Infection Kill Chain | Image: K7 Labs
Cybersecurity researchers have uncovered a deceptive campaign that uses a typosquatted website to impersonate the official Telegram download portal. The site, found at the misleading domain telegrgam[.]com, has been actively distributing a malicious installer that bypasses traditional security measures by loading its payload directly into system memory.
While the website visually mirrors the legitimate Telegram page to fool unsuspecting users, the software it delivers is anything but helpful.
The attack begins when a user, searching for the messaging app, lands on the fake portal and downloads a file named tsetup-x64.6.exe. This file is a carefully crafted malicious installer designed to look and feel like a regular setup executable.

Once executed, the installer initiates a sophisticated deployment process:
- Process Discovery: The malware scans running processes for specific indicators, likely checking for security software or previous infections.
- Windows Defender Bypass: As a defense-evasion step, the malware executes an obfuscated command to add every drive partition on the system to the Windows Defender exclusion list. “This significantly reduces the likelihood of detection and allows the malware to operate without antivirus scanning.”
- Registry Persistence: An infection marker is created in the Windows Registry (HKCU\MicrosoftUser\Source), which helps the malware avoid redundant infections.
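The Defender-exclusion step above is one of the most detectable parts of this chain, because adding a whole drive root to the exclusion list is almost never legitimate. The following is an added detection example, not code from the original report or from K7 Labs: it scans constructed PowerShell script-block style log lines (not real telemetry), decodes any `-EncodedCommand` argument, and grades `Add-MpPreference`/`Set-MpPreference` exclusion commands as high severity when they target a drive root or pipe drive enumeration into the exclusion call. The log format, the regexes and the severity labels are assumptions for illustration.

```python
import base64
import re

# Constructed sample log lines (script-block style); not real telemetry.
ENCODED = base64.b64encode(
    "Get-PSDrive -PSProvider FileSystem | ForEach-Object "
    "{ Add-MpPreference -ExclusionPath $_.Root }".encode("utf-16le")
).decode()

SAMPLE_LOGS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED,        # enumerates every drive
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\"',              # literal drive root
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Program Files\\ExampleApp\\cache"',
    "powershell.exe Get-Process | Select-Object Name",                   # benign
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Add-MpPreference / Set-MpPreference ... -ExclusionPath <quoted or bare value>
EXCL_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b[^\n]*?-ExclusionPath\s+(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)
# A bare drive root such as C: or C:\
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
# Drive/volume enumeration feeding the exclusion call
ENUM_RE = re.compile(r"Get-PSDrive|Get-Volume|Win32_LogicalDisk", re.IGNORECASE)


def decode_encoded_command(line: str) -> str:
    """Replace an -EncodedCommand blob with its decoded UTF-16LE text; otherwise return the line unchanged."""
    m = ENC_RE.search(line)
    if not m:
        return line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return line


def triage(line: str):
    """Return (severity, decoded_line, exclusion_paths); severity is None when no exclusion is added."""
    decoded = decode_encoded_command(line)
    paths = [p.strip("\"'") for p in EXCL_RE.findall(decoded)]
    if not paths:
        return None, decoded, []
    if any(DRIVE_ROOT_RE.match(p) for p in paths) or ENUM_RE.search(decoded):
        return "high", decoded, paths     # whole-drive exclusion: treat as defense evasion
    return "medium", decoded, paths       # narrower exclusion: review, but often legitimate


def scan(lines):
    """Run triage over every line; return [(index, severity, paths)] for lines that add exclusions."""
    hits = []
    for i, line in enumerate(lines):
        sev, _, paths = triage(line)
        if sev:
            hits.append((i, sev, paths))
    return hits


if __name__ == "__main__":
    for i, sev, paths in scan(SAMPLE_LOGS):
        print(f"line {i}: {sev.upper()} exclusion -> {paths}")
```

In production the same logic would run over Event ID 4104 (PowerShell script block) or Sysmon process-creation events; the decoding step matters because the report notes the command was obfuscated, and a rule that only matches plaintext `Add-MpPreference` misses the encoded form.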
To remain as invisible as possible, the malware avoids writing its final malicious payload to the disk. Instead, it uses a technique known as manual PE loading or reflective loading. The installer drops a DLL named AutoRecoverDat.dll along with several XML files. The DLL reads encoded binary data from these XML files and reconstructs a Portable Executable (PE) payload at runtime.
“Instead of writing the payload to disk, it is loaded into memory using legitimate Windows utilities, helping the malware evade traditional file-based detection.”
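Because the final payload only exists on disk as encoded fragments inside XML files, an analyst triaging an infected host has to reassemble it before it can be hashed or submitted for scanning. The following is an added analysis example, not code from the original report or from K7 Labs, and the report does not state which encoding the malware uses: the example assumes base64 text inside XML elements, split across several files and reassembled in document order. The sample XML, the `Data` element name and the minimal PE-shaped blob are all constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct
import xml.etree.ElementTree as ET

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with e_lfanew=0x40, then the 'PE\\0\\0' signature.
    It is not a real executable; it only exercises the header checks below."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew points just past the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20  # 88 bytes total


_PE = build_fake_pe()
# Two constructed XML "config" files carrying the payload in two chunks plus decoy values.
SAMPLE_XML_FILES = [
    "<Settings>\n"
    "  <Option name=\"theme\">dark</Option>\n"
    f"  <Data id=\"1\">{base64.b64encode(_PE[:40]).decode()}</Data>\n"
    "  <Note>SGVsbG8=</Note>\n"
    "</Settings>",
    "<Settings>\n"
    f"  <Data id=\"2\">{base64.b64encode(_PE[40:]).decode()}</Data>\n"
    "</Settings>",
]


def decode_b64_elements(xml_text: str):
    """Return [(tag, decoded_bytes)] for every element whose text is valid base64 of useful length."""
    out = []
    for el in ET.fromstring(xml_text).iter():
        text = (el.text or "").strip()
        if len(text) < 8 or not B64_RE.fullmatch(text):
            continue
        try:
            out.append((el.tag, base64.b64decode(text, validate=True)))
        except (binascii.Error, ValueError):
            continue
    return out


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_payloads(xml_texts):
    """Reassemble decoded chunks per element tag, across files in the given order,
    and return [(tag, size, sha256)] for every reassembled blob that is PE-shaped."""
    groups = {}
    for xml_text in xml_texts:
        for tag, data in decode_b64_elements(xml_text):
            groups.setdefault(tag, bytearray()).extend(data)
    return [(tag, len(blob), sha256_hex(bytes(blob)))
            for tag, blob in groups.items() if looks_like_pe(bytes(blob))]


if __name__ == "__main__":
    for tag, size, digest in carve_payloads(SAMPLE_XML_FILES):
        print(f"<{tag}> chunks reassemble to a {size}-byte PE, sha256={digest}")
```

The recovered hash is what you would pivot on in the rest of the estate, since the loader never writes the decoded PE to disk and file-based hunting for it would otherwise come up empty; on a real sample the decoding step is the part to adapt once the actual encoding has been confirmed in the DLL.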
Once the in-memory payload is active, the malware establishes a TCP connection to its command-and-control (C2) server, associated with the domain jiijua[.]com.
Through this persistent link, the attackers can:
- Execute Remote Commands: Take direct control of the infected machine.
- Exfiltrate Data: Steal sensitive information from the system.
- Update Payloads: Network traffic analysis confirmed a “Payload Update Mechanism” where the malware downloads updated components from the server to adapt to new environments.
To stay safe, users are urged to double-check URLs before downloading software and to rely on official app stores or verified direct links.