‘ToxicEye’ Is the Latest Malware to Abuse Telegram for Command & Control

Last updated July 14, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

There’s a rising trend of malware authors abusing Telegram for their malicious operations, using it as a ready-made command and control (C&C) system. The latest notable entry in this category is a remote access trojan named ‘ToxicEye’, which has been spotted, sampled, analyzed, and detailed in a write-up by Check Point.

The benefits of using Telegram as C&C can be analyzed in the following:

Source: Check Point

‘ToxicEye’ is notable because it is one of the nastiest pieces of RATs that are circulating out there. Check Point has seen it in over 130 attacks, spreading via phishing emails that come with a .exe file as an attachment. Users who are convinced to download and execute the binary are infected and then run the following risks:

ToxicEye can steal the data, including browser history and cookies, PC information, or credentials and passwords. The RAT can also deploy a keylogger, monitor and exfiltrate clipboard data, and support ransomware operation with both encryption and decryption features built-in.

To protect yourself against dangers of this kind, you should first and foremost avoid downloading any attachments that have arrived via unsolicited emails. No matter what these messages claim, or what emergencies are presented, you should always treat them with caution.

If you suspect that you may already be in trouble, search for the following file on your computer ‘C:\Users\ToxicEye\rat.exe’. Additionally, you could scrutinize your organization's network traffic to see if any of your systems communicate with Telegram, even though the IM software isn’t installed on them.

Source: Check Point

Only yesterday, we analyzed how malware authors are increasingly turning to the abuse of legitimate services and cloud platforms, and why stopping it is both difficult and complicated. The ToxicEye RAT is yet another example of that, and one that’s added on top of a rapidly growing pile.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: