SOCRadar® Cyber Intelligence Inc. | Zaraza Bot: New Malware Uses Telegram for Command & Control


Apr 18, 2023
3 Mins Read

Zaraza Bot: New Malware Uses Telegram for Command & Control

The Zaraza bot is a new type of malware that steals login information and uses Telegram as its command and control. This malware targets a wide range of web browsers explicitly and is being distributed on a popular Russian Telegram channel for hackers.

Researchers found that the Zaraza bot is a 64-bit binary file created using C#. It targets up to 38 web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. Additionally, it can capture screenshots of the active window.

Cybercriminals offer the Zaraza bot as a subscription-based commercial tool. The attackers’ distribution method is unknown, but they typically employ various methods, including malvertising and social engineering.

After infiltrating the system, the malware collects login information from high-value targets such as online banking, cryptocurrency wallets, email accounts, and other important websites. 

Attackers can use this stolen data to carry out malicious activities like financial fraud, identity theft, and gaining unauthorized access to personal and business accounts.

GuLoader Campaign and the Recent Increase in Malware Distribution Activities

Researchers revealed a GuLoader (CloudEyE) phishing email campaign targeting the financial sector around the same time the Zaraza bot was found. In this campaign, attackers used tax-themed lures to deliver information stealers and remote access trojans (RATs) to recipients.

The discovery of the Zaraza bot and GuLoader coincides with the increased use of techniques such as malvertising and search engine poisoning to spread malware. These techniques involve tricking users into downloading fake installers containing stealer payloads.


rule Uptycs_Zarazabot_v1
        malware_name = "Zarazabot"
        description = "Zarazabot is a credential stealer that is capable of stealing login credentials from web browsers."
        author = "Uptycs Inc"
        version = "1"

        $string_1 = "Ya Passman Data" ascii wide
        $string_2 = "GoogleChromeUser Data" ascii wide
        $string_3 = "MicrosoftEdgeUser Data" ascii wide
        $string_4 = "BraveSoftwareBrave-BrowserUser Data" ascii wide
        $string_5 = "encrypted_key" ascii wide
        $string_6 = "FromBase64String" ascii wide
        $string_7 = "" ascii wide
        $string_8 = "DownloadString" ascii wide
        $string_9 = "CopyFromScreen" ascii wide
        $string_10 = "output.txt" ascii wide
        $string_11 = "Passwords.txt" ascii wide
        $string_12 = "Screen.jpg" ascii wide

        all of them

Indicators of Compromise (IoC)

Bot Binary Hashes:

  • MD5: 41d5fda21cf991734793df190ff078ba
  • SHA-1: b50a8e2a7998e17286d2e18d1cf3f7e4e84482c6
  • SHA-256: 2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125


  • https[:]//t[.]me/zarazaA_bot 
  • 149.154.167[.]220 

Staying Up to Date on Emerging Trends with SOCRadar

SOCRadar is a monitoring service that keeps track of threat actors and malware. It provides essential information to help you protect your organization from potential threats. The Threat Actor/Malware tab is updated regularly with the latest information on threat activities and indicators of compromise.

SOCRadar’s Threat Feed/IOC service provides customizable collections of emerging trends to keep you informed and up to date!