Netskope Threat Labs has discovered a new Golang-based backdoor that uses Telegram as its command-and-control (C2) channel. Believed to be of Russian origin, the malware, once executed, supports PowerShell command execution, persistence, and self-destruction, along with a partially implemented screenshot feature. It uses an open-source Golang library for the Telegram Bot API, so the attacker can send commands and receive their output through a Telegram chat. For persistence it copies itself to "C:\Windows\Temp\svchost.exe", borrowing the name of a legitimate Windows service host binary. Its Russian roots are evident from the language used in its commands. Attackers favor cloud apps such as Telegram for C2 because they are trivial to set up and their traffic blends in with legitimate use, helping the operation evade detection.
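The behaviors above translate directly into host telemetry a defender can check: a file named svchost.exe appearing outside the system directories, that file being executed, it spawning PowerShell, and it contacting the Telegram Bot API. The following detection sketch is an added example, not code from Netskope or from the malware; it runs over constructed Sysmon-style events (field names EventType, Image, TargetFilename, ParentImage, DestinationHostname are assumptions modelled on Sysmon), and the Bot API host api.telegram.org is the public endpoint of the Bot API the report names, not a value from the report itself.

```python
"""Detection sketch for the Telegram-C2 backdoor behaviors described above.

The sample events at the bottom are constructed to mimic Sysmon-style fields;
they are not telemetry from the Netskope report.
"""
import ntpath

# Persistence path stated in the report.
REPORTED_DROP_PATH = r"c:\windows\temp\svchost.exe"
# Directories where a genuine svchost.exe lives on Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Public Telegram Bot API host (assumption: the report names the Bot API, not this host).
TELEGRAM_BOT_API_HOST = "api.telegram.org"


def _norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons ignore case and slash style."""
    return path.strip().lower().replace("/", "\\")


def is_masquerading_svchost(path: str) -> bool:
    """True when a file is named svchost.exe but sits outside the system directories."""
    p = _norm(path)
    if ntpath.basename(p) != "svchost.exe":
        return False
    return ntpath.dirname(p) not in LEGIT_SVCHOST_DIRS


def classify_event(ev: dict, bot_api_allowlist: frozenset = frozenset()) -> list:
    """Return the detection reasons that apply to one event (empty list if benign).

    bot_api_allowlist: image basenames permitted to talk to the Bot API host,
    a tuning knob for environments that run legitimate Telegram bots.
    """
    reasons = []
    kind = ev.get("EventType")
    image = ev.get("Image", "")
    if kind == "FileCreate" and is_masquerading_svchost(ev.get("TargetFilename", "")):
        reasons.append("svchost.exe written outside System32/SysWOW64")
    if kind == "ProcessCreate":
        if is_masquerading_svchost(image):
            reasons.append("svchost.exe executed from a non-system directory")
        parent = ev.get("ParentImage", "")
        if ntpath.basename(_norm(image)) == "powershell.exe" and is_masquerading_svchost(parent):
            reasons.append("PowerShell spawned by a masquerading svchost.exe")
    if kind == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower()
        if host == TELEGRAM_BOT_API_HOST and ntpath.basename(_norm(image)) not in bot_api_allowlist:
            reasons.append("Telegram Bot API contacted by a non-allowlisted process")
    return reasons


def detect(events, bot_api_allowlist: frozenset = frozenset()) -> list:
    """Run classify_event over an event stream; return [(index, reasons), ...] for hits."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev, bot_api_allowlist)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: one benign svchost start, then the drop, execution,
# Bot API beacon and PowerShell child matching the behaviors described above, and
# one unrelated browser connection.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\Downloads\update.exe",
     "TargetFilename": r"C:\Windows\Temp\svchost.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\Temp\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\update.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Temp\svchost.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The path check keys on the directory rather than on the exact reported drop location, so a variant that chooses another non-system folder still fires; the Bot API rule is the noisiest of the four and is the one to tune with the allowlist where legitimate bots run.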