Handala multi-stage malware with Telegram C2 and exfiltration
Malware Activity
Summary
Hide ▲
Show ▼
The Handala malware package uses a multi-stage payload to give operators remote access to infected Windows devices, increasing the risk of stealthy data theft. The second stage connects to Telegram C2 bots, allowing the tooling to exfiltrate files and screen captures from victim devices. The activity also relies on social engineering and disguises itself as familiar software or services to improve execution. The result is a capable collection tool for targeted espionage-style operations.
Related Happenings
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware ActivityAbout this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...
Timeline
-
24.03.2026 11:30 2 articles · 3mo ago
Handala malware uses multi-stage payload and Telegram C2 on Windows
Technical Analysis UpdateHandala uses a multi-stage payload on Windows devices, disguising the first stage as common software or services and using social engineering and file transfers to get execution. The second stage connects infected machines to Telegram command-and-control bots for remote access and exfiltration of screen captures or files, while additional samples show PowerShell execution, directory exclusions, screen and audio recordings, cache capture, file compression, and file deletion.
Show sources
- Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals — www.infosecurity-magazine.com — 24.03.2026 11:30
- Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals — www.infosecurity-magazine.com — 24.03.2026 11:30