Netskope identifies a new Python RAT targeting gamers through Telegram

Netskope's latest findings reveal a multi-functional Python Remote Access Trojan (RAT) utilizing the Telegram Bot Application Programming Interface (API) as its Command and Control (C2) channel. This threat may interest enterprise IT leaders due to its approach in targeting gamers through social engineering tactics.

Key Findings

The malware disguises itself as the 'Nursultan Client', mimicking legitimate Minecraft client software to deceive users. Although some of its functions are Windows-specific, its core C2 framework operates across multiple platforms, including Windows, Linux, and macOS.

Utilizing Telegram for all C2 communications allows for data exfiltration and command execution, emphasizing the need for vigilance in monitoring network activity, especially encrypted channels. The malware can compromise Discord authentication tokens while also performing system surveillance, indicating a multifaceted threat.
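The monitoring point made above is concrete enough to implement. The following is an added example (not code from the report or from Netskope) that scans constructed proxy log lines for Telegram Bot API traffic, which always takes the form `https://api.telegram.org/bot<token>/<method>`, and separates command polling (`getUpdates`) from outbound sends such as `sendDocument` and `sendPhoto`; the log format, hostnames, tokens and the `ALLOWED_BOT_HOSTS` allowlist are all assumptions.

```python
import re
# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>,
# where the token is "<numeric bot id>:<secret>"; only the bot id is reported.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods an implant uses to poll for commands versus to push data out.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
# Hosts that legitimately run a Telegram bot (assumed allowlist, e.g. a chat-ops notifier).
ALLOWED_BOT_HOSTS = {"ws-marketing-01"}
# Constructed proxy log lines (not from the report): time, host, verb, URL, user agent.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-gamer-07 GET https://api.telegram.org/bot123456789:AAHfakeSecret_xx/getUpdates?offset=5 python-requests/2.31
2024-05-01T10:00:03Z ws-gamer-07 POST https://api.telegram.org/bot123456789:AAHfakeSecret_xx/sendDocument python-requests/2.31
2024-05-01T10:00:04Z ws-dev-02 GET https://web.telegram.org/k/ Mozilla/5.0
2024-05-01T10:00:05Z ws-gamer-07 POST https://api.telegram.org/bot123456789:AAHfakeSecret_xx/sendPhoto python-requests/2.31
2024-05-01T10:00:07Z ws-marketing-01 POST https://api.telegram.org/bot987654321:AAGotherFake_yy/sendMessage curl/8.4
"""

def parse_line(line):
    """Split one proxy log line into fields; None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "verb", "url", "ua"), parts))

def find_bot_api_activity(log_text):
    """One finding per non-allowlisted host that talks to the Bot API."""
    per_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in ALLOWED_BOT_HOSTS:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue  # web/desktop Telegram traffic is not Bot API usage
        f = per_host.setdefault(rec["host"], {"bot_ids": set(), "agents": set(),
                                              "poll": 0, "exfil": 0, "other": 0})
        f["bot_ids"].add(m["bot_id"])
        f["agents"].add(rec["ua"])
        kind = "poll" if m["method"] in POLL_METHODS else "exfil" if m["method"] in EXFIL_METHODS else "other"
        f[kind] += 1
    findings = []
    for host, f in per_host.items():
        # Polling plus outbound sends from one host is the C2 loop the report describes.
        sev = "high" if f["poll"] and f["exfil"] else "medium"
        findings.append({"host": host, "severity": sev, "poll": f["poll"], "exfil": f["exfil"],
                         "bot_ids": sorted(f["bot_ids"]), "user_agents": sorted(f["agents"])})
    return findings
```

The secret half of the token is deliberately never written to the finding, so the alert can be shared without leaking a credential that would let someone else read the bot's messages.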

Technical Analysis

Payload and Installation

The analyzed sample, created with PyInstaller, attempts to conceal its presence on execution by hiding its console window and displaying misleading installation prompts. Its persistence mechanism is implemented incorrectly, which makes it unlikely to survive a system reboot.

Functionality Overview

Hardcoded Telegram credentials restrict command execution to the operator's authorized users. Key functions include stealing Discord tokens and gathering system profiles, both of which are sent back to the attacker through Telegram.

Additionally, commands allow for live surveillance through screenshots and webcam access, along with adware functionalities that can display unsolicited content to users.

Conclusion

This analysis emphasizes the need for organizations to maintain visibility of network communications, particularly those conducted via platforms like Telegram. Despite being equipped with numerous capabilities, the malware displays typical traits of a less experienced threat actor due to certain implementation errors.

Detection Capabilities

Netskope's threat protection services offer coverage against the identified threat, reinforcing the necessity for continuous monitoring and proactive defenses.

Additional Resources

Indicators of Compromise (IOC) related to this malware can be accessed in the provided GitHub repository.