Cybercriminals Using Telegram messaging service to Distribute ToxicEye Malware

Social Media
Advisory ID:
April 28, 2021


Researchers discovered that the Telegram instant messaging service is being abused by malicious actors to manage a remote access trojan (RAT) called ToxicEye. These cybercriminals are increasingly using Telegram as a command-and-control (C2) channel for malware delivered into organizations, which is then used to capture sensitive information from targeted systems. More than 130 attacks involving the ToxicEye RAT have been discovered recently. Because the RAT talks to Telegram's bot infrastructure directly, the attackers can send commands to an infected machine and retrieve data from it remotely even when the Telegram client is not installed or in use on that machine.

Description & Consequence

The attack chain begins with the attacker creating a Telegram bot, whose details are embedded in the RAT's configuration file before it is compiled into an executable (e.g. "paypal checker by saint.exe"). That .EXE file is then embedded in a decoy Word document ("solution.doc") which, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").

The malware is spread via phishing emails carrying a malicious Windows executable as an attachment. ToxicEye uses Telegram to communicate with its command-and-control (C2) server and to upload stolen data to it.

In the analysed attack, the attackers first created a Telegram account and a dedicated Telegram bot, bundled the bot's details with the ToxicEye malware, and spread the result as an email attachment in spam campaigns.

If a victim opens the malicious attachment, the malware connects to Telegram, giving the attackers a foothold on the victim's device through the bot.

Once installed, the malware allows the attacker to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for ransom.


  1. Search for a file called C:\Users\ToxicEye\rat.exe – if this file exists on your PC, you have been infected: contact your helpdesk immediately and have the file removed from your system (preserving a copy for analysis where your incident process requires it).
  2. Monitor the traffic generated from PCs in your organization to a Telegram C&C – if such traffic is detected and Telegram is not deployed as an approved enterprise solution, treat it as a possible indicator of compromise.
  3. Beware of attachments containing usernames – malicious emails often put your username in the subject line or in the file name of the attachment. Treat such emails as suspicious: delete them, and never open the attachment or reply to the sender.
  4. Undisclosed or unlisted recipients – if the email's recipients have no names, or the names are unlisted or undisclosed, this is a good indication that the email is malicious and / or a phishing email.
  5. Always note the language in the email – social engineering techniques are designed to take advantage of human nature, including the fact that people are more likely to make mistakes when they are in a hurry and are inclined to follow the orders of people in positions of authority.
  6. Deploy an automated anti-phishing solution.
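The two technical checks above (the host IOC in step 1 and the Telegram C&C traffic in step 2) as detection logic in Python. This is an added example, not code from the original advisory or from the researchers who analysed ToxicEye. It assumes that the RAT's C2 traffic goes to Telegram's Bot API at api.telegram.org with request paths of the form /bot<token>/<method> (the documented Bot API shape, which the page does not name), that a bot token has the form <numeric bot id>:<35-character secret>, and that an allow-list of hosts on which Telegram is an approved tool is available. The proxy log lines, the host names, the tokens and the RAT configuration blob are all constructed for the example.

```python
"""Detection helpers for the ToxicEye advisory checks (added example, not the
advisory's own code). Log lines, tokens and the config blob are constructed."""
import os
import re
from collections import defaultdict

# Host-based IOC taken from the advisory (step 1).
IOC_PATH = r"C:\Users\ToxicEye\rat.exe"

# A Telegram bot, including one abused as a RAT C2 channel, talks to the Bot API
# at api.telegram.org (documented Telegram endpoint; the page does not name it).
TELEGRAM_API_HOST = "api.telegram.org"

# Hosts where Telegram is an approved enterprise tool (assumed allow-list for
# this example; in a real deployment this comes from asset inventory).
TELEGRAM_APPROVED_HOSTS = {"ws-marketing-07"}

# Bot API requests look like /bot<token>/<method>, where a token is
# "<numeric bot id>:<35-character secret>" (assumed token shape).
BOT_API_PATH = re.compile(r"^/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>\w+)")
BOT_TOKEN = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

# Constructed proxy log: "<timestamp> <client host> <destination host> <verb> <path>".
# Both tokens are fake. ws-marketing-07 is on the allow-list and must not be flagged.
SAMPLE_PROXY_LOG = """\
2021-04-26T09:12:01Z ws-finance-02 api.telegram.org POST /bot1234567890:AAFakeTokenFakeTokenFakeTokenFakeTo/getUpdates
2021-04-26T09:12:03Z ws-finance-02 api.telegram.org POST /bot1234567890:AAFakeTokenFakeTokenFakeTokenFakeTo/sendDocument
2021-04-26T09:15:40Z ws-marketing-07 api.telegram.org GET /bot5555555555:AAAnotherFakeTokenAnotherFakeTokenA/getMe
2021-04-26T09:16:11Z ws-hr-05 www.example.com GET /index.html
2021-04-26T09:20:55Z ws-eng-11 api.telegram.org POST /bot1234567890:AAFakeTokenFakeTokenFakeTokenFakeTo/sendMessage
"""

# Constructed stand-in for the RAT configuration the advisory says carries the bot.
SAMPLE_RAT_CONFIG = """\
[telegram]
token=1234567890:AAFakeTokenFakeTokenFakeTokenFakeTo
chat_id=987654321
[payload]
drop=C:\\Users\\ToxicEye\\rat.exe
"""


def check_ioc_path(path=IOC_PATH):
    """Step 1: return True when the advisory's dropper path exists on this host."""
    return os.path.exists(path)


def flag_telegram_c2(log_text, approved=TELEGRAM_APPROVED_HOSTS):
    """Step 2: map each non-approved client that reached the Telegram Bot API to
    the list of bot methods it called, in log order. getUpdates (polling for
    commands) next to sendDocument (uploading files) is the RAT pattern the
    advisory describes."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash a scheduled job
        _ts, client, dest, _verb, path = fields
        if dest != TELEGRAM_API_HOST or client in approved:
            continue
        match = BOT_API_PATH.match(path)
        suspects[client].append(match.group("method") if match else path)
    return dict(suspects)


def find_bot_tokens(text):
    """Pull bot-token-shaped strings out of any text: a RAT config blob, a memory
    dump, or the proxy log itself. The token identifies the attacker's bot and
    is the value to carry into the incident report."""
    return sorted(set(BOT_TOKEN.findall(text)))


if __name__ == "__main__":
    print("IOC path present:", check_ioc_path())
    for host, methods in flag_telegram_c2(SAMPLE_PROXY_LOG).items():
        print(f"{host}: unapproved Telegram Bot API use, methods={methods}")
    print("bot tokens seen:", find_bot_tokens(SAMPLE_PROXY_LOG + SAMPLE_RAT_CONFIG))
```

Because the bot token is part of every Bot API URL, a TLS-inspecting proxy or an endpoint agent that sees the request path yields the token directly; with encrypted traffic only the destination host is visible, and step 2 then reduces to "which non-approved machines resolve or connect to api.telegram.org at all", which is still a usable indicator in an organization that does not deploy Telegram.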
