“Hacktivist” CyberVolk using Telegram-based bots for ransomware campaigns (with a few glitches)

The resurfaced threat group is using bots via Telegram to manage command-and-control, marketing, sales, and affiliate support.
While the group, thought to have originated in India, brands itself as pro-Russia and hacktivist, its actions are starting to resemble those of a medium-to-large enterprise.
Thanks to Telegram’s enforcement actions, the group remained inactive for most of this year, but it now appears to be back with a vengeance, enabling affiliate buyers to interact with ransomware through automated bots on the platform.
According to a new report from SentinelOne, the group has returned with a ransomware-as-a-service (RaaS) offering called VolkLocker, following a period of apparent inactivity earlier this year.
While the malware itself includes new features, researchers say the more significant development lies in how CyberVolk operates – and sells – its tools through popular communication channels.
“All aspects of the CyberVolk RaaS are managed through Telegram,” SentinelOne senior researcher Jim Walter noted, adding that the messaging platform is used to manage infections, issue commands, recruit affiliates, advertise services, and provide operational support.
New bots and channels to promote RaaS
According to Walter, rather than relying on custom-built web dashboards or hidden services, CyberVolk has built much of its operation around Telegram bots and channels.
For instance, affiliates can interact with the ransomware through an automated bot called CyberVolk_Kbot, which generates payloads, monitors activity, and facilitates communication with victims via a familiar chat interface.
By relying on bots and automation, rather than dedicated infrastructure, the model reduces the technical overhead required to launch attacks, allowing threat actors to scale their operations.
There’s even a pre-built HTML ransom note featuring a countdown timer on offer to affiliates, highlighting how the gang is also streamlining victim interaction.
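For defenders, the Telegram-based command-and-control described above suggests hunting for endpoint traffic to Telegram's Bot API. The following Python example is added here and is not code from the SentinelOne report or this article; the log format, host names, process names and allowlist are constructed, and it assumes the bots are reached through Telegram's public Bot API endpoint (api.telegram.org).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

BOT_API_HOST = "api.telegram.org"                  # Telegram's public Bot API endpoint
BOT_PATH = re.compile(r"^/bot(\d+):[^/]+/(\w+)")   # /bot<id>:<secret>/<method>
APPROVED_HOSTS = {"ci-runner-01"}                  # hypothetical sanctioned bot integration

# Constructed sample proxy log (assumed fields: time, host, process, method, target).
SAMPLE_LOG = """\
2025-11-20T10:01:02Z ws-014 chrome.exe CONNECT web.telegram.org:443
2025-11-20T10:01:09Z ws-022 svc_update.exe POST https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN/sendMessage
2025-11-20T10:01:40Z ws-022 svc_update.exe GET https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN/getUpdates
2025-11-20T10:02:11Z ci-runner-01 notify.py POST https://api.telegram.org/bot2222222222:CONSTRUCTED_TOKEN/sendMessage
2025-11-20T10:03:00Z ws-031 unknown.exe CONNECT api.telegram.org:443
this line is malformed
"""

def parse_line(line):
    """Return (host, process, target_host, bot_id, api_method), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, host, process, method, target = parts
    # CONNECT lines carry only host:port (no TLS inspection); others carry a full URL.
    url = urlsplit("//" + target if method == "CONNECT" else target)
    m = BOT_PATH.match(url.path)
    return host, process, (url.hostname or "").lower(), m and m.group(1), m and m.group(2)

def hunt(log_text, approved=APPROVED_HOSTS):
    """Summarise Bot API traffic from hosts that are not approved to use it."""
    findings = defaultdict(
        lambda: {"hits": 0, "processes": set(), "bot_ids": set(), "methods": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, process, target_host, bot_id, api_method = rec
        if target_host != BOT_API_HOST or host in approved:
            continue
        f = findings[host]
        f["hits"] += 1
        f["processes"].add(process)
        if bot_id:  # URL path is only visible when TLS is inspected
            f["bot_ids"].add(bot_id)
            f["methods"].add(api_method)
    return dict(findings)

if __name__ == "__main__":
    for host, f in sorted(hunt(SAMPLE_LOG).items()):
        print(host, f["hits"], sorted(f["processes"]), sorted(f["bot_ids"]), sorted(f["methods"]))
```

The numeric bot ID before the colon identifies the bot without the secret part of the token, so it can be recorded in a case file or an abuse report to the platform.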
Walter’s report also highlights how CyberVolk is using Telegram as a marketing platform. SentinelOne observed that the group was actively promoting VolkLocker and related tools through Telegram channels, advertising pricing models, bundled malware offerings, and a host of new features.
In November 2025, for instance, it notes that operators began advertising standalone RAT and keylogger tools, with a suggested pricing model:
RaaS (single OS): $800-$1,100 USD
RaaS (Linux + Windows): $1,600-$2,200 USD
Standalone RAT or Keylogger: $500 USD each
VolkLocker prices for services, as reported by SentinelOne
The report added that: “Intelligence suggests bundle discounts are available for customers purchasing multiple services.”
Critical flaw in malware gives victims hope
Despite its polished business model, VolkLocker has a flaw that could allow victims to recover their data without paying a ransom.
According to Walter, the ransomware stores its master encryption key locally on the infected system and fails to delete it. If recovered, the key can potentially be used to decrypt affected files.
“The presence of the encryption key on disk represents a significant implementation flaw,” the researcher said, suggesting the issue may stem from rushed development.
“Given that VolkLocker is a relatively new service, the presence of what appears to be debug functionality in live deployments suggests that the operation is struggling to maintain quality control while aggressively recruiting lesser-skilled affiliates,” Walter added.
“Our analysis reveals an operation struggling with the challenges of expansion: taking one step forward with sophisticated Telegram automation, and one step backward with payloads that retain test artifacts enabling victim self-recovery.”