Malicious Telegram installers are distributing malware


Experts have warned users to beware a malware downloader pretending to be an installer for popular communications platform Telegram. 

According to researchers at cybersecurity firm Minerva Labs, someone is distributing two files in a single download: one is a legitimate Telegram installer, the other an AutoIT program that acts as a downloader for the Purple Fox malware.

Once on the machine, the legitimate Telegram installer is never launched; only the AutoIT program runs. The attack is staged, with the first stage devoted to reconnaissance and preparation: the program scans the device, disables the security tools it finds, adds a few registry entries, and once the ground is prepared it signals its Command and Control (C2) server so that the download of the second-stage malware can begin.

Flying under the radar

Stage two, Purple Fox itself, can do plenty of damage to the target device: it can search for and exfiltrate files, kill processes, delete data, spread to other Windows systems like a worm, and download and run further malicious code.

While Minerva Labs' report doesn't dig deeper into who is behind the attack, it does say that the multi-stage approach makes it harder for security products to spot and block the threat.

“This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV (antivirus) engines, with the final stage leading to Purple Fox rootkit infection,” it explains.
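Low per-file detection rates are exactly why defenders lean on behaviour rather than file signatures for this kind of staged dropper. The Python below is an added example written for this page (it is not Minerva Labs' tooling and not Purple Fox telemetry): it replays constructed, Sysmon-style events and raises an alert only for a process that first tampers with antivirus policy, then adds a persistence entry, and only afterwards opens an outbound connection, the order described above. The registry key patterns, file paths, PIDs and the 203.0.113.10 / 198.51.100.7 addresses are illustrative assumptions, not indicators taken from the report.

```python
"""Behavioural correlation for a staged dropper (example code, not Minerva's)."""
import re
from collections import defaultdict

# Constructed, simplified Sysmon-style events (not real Purple Fox telemetry).
# PID 4108 stands in for a hypothetical AutoIT dropper, 4100 for the legitimate
# installer and 4120 for a benign self-updating app. Paths, PIDs and addresses
# (TEST-NET ranges) are made up for this example.
SAMPLE_EVENTS = [
    'ts=1 pid=4100 type=process_create image="C:\\Users\\u\\Downloads\\tsetup.exe"',
    'ts=2 pid=4100 type=file_create target="C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\log.txt"',
    'ts=3 pid=4108 type=process_create image="C:\\Users\\u\\Downloads\\setup_helper.exe"',
    'ts=4 pid=4108 type=registry_set key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" data=1',
    'ts=5 pid=4108 type=registry_set key="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" data=1',
    'ts=6 pid=4108 type=registry_set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper" data="C:\\Users\\u\\Downloads\\setup_helper.exe"',
    'ts=7 pid=4108 type=network_connect dst=203.0.113.10 port=443',
    'ts=8 pid=4120 type=process_create image="C:\\Program Files\\Updater\\updater.exe"',
    'ts=9 pid=4120 type=registry_set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater" data="C:\\Program Files\\Updater\\updater.exe"',
    'ts=10 pid=4120 type=network_connect dst=198.51.100.7 port=443',
]

# Illustrative patterns: policy values that switch Defender features off, and
# the classic Run/RunOnce autostart keys. Real rules would cover more locations.
DEFENSE_TAMPER = re.compile(r"\\Windows Defender\\(Real-Time Protection\\)?Disable\w+$", re.IGNORECASE)
PERSISTENCE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# key=value pairs; values may be double-quoted so paths with spaces survive.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one 'k=v k="v with spaces"' line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def detect_staged_dropper(lines):
    """Return an alert per process that tampered with AV policy AND installed
    persistence BEFORE its first outbound connection. A process that only does
    one of the staging steps (e.g. a legitimate updater adding a Run key and
    then phoning home) is deliberately not flagged."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: int(e["ts"]))
    state = defaultdict(lambda: {"image": None, "tamper": [], "persist": [], "net": []})

    for ev in events:
        st = state[ev["pid"]]
        ts = int(ev["ts"])
        kind = ev.get("type")
        if kind == "process_create":
            st["image"] = ev.get("image")
        elif kind == "registry_set":
            key = ev.get("key", "")
            if DEFENSE_TAMPER.search(key):
                st["tamper"].append(ts)
            elif PERSISTENCE.search(key):
                st["persist"].append(ts)
        elif kind == "network_connect":
            st["net"].append(ts)

    alerts = []
    for pid, st in state.items():
        if not (st["tamper"] and st["persist"] and st["net"]):
            continue
        beacon_ts = min(st["net"])
        # Both staging steps must precede the first connection: stage-one
        # prepares the host, then signals C2 for stage two.
        if min(st["tamper"]) < beacon_ts and min(st["persist"]) < beacon_ts:
            alerts.append({
                "pid": pid,
                "image": st["image"],
                "tamper_ts": st["tamper"],
                "persist_ts": st["persist"],
                "beacon_ts": beacon_ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_dropper(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"tamper@{alert['tamper_ts']} persist@{alert['persist_ts']} "
              f"beacon@{alert['beacon_ts']}")
```

Requiring all three stages in order is what keeps the rule quiet on ordinary software: plenty of legitimate installers add a Run key and then check for updates, but very few first switch off the antivirus. In a production pipeline the same logic would key on process GUIDs rather than bare PIDs, which are reused.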

It also said that the files are being distributed in different ways, from email to phishing websites. The good news is that by the time the researchers published their findings, the C2 server was already down.

Remember folks: download software only from its official source, and treat any file or link that arrives by email with suspicion.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
