
Telegram Bot API traffic indicating possible infection

ID: telegram_bot
Data type: DNS, HTTP
Severity: High
MITRE ATT&CK: TA0010 (Exfiltration) / T1048 (Exfiltration Over Alternative Protocol)

Description

AlphaSOC has identified network traffic associated with the Telegram Bot API: DNS resolution of api.telegram.org and HTTP(S) requests to that host. The Bot API is the interface for building Telegram bots, automated programs that send and receive messages through Telegram's infrastructure; each request carries the bot's token in the URL path (https://api.telegram.org/bot<token>/<method>). Bots are widely used for legitimate purposes such as alerting and ChatOps, but threat actors also use them because the traffic is encrypted, blends in with ordinary messaging, and requires no attacker-owned infrastructure. This finding indicates potential unauthorized use of Telegram bots from within the network.
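The following is an added example, not AlphaSOC's detection code, showing how the two telemetry sources named above (DNS and HTTP) can be matched against the Bot API host and URL pattern and grouped per source host for the investigation described later on this page. The log format, the sample lines and the bot token are all constructed for the example; the token-fingerprinting is a design choice of this example (the secret half of the token is a credential, so only a short hash of it is retained).

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical simplified log format used only for this example:
#   "<ts> <src_ip> DNS <qname> <qtype>"  or  "<ts> <src_ip> HTTP <verb> <url>"
# Real DNS resolver and proxy logs need their own parsers.
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<rest>.+)$")

# Bot API calls have the shape https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The numeric bot_id is a stable pivot; the secret is the credential.
_BOT_URL_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

TELEGRAM_API_HOST = "api.telegram.org"

# Constructed sample telemetry (not real traffic). One host resolves the API host,
# polls for commands (getUpdates) and uploads a file (sendDocument); another host
# only talks to an unrelated site.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.1.2.3 DNS api.telegram.org A",
    "2024-05-01T10:00:02Z 10.1.2.3 HTTP POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0/getUpdates",
    "2024-05-01T10:00:05Z 10.1.2.3 HTTP POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TMAKdiHm9T0/sendDocument",
    "2024-05-01T10:01:00Z 10.1.2.9 DNS www.example.com A",
    "2024-05-01T10:01:30Z 10.1.2.9 HTTP GET https://www.example.com/",
]


@dataclass
class Finding:
    ts: str
    src: str
    kind: str                       # "DNS" or "HTTP"
    detail: str                     # queried name, or the Bot API method called
    bot_id: Optional[str] = None    # numeric prefix of the token, if an HTTP bot call
    token_fp: Optional[str] = None  # short SHA-256 prefix of the secret, never the secret


def _fingerprint(secret: str) -> str:
    """Keep a correlatable fingerprint of the token secret without storing the credential."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is Telegram Bot API related, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, rest = m.group("ts", "src", "kind", "rest")
    if kind == "DNS":
        qname = rest.split()[0].rstrip(".").lower()
        return Finding(ts, src, "DNS", qname) if qname == TELEGRAM_API_HOST else None
    parts = rest.split(maxsplit=1)      # "<verb> <url>"
    if len(parts) != 2:
        return None
    url = parts[1]
    bm = _BOT_URL_RE.match(url)
    if bm:
        return Finding(ts, src, "HTTP", bm.group("method"),
                       bm.group("bot_id"), _fingerprint(bm.group("secret")))
    # Request to the API host that is not a recognisable bot call: still record it.
    host = re.match(r"^https?://([^/]+)", url)
    if host and host.group(1).lower() == TELEGRAM_API_HOST:
        return Finding(ts, src, "HTTP", "non-bot-path")
    return None


def detect(lines):
    """Run the matcher over an iterable of log lines."""
    return [f for f in (analyse_line(line) for line in lines) if f]


def summarise(findings):
    """Group findings by source host: DNS hit count, bot IDs and API methods seen."""
    by_src = defaultdict(lambda: {"dns": 0, "methods": set(), "bot_ids": set()})
    for f in findings:
        entry = by_src[f.src]
        if f.kind == "DNS":
            entry["dns"] += 1
        else:
            entry["methods"].add(f.detail)
            if f.bot_id:
                entry["bot_ids"].add(f.bot_id)
    return dict(by_src)


if __name__ == "__main__":
    for src, info in summarise(detect(SAMPLE_LOGS)).items():
        print(src, info)
```

The per-host summary is what the analyst needs first: which internal hosts touched the API, which bot IDs they used (a single bot ID seen from several hosts suggests one operator), and which methods were called. A host that only calls sendMessage from a known monitoring box reads very differently from one that polls getUpdates and uploads files with sendDocument.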

Impact

Adversaries may leverage Telegram bots to establish covert command-and-control channels (for example, by polling for operator messages), exfiltrate sensitive data (for example, by uploading files to a chat the attacker controls), or remotely control compromised systems. Because the traffic is HTTPS to Telegram's own infrastructure, it is easily mistaken for ordinary messaging activity and is unlikely to be blocked by controls that only flag unknown or newly registered domains.

Severity

Severity | Condition
High     | Telegram Bot API traffic detected

Investigation and Remediation

Investigate the source and destination of the Telegram Bot API traffic. Identify the host, user, and, where endpoint telemetry is available, the process that generated the requests, and determine whether Telegram bot use is sanctioned on that system (alerting, chatops, or monitoring integrations are common legitimate sources). Review DNS, proxy, and endpoint logs around the first occurrence for related suspicious activity, and pivot on the bot identifier (the numeric prefix of the token in the request path) to find other hosts using the same bot. Treat any observed bot token as a credential: do not copy it into tickets or chat. If unauthorized use is confirmed, isolate the affected systems, terminate the bot connections (for example, by blocking api.telegram.org for the affected hosts), and conduct a thorough security assessment of the involved systems to establish how the bot was introduced and what data may have been sent.