{
	"id": "7c2244b1-4de5-442e-8d64-af0fbaa9055b",
	"created_at": "2026-04-23T02:54:46.983724Z",
	"updated_at": "2026-04-25T02:18:22.26047Z",
	"deleted_at": null,
	"sha1_hash": "d328e93ae4246e39f083e6b4863954d6ec946357",
	"title": "Turning Telegram toxic: ‘ToxicEye’ RAT is the latest to use Telegram for command \u0026 control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77095,
	"plain_text": "Turning Telegram toxic: ‘ToxicEye’ RAT is the latest to use Telegram for command \u0026 control\r\nBy gmcdouga\r\nPublished: 2021-04-22 · Archived: 2026-04-23 02:52:32 UTC\r\nRemote access trojan exploits Telegram communications to steal data from victims and update itself to perform additional malicious activities\r\nResearch by: Omer Hofman\r\nTelegram, the cloud-based IM platform, has enjoyed a surge in popularity this year because of controversial changes to the privacy settings of its rival, WhatsApp. Telegram was the most downloaded app worldwide for January 2021 with more than 63 million installs, and has surpassed 500 million monthly active users. This popularity also extends to the cyber-criminal community. Malware authors are increasingly using Telegram as a ready-made command and control (C\u0026C) system for their malicious products, because it offers several advantages compared to conventional web-based malware administration.\r\nIn this blog, we’ll explore why criminals are increasingly using Telegram for malware control, using the example of a new malware variant called ‘ToxicEye’ that we have recently observed in the wild.\r\nWhy hackers are turning to Telegram for malware control\r\nThe first use of Telegram as the C\u0026C infrastructure for malware was the ‘Masad’ info-stealer back in 2017. The criminals behind Masad realized that using a popular IM service as an integral part of their attacks gave them a number of operational benefits:\r\nTelegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools\r\nAttackers can remain anonymous, as the registration process requires only a mobile number\r\nThe unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines\r\nTelegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.\r\nSince Masad became available on hacking forums, dozens of new types of malware that use Telegram for C\u0026C and exploit Telegram’s features for malicious activity have been found as ‘off-the-shelf’ weapons in hacking tool repositories on GitHub.\r\nToxicEye, a new remote access trojan\r\nhttps://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/\r\nPage 1 of 8\r\nOver the past three months, Check Point Research (CPR) has seen over 130 attacks using a new multi-functional remote access trojan (RAT) dubbed ‘ToxicEye.’ ToxicEye is spread via phishing emails containing a malicious .exe file. If the user opens the attachment, ToxicEye installs itself on the victim’s PC and performs a range of malicious actions without the victim’s knowledge, including:\r\nstealing data\r\ndeleting or transferring files\r\nkilling processes on the PC\r\nhijacking the PC’s microphone and camera to record audio and video\r\nencrypting files for ransom purposes\r\nToxicEye is managed by attackers over Telegram, communicating with the attacker’s C\u0026C server and exfiltrating data to it.\r\nToxicEye’s infection chain\r\nThe attacker first creates a Telegram account and a Telegram ‘bot.’ A Telegram bot account is a special remote account with which users can interact by Telegram chat, by adding it to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.\r\nThe bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file (an example of a file name we found was ‘paypal checker by saint.exe’).\r\nAny victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C\u0026C via Telegram.\r\nIn addition, this Telegram RAT can be downloaded and run by opening a malicious document seen in the phishing emails, called solution.doc, and clicking “enable content.”\r\n[Figure: The ToxicEye infection chain]\r\n[Figure: Code snippet example from open source Telegram RAT repositories]\r\nTelegram RAT functionality\r\nObviously, every RAT using this method has its own functionality, but we were able to identify a number of key capabilities that characterize most of the recent attacks we observed:\r\nData stealing features – the RAT can locate and steal passwords, computer information, browser history and cookies.\r\nFile system control – deleting and transferring files, or killing PC processes and taking over the PC’s task manager.\r\nI/O hijacking – the RAT can deploy a keylogger, record audio and video of the victim’s surroundings via the PC’s microphone and camera, or hijack the contents of the clipboard.\r\nRansomware features – the ability to encrypt and decrypt the victim’s files.\r\n[Figure: A functionality snippet example from a chosen Telegram RAT project]\r\n[Figure: After installing the executable file, the attacker can hijack the computer through the bot (Source)]\r\nHow to spot if you’ve been infected and tips to remain protected\r\n1. Search for a file called C:\\Users\\ToxicEye\\rat.exe – if this file exists on your PC, you have been infected and must immediately contact your helpdesk and erase this file from your system.\r\n2. Monitor the traffic generated from PCs in your organization to a Telegram C\u0026C – if such traffic is detected, and Telegram is not installed as an enterprise solution, this is a possible indicator of compromise.\r\n3. Beware of attachments containing usernames – malicious emails often use your username in their subject line or in the file name of the attachment. These indicate suspicious emails: delete such emails, and never open the attachment nor reply to the sender.\r\n4. Undisclosed or unlisted recipient(s) – if the email recipient(s) have no names, or the names are unlisted or undisclosed, this is a good indication that the email is malicious and/or a phishing email.\r\n5. Always note the language in the email – social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.\r\n6. Deploy an automated anti-phishing solution – minimizing the risk of phishing attacks to the organization requires AI-based anti-phishing software capable of identifying and blocking phishing content across all of the organization’s communication services (email, productivity applications, etc.) and platforms (employee workstations, mobile devices, etc.). This comprehensive coverage is necessary since phishing content can come over any medium, and employees may be more vulnerable to attacks when using mobile devices.\r\nCheck Point’s email security solution will help you prevent the most sophisticated phishing and social engineering attacks before they reach users.\r\nConclusion\r\nThe developers who publish these tools disguise their true purpose by defining them as a “Remote Administration Tool” or “for educational purpose only”, although some of their characteristics are often found in malicious Trojans.\r\nGiven that Telegram can be used to distribute malicious files, or as a C\u0026C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.\r\nCheck Point protections\r\nTelegram RAT project | Samples (sha1) | Protection\r\nTelegram Rat (2020) | 173542ba9f3a6b6da172572668b8d105f16eef48, e3a2b905d8d5587d2a123b5b4097df574e9d22c5, ed013c93d22c5c36a425f2aa58c6b7a4c8175c7f | RAT.Win.TelegramRat.A\r\nToxic eye (2020) | 2f452f001efd48f76a67c2f880d926e040775048, 3de600dfcc588de8b4a190bc421dd854e29722c5, 46396bab68ee8940b35e00840da95d3eac12a1d5 | RAT.Win.ToxicEye.A, RAT.Wins.ToxicEye.B\r\nRat via Telegram (2019) | 11cb873cfea6055966ddf78bd3e0c1194586ddac | RAT.Win.TelegramRat.B\r\nTeleshadow3 (2019) | 75f737f1291552a5d44204d30809831e2c29e44f | RAT.Win.TelegramRat.C\r\nMASAD (2017) | 42c30dc551a3cb3bc935c0eae79b79f17942e439 | RAT.Win.ChatC2.A\r\nSource: https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/"
	],
	"report_names": [
		"turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control"
	],
	"threat_actors": [],
	"ts_created_at": 1776912886,
	"ts_updated_at": 1777083502,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d328e93ae4246e39f083e6b4863954d6ec946357.pdf",
		"text": "https://archive.orkl.eu/d328e93ae4246e39f083e6b4863954d6ec946357.txt",
		"img": "https://archive.orkl.eu/d328e93ae4246e39f083e6b4863954d6ec946357.jpg"
	}
}