Malware & Ransomware · HIGH

Malware - Fake Telegram Site Distributes Multi-Stage Loader

Cyber Security News · Reporting by Tushar Subhra Dutta
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana
Basically, a fake Telegram site tricks users into downloading dangerous software.

Quick Summary

A fake Telegram download site is spreading malware disguised as a legitimate installer. Users risk severe system compromises through simple URL typos. Stay vigilant and only download from verified sources.

What Happened

A new threat has emerged from a typosquatted website designed to look like the official Telegram download page. The site, hosted at telegrgam[.]com, masquerades as a legitimate portal, prompting users to download a Windows installer named tsetup-x64.6.exe. This installer is not what it seems; it is a malicious file that initiates a multi-stage loading process, allowing attackers to execute harmful code without detection.

The malware operates by modifying system settings and running commands in the background. It avoids traditional detection methods by executing its final payload directly in the system's memory, never writing it to disk. This stealthy approach makes it particularly dangerous, as many antivirus programs rely on scanning files stored on the disk to identify threats.

Who's Being Targeted

This campaign primarily targets everyday users who may not pay close attention to the URLs they visit. The attackers exploit the popularity of Telegram, a widely used messaging app, to lure victims into downloading the fake installer. By registering look-alike domain names such as www.telefgram[.]com and www.tejlegram[.]com, they increase their chances of catching unsuspecting users who mistype the URL.

The risk is significant; a single mistake can lead to a full system compromise. Users searching for a popular app can easily fall victim to this visual deception, which is a reminder of how cybercriminals exploit human error rather than relying solely on technical vulnerabilities.
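One defensive control against this kind of typosquatting is to flag near-miss brand domains in DNS or proxy logs before a download ever starts. The script below is an added example, not code from the article or from any vendor: it scores the second-level label of each queried host against the protected label "telegram" with a Damerau-Levenshtein (optimal string alignment) distance, so one inserted, dropped, substituted or swapped letter scores 1. The log format and the sample lines are constructed for the example; they use the three look-alike domains named above.

```python
"""Flag look-alike telegram domains in DNS query logs (added example, not from the article).
Damerau-Levenshtein (OSA) distance: one typo, insertion, deletion or adjacent swap = 1.
"""
from typing import Iterable

PROTECTED_LABEL = "telegram"  # second-level label of the genuine site

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance (insert, delete, substitute, swap adjacent)."""
    d = [[max(i, j) if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def second_level_label(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.', return the label before the TLD."""
    parts = host.lower().rstrip(".").split(".")
    if parts[0] == "www" and len(parts) > 2:
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(host: str, threshold: int = 2) -> bool:
    """True if the host's second-level label is a near miss of the protected brand."""
    label = second_level_label(host)
    return label != PROTECTED_LABEL and damerau_levenshtein(label, PROTECTED_LABEL) <= threshold

def scan_dns_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, host) for each query whose host looks like the brand.
    Assumed (constructed) line format: '<timestamp> <client_ip> <queried_name>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and is_lookalike(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits

# Constructed sample log: the three look-alike domains from the article plus benign queries.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 telegram.org
2024-01-01T10:00:01Z 10.0.0.5 telegrgam.com
2024-01-01T10:00:02Z 10.0.0.7 www.telefgram.com
2024-01-01T10:00:03Z 10.0.0.9 www.tejlegram.com
2024-01-01T10:00:04Z 10.0.0.9 github.com
""".splitlines()
```

Running `scan_dns_log(SAMPLE_LOG)` returns the three look-alike queries with the client that issued each; the genuine telegram.org query and the unrelated github.com query are not flagged.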

Signs of Infection

Once the malicious installer is executed, it begins by checking for existing infections and disabling real-time protection in Windows Defender. This is done through an obfuscated PowerShell command that excludes all drive partitions from scanning. The installer then drops several files into a location designed to mimic legitimate software folders, further obscuring its presence.

The core of the attack lies in how the malware executes its payload. It uses a technique called reflective loading, where the malicious code is reconstructed in memory and executed without ever being saved to disk. This makes it extremely difficult for traditional security tools to detect the threat, allowing it to operate undetected while maintaining a connection to a command-and-control server.

How to Protect Yourself

To defend against such threats, users should only download software from official and verified sources. Always double-check the URL before downloading any files. Keeping endpoint security tools updated and monitoring network traffic for unusual outbound connections are also effective strategies to detect and mitigate these types of threats.

In addition, users should be cautious about any unexpected prompts or changes in their system after installing software. By staying vigilant and informed, individuals can better protect themselves from these sophisticated malware attacks.

🔒 Pro insight: The use of in-memory execution techniques highlights the need for advanced detection capabilities in endpoint security solutions.

