Too many hacks lead to Telegram: security researchers recommend blocking it

Multiple recent cyberattacks have relied on Telegram infrastructure as a central tool for tracking victims, controlling malware, and moving stolen data, prompting security researchers to recommend blocking Telegram traffic where it is not essential.
Since the beginning of October 2025, the cybersecurity consulting firm NVISO has identified four distinct malicious campaigns, all of which rely on the abuse of Telegram at various stages of cyberattacks.
Despite the platform’s efforts to crack down on cybercrime, attackers still find Telegram easy to misuse, making it a reliable platform for running operations while also making it hard for defenders to monitor.
“Telegram in particular has constantly been the subject of abuse by multiple threat actors, favored for its anonymity, accessibility, resilience, and operational advantages,” NVISO Labs said in a report about detection and response challenges when dealing with Telegram abuse.
The researchers detail four recent malicious campaigns in which Telegram served as the core infrastructure for attackers.
Lunar Spider, a Russian-speaking, financially motivated cybergang, has been flooding the internet with fake CAPTCHAs, abusing the ClickFix technique to trick victims into copy-pasting malicious commands and ultimately infecting themselves with Latrodectus malware.
“Lunar Spider utilizes Telegram for monitoring FakeCaptcha victims,” the researchers said.
Whenever new victims get infected, their browsers send identifying data and browser information through Telegram’s /sendMessage API endpoint. In this case, the victims initiate the communication towards Telegram.
Another attacker has been targeting WordPress sites and exploiting them for the distribution of DeerStealer malware. The compromised websites masquerade as fake Google Chrome updates, tricking visitors into downloading and executing the installer.
Here Telegram serves as the channel for delivering execution notifications from infected systems back to the operators.
Lumma stealer, one of the most notorious brands of infostealer malware, has adopted Telegram channels for command and control (C2). Attackers modify Telegram channel names to include encrypted commands.
“Lumma samples had the capability to reach out to a Telegram channel, retrieve its name, decrypt it using a ROT15 or ROT13 cipher, and use it as their C2,” NVISO said in the report.
Whenever a Telegram channel gets taken down, the attackers can quickly switch to a new one.
Telegram is also useful for cybercriminals as a tool for exfiltrating compromised data. Another infostealer malware, Raven Stealer, uploads a ZIP file by abusing the Telegram /sendDocument API.
In yet another campaign, analyzed by CloudSEK, attackers abused Telegram both to control a trojanized XWorm builder and to exfiltrate data.
“Telegram’s bot API is widely leveraged in malware operations for data exfiltration, execution notifications, and command-and-control (C2),” NVISO said.
While the experts share recommendations for monitoring processes, interactions, and outbound communication that help identify suspicious activity early, they also offer a more definitive measure.
“Where there is no legitimate business need, blocking traffic to api.telegram.org is highly recommended,” the report concludes.
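The monitoring advice above boils down to spotting outbound requests to Telegram's bot API from hosts that have no business using it. The following is an added example written for this article, not code from NVISO's report or from Cybernews: it parses a constructed proxy-log format (timestamp, source host, process image, HTTP verb, URL, all assumed), recognises bot API calls of the form `/bot<token>/<method>` on api.telegram.org, and rates the ones the article associates with tracking (`sendMessage`), exfiltration (`sendDocument`) and channel-based C2 (`getChat`), while skipping hosts on an assumed allowlist of legitimate Telegram users. The bot token in the sample lines is a constructed placeholder and is never stored in the findings.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the report). One outbound HTTP request
# per line, fields separated by single spaces:
#   <timestamp> <source_host> <process_image> <http_verb> <url>
SAMPLE_PROXY_LOG = """\
2025-10-07T09:12:03Z ws-fin-17 chrome.exe GET https://www.example.org/index.html
2025-10-07T09:12:41Z ws-fin-17 powershell.exe POST https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/sendMessage
2025-10-07T09:15:10Z ws-hr-04 updater.exe POST https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/sendDocument
2025-10-07T09:16:55Z ws-hr-04 svchost.exe GET https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/getChat?chat_id=@constructedchannel
2025-10-07T09:20:00Z mkt-laptop-02 Telegram.exe GET https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/getUpdates
2025-10-07T09:21:30Z ws-fin-17 chrome.exe GET https://t.me/constructedchannel
"""

# Assumed allowlist: hosts with a documented business need for Telegram.
ALLOWED_HOSTS = {"mkt-laptop-02"}

# Bot API method -> (what its abuse indicates in the campaigns described, severity).
# Any other bot API method is still reported, at low severity.
METHOD_MEANING = {
    "sendMessage": ("victim tracking / execution notification", "medium"),
    "sendDocument": ("data exfiltration", "high"),
    "getChat": ("C2 lookup via channel metadata", "high"),
}

# Bot API paths look like /bot<token>/<method>; the token is captured only so it
# can be discarded, never copied into a finding.
BOT_API_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    ts, host, process, verb, url = parts
    return {"ts": ts, "host": host, "process": process, "verb": verb, "url": url}


def classify(record):
    """Return a finding dict for a Telegram bot API request, else None."""
    parsed = urlsplit(record["url"])
    if parsed.hostname != "api.telegram.org":
        return None
    match = BOT_API_PATH.match(parsed.path)
    if match is None:
        # Something else on api.telegram.org (not a bot API call): not a finding here.
        return None
    method = match.group("method")
    meaning, severity = METHOD_MEANING.get(method, ("other bot API call", "low"))
    return {
        "ts": record["ts"],
        "host": record["host"],
        "process": record["process"],
        "method": method,
        "meaning": meaning,
        "severity": severity,
    }


def scan_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for bot API traffic from hosts outside the allowlist."""
    findings = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        finding = classify(record)
        if finding is None or record["host"] in allowed_hosts:
            continue
        findings.append(finding)
    return findings


def summarize(findings):
    """Group findings per host so a responder sees each machine's activity at once."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], []).append(f"{f['process']} -> {f['method']} ({f['meaning']}, {f['severity']})")
    return per_host


if __name__ == "__main__":
    for host, events in summarize(scan_log(SAMPLE_PROXY_LOG)).items():
        print(host)
        for event in events:
            print("   ", event)
```

Running the block prints the two workstations that talked to the bot API and what each call implies; the marketing laptop is skipped because it is allowlisted, and the plain t.me visit is not a bot API call. Where the allowlist is empty, which is the situation the report's final recommendation addresses, every bot API request becomes a finding, and the same match on `api.telegram.org` is what an egress block rule would key on.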