Cado Security Labs has uncovered a sophisticated Python-based Remote Access Tool (RAT) named Triton RAT, which leverages Telegram as its command-and-control (C2) infrastructure.
This open-source malware, hosted on GitHub, allows attackers to remotely access and control infected systems, posing significant risks to users’ privacy and security.
Technical Overview
The Triton RAT begins its operation by retrieving a Telegram Bot token and chat ID from Pastebin, which are encoded in Base64.
These credentials enable the malware to communicate with its operators via Telegram, where it exfiltrates stolen data and receives commands.
The RAT boasts an extensive feature set, including:
- Keylogging
- Password theft from browsers
- Roblox security cookie extraction
- Screen and webcam recording
- Clipboard data theft
- File upload/download capabilities
- Shell command execution
- System information gathering
One of its standout features is the ability to search for Roblox security cookies (.ROBLOSECURITY) across multiple browsers, including Chrome, Firefox, Edge, and Brave.
According to the report, these cookies store user session data, allowing attackers to bypass two-factor authentication (2FA) and gain unauthorized access to Roblox accounts.
The stolen cookies and other sensitive data are sent directly to the attacker’s Telegram bot.
Advanced Persistence Mechanisms
The malware employs several persistence techniques to maintain access to infected systems.
It generates VBScript (updateagent.vbs) and BAT script (check.bat) files, executed via PowerShell.
The VBScript disables Windows Defender, creates backups, schedules tasks for persistence, and monitors specific processes.
Meanwhile, the BAT script downloads a compiled binary named ProtonDrive.exe from Dropbox, stores it in a hidden directory (C:\Users\user\AppData\Local\Programs\Proton\Drive), and executes it with administrative privileges.
To evade detection, Triton RAT includes anti-analysis mechanisms that check for blacklisted processes such as debugging tools (e.g., xdbg, OllyDbg) and antivirus software.
Additionally, the malware uses a file resizer to increase its size beyond thresholds typically scanned by some antivirus solutions.
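A defensive example added here, not from the Cado report or the Triton RAT repository: a small Python detector that scans constructed Sysmon-style process-creation records for the persistence artifacts described above (updateagent.vbs, check.bat, and ProtonDrive.exe running from the user-profile Proton\Drive directory). The record field names, the sample events and the rule names are assumptions; the username in the path is wildcarded because the report's C:\Users\user\... reflects one sample host.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
# The last record is benign and exercises the negative path.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "cmdline": r'powershell -w hidden -c "wscript.exe C:\Users\alice\AppData\Local\Temp\updateagent.vbs"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\check.bat"},
    {"image": r"C:\Users\alice\AppData\Local\Programs\Proton\Drive\ProtonDrive.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Proton\Drive\ProtonDrive.exe"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Script names the report attributes to the dropper, matched case-insensitively.
DROPPER_SCRIPTS = re.compile(r"\\(updateagent\.vbs|check\.bat)\b", re.IGNORECASE)
# The hidden drop directory from the report, with the username wildcarded.
HIDDEN_DROP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\programs\\proton\\drive\\protondrive\.exe$",
    re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

RULES = [
    ("triton_dropper_script", lambda e: bool(DROPPER_SCRIPTS.search(e["cmdline"]))),
    ("triton_payload_path", lambda e: bool(HIDDEN_DROP_DIR.match(e["image"]))),
    # PowerShell launching a script host is the execution chain the report describes; on its
    # own it is noisy in most fleets, so it is only reported alongside another rule.
    ("powershell_to_script_host", lambda e: _basename(e["parent"]) == "powershell.exe"
                                        and _basename(e["image"]) in SCRIPT_HOSTS),
]

def scan(events):
    """Return [(event_index, [matched rule names])] for events where at least one
    artifact rule fired; the corroborating chain rule is listed only alongside one."""
    hits = []
    for i, e in enumerate(events):
        matched = [name for name, pred in RULES if pred(e)]
        if any(n != "powershell_to_script_host" for n in matched):
            hits.append((i, matched))
    return hits

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```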
Exploitation Through Telegram
All stolen data is transmitted to the attacker’s Telegram bot, which also serves as a platform for issuing commands to the compromised machine.
At the time of analysis, the associated Telegram channel had over 4,500 messages, though it remains unclear if this reflects the total number of infections.
The discovery of Triton RAT highlights the growing trend of leveraging legitimate platforms like Telegram for malicious purposes due to their accessibility and encryption features.
With its ability to bypass security measures like 2FA and its robust anti-detection mechanisms, this malware poses a severe threat to individual users and organizations alike.
Security teams are advised to monitor for indicators of compromise (IOCs), such as ProtonDrive.exe, and implement robust defenses against such threats.