Hackers Use Pastebin-Hosted PowerShell Script to Steal Telegram Sessions

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybersecurity researchers have uncovered a purpose-built PowerShell script hosted on Pastebin that is designed to silently steal Telegram session data from both desktop and web-based clients.

The script is disguised as a routine Windows system update, making it easy for unsuspecting users to run it without raising any alarms.

The malicious script is titled “Windows Telemetry Update,” a name carefully chosen to mimic the naming style of legitimate Windows maintenance tasks. Once executed, the script wastes no time.

It first collects host metadata, including the victim’s username, computer name, and public IP address via api.ipify[.]org, before moving on to its primary objective.

Targeting directories under %APPDATA%\Telegram Desktop and %APPDATA%\Telegram Desktop Beta, the script locates and archives session files into a compressed file called “diag.zip” stored temporarily in the user’s TEMP folder.

Flare analysts identified this Pastebin-hosted script as a high-severity threat after tagging it during continuous monitoring of paste sites and illicit channels for malicious content.

Their analysis revealed a purpose-built Telegram session stealer that targets desktop session data, exfiltrates it through the Telegram Bot API, and shares infrastructure with a separate web-based session capture tool.

What makes this case particularly instructive is not the sophistication of the tooling, which is minimal, but what the artifacts reveal: two collection mechanisms operating at different stages of development, hardcoded credentials that exposed the operator’s entire history, and a clear debugging trail from a broken first version to a functional second one.

The script was found in two versions on Pastebin, both posted under the same account. The initial version (v1) contained a fundamentally broken multipart upload implementation that caused the “diag.zip” archive to never reach the bot.

The operator observed this failure, diagnosed the issue, and published a corrected version (v2) that properly implements the sendDocument endpoint using the Invoke-RestMethod -Form approach with correct multipart/form-data encoding.

This debugging cycle, visible in the public Pastebin post history, provides a rare window into how session-stealing tools are built and tested before operational deployment.

Neither version of the script includes obfuscation, persistence mechanisms, or an automated delivery or execution mechanism.

Based on Flare’s analysis, the script appeared to still be in active validation at the time of discovery rather than deployed in a live campaign.

However, the functional v2 variant and the confirmed web-based session stealer sharing the same bot infrastructure indicate the capability has passed functional validation and could move toward scaled operation.

How the Script Steals Your Telegram Session

The infection chain begins the moment a victim manually runs the PowerShell file. The script opens two investigative paths simultaneously: it queries the Telegram Bot API directly to enumerate the bot, and it pulls any existing bot telemetry from the bot’s message history using the Matka tool.

Screenshot of the initial version of the script (v1) (Source – Flare)

After collecting host metadata, the script checks for both the stable and beta installations of Telegram Desktop under %APPDATA%.

The matching paths are appended to a paths array, and the script proceeds only if at least one tdata path exists.

Otherwise, it triggers a “No Telegram installation found” beacon, meaning the script still sends an operator notification on every execution regardless of outcome.

Screenshot of the fixed version of the script (v2) (Source – Flare)

The script then forcibly terminates the Telegram process to release file locks on the tdata directory before compression begins.

A two-second delay then allows the process to finish terminating before the Compress-Archive command runs, behavior consistent with awareness of Telegram Desktop’s file locking.

Once the archive is ready, the bot API endpoint api.telegram.org/bot{token}/sendDocument is called with the operator’s chat ID, victim metadata as a caption, and “diag.zip” as the document.

If that method fails, a WebClient UploadFile fallback ensures the archive reaches the operator regardless, though it sacrifices the caption in the process.

The script closes by deleting the diag.zip file from disk immediately after upload to remove forensic artifacts.

Separately, the web-based stealer component captures active Telegram Web localStorage session state, specifically dcX_auth_key MTProto authorization keys and account1 session structures, using the same shared Telegram bot channel for exfiltration.

An attacker holding these keys can reconstruct authenticated sessions without needing the account password or SMS verification after initial setup.

Security teams and individual users should take the following steps if this script is suspected to have executed on a system.

Immediately terminate all active Telegram sessions from the Telegram application: open Settings, then Privacy and Security, then Active Sessions, and select Terminate All Other Sessions.

Change your Telegram password and enable two-factor authentication if not already active. Review the Telegram account for any unauthorized activity, unusual messages sent from the affected account, or changes to account settings.

Consider that any sensitive information previously shared through Telegram may have been exposed and take appropriate steps to secure related accounts or notify affected parties.

At the network level, block the following domains at the proxy and firewall layer in environments where Telegram is not permitted: api.telegram.org and web.telegram.org.

In environments where Telegram is allowed, monitor for sendDocument and sendMessage API calls originating from scripting environments such as PowerShell, Python, or curl, as these are extremely rare in legitimate enterprise environments and should be triaged immediately.
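As an added example (not code from the article or from Flare), the monitoring guidance above applied to a handful of constructed proxy log lines: the log format, IP addresses and the bot token are all assumed or constructed, and the detector redacts the token so the alert itself does not re-leak the operator credential.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from the article). Assumed format:
# <timestamp> <src_ip> <verb> <url> <status> "<user-agent>"
SAMPLE_LOG = [
    '2024-01-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEXAMPLEsecretTOKEN000/sendMessage 200 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.3031"',
    '2024-01-01T10:00:03Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEXAMPLEsecretTOKEN000/sendDocument 200 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.3031"',
    '2024-01-01T10:00:04Z 10.0.0.7 GET https://web.telegram.org/a/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2024-01-01T10:00:05Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBconstructedOTHER111/getUpdates 200 "python-requests/2.31"',
]

# Bot API URLs look like api.telegram.org/bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')
# Methods the article ties to exfiltration and to the "no Telegram found" beacon.
EXFIL_METHODS = {"sendDocument", "sendMessage"}
# User-agent fragments of scripting clients rather than a browser or the Telegram app.
SCRIPT_AGENTS = ("powershell", "python-requests", "python-urllib", "curl", "wget")

@dataclass
class Alert:
    ts: str
    src: str
    method: str
    bot_id: str       # numeric bot id, safe to keep for pivoting across events
    token_hint: str   # secret part redacted so the alert does not carry the credential
    user_agent: str

def redact(secret: str) -> str:
    """Keep only a short prefix of the bot secret for correlation."""
    return secret[:4] + "..."

def analyze(lines):
    """Return one Alert per Bot API send call made by a scripting client."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, _verb, url, _status, ua = m.groups()
        api = BOT_API_RE.search(url)
        if not api:
            continue
        bot_id, secret, method = api.groups()
        if method in EXFIL_METHODS and any(a in ua.lower() for a in SCRIPT_AGENTS):
            alerts.append(Alert(ts, src, method, bot_id, redact(secret), ua))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The getUpdates line is deliberately not flagged, since the article's guidance centers on the send methods; widening EXFIL_METHODS is a one-line policy change if all scripted Bot API use is unwanted in your environment.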
