How a PowerShell Pastebin Steganography Trojan Hijacks Telegram Sessions

The article dissects a recent attack where a PowerShell script hidden in a Pastebin post uses character‑level steganography to retrieve a C2 address, extracts Telegram Desktop's tdata files, compresses them, and exfiltrates the data via a hard‑coded Telegram Bot API, while employing hidden execution, fileless memory loading, environment detection, and self‑destruct on virtual machines.

Black & White Path

Overview – In late April 2026 the security community examined a highly stealthy “session cloning” attack that steals Telegram Desktop sessions using only legitimate‑looking infrastructure.

Delivery – Attackers employ social‑engineering, masquerading the payload as a “Windows Telemetry Update” or a “network acceleration script”, prompting the victim to run a short PowerShell command.

Hosting and steganography – The malicious script is hosted on Pastebin, appearing as an ordinary computer‑science article or log. It reads characters at fixed intervals (e.g., every 16th character) to reconstruct the real C2 address and second‑stage download URL, thereby evading keyword‑based firewalls.
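A defender-side check for the fixed-interval trick described above, added here as an example (it is not code from the article or from the analysed script): it brute-forces every stride and offset rather than only the 16 mentioned in the text, and reports URL-like strings that exist only in the subsampled text, never contiguously in the cover. The cover text and hidden URL are constructed placeholders.

```python
import re

# Regex for the kind of value the Trojan hides: a C2 / second-stage URL.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/\S*)?")

def extract_stride(text: str, stride: int, offset: int) -> str:
    """Return every `stride`-th character of `text`, starting at `offset`."""
    return text[offset::stride]

def find_hidden_urls(text: str, max_stride: int = 64) -> list[tuple[int, int, str]]:
    """Try every (stride, offset) pair up to `max_stride` and report URL-looking
    strings that appear in the subsampled text but not in the cover text itself
    (the article's example is stride 16; all strides are tried here)."""
    hits = []
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            sub = extract_stride(text, stride, offset)
            for m in URL_RE.finditer(sub):
                url = m.group(0)
                if len(url) >= 12 and url not in text:
                    hits.append((stride, offset, url))
    return hits

# --- constructed test fixture (not a real paste or indicator) ---------------
def embed_stride(cover: str, secret: str, stride: int) -> str:
    """Build a fixture by overwriting every `stride`-th character of `cover`
    with the next character of `secret`, mirroring the described paste layout."""
    if len(cover) < len(secret) * stride:
        raise ValueError("cover text too short for this stride")
    chars = list(cover)
    for i, ch in enumerate(secret):
        chars[i * stride] = ch
    return "".join(chars)

COVER = ("Sorting networks compare pairs of elements in a fixed sequence "
         "independent of the input. ") * 12
HIDDEN_URL = "http://c2.example.invalid/stage2.ps1"   # placeholder value
# A trailing space terminates the hidden string when it is read back.
SAMPLE_PASTE = embed_stride(COVER, HIDDEN_URL + " ", 16)

if __name__ == "__main__":
    for stride, offset, url in find_hidden_urls(SAMPLE_PASTE):
        print(f"stride={stride} offset={offset} hidden={url}")
    # prints: stride=16 offset=0 hidden=http://c2.example.invalid/stage2.ps1
```

Running the scan over a suspicious paste body returned by a network proxy or sandbox is enough to surface the hidden address; the cover text alone produces no hits.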

Target selection – The Trojan focuses on Telegram Desktop’s session folder (%AppData%\Telegram Desktop\tdata). It searches for encrypted files such as map0, map1, and files named like D877F783D5D3EF8C, then packs them.

Authentication bypass – Telegram Desktop authenticates locally via these tdata files. By copying them to another machine, an attacker can log in without needing the account password or two‑factor authentication.

Anti‑analysis techniques – The script runs with -W Hidden -E (the abbreviated -WindowStyle Hidden and -EncodedCommand switches) to hide any window, uses Invoke‑Expression (IEX) for fileless in‑memory execution, and first queries api.ipify.org to obtain the public IP and host details. If a virtual‑machine environment is detected, the script self‑destructs.

Data exfiltration – Collected tdata files are compressed into an encrypted ZIP. A hard‑coded Telegram Bot Token is used with the sendDocument API to upload the archive to the attacker’s private Telegram group. Because the traffic is directed to api.telegram.org, standard firewalls treat it as normal Telegram communication.

Conclusion – The case exemplifies a “triple‑layer” attack that leverages a legitimate platform (Pastebin), a legitimate tool (PowerShell), and a legitimate channel (Telegram API) to achieve stealthy credential theft.

Tags: Information Security, Malware, Steganography, PowerShell, Telegram, Fileless, Pastebin
Written by Black & White Path