
Warning: Fake Telegram Distributes Multi-Stage Malware Running Directly in RAM

  • Mar 20
  • 2 min read

A new cyberattack campaign is raising concerns among security experts, as attackers exploit Telegram to distribute sophisticated malware. The most alarming aspect is the use of “fileless malware” – malicious code that executes directly in memory (RAM), making detection significantly more difficult than traditional threats.

Figure: Fake Telegram distributing malware (Source: Whitehat)

Fake Telegram Used as a Malware Delivery Vector

According to reports, attackers are distributing fake Telegram versions or malicious download links disguised as legitimate applications to trick users. Once installed, the malware infects the system silently without obvious signs.

While this tactic is not entirely new, it has resurfaced with increased sophistication. Previous campaigns have also leveraged modified Telegram installers to deploy malware and gain control over user devices.

Multi-Stage Malware Operating in Memory

Unlike conventional malware that resides on disk, this variant uses a multi-stage attack approach:

  • Stage 1: Initial payload delivery and execution

  • Stage 2: Decryption and deployment of advanced payloads

  • Stage 3: Execution directly in RAM

By operating entirely in memory, the malware can:

  • Evade traditional antivirus detection

  • Leave minimal forensic traces

  • Maintain long-term persistence within infected systems

This reflects a growing trend in modern advanced persistent threat (APT) campaigns.

Figure: Malware infection process (according to K7 Security Labs)

Telegram Increasingly Exploited by Cybercriminals

Telegram has long been abused by cybercriminal groups as a platform to:

  • Distribute malware

  • Control botnets

  • Share hacking tools

Security research indicates that Telegram hosts a vast underground ecosystem where malicious content is actively exchanged. Additionally, certain platform mechanisms have been exploited in the past to collect user data through simple interactions such as clicking a link.

Figure: Evading Microsoft Defender (Source: K7 Security Labs)

Risks for Individuals and Businesses

This campaign poses serious risks, especially for:

  • Employees using Telegram for work-related communication

  • Users downloading software from unofficial sources

  • Organizations lacking behavioral monitoring solutions

Once compromised, attackers may:

  • Steal login credentials

  • Access sensitive internal data

  • Launch deeper attacks within enterprise systems

Security Recommendations

To mitigate risks, experts recommend:

  • Download Telegram only from official sources

  • Avoid opening suspicious links or files

  • Use advanced security solutions with behavior-based detection

  • Keep operating systems and applications updated

  • Implement SOC monitoring for enterprise environments
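The two recommendations a SOC can turn into a rule are "official sources only" and "behavior-based detection". As an added illustration (not code from the article, K7 Security Labs or Whitehat), the script below runs a simple check over constructed process-creation events: a Telegram-named binary outside its expected install directory or without the expected publisher signature, and a Telegram-named process spawning a child that is not Telegram. The install-directory fragment, the publisher name and the sample events are assumptions; verify them against a copy obtained from the official site before using anything like this.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record, reduced to the fields the check needs."""
    pid: int
    parent_image: str
    image: str
    signed: bool
    signer: str

# Constructed sample telemetry (not from the article): a legitimate launch,
# an unsigned copy run from Downloads, and that copy spawning a shell.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe",
              r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe",
              True, "Telegram FZ-LLC"),
    ProcEvent(101, r"C:\Windows\explorer.exe",
              r"C:\Users\u\Downloads\Telegram.exe", False, ""),
    ProcEvent(102, r"C:\Users\u\Downloads\Telegram.exe",
              r"C:\Windows\System32\cmd.exe", True, "Microsoft Windows"),
]

# Assumed values: where the official desktop build installs and who signs it.
OFFICIAL_DIR = "\\telegram desktop\\"
OFFICIAL_SIGNER = "telegram fz-llc"

def is_telegram_named(image):
    return image.lower().endswith("\\telegram.exe")

def check_event(ev):
    """Return a list of findings for one event (empty list means nothing odd)."""
    findings = []
    if is_telegram_named(ev.image):
        if OFFICIAL_DIR not in ev.image.lower():
            findings.append("telegram-named binary outside expected install dir")
        if not ev.signed or ev.signer.lower() != OFFICIAL_SIGNER:
            findings.append("telegram-named binary not signed by expected publisher")
    if is_telegram_named(ev.parent_image) and not is_telegram_named(ev.image):
        findings.append("telegram-named process spawned a non-Telegram child")
    return findings

def scan(events):
    """Map pid -> findings for every event that triggered at least one check."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Path and signer checks alone do not catch an in-memory stage that runs inside an already-trusted process, which is why the article pairs them with behavior-based tooling.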

This fake Telegram campaign highlights a clear shift toward stealthier, harder-to-detect attack techniques. Both individuals and organizations must remain vigilant, especially when using widely adopted communication platforms such as Telegram, which cybercriminals increasingly target.
