By Lyrie Threat Intelligence·5/2/2026

Telegram Session Stealer: A Pastebin-Hosted PowerShell That Skips Passwords Entirely

TL;DR

Flare's research team analyzed an in-development Telegram session-stealer disguised as a "Windows Telemetry Update" PowerShell script, hosted openly on Pastebin. The script doesn't bother with passwords, cookies, or SMS interception — it goes straight for Telegram Desktop's tdata session keys, archives them, and exfils via Telegram's own Bot API. If a victim's tdata directory is copied successfully, the operator can resume an authenticated Telegram session on their own machine without ever crossing a 2FA prompt.

This is not novel tradecraft; tdata theft has existed for years. But the artifact reveals an operator caught mid-development, with v1 broken, v2 working, and a hardcoded bot token that exposed their entire collection history. It's a textbook case of why session-token theft is the future of identity attacks, and why password-centric defenses are obsolete.

What Happened

A Pastebin user uploaded two versions of a PowerShell script titled "Windows Telemetry Update" — naming designed to dodge casual inspection. Flare's threat-detection pipeline flagged it as high-severity malicious tooling.

The script:

1. Harvests host metadata — Windows username, computer name, public IP (via api.ipify.org)

2. Probes for Telegram Desktop and Telegram Desktop Beta tdata/ directories under %APPDATA%

3. Force-kills Telegram.exe to release file locks

4. Archives the entire tdata folder into %TEMP%\diag.zip

5. Uploads the ZIP to the operator's Telegram bot via the official Bot API sendDocument endpoint

6. Includes victim metadata (username@hostname + IP) as the message caption

7. Deletes diag.zip afterward to limit forensic footprint

8. (v2 only) Sends a "no Telegram installed" beacon even when nothing is found, turning the script into a host-reachability probe

The author's mistakes were the gift to researchers:

  • Hardcoded bot token and chat ID readable in plaintext on lines 1–3
  • v1 used the wrong content-type (application/x-www-form-urlencoded instead of multipart/form-data), so uploads silently failed — visible from the bot's empty message history
  • v2 fixed the multipart encoding and added a WebClient.UploadFile fallback
  • The same bot channel (afhbhfsdvfh_bot) was used for a separate web-based Telegram session capture tool — confirming the same operator runs two stealer variants against desktop and browser sessions

By extracting the bot token from the script and running Matkap (a Telegram bot history extractor), Flare reconstructed the operator's full collection log without ever sandboxing the malware.

Technical Details

Why `tdata` is the prize

Telegram Desktop's tdata directory contains the authorization keys that Telegram's MTProto protocol uses to authenticate the client with Telegram's servers. Three properties make these keys the perfect theft target:

  • Long-lived. Generated at initial login. Persist indefinitely until the user manually revokes the session under "Active Sessions" or Telegram's security backend invalidates them.
  • Device-bound but portable. Tied to a specific Desktop install — but if you copy the entire tdata/ folder onto your own machine, the Telegram client treats you as the original device.
  • Credential-independent. No password, no 2FA code, no SMS prompt is ever requested when resuming via copied tdata. The session resumes silently.

Copy the victim's tdata folder into another Telegram Desktop install, and that install is logged in as the victim.

The execution gate

The entire script's behavior depends on a single condition: $paths.Count -gt 0. If at least one tdata path exists, exfiltration runs. Otherwise it sends the no-Telegram beacon (v2) and exits. This makes the script extremely cheap to detect if you're watching for the right behaviors — it has zero obfuscation, zero persistence, and zero anti-analysis.

The fingerprint

Behaviors that matter for detection:

  • PowerShell process spawning a child that terminates Telegram.exe
  • Followed by archive creation in %TEMP%\diag.zip
  • Followed by an outbound HTTPS POST to api.telegram.org/bot<TOKEN>/sendDocument
  • Or fallback HTTPS PUT/POST via System.Net.WebClient.UploadFile

Any one of these in isolation is benign. The chain is the signature.

Lyrie Assessment

This is exactly the threat class autonomous defense was built for — and the threat class signature antivirus will never reliably catch.

Why traditional EDR struggles here:

  • The script is unobfuscated PowerShell. No payload to decrypt, no shellcode, no DLL injection. Nothing to fingerprint.
  • The C2 channel is api.telegram.org, a high-reputation domain that sits on allow-lists everywhere. No DNS reputation tool will block it.
  • The exfil method is multipart/form-data HTTPS POST, indistinguishable from a user manually sharing a file in Telegram.
  • No persistence, no privilege escalation, no lateral movement. The script runs once, finishes in seconds, deletes its own archive.

The kill chain that matters here is behavioral, not signature-based:

1. PowerShell process started by an unusual parent (Pastebin downloader, RMM agent, browser, suspicious shortcut)

2. taskkill against Telegram.exe by a non-user-initiated process

3. Bulk read of %APPDATA%\Telegram Desktop\tdata\*

4. Archive creation in %TEMP%

5. Outbound HTTPS to api.telegram.org with non-zero file payload from a non-Telegram-client process

An autonomous defender needs to correlate steps 2–5 within a 30-second window and kill the PowerShell process before step 5 completes. By the time signatures get written for this specific script, the operator has already shipped v3 with different filenames.

This is why Lyrie's threat model treats session tokens as the new password. The industry spent 15 years training users to use stronger passwords and enable 2FA. Attackers responded by skipping that whole layer and stealing the post-authentication artifact instead. Cookies, JWTs, OAuth refresh tokens, MTProto keys — they all share the same fundamental property: whoever holds them is the user.

The defensive stack of 2026 needs to monitor:

  • Process access to known session-token paths (tdata/, browser cookie stores, ~/.aws/credentials, ~/.kube/config, IDE refresh-token caches)
  • Bulk archival of those directories by non-owning processes
  • Outbound transmission of those archives, regardless of destination reputation

Static AV, signature EDR, and DNS reputation — all blind to this attack class by design.

Recommended Actions

For defenders:

1. Hunt the chain, not the script. Build detections around the behavior sequence: PowerShell → kill Telegram.exe → read tdata → archive → outbound HTTPS. Sigma rules beat IOC hunts here.

2. Treat api.telegram.org outbound from non-Telegram processes as suspicious. Especially when accompanied by file uploads >1MB.

3. Audit Telegram Desktop "Active Sessions" regularly. Train users (and yourself) to revoke unfamiliar sessions monthly. This is the only mitigation that invalidates stolen tdata after the fact.

4. For sensitive accounts, set Telegram Desktop's local passcode. It encrypts tdata at rest with a user-supplied key — making stolen archives useless without the passcode.

5. Monitor Pastebin, GitHub Gist, and similar paste sites for newly published PowerShell with hardcoded bot tokens. Flare's pipeline is one approach; OSINT collectors and tools like gitleaks against public corpora work too. Operators who hardcode tokens hand investigators their entire C2 history.

6. Enable Windows Defender Application Control (WDAC) or AppLocker to restrict PowerShell execution to signed scripts only on workstations where users don't legitimately script.
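For item 5, here is an added example of the paste-feed check a defender would run; it is not Flare's pipeline, not Lyrie's, and not the script from the post. It finds hardcoded Telegram bot tokens in pasted text (the usual shape is a numeric bot id, a colon, and a 35-character secret), redacts them for the finding, and raises severity when the same paste also calls a file-sending Bot API method such as sendDocument. The sample paste and token are constructed.

```python
"""Scan paste-site text for hardcoded Telegram bot tokens.

Added example; not Flare's pipeline, not Lyrie's, and not the script from the
post. The token shape (numeric bot id, colon, 35-character secret) is the
common Bot API format. The sample paste below is constructed.
"""
import re

# A bot token: 8-10 digit bot id, colon, 35 chars of [A-Za-z0-9_-].
# No digit may precede (avoids splitting longer numbers); the secret must end cleanly.
BOT_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API call in URL form, capturing the method name after the token segment.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/(\w+)", re.I)
# Methods that move a file or media out of the host: their presence marks exfil intent.
EXFIL_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}


def redact(token):
    """Keep the bot id (useful for pivoting) and the first 4 secret chars only."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_paste(text, source="constructed-paste"):
    """Return one finding per hardcoded bot token found in `text`."""
    methods = {m.lower() for m in BOT_API_RE.findall(text)}
    severity = "high" if methods & EXFIL_METHODS else "medium"
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in BOT_TOKEN_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "bot_id": m.group(1),
                "token_redacted": redact(m.group(0)),
                "api_methods": sorted(methods),
                "severity": severity,
            })
    return findings


# Constructed token: bot id 123456789, secret padded to exactly 35 characters.
SECRET = "AAExampleConstructedToken" + "X" * 10

SAMPLE_PASTE = f'''# Windows Telemetry Update
$Token  = "123456789:{SECRET}"
$ChatId = "-1001234567890"
$uri = "https://api.telegram.org/bot$Token/sendDocument"
# unrelated decoy: build 20240102:nightly-1 tag
'''

if __name__ == "__main__":
    for finding in scan_paste(SAMPLE_PASTE):
        print(finding)
```

The finding keeps the bot id in clear, since that is what an analyst pivots on, and never stores the full secret. The decoy line shows why the secret length is enforced: a build tag of the form digits:word does not match.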

For Lyrie users:

Our autonomous-defense models train on this exact threat class. Behavioral detections for tdata theft are part of the baseline LyrieEndpoint ruleset shipping in 2026 Q3. If you're a customer running the agent on Windows endpoints, the chain described above triggers a SessionTokenExfilAttempt incident with auto-quarantine of the parent PowerShell process before step 5 fires.

Sources

1. Sukant Kumar, Flare. "Inside a Telegram Session Stealer: How a Pastebin-Hosted PowerShell Script Targets Desktop and Web Sessions." https://flare.io/learn/resources/blog/telegram-session-stealerpastebin-hosted-powershell-script-targets-desktop-web-sessions

2. Lefaroll Telegram channel coverage (Hebrew). https://t.me/Lefaroll

3. Telegram MTProto authorization key documentation. https://core.telegram.org/mtproto/auth_key

4. Matkap — Telegram bot history extractor. (Open-source DFIR tooling)


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.