View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 27, 2022updated 05 Aug 2022 6:59am

Telegram and Discord bots used to deliver info-stealing malware

Bots have legitimate uses on the popular chat apps, but are being exploited by cybercriminals.

By Claudia Glover

Cybercriminals are using bots deployed in popular messaging apps Discord and Telegram to steal credentials, new research has revealed. Users of gaming platforms Roblox and Minecraft are also being targeted in similar attacks, according to a report from security vendor Intel471.

The gangs are using info-stealing tools – trojan malware designed to swipe information from systems – which they attach to legitimate bots in the apps to lift credentials such as autofill data, bookmarks, browser cookies, card information and passwords, the report says.

Telegram malware
Bots on apps including Discord and Telegram are being co-opted to deliver malware. (Photo by stockcam/iStock)

Bots are used on Telegram and Discord to allow users to share media, play games and moderate channels for undesirable content. But they can also be used to deliver malware.

The Intel471 team found that one information-stealing trojan, known as X-files, can download information stored in multiple browsers by accessing bot commands inside Telegram. On Discord, the app’s ‘webhooks’ feature that implements automated messaging and updates has been co-opted by an info stealer called Blitzed Grabber to store stolen data.

The cloud infrastructure used by these apps is also being targeted. “Many threat actors currently use Discord’s content delivery network (CDN) to host malware payloads,” the report says. “Malware operators seemingly do not face any restrictions when uploading their malicious payloads to the Discord CDN for file hosting. The links are open to any users without authentication.”

The design of these apps makes them easy for criminals to access says Chris Hauk, consumer privacy advocate at Pixel Privacy. “Many messaging platforms were not built for organisational use, and were instead created for general usage,” Hauk says. “They often have APIs that allow anyone to implement malware, as they do not require any authorisation to write code to run on the platforms.”

Discord and Telegram malware attacks are common

As the popularity of these messaging platforms increases, they become a more attractive target for hackers. Discord currently has 150 million active users compared to 100 million in 2020, while Telegram claims to gave 700 million active users, up from 400 million two years ago.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Attacks are ticking up too. In 2021 security company Check Point detected a 140% year-on-year increase in the amount of malware on Discord servers. The company had also discovered 9,500 unique URLs hosting malware on Discord’s CDN.

Last year it was revealed an entire scam has been automated on Telegram to steal money and payment data. Known as “Classicscam”, Telegram bots were used to provide criminals with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. Security vendor Group-IB discovered “at least 40 groups leveraging ‘Classicscam’ with each of them running a separate Telegram chat-bot”. Group-IB estimated that the gangs were making $522,000 per month from the scheme.

How should businesses approach Discord and Telegram?

Discord is increasingly used by businesses, with several productivity platforms including Slack, Trello and Microsoft Teams offering integration options. This could give an info stealer access to company data.

On Telegram, bots are commonly used to conduct business. They can be deployed as an alternative to mobile apps because they are easier to develop and don’t require users to install additional apps or software. These bots can take over communications with customers and even place orders with payment.

Etay Maor, senior director of security strategy at Cato Networks, says: “We’ve seen a significant increase in the usage of consumer applications, such as Discord, on enterprise networks. The number of Telegram flows on enterprise networks more than tripled in the first quarter of 2022, and TikTok flows increased by 10%.”

Tech leaders must insist on “full visibility into their entire network”, Maor says, if they are “to identify the applications being run in the organisation.” Only then “can they accurately understand their risk,” he adds.

Even if companies do not use these apps to conduct business, employees using them on their own devices could be just as dangerous, adds Hauk. “While companies can outlaw and block the use of these messaging services by employees during company hours, this does not prevent employees from using the messaging services on their own time,” he says. “Organisations should survey employees to find out how they use these messaging apps, then consider whether or not the messaging apps can be used reasonably safely.”

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit

Read more: Microsoft’s Discord bid is dead, but its quest for communities continues

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.