Unlocking the Dark Web: How CTI Pros Are Tracking Hackers on Telegram

Listen to this Post

Featured Image

Introduction:

The cyber threat landscape is increasingly shifting to encrypted platforms like Telegram, where threat actors communicate, recruit, and leak stolen data. Cyber Threat Intelligence (CTI) professionals are now leveraging open-source resources to systematically monitor these channels, turning a hacker’s communication tool into a vital source of intelligence. This proactive approach is essential for understanding emerging threats and mitigating attacks before they occur.

Learning Objectives:

  • Understand the role of Telegram in the modern cybercriminal ecosystem.
  • Learn how to access and utilize curated lists of threat actor channels for intelligence gathering.
  • Develop a methodology for safely and effectively monitoring adversarial communications.

You Should Know:

1. Accessing the Primary Resource

The foundational step is accessing the curated intelligence. The `deepdarkCTI` GitHub repository, maintained by user fastfire, serves as a centralized, crowdsourced list of Telegram channels associated with known threat groups like Scattered Spider and Lapsus$.

Command/Resource:

https://github.com/fastfire/deepdarkCTI/blob/main/telegram_threat_actors.md

Step-by-step guide:

Navigate to the GitHub URL using a standard web browser. This page is a Markdown file (.md) that acts as a living document. You will find a structured list of threat actor names, each hyperlinked directly to their respective Telegram channel. Simply click on any hyperlinked threat actor name to be redirected to the Telegram app or web client, where you can choose to view or join the channel. This resource eliminates the need to manually search for these often-obfuscated channel names.

2. Safeguarding Your Analysis Environment

Before engaging with any adversarial content, it is paramount to isolate your activity. Direct interaction from a corporate or personal machine can expose your IP address and device fingerprints.

Verified Command (Linux):

 Launch a dedicated, isolated Virtual Machine using VirtualBox
VBoxManage createvm --name "CTI-Workstation" --ostype "Ubuntu_64" --register
VBoxManage modifyvm "CTI-Workstation" --memory 4096 --cpus 2
VBoxManage createhd --filename "CTI-Workstation.vdi" --size 30000
VBoxManage storagectl "CTI-Workstation" --name "SATA Controller" --add sata --controller IntelAhci
VBoxManage storageattach "CTI-Workstation" --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium "CTI-Workstation.vdi"

Step-by-step guide:

This series of commands creates a new, headless Ubuntu Virtual Machine (VM) from the command line. Using a VM provides a hardware-level sandbox, ensuring any accidental interaction with malware or tracking scripts is contained within the virtual environment and does not affect your host operating system. Always use a VPN or the Tor network within this VM for an additional layer of anonymity.

3. Anonymizing Your Connection with Tor

To prevent threat actors from logging and blocking your analyst IP address, route all traffic through the Tor network.

Verified Command (Linux):

 Install and start the Tor service
sudo apt update && sudo apt install tor -y
sudo systemctl start tor
sudo systemctl enable tor

Configure curl to use the Tor proxy (SOCKS5 on port 9050)
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/ | grep -i "congratulations"

Step-by-step guide:

After installing the `tor` package, the `systemctl` commands ensure the Tor service is running and will start automatically on boot. The `curl` command is then used to test the configuration. By routing the request through the Tor SOCKS5 proxy, the external website `check.torproject.org` will see the request originating from a Tor exit node. If the command output returns “Congratulations,” your connection is successfully anonymized.

4. Automating Channel Monitoring with Telegram CLI

Manually checking dozens of channels is inefficient. Using the Telegram Command-Line Interface (CLI) allows for scriptable, automated data collection.

Verified Command (Linux – Installation):

 Clone and build the Telegram CLI tool from source
git clone --recursive https://github.com/vysheng/tg.git && cd tg
./configure
make

Verified Command (Linux – Operation):

 Launch the CLI and send a command to get a channel's history
./telegram-cli -k tg-server.pub -W -e "history @channelname 100"

Step-by-step guide:

After compiling the tool from source, run the `telegram-cli` executable. The `-k` flag specifies a public key, `-W` disables creating a log file for security, and `-e` allows you to execute a command without entering the interactive shell. The `history` command followed by the channel username and a number will dump the latest 100 messages from that channel directly to your terminal for analysis.

