r\nTLS streams are more difficult to inspect, helping to hide them from network-based security defenses. The modified header helps to hide from endpoint security products the fact that the payload being downloaded is an executable.\r\nThreat Actors\r\nThis malware is being advertised in several hack forums as Masad Stealer. It starts with a free version and ladders up to versions asking up to $85, with each tier of the malware offering different features.\r\nSample Masad stealer ad found in hackforums\r\nThere is at least one dedicated website (masadproject[.]life) in existence to promote the sale of Masad Stealer. The developers have also created a Telegram group for their potential clients, and presumably to offer tech support. At time of writing, this group has more than 300 members.\r\nScreenshot of a telegram group where one threat actor is operating\r\nOf the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs. 
From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations. We used the getMe API, along with the bot token, to identify the usernames. The top bot IDs are as follows:\r\nTelegram Bot ID Telegram Bot Username Unique Hashes\r\nbot610711208 potterk_bot 45\r\nbot830353220 reaper228bot 24\r\nbot661438794 RanisYolo19_bot 23\r\nbot796671289 dfsklnjfmkdvehfsf454sdfbot 22\r\nbot870978042 dawdvwabot 20\r\nbot753197414 korote_bot 14\r\nbot823037532 NA/Inactive 13\r\nbot699800942 RcbBots_Bot 13\r\nbot831297312 xAmytBot 13\r\nbot883608782 bichpaket777_bot 12\r\nbot656889928 notius_bot 12\r\nbot813438470 idontknowubot 12\r\nbot911603667 Masat_bot 11\r\nbot963764792 NA/Inactive 11\r\nbot930786995 reborntodes_bot 9\r\nbot884837464 istrong_bot 9\r\nbot646596033 SkyDen_bot 9\r\nbot865594389 gnoy199519bot] 8\r\nPrevious versions of this malware (or possibly a direct ancestor) are called “Qulab Stealer”.\r\nHow does Juniper Networks protect you against this?\r\nJuniper Advanced Threat Protection products JATP and Sky ATP use machine learning to be able to accurately identify malware. The following images show Sky ATP detecting multiple variations of this malware.\r\nJuniper Sky ATP’s detection of this malware family\r\nThe use of machine learning is critical to defending against this malware because of the number of rapid iterations it underwent throughout its development. 
Machine learning allows Juniper Connected Security to identify Masad Stealer variants as they emerge, helping to keep customers protected even before new strains have been identified.\r\nConclusion\r\nJuniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market.\r\nIn order to protect your organization, make sure that you have a next generation firewall (NGFW) with Advanced Threat Protection. NGFWs have the ability to identify the Telegram protocol and block it, if there is no legitimate business use, while Advanced Threat Protection products offer other methods to detect and counteract this malware.\r\nJuniper Sky ATP, in conjunction with our SRX firewall, will block any client infected with Masad Stealer from reaching out to the Command and Control bot master. It will also block the download of the Masad Stealer malware files in the first place, offering both remediation and prevention capabilities.\r\nIndicators of Compromise\r\nSha256\r\nURLs:\r\nhttps://masadsasad[.]moy.su/base.txt\r\nhttps://zuuse[.]000webhostapp.com/mi.exe\r\nhttps://37[.]230.210.84/still/Build.exe\r\nhttps://37[.]230.210.84/still/SoranoMiner.exe\r\nhttps://187[.]ip-54-36-162.eu/steal.exe\r\nhttps://bgtyu73[.]ru/22/Build.exe\r\nSource: https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram"
	],
	"report_names": [
		"masad-stealer-exfiltrating-using-telegram"
	],
	"threat_actors": [],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9e73f3223e3cb230c3ff5c24cae040345fa4af2.pdf",
		"text": "https://archive.orkl.eu/c9e73f3223e3cb230c3ff5c24cae040345fa4af2.txt",
		"img": "https://archive.orkl.eu/c9e73f3223e3cb230c3ff5c24cae040345fa4af2.jpg"
	}
}