Warnings
Keep in mind that your Telegram account might get banned while using this tool. For completely safe usage, you can use the website instead:
https://matkap.cti.monster
In this blog post, I would like to introduce my tool “Matkap”. Nowadays, many malicious programs and phishing websites use Telegram bots as command and control (C2) centers to manage logs gathered from victims. The bot token and chat ID are embedded in their source code (even if obfuscated). Matkap was developed to capture and analyze these bot details.
Before using Matkap, let’s review how some malicious campaigns use Telegram bots to collect victim information:
- New Variant Snake Keylogger
  Source: https://dailyinfosec.net/snake-keyloggers-autoit-trick-bypassing-av/
- Xworm
  Source: https://www.vmray.com/analyses/_vt/df07b378a833/report/overview.html
- X (formerly Twitter) phishing campaign
  Source: https://www.youtube.com/watch?v=CFjATtMAm8A
These examples demonstrate how commonly Telegram bots are used in such attacks.
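The embedded bot token and chat ID described above can be triaged statically. The following is an added example, not Matkap's own code: it pulls token and chat ID candidates out of a sample's text, including values hidden behind up to two layers of base64. The token pattern (numeric bot ID, colon, 35-character secret), the function names and the sample input are assumptions of this example.

```python
import base64
import binascii
import re

# Assumed token shape: <8-10 digit bot id>:<35 chars of A-Z a-z 0-9 _ ->.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id as seen in query strings, JSON bodies or variable assignments.
CHAT_RE = re.compile(r"chat_?id[\"']?\s*[=:]\s*[\"']?(-?\d{5,15})", re.IGNORECASE)
# Base64 runs long enough to hold an encoded token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _decoded_layers(text, depth=2):
    """Yield text itself plus base64-decoded views of it, up to `depth` layers."""
    yield text
    if depth == 0:
        return
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            inner = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        yield from _decoded_layers(inner, depth - 1)

def extract_telegram_iocs(text):
    """Return sorted, de-duplicated bot token and chat ID candidates."""
    tokens, chat_ids = set(), set()
    for layer in _decoded_layers(text):
        tokens.update(TOKEN_RE.findall(layer))
        chat_ids.update(CHAT_RE.findall(layer))
    return {"bot_tokens": sorted(tokens), "chat_ids": sorted(chat_ids)}

# Constructed sample: none of these values belong to a real bot or chat.
FAKE_A = "1234567890:" + "A" * 35
FAKE_B = "987654321:" + "b" * 35
URL_A = f"https://api.telegram.org/bot{FAKE_A}/sendMessage?chat_id=-1001234567890"
SAMPLE = (
    'var cfg = "' + base64.b64encode(URL_A.encode()).decode() + '";\n'
    'TOKEN = "' + FAKE_B + '"\n'
    'chat_id = "5550001111"\n'
)

if __name__ == "__main__":
    print(extract_telegram_iocs(SAMPLE))
```

Matches are candidates only: other encodings (XOR, string splitting, custom alphabets) need their own decoding step before the same patterns apply.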
Features
FOFA and URLScan Integration: Search for leaked bot tokens or chat IDs on websites.
Export Logs: Export hunt logs.
Installation
Requirements
- Python 3.7+ must be installed.
- Obtain Telegram API credentials by creating a new application at my.telegram.org/apps (i.e. api_id, api_hash, phone_number).
- (Optional) FOFA and URLScan accounts:
  - For FOFA: FOFA_EMAIL and FOFA_KEY
  - For URLScan: URLSCAN_API_KEY
Adding Telegram API Credentials (.env File)
- Go to my.telegram.org/apps and log in using your phone number.
- Create a new application and note down the api_id, api_hash, and phone_number.
- Create a .env file in your project folder and add your credentials as shown below:
TELEGRAM_API_ID=123456
TELEGRAM_API_HASH=example_api_hash
TELEGRAM_PHONE=+900000000000
# (Optional) FOFA & URLScan credentials:
FOFA_EMAIL=<your FOFA account email>
FOFA_KEY=example_fofa_key
URLSCAN_API_KEY=example_urlscan_key
Installation Steps:
# Clone the repository
>> git clone https://github.com/0x6rss/matkap.git
# Enter the project folder
>> cd matkap
# Create your .env file with the required credentials
# Install dependencies
>> pip install -r requirements.txt
# Start Matkap
>> python matkap.py
Usage Video
Watch the video below to see a basic demonstration of Matkap:
Matkap GitHub Link
Access the source code and detailed information at: https://github.com/0x6rss/matkap
Defending Against Real Attacks Using Matkap
Watch the video below to see an analysis example performed using Matkap:
Disclaimer (Legal and Ethical Use)
Matkap is intended solely for educational and research purposes. This tool is designed to help cybersecurity professionals analyze Telegram bot interactions and identify potential security risks.
- Do not use this tool for illegal activities or unauthorized access.
- You assume full responsibility for any actions performed using this tool. The developers and contributors are not liable for misuse, damage, or legal consequences.
- Ensure compliance with Telegram's API Terms of Service and all applicable local laws.
- If you do not agree to these terms, do not use the tool.