Sunday, May 25, 2025

Triton RAT Uses Telegram for Remote System Access and Control


Cado Security Labs has uncovered a new Python-based Remote Access Tool (RAT) named Triton RAT, which uses Telegram for remote system access and data exfiltration.

This open-source malware, available on GitHub, is built to carry out a wide range of malicious activities, including credential theft, system control, and establishing persistence.

Technical Overview

Triton RAT initiates its operation by retrieving a Telegram Bot token and chat ID encoded in Base64 from Pastebin.

Telegram token and chat ID encoded in Base64

These credentials enable the malware to communicate with a Telegram bot, which serves as the command-and-control (C2) server.
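The retrieval flow described above gives defenders two concrete things to look for: Base64 blobs that decode to a Telegram bot token, and endpoint traffic to the Bot API. The following detection helper is an added example written for this article; it is not Cado Security Labs' code nor part of Triton RAT. The token shape it matches (a numeric bot id, a colon, then a long alphanumeric secret) is an assumption about the Bot API token format, and the paste content and proxy log lines are constructed samples with a deliberately fake token. Note that without TLS inspection a proxy only sees the host, so the function reports a plain `api.telegram.org` connection as a hit and extracts the bot id and method only when the URL path is visible.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumed shape of a Telegram Bot API token: "<numeric bot id>:<alphanumeric secret>".
BOT_TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{30,})\b")
# Bot API requests embed the token in the URL path: /bot<token>/<method>
BOT_API_URL_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{30,})/(\w+)")
# Anything that looks like a Base64 run long enough to hold a token
B64_CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample: a paste-site body holding a fake token in Base64, as the RAT expects.
CONSTRUCTED_PASTE = base64.b64encode(
    b"1234567890:AAFakeTokenForDemoOnly_0123456789abc"
).decode()

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url> <status>"
CONSTRUCTED_PROXY_LOG = [
    "2025-05-25T10:14:02Z 10.0.0.12 CONNECT api.telegram.org:443 200",
    "2025-05-25T10:14:05Z 10.0.0.12 GET https://api.telegram.org/bot1234567890:AAFakeTokenForDemoOnly_0123456789abc/getUpdates 200",
    "2025-05-25T10:14:07Z 10.0.0.13 GET https://www.example.com/index.html 200",
]


def decode_base64_blob(blob: str) -> Optional[str]:
    """Decode a Base64 blob to UTF-8 text, or return None if it is not valid Base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_bot_credentials(text: str) -> List[Dict[str, str]]:
    """Return every Telegram-bot-token-like string in text, plain or Base64-wrapped."""
    hits = []
    for m in BOT_TOKEN_RE.finditer(text):
        hits.append({"bot_id": m.group(1), "source": "plain"})
    for candidate in B64_CANDIDATE_RE.findall(text):
        decoded = decode_base64_blob(candidate)
        if decoded is None:
            continue
        for m in BOT_TOKEN_RE.finditer(decoded):
            hits.append({"bot_id": m.group(1), "source": "base64"})
    return hits


def flag_bot_api_requests(log_lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag proxy lines touching the Telegram Bot API; add bot id and method when the path is visible."""
    alerts = []
    for line in log_lines:
        if "api.telegram.org" not in line:
            continue
        fields = line.split()
        alert: Dict[str, Optional[str]] = {
            "client": fields[1] if len(fields) > 1 else None,
            "bot_id": None,
            "method": None,
            "line": line,
        }
        m = BOT_API_URL_RE.search(line)
        if m:
            alert["bot_id"] = m.group(1).split(":")[0]
            alert["method"] = m.group(2)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for hit in find_bot_credentials(CONSTRUCTED_PASTE):
        print("token-like credential found:", hit)
    for alert in flag_bot_api_requests(CONSTRUCTED_PROXY_LOG):
        print("Bot API traffic:", alert["client"], alert["bot_id"], alert["method"])
```

In an environment where no legitimate software is expected to use Telegram bots, any `api.telegram.org` hit from an endpoint is worth a ticket; where the path is visible, the bot id is a stable pivot for correlating infected hosts that share one C2 bot.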

The RAT is equipped with an extensive feature set, including keylogging, webcam access, clipboard data theft, and the ability to steal saved passwords and Roblox security cookies.

Notably, Roblox cookies (.ROBLOSECURITY) are targeted across multiple browsers like Chrome, Edge, Firefox, and Brave.

Because such a cookie represents an already-authenticated session, presenting it lets an attacker reach the account without completing two-factor authentication (2FA).

Function used to search for and exfiltrate Roblox security cookies

The malware also gathers system information such as Wi-Fi credentials and executes shell commands remotely.

It can record screens, change wallpapers, and upload or download files.

For anti-analysis purposes, Triton RAT detects “blacklisted” processes associated with debugging tools like xdbg and ollydbg or antivirus software.

Persistence Mechanisms

To maintain persistence on infected systems, Triton RAT deploys secondary payloads through VBScript and batch scripts.

A VBScript named updateagent.vbs disables Windows Defender, creates backups, schedules tasks for persistence, and monitors specific processes.

Additionally, a batch script (check.bat) downloads an executable named ProtonDrive.exe from Dropbox and stores it in a hidden folder under the directory C:\Users\user\AppData\Local\Programs\Proton\Drive.

This executable is Triton RAT itself, packaged into a standalone binary with PyInstaller. Scheduled tasks are then created so that the malware runs at each user login.
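The persistence chain above leaves host artifacts a responder can triage quickly: a scheduled task whose action points into the named `Proton\Drive` location, and tasks that launch the `updateagent.vbs` or `check.bat` helpers. The script below is an added example for this article, not code from Cado Security Labs or from the RAT. It reads the CSV shape produced by `schtasks /query /fo CSV /v` (the sample here is a constructed subset of the real columns; `csv.DictReader` copes with the full set) and flags tasks on the article's indicators, plus a broader heuristic for logon-triggered tasks running out of a user profile's AppData. The user name in the article's path is replaced by a wildcard so the check applies to any profile.

```python
import csv
import io
import re
from typing import Dict, List

# Indicators from the article: payload location (any subfolder under Proton\Drive) and helper scripts.
PAYLOAD_PATH_RE = re.compile(
    r"AppData[\\/]Local[\\/]Programs[\\/]Proton[\\/]Drive[\\/].*ProtonDrive\.exe", re.IGNORECASE
)
HELPER_SCRIPT_RE = re.compile(r"(updateagent\.vbs|check\.bat)\b", re.IGNORECASE)
# Generic signal: a task action rooted in a user-writable profile directory.
USER_APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed sample in the shape of `schtasks /query /fo CSV /v` (subset of the real columns).
CONSTRUCTED_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"WS01","\ProtonDriveUpdate","C:\Users\alice\AppData\Local\Programs\Proton\Drive\.cache\ProtonDrive.exe","At logon time","alice"
"WS01","\UpdateAgent","wscript.exe C:\Users\alice\AppData\Roaming\updateagent.vbs","At logon time","alice"
"WS01","\OneDrive Standalone Update","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","alice"
'''


def triage_scheduled_tasks(csv_text: str) -> List[Dict[str, object]]:
    """Return the tasks that match a Triton RAT indicator or the logon-from-AppData heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        schedule = row.get("Schedule Type", "").lower()
        reasons = []
        if PAYLOAD_PATH_RE.search(action):
            reasons.append("known Triton RAT payload path")
        if HELPER_SCRIPT_RE.search(action):
            reasons.append("known Triton RAT helper script name")
        # Logon-triggered tasks launching from AppData are the RAT's persistence pattern;
        # scheduled-but-not-at-logon AppData tasks (e.g. updaters) are left alone here.
        if USER_APPDATA_RE.search(action) and schedule.startswith("at logon"):
            reasons.append("logon task running from user-writable AppData")
        if reasons:
            findings.append({"task": row.get("TaskName", ""), "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_scheduled_tasks(CONSTRUCTED_SCHTASKS_CSV):
        print(f["task"], "->", f["action"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live host, pipe the real `schtasks /query /fo CSV /v` output into `triage_scheduled_tasks`; matches on the first two reasons should be treated as confirmed indicators, while the AppData heuristic is a prompt to verify the binary's publisher and hash against the IOCs.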

All stolen data is exfiltrated to the Telegram bot in real-time. The bot also allows attackers to issue commands to compromised machines.

During analysis by Cado Security Labs, the associated Telegram channel contained over 4,500 messages, though it remains unclear whether this reflects the number of infected systems.

Triton RAT represents a significant threat due to its comprehensive capabilities and reliance on widely used platforms like Telegram for C2 communication.

Its use of anti-analysis techniques further complicates detection by security tools.

Indicators of compromise (IOCs), such as the ProtonDrive executable and associated hashes, have been identified to aid in mitigation efforts.

Organizations are advised to monitor for unusual activity involving Telegram bots and implement robust endpoint protection measures to guard against this evolving threat.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
