Recently, our incident response (IR) team analyzed a malware sample that used Telegram as its command-and-control (C2) channel. We already had the bot token and chat ID — the keys that would normally unlock the full picture: stolen data, exfiltration paths, and attacker infrastructure.

But the sample was heavily obfuscated, and static analysis wasn’t getting us anywhere. After hours of reverse engineering, we still couldn’t extract the key indicators.

So we changed the approach.

Instead of breaking the obfuscation, we made the malware reveal itself.

That idea became TeleSink — and it immediately extracted the bot token and chat ID on the first request.

How TeleSink Works

TeleSink is built around a simple idea: make malware think it is communicating with real Telegram infrastructure.

It does this by:

  • Generating a fresh TLS certificate for api.telegram.org on every run, trusted only inside the analysis environment
  • Redirecting api.telegram.org → 127.0.0.1 inside the analysis environment
  • Emulating a full Telegram Bot API locally so the malware continues normal execution
  • Capturing bot tokens, chat IDs, and exfiltrated payloads during initial check-in

Instead of fighting obfuscation, TeleSink turns runtime behavior into intelligence.
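A minimal Bot API sinkhole in the same spirit, added here as an illustration (this is not TeleSink's own code): it reads the token straight out of the `/bot<token>/<method>` path, pulls `chat_id` from the JSON or form body or the query string, records the check-in, and answers with Telegram-shaped JSON so the sample keeps executing. It assumes api.telegram.org already resolves to 127.0.0.1 in the VM and that a TLS front end using the generated certificate forwards decrypted traffic to this plain-HTTP listener; the method names are real Bot API methods, the token and chat IDs used for testing are constructed.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Bot API calls look like https://api.telegram.org/bot<token>/<method>: the token sits in the URL itself.
TOKEN_RE = re.compile(r"^/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)$")
CAPTURED = []  # every check-in the sinkhole observed, in order

def parse_request(path, body=b""):
    # Returns token, method, chat_id and all parameters of one request, or {} if it is not a Bot API call.
    route, _, query = path.partition("?")
    m = TOKEN_RE.match(route)
    if not m:
        return {}
    try:
        params = dict(json.loads(body or b"{}"))
    except (ValueError, TypeError):  # not JSON: treat as application/x-www-form-urlencoded
        params = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    params.update({k: v[0] for k, v in parse_qs(query).items()})  # chat_id may also ride in the query
    return {"token": m["token"], "method": m["method"],
            "chat_id": str(params.get("chat_id", "")), "params": params}

def fake_response(method, params):
    # Telegram's {"ok": true, "result": ...} envelope, so the sample keeps running instead of erroring out.
    if method == "getMe":
        result = {"id": 1, "is_bot": True, "first_name": "sink", "username": "sink_bot"}
    else:  # sendMessage, sendDocument, ...: a plausible message object is enough
        result = {"message_id": 1, "date": 0, "chat": {"id": params.get("chat_id", 0), "type": "private"}}
    return {"ok": True, "result": result}

class SinkHandler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        rec = parse_request(self.path, self.rfile.read(length) if length else b"")
        if not rec:
            self.send_error(404)
            return
        CAPTURED.append(rec)
        print(f"[capture] token={rec['token']} method={rec['method']} chat_id={rec['chat_id']}")
        payload = json.dumps(fake_response(rec["method"], rec["params"])).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    do_GET = do_POST = _serve

if __name__ == "__main__":  # assumes api.telegram.org -> 127.0.0.1 in the VM and TLS terminated in front
    HTTPServer(("127.0.0.1", 8080), SinkHandler).serve_forever()
```

Multipart uploads (sendDocument with a file) still yield the token and method from the path; extracting the attached file would need a multipart parser on top of this.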

Why It Matters

Traditional malware analysis often stalls due to encrypted configs, packed payloads, and layered obfuscation.

TeleSink removes that barrier by shifting the problem from:

“How do we decode this?”

to

“How do we make it run safely and talk?”

Threat Intelligence Workflow

Once extracted, TeleSink data can be combined with tools like matkap (0x6rss) to:

  • Dump full Telegram bot message history
  • Correlate exfiltration events
  • Map attacker infrastructure
  • Pivot from a single sample to a complete C2 picture

What normally takes hours of reverse engineering can be reduced to minutes of live interaction capture.

Safety and Usage

TeleSink is designed strictly for:

  • Authorized malware analysis
  • Controlled environments (Flare VM recommended)
  • Security research and incident response

It also includes a benign simulator so analysts can test the full workflow without interacting with real malware.

Summary

TeleSink does not try to out-reverse malware.

It allows malware to expose itself by design.

From a single execution, analysts can move from an unknown binary to full C2 visibility in minutes.

Repository: https://github.com/RedSideSecurity/TeleSink