Check Point malware analyst Omer Hofman recently revealed in a blog post that cybercriminals are increasingly using Telegram to spread ToxicEye malware.

Telegram is a freeware, cross-platform, cloud-based instant messaging software and application service. According to a Backlinko report, the app currently has 500 million monthly active users, making it the most downloaded app worldwide in January 2021.

Unfortunately, Telegram’s popularity also extends to the cyber-criminal community. Hofman observed that threat actors are increasingly using the app as a ready-made command and control (C&C) system to administer their malicious products, as it offers several advantages compared to the classic web-based malware delivery.

Telegram was first used as a C&C infrastructure for malware back in 2017 by malware strain Masad Stealer. But more recently, a new malware variant dubbed ToxicEye was observed in the wild. The threat actors behind Masad and ToxicEye realized that using a popular IM service as an integral part of their attacks can be very beneficial for them.

According to Hofman, there are several reasons behind their choice:

Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools.

Attackers can remain anonymous as the registration process requires only a mobile number.

The unique communications features of Telegram mean attackers can easily exfiltrate data from victims’ PCs, or transfer new malicious files to infected machines.

Telegram also enables attackers to use their mobile devices to access infected computers from almost any location globally.


Over 130 ToxicEye attacks have been observed by Check Point Research (CPR) in the last three months. The RAT is spread via phishing emails containing a malicious .exe file. If the victim downloads the attachment, ToxicEye installs itself and performs a range of exploits without the victim’s knowledge, including stealing, deleting, or transferring files, killing PC processes, compromising the microphone and camera to record audio, and video, encrypting files for ransom purposes.

ToxicEye telegram image heimdal security

ToxicEye Infection Chain
Image Source: Check Point

Given that Telegram can be used to distribute malicious files, or as a C&C channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.


To spot if you’ve been infected with ToxicEye, make sure you search for a file called C:\Users\ToxicEye\rat.exe. If you find this file on your PC, it means you have been infected and you’re advised to contact your helpdesk and erase this file from your system as soon as possible.

Phishing Emails Are Now Spreading Trickbot Malware, FBI and CISA Warn

What is a Remote Access Trojan (RAT)?

Leave a Reply

Your email address will not be published. Required fields are marked *