Russian hackers hide malware control center in Telegram chat service

Published 18 Feb 2025


A new malware strain discovered by Netskope Threat Labs uses Telegram’s messaging platform to send commands to infected computers.

The team’s February 14, 2025 report revealed a sophisticated Golang-based malware using Telegram as its command-and-control (C2) channel.

“The malware is compiled in Golang and once executed it acts like a backdoor,” said Leandro Fróes, a security researcher at Netskope. “Although the malware seems to still be under development it is completely functional.”

Running under the name “svchost.exe”, the malware copies itself to the Windows temporary folder. It then connects to its controllers through Telegram’s Bot API, which lets the attackers issue commands without maintaining their own server infrastructure.

Russian-language prompts in the malware’s command interface point to its likely origin. The program accepts four basic commands. The “/cmd” instruction prompts the attacker in Russian before executing hidden PowerShell commands. A “/persist” command reinstalls the malware so that it survives a system restart, while “/selfdestruct” removes all traces. The “/screenshot” command exists but only sends fake confirmation messages.
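The two behaviours described above, a copy of “svchost.exe” running from the temp folder and a process talking to Telegram’s Bot API, are both observable in ordinary endpoint telemetry. The script below is an added illustration of how a defender might check for them; it is not code from Netskope or from the report. It assumes Sysmon-style process-creation and network-connection events reduced to plain dictionaries, relies on the fact that Telegram’s Bot API is served from api.telegram.org, and uses a constructed allowlist of processes that an organisation expects to reach that host. The sample events are constructed for the example, not real telemetry.

```python
"""Flag the Telegram-C2 backdoor behaviours from the article in endpoint events.

Two rules, both taken from the article's description:
  1. a binary named svchost.exe whose image path is not one of the
     Windows system directories (the malware runs from the temp folder), and
  2. a connection to Telegram's Bot API (api.telegram.org) from a process
     that is not on a local allowlist of expected clients.
An image that trips both rules is reported as a high-confidence hit.
"""
import ntpath
import re
from dataclasses import dataclass

# Where the genuine Windows service host lives.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Matches the per-user and system temp folders mentioned in the article.
TEMP_DIR_RE = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp)$", re.IGNORECASE)
TELEGRAM_API_HOST = "api.telegram.org"
# Assumption: a local allowlist of processes expected to reach the Bot API
# (browsers, plus a hypothetical in-house bot runner).
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "corp-bot-runner.exe"}

# Constructed sample events in a Sysmon-like shape (event 2/3/5 model the infection).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 2, "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.exe"},
    {"id": 3, "type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 4, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 5, "type": "process", "image": r"C:\Windows\Temp\svchost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},  # models a /persist reinstall
    {"id": 6, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    image: str
    detail: str


def check_svchost_path(evt):
    """Rule 1: svchost.exe running from anywhere but the system directories."""
    image = evt["image"]
    if ntpath.basename(image).lower() != "svchost.exe":
        return None
    directory = ntpath.dirname(image)
    if directory.lower() in LEGIT_SVCHOST_DIRS:
        return None
    where = "temp folder" if TEMP_DIR_RE.search(directory) else "non-system directory"
    return Finding(evt["id"], "svchost_outside_system_dir", image, f"svchost.exe in {where}: {directory}")


def check_telegram_api(evt):
    """Rule 2: Bot API traffic from a process not expected to use it."""
    if evt.get("type") != "network" or evt.get("dest_host", "").lower() != TELEGRAM_API_HOST:
        return None
    proc = ntpath.basename(evt["image"]).lower()
    if proc in EXPECTED_TELEGRAM_CLIENTS:
        return None
    return Finding(evt["id"], "telegram_api_unexpected_process", evt["image"],
                   f"{proc} connected to {TELEGRAM_API_HOST}:{evt.get('dest_port')}")


def scan(events):
    """Apply both rules to every event (rule 1 applies to any event carrying an image path)."""
    findings = []
    for evt in events:
        for check in (check_svchost_path, check_telegram_api):
            hit = check(evt)
            if hit:
                findings.append(hit)
    return findings


def high_confidence(findings):
    """Images that tripped both rules: a misplaced svchost.exe that also talks to the Bot API."""
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(f.image)
    return by_rule.get("svchost_outside_system_dir", set()) & by_rule.get("telegram_api_unexpected_process", set())


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f.event_id}: [{f.rule}] {f.detail}")
    print("high-confidence images:", sorted(high_confidence(results)))
```

Rule 1 is deliberately broad: a legitimate host never runs svchost.exe from a user-writable directory, so any hit deserves a look on its own. Rule 2 on its own is noisier in organisations that run their own Telegram bots, which is why the allowlist exists and why the two rules are correlated per image path before anything is called high confidence.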

The attackers’ use of Telegram represents a growing trend. “The use of cloud apps presents a complex challenge to defenders and attackers are aware of it,” Fróes explained. “Other aspects such as how easy it is to set and start the use of the app are examples of why attackers use applications like that in different phases of an attack.”

Security experts warn that this technique could spread to other cloud platforms. Services like OneDrive, GitHub, and Dropbox face similar risks as attackers look for new ways to hide their activity. Telegram’s Bot API, for instance, allows automated control, making it easy to issue commands remotely.

Netskope has labeled the threat “Trojan.Generic.37477095” and published technical details in its GitHub repository. This information helps organizations defend against the new attack method.

The discovery shows how cybercriminals adapt their tactics to exploit trusted services. As more businesses rely on cloud applications, distinguishing legitimate from malicious traffic becomes increasingly difficult for security teams.

To defend against this threat, users are advised to install up-to-date antivirus software from established security companies. These programs can detect and stop malicious programs, including ones written in the Go programming language.