{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/telegram/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32982"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["information-disclosure","vulnerability","telegram"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.13 are susceptible to an information disclosure vulnerability (CVE-2026-32982). The vulnerability resides within the \u003ccode\u003efetchRemoteMedia\u003c/code\u003e function. When OpenClaw attempts to download media from Telegram and the download fails, the application generates an error message. Critically, the original Telegram file URL, which contains the Telegram bot token, is included in the \u003ccode\u003eMediaFetchError\u003c/code\u003e string. This error message is then logged and potentially displayed on error surfaces, leading to the exposure of sensitive bot tokens. This vulnerability was reported on March 31, 2026, and poses a risk to OpenClaw users who leverage Telegram bots, as compromised tokens could lead to unauthorized access and control of the bots.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenClaw instance running a version prior to 2026.3.13.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request that triggers the \u003ccode\u003efetchRemoteMedia\u003c/code\u003e function to download a non-existent or inaccessible media file from Telegram.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetchRemoteMedia\u003c/code\u003e function attempts to download the media from the provided Telegram URL, which includes the bot token.\u003c/li\u003e\n\u003cli\u003eThe download fails due to the file not being found or being inaccessible.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetchRemoteMedia\u003c/code\u003e function generates a \u003ccode\u003eMediaFetchError\u003c/code\u003e string that includes the original Telegram URL, containing the bot token.\u003c/li\u003e\n\u003cli\u003eThis error message, including the Telegram bot token, is written to application logs or displayed on error surfaces (e.g., web interface).\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the logs or error surfaces and extracts the Telegram bot token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Telegram bot token to perform unauthorized actions via the Telegram bot, potentially leading to data theft, service disruption, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32982 can lead to the exposure of Telegram bot tokens used by OpenClaw. Compromised bot tokens allow attackers to control the associated Telegram bots, potentially leading to unauthorized data access, message manipulation, or other malicious activities. The severity of the impact depends on the permissions and capabilities of the compromised bot. While the specific number of affected OpenClaw instances is unknown, any organization using OpenClaw with Telegram bot integration is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.13 or later to remediate CVE-2026-32982.\u003c/li\u003e\n\u003cli\u003eReview existing OpenClaw logs for any instances of \u003ccode\u003eMediaFetchError\u003c/code\u003e strings containing Telegram bot tokens.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls on OpenClaw logs to prevent unauthorized access to sensitive information.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Telegram Bot Token Leak in Logs\u003c/code\u003e to identify potential token exposure in log files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T12:16:29Z","date_published":"2026-03-31T12:16:29Z","id":"/briefs/2026-03-openclaw-token-leak/","summary":"OpenClaw before version 2026.3.13 exposes Telegram bot tokens in error messages due to the fetchRemoteMedia function embedding these tokens in MediaFetchError strings when media downloads fail.","title":"OpenClaw Information Disclosure via Telegram Bot Token Exposure","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-token-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["telegram","command-and-control","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram\u0026rsquo;s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.\u003c/li\u003e\n\u003cli\u003eThe malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker sends commands to the bot, which are relayed to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malware executes the received commands, potentially including data exfiltration or further malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates sensitive data to the attacker via the Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system via the Telegram bot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. A successful attack can lead to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telegram DNS Queries\u003c/code\u003e to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eapi.telegram.org\u003c/code\u003e at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.\u003c/li\u003e\n\u003cli\u003eUpdate Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-telegram-dns-query/","summary":"Detection of a process making DNS queries to the Telegram API domain, which is indicative of malware utilizing Telegram bots for command and control (C2) communications.","title":"Suspicious DNS Queries to Telegram API by Non-Telegram Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-03-telegram-dns-query/"}],"language":"en","title":"CraftedSignal Threat Feed — Telegram","version":"https://jsonfeed.org/version/1.1"}