Beyond Cryptojacking: Why Telegram tdata Theft Is Emerging as a Serious Credential and Session Risk
A recent SANS Internet Storm Center honeypot diary highlighted a threat pattern that deserves more attention than it is currently getting. The intrusion began in a familiar way, through weak SSH credentials, but the post-compromise activity quickly moved beyond opportunistic abuse. The attacker performed reconnaissance, searched for Telegram Desktop artifacts, and specifically targeted the tdata directory, indicating an interest in session theft rather than simple resource hijacking alone.
That distinction matters. Cryptojacking is noisy, measurable, and often operationally disruptive, but session theft is strategically more dangerous. If an attacker can steal valid application session material, they may be able to bypass normal login friction and move directly into account access, impersonation, follow-on fraud, or lateral abuse of trusted communications. In the SANS case, the commands observed on the compromised system showed a progression from initial access to system discovery and then to credential- or session-oriented collection activity.
Why Telegram tdata Matters
On Telegram Desktop, the tdata folder stores locally relevant session information that helps maintain authenticated access. According to Imperva’s threat research, attackers who obtain this folder may not need to defeat passwords or even two-factor authentication in the conventional sense. Instead, they can replicate the victim’s active session by placing the stolen tdata contents onto another system running Telegram Desktop, effectively inheriting the logged-in state. Imperva’s analysis of malicious PyPI packages described exactly this pattern: locating the Telegram Desktop data path, compressing the contents, and exfiltrating the archive to attacker-controlled infrastructure.
This is not a theoretical edge case. CYFIRMA documented a .NET-based infostealer, PupkinStealer, that explicitly copies Telegram’s tdata folder for exfiltration alongside browser credentials, desktop files, and screenshots. Their analysis notes that the stolen Telegram session files can enable potential account access without requiring the victim’s credentials directly. That moves Telegram from being just another installed application to being a high-value session target on the endpoint.
The Bigger Pattern: Telegram as an Attack Operations Layer
The SANS honeypot incident is important not just because of the local artifact theft, but because it reflects a wider operational pattern. Telegram continues to appear in threat workflows as an exfiltration channel, operator coordination layer, bot-based delivery mechanism, and session abuse target. SonicWall’s research showed phishing campaigns that captured credentials from victims and posted them to Telegram bots using the Telegram API. Their reporting also observed repeated bot usage across campaigns, indicating that Telegram-based collection is not isolated to one actor or one lure family.
Additional reporting reinforces the same direction of travel. Varonis recently described an infostealer that collects documents, screenshots, system data, and session material from applications including Telegram, Signal, and Discord. That matters because it shows how attackers are increasingly prioritizing reusable access artifacts and authenticated application state, not just usernames and passwords. In other words, modern collection logic is becoming identity-centric and session-centric at the same time.
Why This Changes the Defensive Conversation
Many security teams still frame post-compromise collection through a relatively traditional lens: browser passwords, cookies, SSH keys, local secrets, and maybe wallet data. That model is now incomplete. Session-bearing application folders deserve to be treated as privileged targets. A messaging platform with persistent authenticated state can become a pivot point for impersonation, social engineering, intelligence gathering, and trust abuse across business or personal communications. The SANS case is valuable because it shows that even a low-friction initial access path can quickly escalate into higher-value identity abuse if the endpoint contains useful session material.
From a blue-team perspective, that means the detection surface must widen. Monitoring should not stop at miner deployment, suspicious CPU usage, or commodity malware indicators. Teams should also look for access to Telegram Desktop storage paths, unusual archive creation around user profile directories, suspicious outbound transfers following local compression activity, and environments where Telegram API traffic has no legitimate business purpose. This is an inference drawn from the attack mechanics described by SANS, Imperva, CYFIRMA, and SonicWall, all of which point to the operational value of both tdata theft and Telegram-based exfiltration.
Practical Defensive Priorities
The first control is still the least glamorous one: reduce avoidable initial access. The SANS incident began with weak SSH credentials, which means basic hardening, credential policy enforcement, MFA where possible, and exposure reduction still carry outsized defensive value.
The second priority is endpoint visibility. Security teams should treat local session stores for high-value applications as sensitive data, not routine application clutter. File access monitoring, archive-creation telemetry, and suspicious process behavior around Telegram Desktop paths can materially improve detection coverage. This recommendation is grounded in the fact pattern documented by Imperva and CYFIRMA, where malicious tooling deliberately located, copied, compressed, and exfiltrated Telegram session material.
The third priority is network and egress control. If Telegram or Telegram Bot API traffic has no business justification in a given environment, restricting or alerting on such traffic can meaningfully reduce attacker freedom of action. SonicWall’s analysis showed direct use of Telegram bots for credential collection, making the platform not just a communications app but a practical exfiltration endpoint in real-world phishing operations.
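The widened detection surface described above (commands touching the Telegram Desktop storage path, archive creation around it, bulk outbound transfers shortly after compression, and Bot API traffic where none is expected) can be expressed as a small correlation rule. The script below is an added example written for this article, not code from the SANS diary or from the Imperva, CYFIRMA or SonicWall reports. All events are constructed sample telemetry, and the command regexes, the 1 MiB bulk threshold and the 15-minute window are assumptions a real deployment would tune to its own auditd, EDR and proxy data.

```python
"""Correlate host command telemetry with egress events for tdata-theft tradecraft.

Added illustration, not code from the SANS, Imperva, CYFIRMA or SonicWall
reports. Every event below is constructed sample data; the regexes,
threshold and window are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    user: str
    cmdline: str   # full command line as an auditd/EDR sensor would log it


@dataclass(frozen=True)
class NetEvent:
    ts: int
    host: str
    dest: str      # destination hostname from proxy/DNS logs, or a raw IP
    bytes_out: int


# The Telegram Desktop session folder is literally named "tdata"; a production
# rule would anchor on the known install paths rather than the bare name.
TDATA_RE = re.compile(r"(?i)\btdata\b")
DISCOVERY_RE = re.compile(r"^\s*(?:find|locate|ls|dir|tree)\b")
ARCHIVE_RE = re.compile(r"^\s*(?:tar|zip|7z|rar|gzip|xz|zstd)\b")
TELEGRAM_API_HOST = "api.telegram.org"   # Bot API endpoint seen in the phishing cases

STAGE_ORDER = ["tdata_discovery", "tdata_archive",
               "telegram_api_egress", "bulk_egress_after_archive"]
BULK_BYTES = 1 * 1024 * 1024   # assumption: >= 1 MiB out within the window is "bulk"
WINDOW_S = 900                 # assumption: 15 minutes after the compression command


def correlate(host_events, net_events, bulk_bytes=BULK_BYTES, window_s=WINDOW_S):
    """Return {host: {"stages": [...], "severity": str}} for every host with a hit."""
    archive_ts = defaultdict(list)   # host -> timestamps of archive commands on tdata
    stages = defaultdict(set)        # host -> set of stage names observed

    for e in host_events:
        if not TDATA_RE.search(e.cmdline):
            continue   # only commands that reference the session folder matter here
        if DISCOVERY_RE.match(e.cmdline):
            stages[e.host].add("tdata_discovery")
        elif ARCHIVE_RE.match(e.cmdline):
            stages[e.host].add("tdata_archive")
            archive_ts[e.host].append(e.ts)

    for n in net_events:
        if n.dest.lower() == TELEGRAM_API_HOST:
            stages[n.host].add("telegram_api_egress")
        if n.bytes_out >= bulk_bytes and any(
                0 <= n.ts - t <= window_s for t in archive_ts[n.host]):
            stages[n.host].add("bulk_egress_after_archive")

    report = {}
    for host, seen in stages.items():
        ordered = [s for s in STAGE_ORDER if s in seen]
        egress = seen & {"telegram_api_egress", "bulk_egress_after_archive"}
        if "tdata_archive" in seen and egress:
            severity = "high"     # session material packaged and something left the host
        elif seen & {"tdata_archive", "tdata_discovery"}:
            severity = "medium"   # interest in the session folder, no egress seen yet
        else:
            severity = "low"      # Bot API traffic alone: review against business need
        report[host] = {"stages": ordered, "severity": severity}
    return report


# Constructed sample telemetry: srv-01 mirrors the honeypot progression, wks-07 is
# an ordinary workstation that archives documents and talks to the Bot API.
HOST_EVENTS = [
    HostEvent(1000, "srv-01", "svc", "uname -a"),
    HostEvent(1005, "srv-01", "svc", "find / -name tdata -type d 2>/dev/null"),
    HostEvent(1040, "srv-01", "svc",
              "tar -czf /tmp/.s.tgz /home/svc/.local/share/TelegramDesktop/tdata"),
    HostEvent(2000, "wks-07", "alice", "ls -la /home/alice/Documents"),
    HostEvent(2010, "wks-07", "alice", "tar -czf backup.tgz /home/alice/Documents"),
]
NET_EVENTS = [
    NetEvent(1100, "srv-01", "203.0.113.10", 5 * 1024 * 1024),  # TEST-NET address
    NetEvent(1130, "srv-01", "api.telegram.org", 12_000),
    NetEvent(2100, "wks-07", "api.telegram.org", 800),
]

if __name__ == "__main__":
    for host, finding in correlate(HOST_EVENTS, NET_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["stages"]))
```

The rule deliberately separates the two signals the article lists: the host side only fires on commands that name the session folder, so routine backups of other directories stay quiet, while the network side raises Bot API contact on its own at low severity so that environments with no legitimate Telegram use can still review it. Only the combination of packaging tdata and subsequent egress reaches high severity.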