{"id":56006,"date":"2026-06-23T13:27:33","date_gmt":"2026-06-23T17:27:33","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=56006"},"modified":"2026-06-23T13:27:33","modified_gmt":"2026-06-23T17:27:33","slug":"telegram-no-password-session-stealer","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/telegram-no-password-session-stealer\/56006\/","title":{"rendered":"Your Telegram account can be stolen without a password or verification code"},"content":{"rendered":"

There are dozens of ways to break into someone else\u2019s Telegram account. We\u2019ve frequently covered phishing in Telegram Mini Apps<\/a>, scams with bots, gifts, and giveaways<\/a>, and many other tactics. Today, we\u2019re looking at yet another account hijacking method, one that relies on a PowerShell script.<\/p>\n

The script, deceptively named \u201cWindows Telemetry Update\u201d, actually serves as a tool for hijacking Telegram sessions. It harvests data from completely defenseless<\/a>\u00a0user computers and forwards it to the attackers via a Telegram bot.<\/p>\n

An evil script with a stealer inside<\/h2>\n

Cybercriminals frequently rely on PowerShell scripts to covertly download malware or harvest data. This time, researchers uncovered<\/a> a script on Pastebin masquerading as a routine Windows update. In reality, it was an infostealer designed to hijack Telegram for Windows session data and allow hackers to take over accounts without a password or verification code.<\/p>\n

What\u2019s a PowerShell script anyway? Think of it as a text file packed with commands for a Windows computer. Instead of a human spending time clicking through tasks manually, the computer follows these quick instructions to get everything done automatically in a matter of seconds.<\/p><\/blockquote>\n

\"This<\/a>

This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes<\/p><\/div>\n

Right at the top of the script, researchers immediately spotted a Telegram bot token and a chat ID, alongside multiple references to the tdata<\/em> folder. This specific folder is where Telegram for Windows keeps the authorization keys used to log users in to its servers. If attackers grab this data, they can access the victim\u2019s Telegram account without a password or verification code. Once inside, they maintain access until the victim checks their active sessions in the app and manually terminates the suspicious ones.<\/p>\n

How the stealer works<\/h2>\n

The malware lands on the victim\u2019s computer disguised as a PowerShell script for a Windows telemetry update. As soon as it runs, it gathers basic system information: the username, hostname, and public IP address. It then checks if Telegram Desktop is installed. If it is, the script forces the app to close so it can unlock Telegram files for editing.<\/p>\n

From there, the rest is simple: the script zips up the entire contents of the tdata<\/em> folder into a temporary directory, forwards the archive straight to the attackers, and wipes the file from the computer to erase its tracks.<\/p>\n

The good news is that the stealer likely hasn\u2019t compromised any accounts yet, as experts found no evidence of actual data transfers. It appears researchers caught this malicious PowerShell script while it was still in the prototype testing phase.<\/p>\n

Another giveaway is its surprisingly suspicious name. Cybercriminals typically use neutral names to hide their bots and apps. In this case, when researchers found it, the bot was running under the burner handle afhbhfsdvfh_bot<\/em> with a dead-honest description: Telegram attacker<\/em>. Researchers noted that while the bot had likely undergone functional testing, it hadn\u2019t yet been deployed at scale, which explains the placeholder name.<\/p>\n

How to defend against PowerShell scripts<\/h2>\n

Defending against this nameless stealer requires a layered approach to security. First, it helps to understand how a PowerShell script ends up on your PC in the first place. Usually, they slip in unnoticed through malicious email attachments, software vulnerabilities, infected apps, or social engineering tricks. That\u2019s why we recommend installing a\u00a0robust security suite<\/a> on your device and staying highly cautious about the links you click and the files you download.<\/p>\n