
New Go-Based Malware Controlled via Telegram Identified
Cybersecurity researchers have discovered a new backdoor written in the Go programming language. It uses the Telegram messenger as its command and control (C2) channel. Although still under development, it is already functional and capable of executing several malicious actions.
✅ Written in the Go programming language and controlled via Telegram;
✅ Suspected to have Russian origins;
✅ Although not fully completed, its core commands are operational;
✅ This technology complicates the detection and prevention of cyberattacks.
The malware, developed in Golang (Go), acts as a backdoor upon execution. Its main operational workflow is as follows:
🔹 Self-installation on the system: When launched, the malware checks if it is running from C:\Windows\Temp\svchost.exe. If not, it copies itself to this directory.
🔹 Terminating the original process: The malware starts its newly copied instance and terminates the initial process.
🔹 Communicating with Telegram: It uses an open-source Go library to interact with Telegram. The bot is created using a token obtained through the Telegram BotFather service.
🔹 Receiving commands: The malware continuously listens for commands from a Telegram channel using the GetUpdatesChan function.
Currently, the malware supports four commands, three of which are fully implemented:
🔹 /cmd – Executes PowerShell commands sent via Telegram.
🔹 /persist – Relaunches itself from C:\Windows\Temp\svchost.exe.
🔹 /screenshot – Not yet implemented; it only sends a message claiming that a screenshot was taken.
🔹 /selfdestruct – Deletes itself and terminates the process.
The malware sends the results of executed commands back to the Telegram channel in an encrypted format. For example, when executing the /cmd command, the attacker sends a PowerShell command, which is executed in stealth mode.
Detecting malware controlled via cloud-based services like Telegram, OneDrive, GitHub, and Dropbox is increasingly challenging. These platforms provide cybercriminals with highly convenient control mechanisms, making it difficult to differentiate malicious traffic from normal network activity.
Netskope Advanced Threat Protection has classified this threat as Trojan.Generic.37477095. Experts emphasize the importance of continuous monitoring and proactive security measures to counter such threats.
🔹 Keep software and systems updated – Outdated programs and operating systems are more vulnerable to such attacks.
🔹 Use antivirus and security tools – Netskope and other cybersecurity firms offer solutions to detect these threats.
🔹 Monitor network traffic – Inspect outbound connections to services like Telegram, particularly those made by processes that have no business using them.
🔹 Restrict administrative privileges – Limiting user privileges reduces the likelihood of malware execution.
🔹 Educate employees – Awareness training on cybersecurity helps staff identify suspicious activities early.
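The workflow above (a copy dropped as C:\Windows\Temp\svchost.exe, Telegram polling, PowerShell spawned by the /cmd handler) and the recommendation to monitor Telegram traffic translate directly into a few hunting rules. The following is an added example, not code from the report or from Netskope: it runs three rules over a handful of constructed process-creation and network-connection events (simplified Sysmon-style fields, as in event IDs 1 and 3). The event schema, the sample events and the allowlist of processes permitted to reach the Telegram Bot API are assumptions made for this example.

```python
"""
Hunting rules for a Telegram-controlled backdoor that masquerades as
svchost.exe under C:\\Windows\\Temp. Event schema and sample telemetry are
constructed for this example, not taken from the report.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Legitimate svchost.exe is loaded from the Windows system directories;
# the backdoor copies itself to C:\Windows\Temp\svchost.exe instead.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DROP_DIR = r"c:\windows\temp"
# Hostname of the Telegram Bot API that bot libraries talk to.
TELEGRAM_BOT_API_HOST = "api.telegram.org"
# Images expected to reach the Bot API (assumption: an internal alerting
# bot; tune to your environment).
ALLOWED_TELEGRAM_CLIENTS = (r"c:\tools\alertbot\alertbot.exe",)


@dataclass
class Event:
    kind: str                           # "process" (creation) or "network" (connection)
    image: str                          # full path of the acting process
    parent_image: Optional[str] = None  # process events only
    dest_host: Optional[str] = None     # network events only


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _under(path: str, roots) -> bool:
    """True if the file's directory is one of roots or a subdirectory of it."""
    d = _dirname(path)
    roots = (roots,) if isinstance(roots, str) else roots
    return any(d == r or d.startswith(r + "\\") for r in roots)


def masquerading_svchost(ev: Event) -> Optional[str]:
    """Rule 1: a process named svchost.exe started outside the system directories."""
    if ev.kind == "process" and _basename(ev.image) == "svchost.exe" \
            and not _under(ev.image, LEGIT_SVCHOST_DIRS):
        return f"svchost.exe outside system directories: {ev.image}"
    return None


def temp_process_spawning_powershell(ev: Event) -> Optional[str]:
    """Rule 2: PowerShell launched by a binary under C:\\Windows\\Temp (the /cmd handler)."""
    if ev.kind == "process" and ev.parent_image \
            and _basename(ev.image) in ("powershell.exe", "pwsh.exe") \
            and _under(ev.parent_image, DROP_DIR):
        return f"PowerShell spawned from Temp: parent={ev.parent_image}"
    return None


def unexpected_telegram_traffic(ev: Event) -> Optional[str]:
    """Rule 3: Telegram Bot API traffic from a process that is not allowlisted."""
    if ev.kind == "network" and ev.dest_host \
            and ev.dest_host.lower() == TELEGRAM_BOT_API_HOST \
            and _norm(ev.image) not in ALLOWED_TELEGRAM_CLIENTS:
        return f"Telegram Bot API traffic from {ev.image}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    masquerading_svchost,
    temp_process_spawning_powershell,
    unexpected_telegram_traffic,
]


def evaluate(events: List[Event]) -> List[str]:
    """Run every rule over every event and collect the findings."""
    findings: List[str] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: a benign baseline plus the chain described
# in the report (drop to Temp, relaunch, poll Telegram, run PowerShell).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event("process", r"C:\Windows\Temp\svchost.exe",
          parent_image=r"C:\Users\alice\Downloads\invoice.exe"),
    Event("network", r"C:\Windows\Temp\svchost.exe", dest_host="api.telegram.org"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\Temp\svchost.exe"),
    Event("network", r"C:\Tools\alertbot\alertbot.exe", dest_host="api.telegram.org"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_host="example.com"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample events, the three rules produce exactly three findings: the svchost.exe copy running from Temp, that copy talking to api.telegram.org, and PowerShell being spawned with the Temp copy as its parent. Rule 3 is the one that needs tuning per environment: Telegram traffic is legitimate on many networks, so the signal is the combination of an unexpected process, an unexpected parent, and a known C2 host rather than the destination alone.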
✅ A new Go-based malware controlled via Telegram poses a significant cybersecurity threat, as it can evade traditional security controls by blending its traffic into that of legitimate cloud services.
✅ Organizations must continuously update their security systems, educate employees, and monitor suspicious network traffic.
✅ Netskope Threat Labs is actively monitoring this threat and publishing updates in its public repository on GitHub.
🛡 Do not ignore cybersecurity! Prepare for emerging threats in advance!