The threat involves a malicious PowerShell script disguised as a Windows telemetry update that targets Telegram for Windows users. It harvests the tdata folder, which contains session authorization keys, enabling attackers to hijack Telegram accounts without needing passwords or verification codes. The script collects system information, closes Telegram to access locked files, compresses the tdata folder, and sends it to attackers via a Telegram bot. Researchers found this script on Pastebin during its prototype testing phase, with no confirmed active exploitation. The attack vector relies on social engineering or malware delivery to run the PowerShell script on victim machines. Mitigation includes user vigilance, terminating suspicious Telegram sessions, and strengthening account security settings.

If successfully executed, the script allows attackers to gain unauthorized access to Telegram accounts by stealing session data, bypassing password and two-factor authentication protections. This can lead to account hijacking, enabling attackers to impersonate users, send spam or scams, and access private communications. However, there is currently no evidence of this script being used in the wild beyond testing, limiting immediate impact.

No official patch is applicable as this is a malware script rather than a software vulnerability. Users should avoid running unknown PowerShell scripts and be cautious with email attachments and downloads from untrusted sources. Regularly monitor Telegram active sessions and immediately terminate any unrecognized sessions via Settings → Devices → Terminate all other sessions. Enable Telegram's two-step verification or passkeys for enhanced account security. Keep operating systems and applications updated and use reputable security software to detect and block malicious scripts. Kaspersky Premium is recommended for additional protection against such threats.