Trojanized Pyrogram forks with hidden Telegram backdoor

Malware Activity
H score 14
1 unique source, 1 article

Summary

Trojanized Pyrogram forks on PyPI now ship a hidden backdoor that gives attackers remote command execution and file access on compromised Telegram bot servers. The malware activates through concealed Telegram command handlers when an infected bot starts. It can expose files, secrets, chats, contacts, and environment variables, and it returns command output to the attackers over Telegram.

Related Happenings

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score 26 · First: 01.07.2026 00:02 · Last: 01.07.2026 00:02 · Sources: 1

How related: A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram forks that allow attackers to read arbitrary files on compromised servers.

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Millenium RAT Windows malware activity and native C++ rewrite

Malware Activity
H score 62 · First: 29.06.2026 17:30 · Last: 29.06.2026 17:30 · Sources: 1

About this happening: The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score 29 · First: 25.06.2026 12:23 · Last: 25.06.2026 12:23 · Sources: 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score 30 · First: 24.06.2026 17:00 · Last: 24.06.2026 17:00 · Sources: 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score 23 · First: 24.06.2026 17:00 · Last: 24.06.2026 17:00 · Sources: 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Timeline

  1. 01.07.2026 00:02 · 2 articles · 2h ago

    Checkmarx details Operation Navy Ghost PyPI backdoor

    Initial Disclosure

    Checkmarx says the Operation Navy Ghost campaign published at least eight trojanized Pyrogram forks on PyPI between November 2025 and June 2026, targeting Python developers building Telegram bots and operators of Telegram bot servers. The packages include a hidden secret.py backdoor in the helpers module that registers Telegram command handlers, executes attacker-supplied Python or shell commands, returns output over Telegram, suppresses errors, disables logging, and uses a hardcoded OWNERS list to control infected bots.

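To triage an environment for the traits named in the disclosure above (a `secret.py` inside a `helpers` package, a hardcoded `OWNERS` list, command execution, disabled logging, suppressed errors), the following added example, which is not code from Checkmarx or from the packages themselves, parses Python files statically and reports which traits each one contains. The heuristics, the two-trait threshold and the constructed `SAMPLE` are assumptions for illustration, not published indicators.

```python
import ast
from pathlib import Path, PurePosixPath
EXEC = {"exec", "eval", "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
        "subprocess.check_output", "subprocess.getoutput", "asyncio.create_subprocess_shell"}
# Constructed sample, NOT the real malware: it only mimics the traits named in the report.
SAMPLE = '''import logging, subprocess
OWNERS = [111111111, 222222222]
logging.disable(logging.CRITICAL)
def run(cmd):
    try:
        return subprocess.check_output(cmd, shell=True)
    except Exception:
        pass
'''
def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""

def traits(path, source):
    """Heuristic (assumed) checks for the reported traits; code is parsed, never run."""
    in_helpers = PurePosixPath(path).parts[-2:] == ("helpers", "secret.py")
    found = {"helpers/secret.py"} if in_helpers else set()
    for n in ast.walk(ast.parse(source)):
        if isinstance(n, ast.Call) and dotted(n.func) in EXEC:
            found.add("dynamic-exec")
        elif isinstance(n, ast.Call) and dotted(n.func) == "logging.disable":
            found.add("logging-disabled")
        elif isinstance(n, ast.ExceptHandler) and all(isinstance(s, ast.Pass) for s in n.body):
            found.add("errors-swallowed")
        elif (isinstance(n, ast.Assign) and isinstance(n.value, (ast.List, ast.Tuple, ast.Set))
              and n.value.elts and any(dotted(t).isupper() for t in n.targets)
              and all(isinstance(e, ast.Constant) and isinstance(e.value, int) for e in n.value.elts)):
            found.add("hardcoded-id-list")
    return found

def scan_tree(root):
    """Map each .py file under root (e.g. site-packages) to its traits when 2+ match."""
    hits = {}
    for p in Path(root).rglob("*.py"):
        try:
            found = traits(p.as_posix(), p.read_text(errors="replace"))
        except (SyntaxError, ValueError):
            continue
        if len(found) >= 2:  # assumed threshold: one trait alone is common in benign code
            hits[str(p)] = found
    return hits
```

Point `scan_tree` at the bot's `site-packages` directory and review every hit by hand; a match is a lead for inspection, not proof of compromise.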