In this talk, I will dive deep into a case study where a threat actor's critical OPSEC mistake—testing his own keylogging and infostealing malware on his production hacking machine—opened an unprecedented window into a live cybercrime operation.

I will detail how intercepting Telegram-based C2 communications allowed me to obtain over 100 screenshots and logs that reveal not only the mechanics of the malware but also the underlying infrastructure and tactics of the threat actor. The presentation will cover the entire lifecycle of the malware’s communication strategy, from the initial setup using Telegram BotFather and the subsequent embedding of bot tokens in malware, to the automated analysis leveraging VirusTotal and custom YARA rules to hunt down samples communicating with Telegram’s API.

I will explain how, through this process, I was able to extract and analyse bot tokens to forward stolen communications, map the associated backend infrastructure and link various elements of the operation to broader phishing and malware campaigns ran by the actor. The session will highlight both the technical aspects of exploiting trusted communication platforms like Telegram and the implications for threat intelligence, offering insights into how such vulnerabilities can be turned against adversaries to disrupt their operations and enhance proactive defence measures.

This detailed exploration not only exposes the inner workings of a low-tier cybercriminal operation but also provides actionable lessons on the importance of robust operational security in defending against malware campaigns.