Find notable cyber news and cases, enriched with sources, timelines, and signals.

Handala multi-stage malware with Telegram C2 and exfiltration

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The Handala malware package uses a multi-stage payload to give operators remote access to infected Windows devices, increasing the risk of stealthy data theft. The second stage connects to Telegram C2 bots, allowing the tooling to exfiltrate files and screen captures from victim devices. The activity also relies on social engineering and disguises itself as familiar software or services to improve execution. The result is a capable collection tool for targeted espionage-style operations.

Related Happenings

Trojanized Pyrogram forks with hidden Telegram backdoor

Malware Activity
H score14 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
H score56 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

Timeline

  1. 24.03.2026 11:30 2 articles · 3mo ago

    Handala malware uses multi-stage payload and Telegram C2 on Windows

    Technical Analysis Update

    Handala uses a multi-stage payload on Windows devices, disguising the first stage as common software or services and using social engineering and file transfers to get execution. The second stage connects infected machines to Telegram command-and-control bots for remote access and exfiltration of screen captures or files, while additional samples show PowerShell execution, directory exclusions, screen and audio recordings, cache capture, file compression, and file deletion.

    Show sources