A sophisticated malware campaign is actively targeting users through fake Telegram download websites, using advanced evasion techniques to bypass security controls and establish persistent access on infected systems.
According to a detailed analysis published by K7 Computing – available in the original research here – attackers are leveraging typosquatted domains to trick users into downloading a malicious installer disguised as the popular messaging app Telegram.
A Deceptive Entry Point: Fake Telegram Downloads
At the heart of this campaign is a classic yet highly effective tactic: typosquatting.
Threat actors created domains such as:
- telegrgam[.]com
- telefgram[.]com
- tejlegram[.]com
These sites closely mimic the legitimate Telegram download page, making it easy for unsuspecting users to download what appears to be a standard installer — tsetup-x64.6.exe.
But behind the familiar filename lies a multi-stage malware loader.
Inside the Infection Chain
Once executed, the fake installer initiates a complex attack sequence designed to evade detection and maintain persistence.
Stage 1: System Reconnaissance & Defense Evasion
The malware begins by scanning running processes, likely to detect security tools or prior infections. It then executes a critical step:
- Disables antivirus visibility by adding all system drives (C:, D:, etc.) to Microsoft Defender exclusion lists via PowerShell.
This effectively blinds native security defenses.
Stage 2: Payload Staging & Persistence
The malware drops multiple files into:
C:\Users\<User>\AppData\Roaming\Embarcadero\
To avoid suspicion, it uses legitimate-looking file names and even deploys a real Telegram installer, ensuring the victim sees a normal installation process.
It also creates registry entries to:
- Mark the system as infected
- Avoid reinfection
- Maintain persistence
Stage 3: Fileless Execution via DLL Loader
The attack escalates with the execution of a malicious DLL using rundll32.exe, a legitimate Windows utility.
However, instead of storing the payload directly, the malware:
- Reads encoded data from XML files (e.g., GPUCache.xml)
- Reconstructs a hidden executable payload
- Loads it directly into memory
This technique – known as reflective loading – allows attackers to bypass traditional file-based detection.
Stage 4: Command-and-Control (C2) Communication
Once active, the malware establishes a persistent connection to attacker-controlled infrastructure, including:
- IP: 27.50.59.77:18852
- Domain: jiijua[.]com
Through this channel, attackers can:
- Execute remote commands
- Exfiltrate data
- Push updated payloads dynamically
This transforms the infection into a fully controllable remote access foothold.
Why This Matters Globally
This campaign highlights a dangerous convergence of social engineering + fileless malware + SaaS impersonation.
Applications like Telegram are widely used across:
- Enterprises
- Governments
- Financial institutions
- Remote work environments
In regions such as the Middle East and Africa — where mobile-first communication and app-based ecosystems are rapidly growing — such campaigns can have amplified impact.
The use of:
- Trusted brand impersonation
- Legitimate installers
- Memory-based execution
…makes this attack particularly difficult to detect with traditional security tools.
10 Recommended Security Actions
To mitigate risks from similar campaigns, organizations should:
- Enforce software download policies: only allow installations from verified official sources.
- Implement DNS and web filtering to block typosquatted domains.
- Monitor PowerShell activity for suspicious commands, especially Defender exclusions.
- Enable endpoint detection and response (EDR) for behavioral analysis.
- Restrict use of rundll32.exe and monitor abnormal DLL execution.
- Audit Windows Defender configurations regularly for unauthorized exclusions.
- Inspect registry changes for persistence mechanisms.
- Deploy network monitoring tools to detect unusual outbound connections.
- Conduct user awareness training to recognize fake download pages via Saintynet Cybersecurity.
- Adopt advanced threat detection solutions and continuous monitoring strategies with Saintynet Cybersecurity to detect fileless and memory-based attacks.
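As an added example of the auditing and monitoring actions above (not code from the K7 Computing analysis or from CyberCory), the PowerShell below checks for the three behaviours the campaign exhibits: whole-drive Defender exclusions, script blocks that add them, and rundll32 loading a DLL from AppData\Roaming. All input is constructed; the DLL file name is a placeholder, not an indicator from the report.

```powershell
# Added example, not code from the K7 Computing or CyberCory write-up.
# Three checks for the behaviours this campaign shows: whole-drive Defender
# exclusions, PowerShell that adds them, and rundll32 loading a DLL from
# AppData\Roaming. All sample input below is constructed.

function Find-DriveRootExclusions {
    param([string[]]$ExclusionPath)
    # "C:" or "C:\" as an exclusion disables scanning of an entire drive.
    $ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' }
}

function Find-ExclusionAdditions {
    param([string[]]$ScriptBlockText)
    # Script block logging (Event ID 4104) records the command text that ran.
    $ScriptBlockText | Where-Object { $_ -match '(Add|Set)-MpPreference\b.*-ExclusionPath' }
}

function Find-Rundll32FromRoaming {
    param([string[]]$CommandLine)
    # rundll32 is a legitimate utility; a DLL under AppData\Roaming is the oddity.
    $CommandLine | Where-Object { $_ -match 'rundll32(\.exe)?\s.*\\AppData\\Roaming\\' }
}

# Constructed samples (the DLL name is a placeholder, not from the report).
$exclusions = @('C:\', 'D:\', 'C:\Program Files\Vendor\app.exe')
$scriptBlocks = @(
    'Get-Process | Select-Object Name',
    'Add-MpPreference -ExclusionPath "C:\", "D:\"'
)
$commandLines = @(
    'rundll32.exe shell32.dll,Control_RunDLL',
    'rundll32.exe C:\Users\victim\AppData\Roaming\Embarcadero\placeholder.dll,Start'
)

Find-DriveRootExclusions -ExclusionPath $exclusions
Find-ExclusionAdditions  -ScriptBlockText $scriptBlocks
Find-Rundll32FromRoaming -CommandLine $commandLines

# On a live host, feed the same functions real data, for example:
#   (Get-MpPreference).ExclusionPath
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#       ForEach-Object { $_.Message }
#   Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object { $_.CommandLine }
```

Script block logging must be enabled for Event ID 4104 to exist, and the rundll32 check is a triage filter rather than a verdict: confirm what the loaded DLL is before acting on a hit.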
For deeper insights into evolving malware techniques, explore related threat analyses on CyberCory.
Industry Insight: The Rise of Fileless & Deceptive Malware
This campaign is a textbook example of how attackers are evolving beyond traditional malware delivery.
Key trends include:
- Fileless execution to evade antivirus tools
- Living-off-the-land binaries (LOLBins) like rundll32.exe
- Dynamic payload updates via C2 servers
- Brand impersonation using typosquatting
The result: attacks that are quieter, stealthier, and significantly harder to detect.
Conclusion
The fake Telegram malware campaign uncovered by K7 Computing underscores a critical reality: attackers are combining deception with advanced technical evasion to compromise systems at scale.
By exploiting user trust and leveraging multi-stage loaders with in-memory execution, this campaign demonstrates how modern malware can bypass traditional defenses and maintain persistent control over infected systems.
Organizations must move beyond basic antivirus protections and adopt behavior-based detection, strict access controls, and continuous monitoring to stay ahead.
CyberCory will continue tracking this campaign and similar threats as the global malware landscape continues to evolve.