ToxicEye operators are utilizing Telegram to maintain control of their malware. The RAT exploits the instant messaging service as a part of C2 infrastructure to conduct excessive data theft. 

What has happened?

A researcher from Check Point Research observed ToxicEye in the wild associated with 130 attacks in the past three months. 
The attack chain starts with the creation of a Telegram account and a bot. In this case, the bot is inserted inside the malware's configuration for malicious intentions.
  • Phishing emails are sent to targeted victims that have the malicious document as an attachment. If a victim downloads the subsequent malicious .exe file, ToxicEye is deployed.
  • Any system infected with this malicious payload can be targeted via the Telegram bot that establishes a connection to the user's device back to the attacker's C2 using Telegram.
  • The RAT can scan for and steal credentials, computer OS details, clipboard content, browser history and cookies, and kill PC processes and hijack task management, among others.

Recent attacks using Telegram 

The Telegram instant messaging platform is widely used by cybercriminals for malicious purposes.
  • Recently, Hack Boss, a Telegram channel, has been used to spread malicious software for other hackers.
  • Cybercriminals utilized Telegram to steal from food delivery services and restaurants.


ToxicEye is the latest in a line of malware that uses Telegram as C2 and such threats are expected to evolve in the future. Both individuals and enterprises suspecting the possible infection of this RAT should search for C:\Users\ToxicEye\rat[.]exe file and remove it from the system immediately.

Cyware Publisher