New Telegram Session-Stealing PowerShell Script Discovered on Pastebin
Cybersecurity researchers at Flare have identified a malicious PowerShell script hosted on Pastebin, designed to steal Telegram session data from both desktop and web-based clients. The script, titled "Windows Telemetry Update," masquerades as a legitimate Windows system update to deceive users into executing it.
Upon execution, the script first gathers host metadata (the victim’s username, computer name, and public IP address), then targets Telegram’s session files in directories like %APPDATA%\Telegram Desktop and %APPDATA%\Telegram Desktop Beta. These files are compressed into a temporary diag.zip archive and exfiltrated via the Telegram Bot API.
Two versions of the script were found on Pastebin under the same account. The initial version (v1) contained a broken multipart upload implementation, preventing successful data exfiltration. The operator later released a corrected version (v2), which properly transmits the stolen data using the sendDocument endpoint. The debugging process, visible in the Pastebin post history, offers rare insight into the development of session-stealing tools.
The script forcibly terminates the Telegram process to bypass file locks before compressing the session data. If the primary exfiltration method fails, a fallback based on the .NET WebClient UploadFile method still delivers the archive to the attacker. The script then deletes diag.zip to minimize forensic traces.
A separate web-based stealer component, sharing the same bot infrastructure, captures Telegram Web’s localStorage session keys, allowing attackers to reconstruct authenticated sessions without passwords or SMS verification.
Flare’s analysis suggests the script was still in testing rather than active deployment. However, the functional v2 variant and shared infrastructure with the web-based stealer indicate the capability is now validated and could be scaled for broader use. The lack of obfuscation, persistence, or automated delivery mechanisms further supports this assessment.
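The behavioural chain described above (Telegram process termination, reading the Telegram Desktop directory, staging diag.zip, contacting the Telegram Bot API, deleting the archive) is what a defender can correlate in endpoint telemetry rather than hunting for a single string. The following is an added detection example, not code from Flare's report or the article; the event schema, the stage names and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# One stage of the chain the article describes: (stage name, telemetry event type,
# predicate over the lower-cased 'detail' field). Event types are a constructed,
# Sysmon-like simplification, not a real product's schema.
STAGES = [
    ("kill_telegram", "process_terminate", lambda d: "telegram" in d),
    ("read_session_dir", "file_read", lambda d: "\\telegram desktop" in d),
    ("stage_archive", "file_create", lambda d: d.endswith("diag.zip")),
    ("exfil_bot_api", "net_connect", lambda d: "api.telegram.org" in d),
    ("cleanup_archive", "file_delete", lambda d: d.endswith("diag.zip")),
]

def correlate(events, window=timedelta(minutes=5), min_stages=3):
    """Group events by originating pid and flag pids that complete at least min_stages
    of the chain within `window` of their first event. Returns {pid: [stage names]}."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid.setdefault(ev["pid"], []).append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        first_ts, matched = evs[0]["ts"], []
        for ev in evs:
            if ev["ts"] - first_ts > window:
                break  # later events fall outside the correlation window
            for name, etype, pred in STAGES:
                if ev["event"] == etype and name not in matched and pred(ev["detail"].lower()):
                    matched.append(name)
        if len(matched) >= min_stages:
            hits[pid] = matched
    return hits

# Constructed sample telemetry: pid 4120 runs the full chain; pid 777 is a user
# simply closing Telegram and must not be flagged on that single event.
T0 = datetime(2026, 4, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "pid": 4120, "event": "process_terminate", "detail": "Telegram.exe"},
    {"ts": T0 + timedelta(seconds=2), "pid": 4120, "event": "file_read",
     "detail": r"C:\Users\victim\AppData\Roaming\Telegram Desktop"},
    {"ts": T0 + timedelta(seconds=3), "pid": 4120, "event": "file_create",
     "detail": r"C:\Users\victim\AppData\Local\Temp\diag.zip"},
    {"ts": T0 + timedelta(seconds=5), "pid": 4120, "event": "net_connect",
     "detail": "api.telegram.org:443"},
    {"ts": T0 + timedelta(seconds=6), "pid": 4120, "event": "file_delete",
     "detail": r"C:\Users\victim\AppData\Local\Temp\diag.zip"},
    {"ts": T0 + timedelta(minutes=1), "pid": 777, "event": "process_terminate", "detail": "Telegram.exe"},
]
```

Requiring several stages from the same process inside a short window is what keeps a user who just closes Telegram from generating an alert, while the v1/v2 difference in the article (broken versus working upload) does not matter to this logic because the staging and cleanup stages fire either way.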
Source: https://cybersecuritynews.com/hackers-use-pastebin-hosted-powershell-script/
Telegram TPRM report: https://www.rankiteo.com/company/telegram-messenger
"id": "tel1777040705",
"linkid": "telegram-messenger",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {"location": "Global (targets Windows users with Telegram)", "type": "Individual Users"}
  ],
  "attack_vector": "Malicious PowerShell Script",
  "data_breach": {
    "data_exfiltration": "Yes (via Telegram Bot API and WebClient UploadFile)",
    "file_types_exposed": "Telegram session files (.zip archive)",
    "personally_identifiable_information": "Potential (session data may include PII)",
    "sensitivity_of_data": "High (enables account takeover)",
    "type_of_data_compromised": "Session data, host metadata, localStorage keys"
  },
  "description": "Cybersecurity researchers at Flare have identified a malicious PowerShell script hosted on Pastebin, designed to steal Telegram session data from both desktop and web-based clients. The script, titled 'Windows Telemetry Update,' masquerades as a legitimate Windows system update to deceive users into executing it. Upon execution, the script gathers host metadata and targets Telegram’s session files, exfiltrating them via the Telegram Bot API. Two versions of the script were found, with the second version correcting a broken multipart upload implementation. The script forcibly terminates Telegram processes to bypass file locks and includes a fallback exfiltration method. A separate web-based stealer component captures Telegram Web’s localStorage session keys, allowing attackers to reconstruct authenticated sessions without passwords or SMS verification.",
  "impact": {
    "data_compromised": "Telegram session data, host metadata (username, computer name, public IP), localStorage session keys",
    "identity_theft_risk": "High (session hijacking enables account takeover)",
    "operational_impact": "Unauthorized access to Telegram accounts, potential data exfiltration",
    "systems_affected": "Windows systems with Telegram Desktop or Telegram Web clients"
  },
  "initial_access_broker": {"entry_point": "Pastebin (malicious script hosting)"},
  "investigation_status": "Ongoing (researchers identified the threat but no active deployment confirmed)",
  "lessons_learned": "The incident highlights the risks of session-stealing malware, the importance of verifying script sources, and the need for monitoring malicious infrastructure like Pastebin. The debugging process visible in the script's development also underscores the iterative nature of cyber threats.",
  "post_incident_analysis": {
    "corrective_actions": "Improved user awareness, endpoint protection, and session management practices",
    "root_causes": "Social engineering (fake Windows update), lack of script verification, insecure session storage in Telegram clients"
  },
  "recommendations": [
    "Educate users on the risks of executing unverified scripts.",
    "Monitor for suspicious PowerShell activity and unauthorized Telegram process terminations.",
    "Implement multi-factor authentication (MFA) for Telegram and other sensitive accounts.",
    "Regularly audit and clear localStorage/session data for web applications.",
    "Use endpoint detection and response (EDR) tools to detect and block malicious scripts."
  ],
  "references": [{"source": "Flare"}],
  "response": {"third_party_assistance": "Flare (cybersecurity researchers)"},
  "title": "New Telegram Session-Stealing PowerShell Script Discovered on Pastebin",
  "type": "Session Hijacking",
  "vulnerability_exploited": "Social Engineering (Fake Windows Update)"
}