PowerShell stealer targets Telegram sessions
π‘οΈ Researchers discovered a PowerShell script masquerading as a Windows telemetry update that steals Telegram for Windows session data. The script collects system info, closes Telegram to access the tdata folder, zips its contents, and sends the archive to an attacker-controlled bot before removing traces. The sample was found on Pastebin and appears to be a prototype, with no confirmed successful exfiltration yet. Users are advised to use robust endpoint security and enable Telegram TwoβStep Verification or passkeys.
