Monday, March 4, 2024

Telegram Zero-Day Flaw Abused by Attackers in the Wild to Install Malware and Cryptominers

Security researchers from Kaspersky revealed a zero-day vulnerability in the Telegram Windows client that was abused by attackers in the wild to install malware and cryptocurrency miners. The vulnerability was reported to Telegram and no longer occurs in Telegram's products.

What is the Vulnerability?

The vulnerability resides in how the Windows Telegram client handles the RLO Unicode character, "Right-to-Left Override" (U+202E), which is normally used for languages written from right to left.

With this vulnerability, attackers can send a JS file and make the recipient see an incoming PNG image file instead of a JS file.

According to Alexey Firsh, attackers can send the malware in a message with the JS file renamed as evil.js -> photo_high_re*U+202E*gnp.js, where *U+202E* is the RLO character.

The file's real extension remains .js, but on screen the name is rendered as photo_high_resj.png.

Telegram Zero-Day Vulnerability Exploited to Install Malware and Miners

Attackers used this vulnerability in the wild to take control of the victim's system: they pushed a downloader and used the Telegram API as the command protocol to control infected systems.

Researchers said the loader may be designed to download another piece of malware, possibly a logger that would spy on the victim.

Cryptomining attacks are now booming; attackers use them to make money from their victims, and all they need to do is run a mining client on the victim's computer.

Cryptomining attacks and cryptocurrency exchange attacks are at their peak. In a recent massive attack, attackers hijacked 4275 websites to inject the Coinhive Monero miner, including the websites of government authorities, NHS Foundation, and

Researchers concluded that it appears only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases they detected occurring in Russia.

"We don't have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017."

Figure: First stage