
Netskope Reports New Python RAT Exploiting Telegram API

Netskope Threat Labs has reported a multi-functional Python Remote Access Trojan (RAT) that uses the Telegram Bot Application Programming Interface (API) as its command-and-control (C2) channel. The RAT enables remote access to and data exfiltration from compromised systems, and its lure is aimed squarely at the gaming community.

Key Findings

  • The malware masquerades as “Nursultan Client”, a legitimate Minecraft client, and its installation messages are written to mislead the victim about what is happening.
  • Although it predominantly targets Windows, the command-and-control code is plain Python on top of the Telegram Bot API and would work on other operating systems, including Linux and macOS.
  • Using Telegram for C2 lets the operator issue commands and receive stolen data through a widely used, legitimate messaging platform, so the traffic blends in with normal use.
  • It specifically targets Discord authentication tokens and includes surveillance features such as screen capture and webcam access.

Details

Initial Analysis

The RAT was identified as an executable built with PyInstaller, a packager used for both legitimate and malicious Python applications. The file is unusually large, which may be intended to evade security tools that skip, or cannot process, files above a size threshold.

Unpacking the PyInstaller archive and decompiling the embedded Python bytecode exposed the payload's source and the full set of functions described below.

Installation and Deception

Upon execution, the malware hides any visible output and displays a fake installation progress indicator so the victim believes a normal install is under way. It also contains a startup-persistence mechanism, but the implementation is flawed, so the malware may not survive a reboot.

Telegram C2 Channel

The malware's operation relies entirely on Telegram as its C2 channel. The bot token is hardcoded in the binary, and command handling is restricted to the attacker's authorized Telegram account, so only the operator can task the implant; collected data is sent back to the attacker over the same bot.

Information Stealing Capabilities

The malware collects Discord tokens and performs system reconnaissance. The operator triggers each capability with a command sent through Telegram, and the results are returned over the same channel:

  • “/tokens” – Harvests Discord tokens from the various locations where the Discord client and browsers store them.
  • “/info” – Returns detailed system information, with the output labelled in Russian.

Surveillance and Adware Functions

The RAT also provides surveillance functions, including screenshot capture and webcam activation, along with adware-style functions that overlay messages or prompts on the victim's screen.

Conclusions

The analysis points to a campaign built on social engineering aimed at gamers. Its use of the Telegram Bot API is a reminder that C2 over a legitimate SaaS API looks like ordinary HTTPS to api.telegram.org, so defenders need visibility into encrypted traffic, or at least into which hosts and processes talk to that API, to separate legitimate Telegram use from a beaconing implant. Unusual Bot API activity, such as repeated polling or uploads from a host or process that has no business running a Telegram bot, should be monitored as a potential C2 channel.
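The following Python script is an added example that illustrates both the C2 channel described under "Telegram C2 Channel" and the monitoring recommended above; it is not code from the Netskope report or from the malware. Every Telegram Bot API call has the documented shape https://api.telegram.org/bot<TOKEN>/<method>, and a bot that has no public webhook must poll getUpdates to receive commands, so a host that repeatedly polls getUpdates and then calls a send* method is a strong C2 signal. The proxy-log format, hostnames, process names and bot tokens below are all constructed for the example; the token pattern (numeric bot ID, a colon, then at least 30 URL-safe characters) is a heuristic, not Telegram's specification.

```python
"""Added example: flag Telegram Bot API command-and-control in web proxy logs.

Log format is assumed (constructed for this example, not the report's data):
    <timestamp> <src_host> <process> <http_verb> <url>
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Bot API call:      /bot<token>/<method>      (e.g. getUpdates, sendDocument)
# File download:     /file/bot<token>/<path>   (operator-uploaded files fetched by the bot)
# Token heuristic: numeric bot id, ':', then 30+ URL-safe chars. Assumption, not spec.
BOT_CALL_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)/?$")
FILE_DL_RE = re.compile(r"^/file/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/")

# Methods that move data off the host (text via sendMessage, files/screens via the rest).
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}

# Constructed sample log. WS-0142 shows the pattern a polling implant produces;
# WS-0077 is a user on Telegram Web (not the Bot API); WS-0099 is a one-off bot call.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WS-0142 installer.exe POST https://api.telegram.org/bot7123456789:AAHt9xq2uJbJ4Lg6UzvXqY0W8eKpRrScDm4/getUpdates?offset=1&timeout=30
2024-05-01T10:00:31Z WS-0142 installer.exe POST https://api.telegram.org/bot7123456789:AAHt9xq2uJbJ4Lg6UzvXqY0W8eKpRrScDm4/getUpdates?offset=2&timeout=30
2024-05-01T10:00:40Z WS-0142 installer.exe POST https://api.telegram.org/bot7123456789:AAHt9xq2uJbJ4Lg6UzvXqY0W8eKpRrScDm4/sendDocument
2024-05-01T10:01:01Z WS-0142 installer.exe POST https://api.telegram.org/bot7123456789:AAHt9xq2uJbJ4Lg6UzvXqY0W8eKpRrScDm4/getUpdates?offset=3&timeout=30
2024-05-01T10:02:15Z WS-0077 chrome.exe GET https://web.telegram.org/a/
2024-05-01T10:03:02Z WS-0099 python.exe POST https://api.telegram.org/bot5550001111:AAE0aBcDeFgHiJkLmNoPqRsTuVwXyZ01234/sendMessage
"""


def parse_line(line: str):
    """Split one constructed log line into fields; returns None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, proc, verb, url = parts
    return {"ts": ts, "host": host, "process": proc, "verb": verb, "url": url}


def classify_bot_call(url: str):
    """Return (bot_token, method) if the URL is a Telegram Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_CALL_RE.match(u.path)
    if m:
        return m.group("token"), m.group("method")
    m = FILE_DL_RE.match(u.path)
    if m:
        return m.group("token"), "file-download"
    return None


def summarize(log_text: str):
    """Group Bot API calls per source host: tokens seen, calling processes, method counts."""
    hosts = defaultdict(lambda: {"tokens": set(), "processes": set(), "methods": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        call = classify_bot_call(rec["url"])
        if call is None:
            continue
        token, method = call
        entry = hosts[rec["host"]]
        entry["tokens"].add(token)
        entry["processes"].add(rec["process"])
        entry["methods"][method] += 1
    return dict(hosts)


def assess(hosts):
    """Turn per-host summaries into findings. Polling plus upload is the C2 shape."""
    findings = []
    for host, entry in sorted(hosts.items()):
        polls = entry["methods"]["getUpdates"]
        uploads = sum(c for m, c in entry["methods"].items() if m in UPLOAD_METHODS)
        if polls >= 2 and uploads:
            verdict = "likely-c2"       # receives commands and ships data out
        else:
            verdict = "suspicious"      # any Bot API use from an endpoint deserves a look
        findings.append({
            "host": host,
            "verdict": verdict,
            "processes": sorted(entry["processes"]),
            # The bot id is safe to share; the full token is itself an IOC (and a credential),
            # so keep it for the case file rather than a ticket summary.
            "bot_ids": sorted({t.split(":")[0] for t in entry["tokens"]}),
            "polls": polls,
            "uploads": uploads,
        })
    return findings


if __name__ == "__main__":
    for f in assess(summarize(SAMPLE_LOG)):
        print(f)
```

Running it prints one finding per host that touched the Bot API: WS-0142 is "likely-c2" (three getUpdates polls and a sendDocument from the same process), WS-0099 is "suspicious" (a single sendMessage), and WS-0077 is not listed because web.telegram.org is the user-facing client, not the Bot API. Without TLS inspection you will not see the path, only the destination; in that case the same logic reduces to "which processes on which hosts resolve or connect to api.telegram.org at all", which is still a useful hunt on endpoints that should never run a bot.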

The malware has the hallmarks of a Malware-as-a-Service offering: it is packaged to be resold to lower-tier criminals rather than built with the sophistication associated with more developed threat actors.

Netskope Detection

Netskope Advanced Threat Protection provides proactive coverage against this threat.

  • Netskope Threat Protection
    • QD:Trojan.GenericKDQ.F8A018F2A0

Data Analysis

The insights and data in this blog are derived from anonymized usage data from the Netskope Security Cloud platform, with consent from a subset of customers.

IOCs

Indicators of Compromise (IOC) related to this malware are available in the Netskope Threat Labs GitHub repository.