
Clipboard Pictures Exfiltration in Python Infostealer, (Wed, Oct 15th)

Severity: Medium
Tags: Malware, Python
Published: Wed Oct 15 2025 (10/15/2025, 05:41:49 UTC)
Source: SANS ISC Handlers Diary

Description

A Python-based infostealer malware has been identified that specifically targets clipboard content, including images, to exfiltrate sensitive data. The malware leverages the ImageGrab library to capture clipboard images, converts them to PNG format, and sends them via Telegram bot API to a command-and-control server. This clipboard exfiltration extends beyond text data, posing a risk especially when clipboard sharing is enabled between virtual machines and hosts. The malware can operate stealthily in sandbox environments by accessing the host clipboard without restrictions. Although the malware currently has a low detection rate and no known exploits in the wild, its ability to capture and exfiltrate binary clipboard data, such as screenshots or copied images, represents a medium-severity threat. European organizations using virtualized environments or sharing clipboard data across systems are particularly at risk. Mitigation requires disabling clipboard sharing in virtual environments, monitoring unusual Telegram API traffic, and implementing endpoint detection for clipboard access anomalies.

AI-Powered Analysis

Last updated: 10/15/2025, 05:50:18 UTC

Technical Analysis

This threat involves a Python-based infostealer malware that focuses on exfiltrating clipboard content, including images, from infected systems. Clipboard monitoring by malware is not new, but this variant extends its capabilities to capture binary data such as screenshots or images copied to the clipboard, which are commonly used for documentation and reporting. The malware uses the grabclipboard() function of Pillow's ImageGrab module to detect whether the clipboard contains an image. If so, it converts the image to PNG format, computes an MD5 hash to avoid duplicate exfiltration, and saves the image locally. The image is then sent to a remote attacker-controlled Telegram bot via the Telegram Bot API, using a POST request to upload the image file. The presence of Vietnamese language strings in the code suggests possible origin or targeting. The malware can access clipboard data even when running inside sandboxed virtual machines if clipboard sharing is enabled, increasing the attack surface. The malware file has a low detection rate on VirusTotal, indicating it may evade many antivirus solutions. No known active exploits have been reported yet, but the technique poses a significant risk due to the sensitive nature of clipboard data, which may include passwords, confidential screenshots, or cryptocurrency wallet information. The malware's reliance on Telegram for command and control communications also provides a covert channel that can be difficult to detect without network monitoring.

Potential Impact

For European organizations, this malware poses a risk of sensitive data leakage through clipboard exfiltration, including confidential images, screenshots, or sensitive textual data copied to the clipboard. Organizations using virtual machines with clipboard sharing enabled are particularly vulnerable, as malware running in guest environments can access host clipboard data. This can lead to exposure of intellectual property, internal communications, credentials, or financial information such as cryptocurrency wallet details. The use of Telegram as a C2 channel complicates detection and response, as Telegram traffic is often encrypted and may blend with legitimate communications. The medium severity rating reflects the potential for confidentiality breaches without immediate system disruption, but the stealthy nature and low detection rate increase the risk of prolonged undetected data exfiltration. European sectors with high reliance on virtualized environments, such as financial services, government agencies, and technology companies, may face increased risk. Additionally, organizations with remote or hybrid work setups that use clipboard sharing between host and virtual machines or remote desktops are more exposed.

Mitigation Recommendations

1. Disable clipboard sharing between virtual machines and host systems unless absolutely necessary, especially in environments handling sensitive data.
2. Implement endpoint detection and response (EDR) solutions capable of monitoring clipboard access and unusual file creation or network activity related to image files.
3. Monitor network traffic for unusual or unauthorized use of Telegram Bot API endpoints, particularly POST requests uploading documents or images.
4. Employ application whitelisting and restrict execution of unauthorized Python scripts or unknown binaries.
5. Educate users about the risks of copying sensitive data to the clipboard and encourage minimizing clipboard use for confidential information.
6. Regularly update antivirus and anti-malware solutions and consider behavioral detection tools that can identify suspicious clipboard monitoring or exfiltration activities.
7. Conduct threat hunting exercises focusing on clipboard data exfiltration indicators and review sandbox configurations to limit clipboard access.
8. Use network segmentation to isolate critical systems and limit outbound traffic to only approved destinations, potentially blocking Telegram API endpoints if not required.
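Mitigation step 3 above (monitoring for Telegram Bot API uploads) is the kind of check that is easy to run over existing proxy logs. The following script is an added example written for this page; it is not code from the SANS ISC diary, from the malware, or from any product. It assumes a simple space-separated proxy log format (timestamp, source IP, HTTP verb, URL, status, bytes sent) that is constructed here for illustration, and it relies on two things that are true of the real Telegram Bot API: request paths have the form /bot<bot_id>:<secret>/<method>, and file uploads go to methods such as sendDocument and sendPhoto. The findings keep only a redacted hint of the bot token, since the full token is a credential that should not end up in alert text.

```python
"""Flag proxy log entries that look like Telegram Bot API file uploads.

Added example for this page (not the diary's or the malware's code). The
log format, the addresses and the bot token below are all constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

TELEGRAM_HOST = "api.telegram.org"
# Real Telegram Bot API methods that carry a file. A bot polling for
# operator commands would hit getUpdates instead, which is not an upload.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Bot API request paths have the form /bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Constructed proxy log sample: ts src verb url status bytes_out (not real traffic)
SAMPLE_LOG = """\
2025-10-15T05:41:49Z 10.0.0.15 GET https://www.example.org/index.html 200 512
2025-10-15T05:42:03Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxxxxxxxxxx/sendDocument 200 48213
2025-10-15T05:42:10Z 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxxxxxxxxxx/getUpdates 200 120
2025-10-15T05:43:00Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAEXAMPLETOKENxxxxxxxxxxxxxxxxxxxx/sendPhoto 200 51377
2025-10-15T05:44:00Z 10.0.0.31 POST https://uploads.example.org/api/v1/files 201 9001
"""


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    bytes_out: int
    bot_hint: str  # bot id plus a few characters of the secret, never the full token


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate alerts without exposing it."""
    return f"{bot_id}:{secret[:4]}..."


def find_telegram_uploads(log_text: str) -> list[Finding]:
    """Return one Finding per POST to a Telegram Bot API upload method."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the sweep
        ts, src, verb, url, _status, bytes_out = parts
        if verb != "POST":
            continue
        parsed = urlsplit(url)
        if parsed.hostname != TELEGRAM_HOST:
            continue
        m = BOT_PATH_RE.match(parsed.path)
        if not m or m["method"] not in UPLOAD_METHODS:
            continue
        findings.append(
            Finding(ts, src, m["method"], int(bytes_out),
                    redact_token(m["bot_id"], m["secret"]))
        )
    return findings


def bytes_uploaded_by_source(findings: list[Finding]) -> dict[str, int]:
    """Aggregate upload volume per internal host to spot repeat exfiltration."""
    totals: dict[str, int] = {}
    for f in findings:
        totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    hits = find_telegram_uploads(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.method} ({f.bytes_out} bytes, bot {f.bot_hint})")
    print(bytes_uploaded_by_source(hits))
```

On the constructed sample the sweep flags the two uploads from 10.0.0.15 and ignores the getUpdates poll and the unrelated upload host. Because the match is on the Bot API path rather than on the hostname alone, legitimate Telegram chat traffic from a desktop client does not trip it; a real deployment would add an allow-list for any sanctioned bots and feed the per-host totals into an alert threshold.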


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32372 (fetched 2025-10-15T05:50:02.957Z, 455 words)

Threat ID: 68ef360ab5560353b8e37a79

Added to database: 10/15/2025, 5:50:02 AM

Last enriched: 10/15/2025, 5:50:18 AM

Last updated: 10/15/2025, 2:16:26 PM

Views: 4
