Fake Telegram website infects Windows

Megiddo

Researchers have discovered a new malware campaign in which attackers disguise malware as a Telegram installer. Victims are lured to the domain telegrgam[.]com, which visually closely resembles the messenger's official website, and are then prompted to download what appears to be a normal Telegram installer.

In reality, instead of a normal installation, a whole infection chain is launched. The malicious file has a plausible name—tsetup-x64.6.exe—and, along with the malicious payload, it actually drops a legitimate Telegram installer onto the victim's computer to avoid raising unnecessary suspicion.

The user sees that Telegram has been installed and may not notice that another process is already running on the system.

[Figure 1: typosquatted domain]


One of the most disturbing features of this attack is its interference with Windows security. According to the researchers, the malware uses PowerShell to add the system drives C:, D:, E:, and F: to the Windows Defender exclusion list. Simply put, the antivirus is instructed to "ignore" any activity on these partitions. After this, the malware becomes noticeably more comfortable in the system.

Then, it begins to disguise itself more carefully. The malware components are stored in the AppData\Roaming\Embarcadero directory. The name was chosen deliberately—it resembles something legitimate and isn't immediately noticeable. The malicious DLL file itself is launched via rundll32.exe, using a standard Windows process to appear less suspicious. Researchers specifically note that the payload is assembled in memory and isn't written to disk in the usual way, which further complicates detection.

[Figure 2: payload]


The campaign's communication with the control infrastructure is also quite typical for serious downloaders and RAT tools. Once activated, the Trojan establishes a TCP connection to 27.50.59.77:18852, associated with the jiijua[.]com domain, and can then receive commands, download new modules, and maintain constant access to the system.

[Figure 3: kill chain]
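The three host-level artefacts described in the post (whole-drive Defender exclusions, the AppData\Roaming\Embarcadero drop directory, and a rundll32.exe process talking to 27.50.59.77:18852) can be checked with a short audit script. The following is an added example written for this page, not code from the original post or from the researchers it cites. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender and the NetTCPIP module present; the directory name, IP and port are taken from the post, everything else (variable names, the regex for a drive-root exclusion) is this example's own choice.

```powershell
# Added example (not from the original post): defender-side audit of the
# artefacts described above. Assumes elevated PowerShell on Windows 10/11
# with Microsoft Defender and the NetTCPIP module available.

$SuspiciousDir = Join-Path $env:APPDATA 'Embarcadero'   # drop directory named in the post
$C2Address     = '27.50.59.77'                           # C2 IP named in the post
$C2Port        = 18852                                   # C2 port named in the post

# 1. Defender exclusions: an exclusion of a bare drive root (C:\, D:\, ...)
#    blinds the scanner to that whole volume and is almost never legitimate.
$pref = Get-MpPreference
$rootExclusions = @($pref.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
if ($rootExclusions.Count -gt 0) {
    Write-Warning "Whole-drive Defender exclusions present: $($rootExclusions -join ', ')"
    # After confirming they are not expected, remove them with:
    # Remove-MpPreference -ExclusionPath $rootExclusions
} else {
    Write-Output 'No whole-drive Defender exclusions found.'
}

# 2. Drop directory under AppData\Roaming: report it and hash its contents
#    so the files can be compared against published indicators.
if (Test-Path $SuspiciousDir) {
    Write-Warning "Directory exists: $SuspiciousDir"
    Get-ChildItem -Path $SuspiciousDir -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
} else {
    Write-Output "Directory not present: $SuspiciousDir"
}

# 3. Established connections to the C2 endpoint, mapped back to the owning process.
$c2Hits = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Address -and $_.RemotePort -eq $C2Port }
foreach ($conn in $c2Hits) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("Connection to {0}:{1} from PID {2} ({3})" -f
        $conn.RemoteAddress, $conn.RemotePort, $conn.OwningProcess, $proc.ProcessName)
}

# 4. Any rundll32.exe instance holding a network connection, regardless of
#    destination: rundll32 normally has no reason to keep a TCP session open,
#    and the post describes the DLL payload being launched through it.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.ProcessName -eq 'rundll32') {
            [PSCustomObject]@{
                PID    = $_.OwningProcess
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    }
```

Run it once per host from an elevated prompt; the exclusion check (step 1) is the one worth scheduling, since a drive-root exclusion appearing on a workstation is a strong signal on its own, independent of this particular campaign's IP and directory name.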