Overview
Explore how a cybercriminal's operational security failure led to unprecedented access into their entire operation in this DEF CON 33 conference talk. Learn how threat actors inadvertently exposed their activities by testing their own keylogger and infostealer malware on their personal systems, providing real-time visibility into their cybercrime infrastructure. Discover the methods used to intercept Telegram-based command-and-control communications, which yielded hundreds of screenshots and keylogs from the attackers' desktops, revealing the full scope of their malicious activities. Understand how cybercriminals create and embed Telegram bot tokens within malware to enable covert data exfiltration and remote control capabilities. Master automated analysis techniques using VirusTotal and custom YARA rules to track malware samples that communicate with Telegram's API, extract thousands of bot tokens used for data forwarding, and intercept ongoing communications between threat actors and their infrastructure. Examine how backend infrastructure mapping through desktop screenshots led to uncovering connections to broader phishing and malware campaigns, demonstrating how legitimate platforms like Telegram are systematically abused by malicious actors for cybercrime operations.
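The talk's detection side (tracking samples that call Telegram's API and pulling out the embedded bot tokens) can be shown as a small triage helper plus the equivalent YARA rule. This is an added illustration, not code from the talk or its author; the sample bytes are constructed, and the token layout (numeric bot id, colon, 35-character secret) is Telegram's public bot-token format.

```python
"""Triage helper: find Telegram Bot API usage in a sample's strings (added illustration)."""
import re
from dataclasses import dataclass

# Telegram's public bot-token layout: numeric bot id, a colon, a 35-character secret.
TOKEN_RE = rb"(?P<bot_id>[0-9]{8,10}):(?P<secret>[A-Za-z0-9_-]{35})"
# Hard-coded call as it appears in stealer binaries: api.telegram.org/bot<token>/<method>
API_CALL_RE = re.compile(rb"api\.telegram\.org/bot" + TOKEN_RE + rb"/(?P<method>[A-Za-z]+)")
BARE_TOKEN_RE = re.compile(TOKEN_RE)  # token stored on its own, e.g. in a config blob
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}  # data leaves the victim host
TASKING_METHODS = {"getUpdates"}                               # operator pushes commands

# Same logic as a hunting rule for bulk retro-hunts (e.g. across a VirusTotal corpus).
YARA_RULE = r"""rule telegram_bot_api_in_binary {
    strings:
        $url = "api.telegram.org/bot" ascii wide
        $tok = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide
    condition:
        $url and $tok
}"""

@dataclass(frozen=True)
class BotIndicator:
    bot_id: str
    secret_prefix: str  # first 4 chars only: enough to correlate samples, useless alone
    methods: tuple

def extract_bot_indicators(sample: bytes) -> list[BotIndicator]:
    """Return one indicator per distinct bot token present in the sample bytes."""
    found: dict[tuple[bytes, bytes], set[str]] = {}
    for m in API_CALL_RE.finditer(sample):
        found.setdefault((m["bot_id"], m["secret"]), set()).add(m["method"].decode())
    for m in BARE_TOKEN_RE.finditer(sample):  # tokens with no URL around them
        found.setdefault((m["bot_id"], m["secret"]), set())
    return [BotIndicator(b.decode(), s[:4].decode(), tuple(sorted(ms)))
            for (b, s), ms in found.items()]

def capabilities(ind: BotIndicator) -> list[str]:
    """Translate the API methods seen beside a token into what the sample can do."""
    caps = []
    if EXFIL_METHODS & set(ind.methods):
        caps.append("exfiltration")
    if TASKING_METHODS & set(ind.methods):
        caps.append("tasking")
    return caps or ["unknown"]

# Constructed bytes standing in for strings carved from a stealer binary (not a real sample).
SAMPLE = (b"\x00https://api.telegram.org/bot1234567890:AAExampleConstructedToken0123456789/sendDocument\x00"
          b"https://api.telegram.org/bot1234567890:AAExampleConstructedToken0123456789/getUpdates\x00"
          b"chat_id=-1001234567890\x00")  # a chat id has no colon+secret, so it must not match
```

Running `extract_bot_indicators(SAMPLE)` yields one indicator for bot id 1234567890 with both `getUpdates` and `sendDocument`, which `capabilities` labels as exfiltration plus tasking; the redacted prefix is what you would share or pivot on, not the full token.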
Syllabus
DEF CON 33 - Man in the Malware: Intercepting Adversarial Communications - Ben 'polygonben' Folland
Taught by
DEFCONConference