Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials
ID: 9335a4db-f327-5f3e-9eff-abdd5acbda4e
STIX ID: report--9335a4db-f327-5f3e-9eff-abdd5acbda4e
Feed Name: Cofense Blog
This Cofense intelligence brief explains how threat actors weaponize Telegram bot accounts and the Telegram Bot API as lightweight C2 and exfiltration channels, showing concrete examples from credential-phishing pages and malware families (Agent Tesla, WSH RAT, Pure Logs Stealer). The report includes POST request/response examples, prevalence statistics, and investigative/mitigation guidance (blocking api.telegram.org/bot endpoints, user training), and highlights how exposed bot tokens and chat IDs enable analysts to retrieve historical bot messages.