5. Parsing and Filtering Data with grep

The raw data from Telegram channels is noisy. Use command-line tools to filter for actionable indicators like IP addresses, hashes, or specific keywords.

Verified Command (Linux):

 Extract potential IP addresses from a text file containing channel messages
grep -oE '\b([0-9]{1,3}.){3}[0-9]{1,3}\b' channel_dump.txt | sort -u > extracted_ips.txt

Search for mentions of specific malware or tools
grep -i "cobalt strike|metasploit|brute ratel" channel_dump.txt

Step-by-step guide:

The first `grep` command uses the `-oE` flags to only output (-o) the matched pattern using an Extended Regular Expression (-E). The regex pattern `\b([0-9]{1,3}\.){3}[0-9]{1,3}\b` is designed to match IPv4 addresses. The results are piped to `sort -u` to create a unique, sorted list which is then saved to extracted_ips.txt. The second command performs a case-insensitive (-i) search for common post-exploitation frameworks.

6. Validating Extracted Indicators

Before adding an indicator to a blocklist, validate it. A posted IP could be a victim’s infrastructure or a false flag.

Verified Command (Linux – Using whois):

 Perform a whois lookup on a suspicious IP
whois 192.168.90.1 | grep -i "country|netname|descr"

Verified Command (Using API with curl):

 Query the AbuseIPDB API to check an IP's reputation (replace API_KEY)
curl -G https://api.abuseipdb.com/api/v2/check \
--data-urlencode "ipAddress=192.168.90.1" \
-H "Key: YOUR_API_KEY_HERE" \
-H "Accept: application/json" | jq '.data.abuseConfidenceScore'

Step-by-step guide:

The `whois` command provides registration information, helping to identify the owning organization and country. The `curl` command queries the AbuseIPDB API, a crowdsourced reputation database. The `jq` tool is used to parse the JSON response and extract the abuseConfidenceScore; a high score (e.g., over 75) strongly suggests the IP is associated with malicious activity.

7. Implementing Defensive Measures with Windows Firewall

Once a malicious IP is confirmed, it can be proactively blocked at the network perimeter or endpoint.

Verified Command (Windows – Command Prompt as Administrator):

 Create a new firewall rule to block all outbound traffic to a specific IP
netsh advfirewall firewall add rule name="Block Malicious IP 192.168.90.1" dir=out action=block remoteip=192.168.90.1/32 protocol=any

Verify the rule was created
netsh advfirewall firewall show rule name="Block Malicious IP 192.168.90.1"

Step-by-step guide:

This `netsh` command modifies the Windows Advanced Firewall. The `add rule` directive creates a new rule named “Block Malicious IP…”. The `dir=out` parameter specifies the rule applies to outbound traffic, `action=block` denies the traffic, and `remoteip=` defines the specific IP address to block. The subsequent `show rule` command confirms the rule has been added correctly to the firewall policy.

What Undercode Say:

  • The democratization of CTI is shifting the advantage. Open-source resources like the `deepdarkCTI` list lower the barrier to entry, allowing smaller security teams to perform intelligence gathering that was once the domain of large corporations.
  • Proactive defense is no longer optional. Monitoring adversary communication channels provides a critical early-warning system, often revealing tactics, targets, and tools long before they appear in formal IOC feeds.

The analysis provided by the LinkedIn post and the associated GitHub resource highlights a fundamental shift in cybersecurity operations. Instead of waiting for indicators of compromise (IOCs) to be published after an attack, CTI teams are now going directly to the source. This proactive intelligence gathering allows organizations to understand the “why” and “how” behind attacks, not just the “what.” By tracking groups like Scattered Spider in their natural habitat, defenders can anticipate attack vectors, harden likely targets, and disrupt attack chains before they even begin. This turns a reactive security posture into an intelligence-driven, proactive one.

Prediction:

The use of Telegram and similar platforms by threat actors will only intensify, leading to the development of more sophisticated, AI-powered monitoring and analysis tools. We will see a new category of security software emerge that automatically translates chatter from these channels into actionable, automated defensive rules. Furthermore, threat actors will respond with increased use of code words, private groups, and custom encryption, sparking a new arms race between cybercriminals and CTI analysts in the overt, yet opaque, space of public messaging apps.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Eliwood If – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky