{"id":8906,"date":"2024-09-25T12:22:02","date_gmt":"2024-09-25T12:22:02","guid":{"rendered":"\/cybersecurity-blog\/?p=8906"},"modified":"2025-07-17T08:26:01","modified_gmt":"2025-07-17T08:26:01","slug":"intercept-stolen-data-in-telegram","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/","title":{"rendered":"How to Intercept Data Exfiltrated by Malware via Telegram and Discord"},"content":{"rendered":"\n<p>Malware often uses platforms like Telegram and Discord for data exfiltration. Because this method is simple and requires no server infrastructure of the attacker\u2019s own, it has gained significant popularity. However, this very simplicity is also its weakness.&nbsp;<\/p>\n\n\n\n<p>In this article we\u2019ll show you how to obtain information about threat actors&#8217; activities using the Telegram API, which can help reveal their identity, attribute malware samples to known families, or discover new ones.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Parsing a Telegram Chat&nbsp;<\/strong>&nbsp;<\/h2>\n\n\n\n<p>First, we need to find a relevant malware sample using <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> with the following query:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-170\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"170\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522api.telegram.org%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522api.telegram.org%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"\u200b\u200bdomainName:\u201dapi.telegram.org\u201d\u200b \" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">\u200b\u200bdomainName:\u201dapi.telegram.org\u201d\u200b <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-170'>\ntable#wpdtSimpleTable-170{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-170 td, table.wpdtSimpleTable170 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-1024x507.png\" alt=\"\" class=\"wp-image-8907\" width=\"644\" height=\"319\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-1024x507.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-768x380.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-270x134.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a-740x366.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5a.png 1312w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup instantly provides matching sandbox sessions found across its vast database<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup reveals a hundred sandbox sessions featuring samples that match our query.<\/p>\n\n\n\n<p>We can select one of them and <a href=\"https:\/\/app.any.run\/tasks\/93e29328-a39a-4769-94d7-44256e1c9cbb\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">rerun it<\/a> with the MITM Proxy feature enabled.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b.png\" alt=\"\" class=\"wp-image-8908\" width=\"599\" height=\"494\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b.png 845w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b-300x247.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b-768x633.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b-370x305.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b-270x223.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5b-740x610.png 740w\" sizes=\"(max-width: 599px) 100vw, 599px\" \/><figcaption class=\"wp-element-caption\"><em>The sandbox analysis setup window in ANY.RUN lets you configure your environment&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In Telegram, to 
send a message, two main methods are typically used:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-171\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"171\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        \/sendMessage\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        \/sendDocument\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        For sending text\u00a0                    <\/td>\n                                  
              <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        For sending text and files\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Any HTTP method (GET, POST, etc.) can be used. The GET method allows parameters to be passed in the query string (url-encoded)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Only the POST method is available. 
The POST method requires parameters to be passed in the request body\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-171'>\ntable#wpdtSimpleTable-171{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-171 td, table.wpdtSimpleTable171 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>After turning on the MITM Proxy and starting the sandbox session, we navigate to the HTTP Requests tab, where we can see a request to api.telegram.org.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-1024x96.png\" alt=\"\" class=\"wp-image-8909\" width=\"624\" height=\"59\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-1024x96.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-300x28.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-768x72.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-370x35.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-270x25.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c-740x69.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5c.png 1308w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>The HTTP Requests tab displays all requests recorded during the session<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Looking at the POST request to \/sendDocument, we see that it uses the form-data method for transmission.&nbsp;<\/p>\n\n\n\n<p>In this case, the bot token can be obtained from the URL of the request, and the chat_id from the body (in the screenshot, it is the first parameter in the 
body).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-1024x630.png\" alt=\"\" class=\"wp-image-8910\" width=\"590\" height=\"363\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-1024x630.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-768x473.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-370x228.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d-740x456.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5d.png 1051w\" sizes=\"(max-width: 590px) 100vw, 590px\" \/><figcaption class=\"wp-element-caption\"><em>Data\/contents of the request to the Telegram API<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can also examine the response from the server. 
It arrives in JSON format and contains a lot of useful information: the chat_id, bot username, bot name\/title, chat name, and chat type.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-1024x626.png\" alt=\"\" class=\"wp-image-8911\" width=\"600\" height=\"367\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-1024x626.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e-740x452.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5e.png 1049w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption class=\"wp-element-caption\"><em>The server response examined in the ANY.RUN sandbox&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In <a href=\"https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this sandbox session<\/a>, we can see an example of a request to \/sendMessage using the GET method, where the data is passed in the query string (url-encoded):&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5f.png\" alt=\"\" class=\"wp-image-8912\" width=\"521\" height=\"275\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5f.png 529w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5f-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5f-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image5f-270x143.png 270w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><figcaption class=\"wp-element-caption\"><em>Encoded<\/em> <em>query string<\/em> <em>shown in the ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Using <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=URL_Decode()&amp;input=aHR0cHM6Ly9hcGkudGVsZWdyYW0ub3JnL2JvdDcwMjM4OTkzNjM6QUFGRXpnYmZXemh5RTMyTGY5NVRLU1JZRVlYTWQ0QWZNeWsvc2VuZE1lc3NhZ2U\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&amp;oenc=65001&amp;oeol=CRLF\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef<\/a>, we can decode the query string. Here is what the sent data looks like:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60.png\" alt=\"\" class=\"wp-image-8913\" width=\"596\" height=\"205\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60.png 952w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60-768x264.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60-370x127.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60-270x93.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image60-740x254.png 740w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><figcaption class=\"wp-element-caption\"><em>The system info exfiltrated to a Telegram bot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In this case, the bot token and chat_id are present in the query string.&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s use the attacker&#8217;s chat_id and bot token. 
The chat_id can refer to either a group chat or direct messages.&nbsp;First, we check whether the bot has a webhook:&nbsp;<\/p>\n\n\n\n<p>https:\/\/api.telegram.org\/bot&lt;token&gt;\/getWebhookInfo<\/p>\n\n\n\n<p>The presence of a webhook means there is a high chance that our activity will be detected early.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image61.png\" alt=\"\" class=\"wp-image-8914\" width=\"300\" height=\"120\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image61.png 284w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image61-270x108.png 270w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><figcaption class=\"wp-element-caption\"><em>The result of a request to \/getWebhookInfo when no webhook is set<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>If a webhook is present, we save its data and delete it using \/deleteWebhook.&nbsp;<\/p>\n\n\n\n<p>NOTE! The webhook may have been set with a secret token, which could reveal the substitution.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62.png\" alt=\"\" class=\"wp-image-8915\" width=\"596\" height=\"88\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62.png 795w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62-300x44.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62-768x113.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62-370x54.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62-270x40.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image62-740x109.png 740w\" sizes=\"(max-width: 596px) 100vw, 596px\" \/><figcaption class=\"wp-element-caption\"><em>Description of the secret token<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If there is no webhook, the likelihood of detection is very low.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Next, you need to:&nbsp;&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a Telegram group<\/li>\n<li>Make yourself anonymous<\/li>\n<li>Only then add the bot to the group<\/li>\n<\/ol>\n\n\n\n<p>Here is how you can create a group using different clients:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-172\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"172\"\n           
data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Telegram Desktop\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Menu (\u2630) > New Group > Next > Create \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram Web (K version)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        New (\ud83d\udd89) > New group > Next (\u2b95) > Next (\u2b95)\u00a0                    <\/td>\n   
                                     <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram App\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Menu (\u2630) > New Group > Next (\u2b95) > Create (\u2713)\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-172'>\ntable#wpdtSimpleTable-172{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-172 td, table.wpdtSimpleTable172 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The group chat should then open; if it does not, open it manually.&nbsp;<\/p>\n\n\n\n<p>Next, open the Administrators list and change your own admin settings:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-173\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"173\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td 
class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Telegram Desktop\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Settings (\u22ee) > Manage Group > Administrators > Right click on your profile > Edit admin rights\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram Web (K version)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Click on group header > Side-menu appears > Edit (\ud83d\udd89) > Administrators > Click on your user profile\u00a0                    <\/td>\n                                        <\/tr>\n              
              <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram App\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Click on group header > Edit (\ud83d\udd89) > Administrators > Click on your user profile\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-173'>\ntable#wpdtSimpleTable-173{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-173 td, table.wpdtSimpleTable173 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>In the opened window, toggle <em>Remain anonymous<\/em> and click <em>Save<\/em>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"362\" height=\"712\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image63.png\" alt=\"\" class=\"wp-image-8916\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image63.png 362w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image63-153x300.png 153w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image63-270x531.png 270w\" sizes=\"(max-width: 362px) 100vw, 362px\" \/><figcaption class=\"wp-element-caption\"><em>It\u2019s important to 
select <strong>Remain anonymous<\/strong><\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>If everything is successful, the input field will display the placeholder &#8220;Send anonymously.&#8221;&nbsp;For Telegram Web, you may need to refresh the page.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64.png\" alt=\"\" class=\"wp-image-8917\" width=\"440\" height=\"53\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64.png 440w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64-300x36.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64-370x45.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64-270x33.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image64-435x53.png 435w\" sizes=\"(max-width: 440px) 100vw, 440px\" \/><figcaption class=\"wp-element-caption\"><em>The input field contains the \u201cSend anonymously\u201d text<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Now, let&#8217;s add the bot to the group:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-174\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"174\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n            
        style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Telegram Desktop\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Click on group header > Add member (+\ud83d\udc64) > Enter bot name and click > Add\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram Web (K version)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Click on group header > Side-menu appears > Add member (\ud83d\udc64+) > Enter bot name and click > Next (\u2b95) > Pop-up appears > Add\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n   
                 data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram App\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Click on group header > Click on \u201c+\ud83d\udc64 Add members\u201d > Enter bot name and click > Submit (\u2713) > Pop-up appears > Add\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-174'>\ntable#wpdtSimpleTable-174{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-174 td, table.wpdtSimpleTable174 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The bot username can be obtained by calling \/getMe.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65.png\" alt=\"\" class=\"wp-image-8918\" width=\"640\" height=\"212\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65.png 853w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65-300x100.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65-768x255.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65-370x123.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65-270x90.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image65-740x246.png 740w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><figcaption class=\"wp-element-caption\"><em>The bot username is \u201cLABKEN_BOT\u201d<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After adding the bot, the following message will be displayed:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66.png\" alt=\"\" class=\"wp-image-8919\" width=\"579\" height=\"164\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66.png 772w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66-768x218.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66-370x105.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66-270x77.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image66-740x210.png 740w\" sizes=\"(max-width: 579px) 100vw, 579px\" \/><figcaption class=\"wp-element-caption\"><em>The bot was successfully added<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, call the \/getUpdates method with the argument offset=-1.&nbsp;<\/p>\n\n\n\n<p>A negative offset counts from the end of the update queue, so offset=-1 returns only the most recent pending update and makes the server forget every earlier one.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-1024x694.png\" alt=\"\" class=\"wp-image-8920\" width=\"618\" height=\"419\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-1024x694.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-768x520.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-370x251.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67-740x501.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image67.png 1066w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><figcaption class=\"wp-element-caption\"><em>The latest update awaiting processing by the bot, in JSON format<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>From the server&#8217;s reply (see the image above), save the update_id and the chat_id. The chat_id is the ID of the group we added the bot to; supergroup IDs are negative and start with -100.&nbsp;<\/p>\n\n\n\n<p>Next, we call \/getUpdates again with the argument offset=update_id + 1.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"171\" height=\"55\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image68.png\" alt=\"\" class=\"wp-image-8921\"\/><figcaption class=\"wp-element-caption\"><em>The server returns an empty array of updates<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This confirms the last update as well and leaves the queue empty, so an operator polling \/getUpdates will no longer see the updates generated by our join.&nbsp;After this, if a webhook existed, we restore it using \/setWebhook so that the operator&#8217;s own pipeline keeps working as before.&nbsp;<\/p>\n\n\n\n<p>Once the bot is in the group, the most useful methods are \/forwardMessage, \/copyMessage, \/deleteMessage, \/getChat, and \/getChatAdministrators.&nbsp;<\/p>\n\n\n\n<p>You can experiment with these methods in interactive mode here: <a href=\"https:\/\/telegram-bot-api.vercel.app\/\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">https:\/\/telegram-bot-api.vercel.app<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69.png\" alt=\"\" class=\"wp-image-8922\" width=\"602\" height=\"254\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69.png 996w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69-300x127.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69-768x324.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69-370x156.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69-270x114.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image69-740x312.png 740w\" sizes=\"(max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\"><em>Remove the &#8220;bot&#8221; part when entering the bot token<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We enter the bot token in the token field.&nbsp;<\/p>\n\n\n\n<p>Next, we call \/forwardMessage with the arguments:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>chat_id: the ID of the group chat&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>from_chat_id: from the malware request&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>message_id: the index of the message in the chat&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-1024x666.png\" alt=\"\" class=\"wp-image-8923\" width=\"618\" height=\"402\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-1024x666.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-300x195.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-768x499.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-370x241.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-270x176.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a-740x481.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6a.png 1413w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><figcaption class=\"wp-element-caption\"><em>Fill out the fields<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We enter the parameters in the corresponding fields (chat_id, from_chat_id, message_id) and click <em>Execute<\/em>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-1024x630.png\" alt=\"\" class=\"wp-image-8924\" width=\"614\" height=\"378\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-1024x630.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-768x473.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-370x228.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b-740x455.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6b.png 1412w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><figcaption class=\"wp-element-caption\"><em>JSON response<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>As a result, we receive a response in JSON format 
containing information about the forwarded message.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c.png\" alt=\"\" class=\"wp-image-8925\" width=\"584\" height=\"331\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c.png 778w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6c-740x419.png 740w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><figcaption class=\"wp-element-caption\"><em>As a result of the request, a message is sent to the group<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>You can also do this directly in the browser:&nbsp;<\/p>\n\n\n\n<p>https:\/\/api.telegram.org\/bot&lt;token&gt;\/forwardMessage?chat_id=&lt;<strong>your_chat_id<\/strong>&gt;&amp;from_chat_id=&lt;<strong>malware_chat_id<\/strong>&gt;&amp;message_id=&lt;<strong>message_id_from_malware<\/strong>&gt;<\/p>\n\n\n\n<p>For demonstration purposes, we will use another bot mentioned earlier. 
The actual request is: <a href=\"https:\/\/api.telegram.org\/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk\/forwardMessage?chat_id=-1002455457772&amp;from_chat_id=6354844663&amp;message_id=49817\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/api.telegram.org\/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk\/forwardMessage?chat_id=-1002455457772&amp;from_chat_id=6354844663&amp;message_id=49817<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-1024x523.png\" alt=\"\" class=\"wp-image-8926\" width=\"586\" height=\"300\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-1024x523.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d-740x378.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6d.png 1166w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><figcaption class=\"wp-element-caption\"><em>The server response<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The server returns data about the forwarded message, similar to the previous example. 
Here, we can see the message_id of the new copy in our group, the sender (from, which is our bot), the origin of the message (forward_origin, forward_from), and the date the original was sent as a UNIX timestamp (forward_date).&nbsp;<\/p>\n\n\n\n<p>The result in the chat:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6e.png\" alt=\"\" class=\"wp-image-8927\" width=\"508\" height=\"336\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6e.png 539w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6e-300x198.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6e-370x244.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6e-270x178.png 270w\" sizes=\"(max-width: 508px) 100vw, 508px\" \/><figcaption class=\"wp-element-caption\"><em>Executing the request resulted in the message being forwarded to the group<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How to Copy the Entire Chat&nbsp;<\/h2>\n\n\n\n<p>If you want to copy a chat entirely, you need to understand how message_id works.&nbsp;<\/p>\n\n\n\n<p>This id is a sequential index, not a random identifier.&nbsp;<\/p>\n\n\n\n<p>Each group or supergroup has its own sequence, while all of the bot&#8217;s private chats with users share a single one: every message the bot receives from or sends to any individual user increments it by one.&nbsp;<\/p>\n\n\n\n<p>Thus, the first message in a chat with a particular user might carry a message_id of 4096, even though within that chat it is the first message.&nbsp;In groups, message_id starts from 1 as expected.&nbsp;<\/p>\n\n\n\n<p>This can be visualized as follows:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row 
wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-175\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"5\"\n           data-rows=\"6\"\n           data-wpID=\"175\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"6\"                     data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Message_id\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Group 1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        Group 2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    
data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        User 1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:20%;                    padding:10px;\n                    \"\n                    >\n                                        User 2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                         
                       <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E3\"\n                    data-col-index=\"4\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n     
               \"\n                    >\n                                        2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E4\"\n                    data-col-index=\"4\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                        
    <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E5\"\n                    data-col-index=\"4\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    
\"\n                    >\n                                        5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E6\"\n                    data-col-index=\"4\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-175'>\ntable#wpdtSimpleTable-175{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-175 td, table.wpdtSimpleTable175 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>To determine the type of chat, you can use the \/getChat method.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If it is a group (group\/supergroup), there shouldn&#8217;t be any significant issues&nbsp;<\/li>\n\n\n\n<li>If it is a private chat, there is a possibility that the bot has chats with multiple users, and some messages may not be accessible without the IDs 
of those users.<\/li>\n<\/ul>\n\n\n\n<p>There is no simple way to retrieve every message from a chat: some messages may not be accessible to the bot, but it will always have access to the messages it sent itself.<\/p>\n\n\n\n<p>The intercepted exchange between the malware and the API reveals the message_id of the message the malware just sent, which gives an upper bound on how many messages the chat holds.&nbsp;<\/p>\n\n\n\n<p>Next, we iterate through all message_ids from 1 up to that number.&nbsp;Telegram allows a stable rate of 20 requests per minute, with short bursts above that.&nbsp;<\/p>\n\n\n\n<p>To copy multiple messages at once, use \/forwardMessages, which accepts up to 100 message_ids in a single request. The identifiers must be passed in strictly increasing order, and any that cannot be found or forwarded (deleted messages, messages the bot cannot access) are skipped silently, so compare the length of the returned MessageId array with the number you requested to count the gaps.&nbsp;Thus, in one minute, you can stably copy 2000 messages, or more if you utilize bursts.&nbsp;<\/p>\n\n\n\n<p>Using a Python script, we can copy the entire chat.<\/p>\n\n\n\n<p>We recommend saving the raw server responses, as they contain additional data useful for research: the date of the original message, its ID, and the ID of the original chat. Note that the batch method returns only the new message ids; if you need forward_origin and forward_date for each message, use the single \/forwardMessage call, whose response includes them.&nbsp;<\/p>\n\n\n\n<p>For more detailed information on the Telegram Bot API, refer to the <a href=\"https:\/\/core.telegram.org\/bots\/api\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">documentation<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Parsing Discord&nbsp;<\/h2>\n\n\n\n<p>Replicating the same method with Discord is harder because the exfiltration goes through webhooks.&nbsp;<\/p>\n\n\n\n<p>A Discord webhook can only post messages into the channel it was created for. 
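The Telegram chat-copy loop from the previous section, written out as an added example (this is not the article's own script): it batches message_ids into strictly increasing /forwardMessages calls, waits out a 429 using the retry_after the server returns, keeps every raw reply, counts the ids the server silently skipped, and uses a single /forwardMessage to recover the forward_origin and forward_date metadata discussed under the browser request above. The token, chat ids and the FakeBotApi replies are constructed placeholders so it runs offline; pass http_get as the transport against a real token.

```python
"""Added example (not the article's own script): copy a chat that a leaked bot
token can reach, with the /forwardMessages batch loop and a single /forwardMessage
for the origin metadata. The token, chat ids and FakeBotApi replies are
constructed placeholders; pass http_get as the transport for a real run."""
import json
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TELEGRAM_API = "https://api.telegram.org"
BATCH_SIZE = 100        # /forwardMessages takes 1-100 message_ids, strictly increasing
CALLS_PER_MINUTE = 20   # the stable rate quoted in the article; bursts are not relied on

def http_get(url, params):
    """Real transport: GET a Bot API method and decode the JSON reply."""
    with urllib.request.urlopen(url + "?" + urllib.parse.urlencode(params), timeout=30) as r:
        return json.load(r)

def call(transport, token, method, params, sleep=time.sleep):
    """Invoke one Bot API method, waiting out a 429 for the server's retry_after."""
    url = f"{TELEGRAM_API}/bot{token}/{method}"
    while True:
        reply = transport(url, params)
        if reply.get("ok"):
            return reply["result"]
        if reply.get("error_code") == 429:
            sleep(reply.get("parameters", {}).get("retry_after", 1))
            continue
        raise RuntimeError(f"{method}: {reply.get('description', 'unknown error')}")

def id_batches(first_id, last_id, size=BATCH_SIZE):
    """Yield strictly increasing id lists of at most `size` covering first_id..last_id."""
    for start in range(first_id, last_id + 1, size):
        yield list(range(start, min(start + size, last_id + 1)))

def copy_chat(transport, token, chat_id, from_chat_id, last_id, first_id=1, sleep=time.sleep):
    """Bulk-forward ids first_id..last_id into chat_id; returns [(requested_ids, MessageId list)]."""
    archive = []
    for n, ids in enumerate(id_batches(first_id, last_id), start=1):
        params = {"chat_id": chat_id, "from_chat_id": from_chat_id, "message_ids": json.dumps(ids)}
        archive.append((ids, call(transport, token, "forwardMessages", params, sleep)))
        if n % CALLS_PER_MINUTE == 0:
            sleep(60)   # stay inside the stable per-minute budget
    return archive

def count_results(archive):
    """(forwarded, skipped): the server returns one MessageId per success and drops the rest."""
    forwarded = sum(len(result) for _, result in archive)
    return forwarded, sum(len(ids) for ids, _ in archive) - forwarded

def forward_one(transport, token, chat_id, from_chat_id, message_id, sleep=time.sleep):
    """Single /forwardMessage returns the full Message, so origin metadata can be archived."""
    msg = call(transport, token, "forwardMessage",
               {"chat_id": chat_id, "from_chat_id": from_chat_id, "message_id": message_id}, sleep)
    origin = msg.get("forward_origin", {})
    when = origin.get("date", msg.get("forward_date"))
    return {
        "new_message_id": msg["message_id"],
        "origin_type": origin.get("type"),
        "origin_user_id": origin.get("sender_user", {}).get("id"),
        "forward_date": datetime.fromtimestamp(when, tz=timezone.utc).isoformat(),
    }

class FakeBotApi:
    """Constructed stand-in for api.telegram.org: the source chat holds exactly `existing` ids."""

    def __init__(self, existing, throttle_once=True):
        self.existing, self.throttle_once = set(existing), throttle_once
        self.calls, self.next_id = 0, 1

    def __call__(self, url, params):
        self.calls += 1
        if self.throttle_once and self.calls == 1:   # first call gets rate limited
            return {"ok": False, "error_code": 429, "description": "Too Many Requests: retry after 1",
                    "parameters": {"retry_after": 1}}
        method = url.rsplit("/", 1)[1]
        if method == "forwardMessages":
            found = [i for i in json.loads(params["message_ids"]) if i in self.existing]
            result = [{"message_id": self.next_id + k} for k in range(len(found))]
            self.next_id += len(found)
            return {"ok": True, "result": result}
        if method == "forwardMessage" and params["message_id"] in self.existing:
            self.next_id += 1
            return {"ok": True, "result": {"message_id": self.next_id - 1, "forward_date": 1725192000,
                    "forward_origin": {"type": "user", "date": 1725192000,
                                       "sender_user": {"id": 123456789}}}}
        return {"ok": False, "error_code": 400, "description": "Bad Request: message to forward not found"}

def demo():
    """Constructed scenario: the malware's reply showed message_id 250; ids 17 and 200 were deleted."""
    api = FakeBotApi(set(range(1, 251)) - {17, 200})
    no_sleep = lambda seconds: None
    archive = copy_chat(api, "<token>", -1001234567890, 123456789, last_id=250, sleep=no_sleep)
    first = forward_one(api, "<token>", -1001234567890, 123456789, 1, sleep=no_sleep)
    return archive, first

if __name__ == "__main__":
    archive, first = demo()
    print(count_results(archive), first)
```

The archive keeps the requested ids next to each reply because the batch response carries only the new message ids: a shorter result list than request list tells you how many originals were deleted or inaccessible, but not which, which is why the single-message call is kept for anything you need to date or attribute precisely.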
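For the Discord case, an added example (not from the article) that turns an intercepted webhook POST into the two follow-up GET requests and dates both artefacts. Every Discord ID is a snowflake: bits 22 and up hold milliseconds since 2015-01-01T00:00:00Z, followed by 5 bits of worker id, 5 bits of process id and a 12-bit increment, so the webhook_id gives the webhook's creation time and the message_id in the POST reply gives the exfiltration time. The sample URL, token and IDs are constructed placeholders; the regex also accepting the discordapp.com, ptb. and canary. hosts and a versioned /api/vN/ prefix is my addition.

```python
"""Added example (not from the article): date an intercepted Discord webhook and
message and build the two credential-free GET URLs. Discord IDs are snowflakes:
bits 22 and up hold milliseconds since 2015-01-01T00:00:00Z, then 5 bits of
worker id, 5 bits of process id and a 12-bit increment. The sample URL, token
and IDs are constructed placeholders."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000
# Also accepts the legacy discordapp.com host, ptb./canary. hosts and a versioned /api/vN/ prefix.
WEBHOOK_URL_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)")


def encode_snowflake(timestamp_ms, worker=0, process=0, increment=0):
    """Inverse of decode_snowflake; used here only to build the constructed samples."""
    return ((timestamp_ms - DISCORD_EPOCH_MS) << 22) | (worker << 17) | (process << 12) | increment


def decode_snowflake(snowflake):
    """Split a snowflake into its fields; the timestamp comes back as ISO-8601 UTC."""
    sf = int(snowflake)
    ms = (sf >> 22) + DISCORD_EPOCH_MS
    return {
        "timestamp": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(timespec="milliseconds"),
        "worker_id": (sf >> 17) & 0x1F,
        "process_id": (sf >> 12) & 0x1F,
        "increment": sf & 0xFFF,
    }


def parse_webhook_url(url):
    """Pull webhook_id and webhook_token out of a captured POST URL."""
    m = WEBHOOK_URL_RE.search(url)
    if not m:
        raise ValueError("not a Discord webhook URL")
    return {"webhook_id": m.group(1), "webhook_token": m.group(2)}


def triage(captured_post_url, message_id):
    """From the exfil POST URL and the message id in its JSON reply, derive what to fetch next."""
    w = parse_webhook_url(captured_post_url)
    base = f"https://discord.com/api/webhooks/{w['webhook_id']}/{w['webhook_token']}"
    return {
        **w,
        "webhook_created": decode_snowflake(w["webhook_id"])["timestamp"],
        "message_sent": decode_snowflake(message_id)["timestamp"],
        "webhook_info_url": base,                        # GET: name, channel_id, guild_id
        "message_url": f"{base}/messages/{message_id}",  # GET: the exfiltrated message itself
    }


def _ms(dt):
    return int(dt.timestamp() * 1000)


# Constructed sample: webhook created 2024-08-15T09:30:00Z, message sent 2024-09-01T12:00:00.250Z.
SAMPLE_WEBHOOK_ID = encode_snowflake(_ms(datetime(2024, 8, 15, 9, 30, tzinfo=timezone.utc)),
                                     worker=1, increment=3)
SAMPLE_MESSAGE_ID = encode_snowflake(_ms(datetime(2024, 9, 1, 12, 0, 0, 250000, tzinfo=timezone.utc)),
                                     worker=2, increment=7)
SAMPLE_POST_URL = f"https://discord.com/api/webhooks/{SAMPLE_WEBHOOK_ID}/AbCdEf_ghIJkl-MNOPqrstUVWX"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_POST_URL, SAMPLE_MESSAGE_ID).items():
        print(f"{key}: {value}")
```

Because the timestamp lives in the ID rather than in the message body, a webhook_id alone tells you when the operator set up the channel, even for messages you never managed to retrieve.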
Retrieving a message without knowing the message_id is difficult because Discord uses a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Snowflake_ID\" target=\"_blank\" rel=\"noreferrer noopener\">snowflake ID<\/a>, which includes the timestamp of the message and service information for identification.&nbsp;<\/p>\n\n\n\n<p>The only known message IDs for you will be those you managed to intercept.&nbsp;<\/p>\n\n\n\n<p>Among the methods that can be executed directly in the browser, there are only two:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li>Retrieving webhook data:&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>https:\/\/discord.com\/api\/webhooks\/&lt;webhook_id&gt;\/&lt;webhook_token&gt;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Retrieving a message:&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>https:\/\/discord.com\/api\/webhooks\/&lt;webhook_id&gt;\/&lt;webhook_token&gt;\/messages\/&lt;message_id&gt;<\/p>\n\n\n\n<p>For example, consider the <a href=\"https:\/\/app.any.run\/tasks\/189ce54d-7b1a-4d6f-a3ab-c6ea88d1aa5b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">following sandbox session<\/a>.&nbsp;<\/p>\n\n\n\n<p>We once again run it with the MITM Proxy enabled.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-1024x116.png\" alt=\"\" class=\"wp-image-8928\" width=\"578\" height=\"65\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-1024x116.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-300x34.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-768x87.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-370x42.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-270x31.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f-740x84.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image6f.png 1119w\" sizes=\"(max-width: 578px) 100vw, 578px\" \/><figcaption class=\"wp-element-caption\"><em>The HTTP Requests tab shows a POST request to discord.com\/api\/webhooks<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, we find a request to Discord. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image70.png\" alt=\"\" class=\"wp-image-8929\" width=\"489\" height=\"187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image70.png 534w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image70-300x115.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image70-370x141.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image70-270x103.png 270w\" sizes=\"(max-width: 489px) 100vw, 489px\" \/><figcaption class=\"wp-element-caption\"><em>The full URL of the request, including the webhook_id and webhook_token<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>We copy the request URL.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-1024x246.png\" alt=\"\" class=\"wp-image-8930\" width=\"560\" height=\"135\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-1024x246.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-300x72.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-768x184.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-370x89.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-270x65.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71-740x177.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image71.png 1126w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/><figcaption class=\"wp-element-caption\"><em>The result of executing a GET request in the browser<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>By inserting the URL into the browser&#8217;s address bar, we can obtain data about the webhook, including its name (name) and the channel it is associated with (channel_id).&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s open the server response in the sandbox session. We\u2019ll use the simplified view to find the message ID.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-1024x630.png\" alt=\"\" class=\"wp-image-8931\" width=\"600\" height=\"369\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-1024x630.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-768x473.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-370x228.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72-740x455.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image72.png 1050w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption 
class=\"wp-element-caption\"><em>After a POST request to the webhook URL, the server returns all information about the message<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-1024x770.png\" alt=\"\" class=\"wp-image-8932\" width=\"604\" height=\"454\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-1024x770.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-300x226.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-768x578.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-370x278.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-270x203.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-740x557.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image73.png 1130w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption class=\"wp-element-caption\"><em>The information in JSON format<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>More useful are the methods that require POST and PATCH requests.&nbsp;<\/p>\n\n\n\n<p>By sending a request to the previous URL, we can modify the message using PATCH.&nbsp;<\/p>\n\n\n\n<p>You can also edit the webhook. 
Similarly, instead of retrieving webhook data using GET, you can use PATCH.&nbsp;<\/p>\n\n\n\n<p>A POST request to the webhook URL will allow you to send a message.&nbsp;<\/p>\n\n\n\n<p>For more detailed information, refer to the <a href=\"https:\/\/discord.com\/developers\/docs\/resources\/webhook\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">webhook documentation<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Python Scripts for Parsing Telegram Chats<\/h2>\n\n\n\n<p>We have prepared demonstration scripts in Python to make it easier to replicate the techniques shown above.&nbsp;You can find these scripts in our <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub repo<\/a>. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Script 1: prepare_bot.py<\/strong>&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/TelegramAPI\/prepare_bot.py\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">This script<\/a> allows you to obtain the chat ID of the group to which the bot will be added. The script will warn about the presence of a webhook and offer to delete it. If the bot already has unprocessed updates, the script will offer to delete them.&nbsp;<\/p>\n\n\n\n<p>After that, you only need to add the bot to the group. 
The script will restore the webhook if it existed and delete the update about being added to the group.&nbsp;<\/p>\n\n\n\n<p>As an example, we\u2019ll use the following bot token:&nbsp;<\/p>\n\n\n\n<p>bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo&#8211;c&nbsp;<\/p>\n\n\n\n<p>Once we run the script, the chat ID will be displayed.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"386\" height=\"136\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image74.png\" alt=\"\" class=\"wp-image-8933\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image74.png 386w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image74-300x106.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image74-370x130.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image74-270x95.png 270w\" sizes=\"(max-width: 386px) 100vw, 386px\" \/><figcaption class=\"wp-element-caption\"><em>The result of running the script with no webhook<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>If a webhook is present:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75.png\" alt=\"\" class=\"wp-image-8934\" width=\"585\" height=\"344\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75.png 780w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75-768x452.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75-270x159.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image75-740x435.png 740w\" sizes=\"(max-width: 585px) 100vw, 585px\" \/><figcaption class=\"wp-element-caption\"><em>The script reports a webhook, displays its parameters, and warns about potential risks<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Script 2: forward_message.py<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The next useful script is <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/TelegramAPI\/forward_message.py\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">forward_message.py<\/a>, which allows forwarding messages from one chat to another.&nbsp;<\/p>\n\n\n\n<p>The bot must have access to messages from the first chat and must be able to send messages to the second chat.&nbsp;<\/p>\n\n\n\n<p>You can specify the range of messages to forward, the method for handling HTTP 429 (too many requests), and the frequency of requests.&nbsp;<\/p>\n\n\n\n<p>All request results will be saved in a separate directory, which can also be reassigned.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-1024x30.png\" alt=\"\" class=\"wp-image-8935\" width=\"512\" height=\"15\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-1024x30.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-300x9.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-768x23.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-370x11.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-270x8.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76-740x22.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image76.png 1356w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><figcaption class=\"wp-element-caption\"><em>Here is how you can use forward_message.py<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The script writes the launch parameters to the console and the ID of the message it attempts to forward.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image77.png\" alt=\"\" class=\"wp-image-8936\" width=\"458\" height=\"170\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image77.png 611w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image77-300x111.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image77-370x137.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image77-270x100.png 270w\" sizes=\"(max-width: 458px) 100vw, 458px\" \/><figcaption class=\"wp-element-caption\"><em>The results of running forward_message.py<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Server responses will be saved in separate JSON files in a specified directory.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"306\" height=\"700\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image78.png\" alt=\"\" class=\"wp-image-8937\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image78.png 306w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image78-131x300.png 131w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image78-270x618.png 270w\" sizes=\"(max-width: 306px) 100vw, 306px\" \/><figcaption class=\"wp-element-caption\"><em>Example of a saved server 
response<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Script 3: forward_messages.py<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The next script is <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Scripts\/TelegramAPI\/forward_messages.py\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">forward_messages.py<\/a>. Despite the similar name and settings, it has some differences from forward_message.py:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It forwards up to 100 messages in a single request.&nbsp;<\/li>\n\n\n\n<li>You do not receive data about the messages.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-1024x32.png\" alt=\"\" class=\"wp-image-8938\" width=\"526\" height=\"16\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-1024x32.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-300x9.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-768x24.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-370x11.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-270x8.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79-740x23.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image79.png 1358w\" sizes=\"(max-width: 526px) 100vw, 526px\" \/><figcaption class=\"wp-element-caption\"><em>Here is how you can use forward_messages.py<\/em><\/figcaption><\/figure>\n\n\n\n<p>Example:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7a.png\" alt=\"\" class=\"wp-image-8939\" 
width=\"448\" height=\"220\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7a.png 597w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7a-300x147.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7a-370x182.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7a-270x133.png 270w\" sizes=\"(max-width: 448px) 100vw, 448px\" \/><figcaption class=\"wp-element-caption\"><em>The results of running forward_messages.py<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The script writes the launch parameters to the console, the range of messages it attempts to forward, and the number of messages that were successfully forwarded within that range.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"236\" height=\"215\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image7b.png\" alt=\"\" class=\"wp-image-8940\"\/><figcaption class=\"wp-element-caption\"><em>Example of saved server response<\/em>s<\/figcaption><\/figure><\/div>\n\n\n<p>The server returns only an array containing the IDs of the messages forwarded using the \/forwardMessages.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malware configs&nbsp;<\/h2>\n\n\n\n<p>For more convenient data extraction, ANY.RUN lets you access malware&#8217;s configuration via the <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>MalConf<\/em><\/a> tab (<a href=\"https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79?malconf=66e7c1acfec4983250763c78\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">see sandbox session<\/a>). 
In this configuration, you can find the token.&nbsp;If there is info about requests in the process memory, their parameters are also displayed.<\/p>\n\n\n\n<p>You can also explore ready-made links for API requests, which you can paste into your browser&#8217;s address bar.<\/p>\n\n\n\n<p>The available links for Telegram are:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get info about the bot&nbsp;<\/li>\n\n\n\n<li>Get incoming updates&nbsp;<\/li>\n\n\n\n<li>Get webhook&nbsp;<\/li>\n\n\n\n<li>Delete webhook&nbsp;<\/li>\n\n\n\n<li>Drop incoming updates&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81.png\" alt=\"\" class=\"wp-image-8946\" width=\"580\" height=\"393\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81.png 983w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81-768x520.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81-370x250.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image81-740x501.png 740w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><figcaption class=\"wp-element-caption\"><em>Example of a config for a Telegram bot, displaying its token<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For Discord, malware typically uses webhooks. 
With a GET request, the only available action is to retrieve information about the webhook itself.&nbsp;<\/p>\n\n\n\n<p>See <a href=\"https:\/\/app.any.run\/tasks\/b86b6efc-093b-4418-ab4d-7385e1761bb8\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice?malconf=true\" target=\"_blank\" rel=\"noreferrer noopener\">another session with an extracted malware config<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82.png\" alt=\"\" class=\"wp-image-8947\" width=\"594\" height=\"398\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82.png 983w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82-300x201.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82-768x516.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82-370x248.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82-270x181.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image82-740x497.png 740w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><figcaption class=\"wp-element-caption\"><em>The configuration displays the webhook token in the format webhook_id\/webhook_token<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In most cases, the malware retains data about the request and its result in memory, and you can obtain these details from the configuration.&nbsp;&nbsp;<\/p>\n\n\n\n<p>For Telegram, the most important data are chat_id and token. 
Thanks to ANY.RUN&#8217;s config extraction, you can see the text of the message sent by the malware.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83.png\" alt=\"\" class=\"wp-image-8948\" width=\"606\" height=\"407\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83.png 991w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83-768x516.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83-270x181.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image83-740x497.png 740w\" sizes=\"(max-width: 606px) 100vw, 606px\" \/><figcaption class=\"wp-element-caption\"><em>Extracted request from which you can obtain the bot_token and chat_id<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84.png\" alt=\"\" class=\"wp-image-8949\" width=\"617\" height=\"417\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84.png 985w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84-768x519.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84-370x250.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image84-740x500.png 740w\" 
sizes=\"(max-width: 617px) 100vw, 617px\" \/><figcaption class=\"wp-element-caption\">Example of an extracted response from the server<\/figcaption><\/figure><\/div>\n\n\n<p>Malware that uses Discord is often written in Python or JavaScript.&nbsp;&nbsp;<\/p>\n\n\n\n<p>In most cases, they do not leave complete data about requests in memory. However, if such data remains, you will be able to see it in the MalConf tab.&nbsp;<\/p>\n\n\n\n<p>We can obtain the message ID, channel ID, sending date, URL for downloading attachments, and other useful information from the server response.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85.png\" alt=\"\" class=\"wp-image-8951\" width=\"628\" height=\"426\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85.png 979w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85-768x521.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85-370x251.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/09\/image85-740x502.png 740w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><figcaption class=\"wp-element-caption\"><em>Response from the server containing information about the sent message<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. 
Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sandbox Sessions Used in Research <\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Telegram API<\/h3>\n\n\n\n<p>POST request to 
\/sendDocument: <a href=\"https:\/\/app.any.run\/tasks\/93e29328-a39a-4769-94d7-44256e1c9cbb\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/93e29328-a39a-4769-94d7-44256e1c9cbb<\/a><\/p>\n\n\n\n<p>GET request to \/sendMessage: <a href=\"https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79\/<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Discord API<\/h3>\n\n\n\n<p>POST request to webhook URL: <a href=\"https:\/\/app.any.run\/tasks\/189ce54d-7b1a-4d6f-a3ab-c6ea88d1aa5b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/189ce54d-7b1a-4d6f-a3ab-c6ea88d1aa5b<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configurations<\/h3>\n\n\n\n<p>Two telegram bots and one discord webhook in one sample: <a href=\"https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79?malconf=66e7c1acfec4983250763c78\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/861482ae-8f96-41ff-918f-3a642c87db79?malconf=66e7c1acfec4983250763c78<\/a>&nbsp;<\/p>\n\n\n\n<p>Discord webhook and server response: <a 
href=\"https:\/\/app.any.run\/tasks\/b86b6efc-093b-4418-ab4d-7385e1761bb8\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=intercepting_malware_data&amp;utm_term=250924&amp;utm_content=linktoservice?malconf=true\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/b86b6efc-093b-4418-ab4d-7385e1761bb8?malconf=true<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs&nbsp;<\/h2>\n\n\n\n<p><strong>Statement of Account as of AUGUST 2024SOA.pdf.exe<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: ddbaaa52ea1192377573a76e4ac8fb7b<\/li>\n\n\n\n<li>SHA256: 4122f1d85ffb12401925c52470a6a3f4cc75e02546069894ed33ce7a6dd81897<\/li>\n<\/ul>\n\n\n\n<p><strong>svchost.exe \/ Builder.exe&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: 6aba4665085cf92ad3d569a7b37f2b53&nbsp;<\/li>\n\n\n\n<li>SHA256: 7f158a2e68162d7e882dc389c8c4d8e4dcd1161272fd4ba5a2edd63e31385f69&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Builder.exe&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: 3c168aa3065d0ff315220f060fbae7b3&nbsp;<\/li>\n\n\n\n<li>SHA256: e72325336065b6a088a43221a4e7da4e86e2c627c2b671c1b05a643dc19e9060&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>svchost.exe&nbsp;&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: 50dce71a753bad01a07904f2af283123&nbsp;<\/li>\n\n\n\n<li>SHA256: 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>csrss.exe&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: 0998890ccf8a3d8702db7a84fe6dd7b3&nbsp;<\/li>\n\n\n\n<li>SHA256: c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Stlr.exe&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MD5: 712e31bac690f0f557c37f324cfe541b&nbsp;<\/li>\n\n\n\n<li>SHA256: 5809167017915ccd66d1fff1c39da41ea43f0dcf0a6b8fd3e5938281a5d78ac4&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Often, 
malware uses platforms like \u2014 Telegram and Discord for data exfiltration. Due to its simplicity and the lack of need for building a server architecture, this exfiltration method has gained significant popularity. However, this very simplicity is also its weakness.&nbsp; In this article we\u2019ll show you how to obtain information related to threat actors&#8217; [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-8906","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Intercept Data Stolen by Malware via Telegram and Discord<\/title>\n<meta name=\"description\" content=\"See how you can obtain data collected by threat actors from infected systems and exfiltrated to Telegram or Discord.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Intercept Data Exfiltrated by Malware via Telegram and Discord\",\"datePublished\":\"2024-09-25T12:22:02+00:00\",\"dateModified\":\"2025-07-17T08:26:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\"},\"wordCount\":2996,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\",\"name\":\"How to Intercept Data Stolen by Malware via Telegram and Discord\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-09-25T12:22:02+00:00\",\"dateModified\":\"2025-07-17T08:26:01+00:00\",\"description\":\"See how you can obtain data collected by threat actors from infected systems and exfiltrated to Telegram or 
Discord.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Intercept Data Exfiltrated by Malware via Telegram and Discord\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Intercept Data Stolen by Malware via Telegram and Discord","description":"See how you can obtain data collected by threat actors from infected systems and exfiltrated to Telegram or Discord.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How to Intercept Data Exfiltrated by Malware via Telegram and Discord","datePublished":"2024-09-25T12:22:02+00:00","dateModified":"2025-07-17T08:26:01+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/"},"wordCount":2996,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/","url":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/","name":"How to Intercept Data Stolen by Malware via Telegram and Discord","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-09-25T12:22:02+00:00","dateModified":"2025-07-17T08:26:01+00:00","description":"See how you can obtain data collected by threat actors from infected systems and exfiltrated to Telegram or 
Discord.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"How to Intercept Data Exfiltrated by Malware via Telegram and Discord"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8906"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8906"}],"version-history":[{"count":43,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8906\/revisions"}],"predecessor-version":[{"id":9181,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8906\/revisions\/9181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8954"}],
"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}