Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
Summary
Trojanized Pyrogram forks on PyPI now ship a hidden backdoor that gives attackers remote command execution and file access on compromised Telegram bot servers. The malware activates through concealed Telegram command handlers when an infected bot starts. It can expose files, secrets, chats, contacts, and environment variables, and it returns command output to the attackers over Telegram.
Related Happenings
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score: 26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources: 1
How related:
A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram forks that allow attackers to read arbitrary files on compromised servers.
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Millenium RAT Windows malware activity and native C++ rewrite
Malware Activity
H score: 62
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources: 1
About this happening:
The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score: 29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources: 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
macOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score: 30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources: 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
macOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score: 23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources: 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
Timeline
01.07.2026 00:02 · 2 articles
Checkmarx details Operation Navy Ghost PyPI backdoor
Initial Disclosure
Checkmarx says the Operation Navy Ghost campaign published at least eight trojanized Pyrogram forks on PyPI between November 2025 and June 2026, targeting Python developers building Telegram bots and operators of Telegram bot servers. The packages include a hidden secret.py backdoor in the helpers module that registers Telegram command handlers, executes attacker-supplied Python or shell commands, returns output over Telegram, suppresses errors, disables logging, and uses a hardcoded OWNERS list to control infected bots.
Sources:
- Malicious PyPI packages give hackers control of Telegram bot servers — www.bleepingcomputer.com — 01.07.2026 00:02
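A triage heuristic for the traits listed in the disclosure above (hardcoded OWNERS list, command execution, disabled logging, swallowed errors), added here as an example and not taken from Checkmarx or from the packages. The trait names, the list of execution calls, the threshold and the inert sample module are all assumptions constructed for illustration.

```python
import ast

# Constructed, inert sample mimicking only the traits the write-up lists.
SAMPLE_SECRET_PY = '''
import logging, subprocess
OWNERS = [1000001, 1000002]
logging.disable(logging.CRITICAL)
def _run(cmd):
    try:
        return subprocess.getoutput(cmd)
    except Exception:
        pass
'''

# Assumed set of calls that execute Python or shell input.
EXEC_CALLS = {"exec", "eval", "os.system", "os.popen", "subprocess.run",
              "subprocess.Popen", "subprocess.getoutput", "subprocess.check_output"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def backdoor_traits(source):
    """Return the set of reported traits found in one module's source."""
    traits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, (ast.List, ast.Tuple, ast.Set)):
            elts = node.value.elts
            all_ints = elts and all(isinstance(e, ast.Constant) and isinstance(e.value, int) for e in elts)
            if all_ints and "OWNERS" in {_dotted(t) for t in node.targets}:
                traits.add("hardcoded-owners")      # numeric ID allow-list
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_CALLS:
                traits.add("dynamic-exec")
            elif name == "logging.disable":
                traits.add("logging-disabled")
        elif isinstance(node, ast.ExceptHandler) and all(isinstance(s, ast.Pass) for s in node.body):
            traits.add("errors-suppressed")         # except: pass
    return traits

def is_suspicious(source, threshold=3):
    """Flag a module only when several independent traits co-occur."""
    return len(backdoor_traits(source)) >= threshold
```

Run it over every `.py` file of an installed Pyrogram fork, starting with any `secret.py` under the helpers module; the source is only parsed, never imported or executed.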