Compromising Threat Actor Communications
2025-10-23, Europe

This talk exposes how a simple OPSEC mistake—a threat actor testing malware on his own production system—can unravel an entire cybercrime operation. By intercepting Telegram-based C2 communications, we’ll uncover the inner workings of infostealers, reveal infrastructure details, and discuss how these real-world insights can reshape threat intelligence and defensive strategies.


In this talk, I will dive deep into a case study where a threat actor's critical OPSEC mistake—testing his own keylogging and infostealing malware on his production hacking machine—opened an unprecedented window into a live cybercrime operation.

I will detail how intercepting Telegram-based C2 communications allowed me to obtain over 100 screenshots and logs that reveal not only the mechanics of the malware but also the underlying infrastructure and tactics of the threat actor. The presentation will cover the entire lifecycle of the malware’s communication strategy, from the initial setup using Telegram BotFather and the subsequent embedding of bot tokens in malware, to the automated analysis leveraging VirusTotal and custom YARA rules to hunt down samples communicating with Telegram’s API.

I will explain how, through this process, I was able to extract and analyse bot tokens to forward stolen communications, map the associated backend infrastructure and link various elements of the operation to broader phishing and malware campaigns run by the actor. The session will highlight both the technical aspects of exploiting trusted communication platforms like Telegram and the implications for threat intelligence, offering insights into how such vulnerabilities can be turned against adversaries to disrupt their operations and enhance proactive defence measures.
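The two steps the abstract describes, hunting samples that talk to Telegram's API and then pulling the embedded bot token out of them, come down to a small amount of string work. The Python below is an added illustration, not code from the talk or from Huntress: it carves bot tokens and chat ids out of a binary blob (covering the UTF-16LE strings that .NET stealers carry as well as plain ASCII), counts references to the API host, and builds the `getMe`/`getUpdates` URLs an analyst holding the token would use. The sample blob, the token `123456789:AAFakeTokenForTestingOnly0123456789`, the chat ids and the YARA rule text are all constructed for this example.

```python
"""Carve Telegram bot C2 indicators out of a malware sample, fully offline."""
import re
from dataclasses import dataclass

# A bot token is "<numeric bot id>:<35-char secret>". Malware normally embeds it inside
# "https://api.telegram.org/bot<token>/<method>", so the id is preceded by "bot" rather
# than a word boundary; we only insist that the digit run and the secret are complete.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(rb"chat_id[=\"':\s]+(-?\d{6,15})")
API_HOST = b"api.telegram.org"

# Hunting rule in the spirit of the talk's VirusTotal/YARA sweep (constructed here, not
# the speaker's rule): flag binaries carrying both the API host and a token-shaped string.
TELEGRAM_C2_YARA = r"""
rule telegram_bot_c2_indicators
{
    strings:
        $host  = "api.telegram.org" ascii wide
        $token = /[0-9]{8,10}:[A-Za-z0-9_-]{35}/ ascii wide
    condition:
        $host and $token
}
"""


@dataclass(frozen=True)
class TelegramIndicators:
    tokens: tuple[str, ...]
    chat_ids: tuple[str, ...]
    api_host_hits: int


def _views(blob: bytes):
    """Yield the raw bytes plus both UTF-16LE alignments re-encoded as ASCII.

    .NET stealers store string literals as UTF-16LE, so an ASCII-only regex misses them.
    Decoding at offsets 0 and 1 covers either alignment; pairs of plain ASCII bytes decode
    to non-ASCII code points and are dropped by the ASCII re-encode, so they add no noise.
    """
    yield blob
    for offset in (0, 1):
        yield blob[offset:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def extract_telegram_indicators(blob: bytes) -> TelegramIndicators:
    tokens: dict[str, None] = {}   # dict keeps first-seen order and de-duplicates
    chat_ids: dict[str, None] = {}
    hits = 0
    for view in _views(blob):
        hits += view.count(API_HOST)
        for m in TOKEN_RE.finditer(view):
            tokens[m.group(0).decode()] = None
        for m in CHAT_ID_RE.finditer(view):
            chat_ids[m.group(1).decode()] = None
    return TelegramIndicators(tuple(tokens), tuple(chat_ids), hits)


def api_url(token: str, method: str) -> str:
    """Endpoint the malware (or an analyst holding its token) calls for a Bot API method."""
    return f"https://api.telegram.org/bot{token}/{method}"


# Constructed stand-in for a stealer binary: an ASCII URL with a fake token and chat id,
# followed by a UTF-16LE copy of the kind a .NET sample would carry. The token is not real.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"https://api.telegram.org/bot123456789:AAFakeTokenForTestingOnly0123456789/sendDocument\n"
    + b"chat_id=987654321\n"
    + ("https://api.telegram.org/bot123456789:AAFakeTokenForTestingOnly0123456789"
       "/sendMessage?chat_id=-1001234567890").encode("utf-16-le")
)

if __name__ == "__main__":
    found = extract_telegram_indicators(SAMPLE_BLOB)
    for tok in found.tokens:
        print("token:", tok)
        print("  confirm it is live:   ", api_url(tok, "getMe"))
        print("  read queued updates:  ", api_url(tok, "getUpdates"))
    print("chat ids:", found.chat_ids)
    print("api host hits across views:", found.api_host_hits)
```

`getMe` tells you whether a carved token is still valid without touching any chat; `getUpdates` returns queued messages only if the bot has no webhook registered, otherwise the API answers with a 409 conflict. Both calls interact with the actor's bot through Telegram's servers, so they belong inside whatever legal remit your organisation has for engaging adversary infrastructure.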

This detailed exploration not only exposes the inner workings of a low-tier cybercriminal operation but also provides actionable lessons on the importance of robust operational security in defending against malware campaigns.

Ben is a massive cyber-nerd, with a passion for creative defence-evasion techniques, reverse-engineering malware and fighting adversaries! He works at Huntress as a Security Operations Analyst. In his spare time you'll find him dissecting malware captured in his honeypots, pwning boxes and recording his solutions for his YouTube, or enjoying a pint in the pub.