Malicious PyPI Packages Give Hackers Control of Telegram Bot Servers

What happened

A malware campaign active since November 2025 has been targeting Python developers who build Telegram bots.

Researchers at Checkmarx dubbed the campaign Operation Navy Ghost. The attackers published at least eight malicious packages on the Python Package Index, all posing as forks of Pyrogram, a Python framework used to create Telegram bots and userbots.

The malicious packages include VLifeGram, VLife-Gram, pyrogram-navy, pyrogram-styled, pyrogram-zeeb, kelragram, sepgram, and pyrogram-kelra.

The packages include the original Pyrogram source code, which helps them appear functional and legitimate. However, the attackers added a hidden backdoor file named secret.py inside the helpers module.

When an infected Telegram bot launches or imports Pyrogram, the backdoor registers hidden Telegram command handlers. These handlers allow the attacker to send commands to the victim’s bot and execute Python code or shell commands on the server running the bot.

The attacker can use one hidden command to execute Python code with access to the live Telegram client, session, chats, contacts, and environment variables. Another hidden command can run shell commands on the victim’s server and return the command output through Telegram messages.

If the command output is too large to send as a normal Telegram message, the malware sends it back as a document attachment.

The backdoor includes a hardcoded list of Telegram owner IDs that gives the attackers exclusive control. That same list also helps deactivate the backdoor when the malware runs on the attacker’s own systems.

The malware is designed to operate silently. It suppresses errors, disables logging, and activates only on Telegram bot accounts, which are more likely to run in production environments.

Once active, the attacker can read files on the server, dump secrets, access the victim’s Telegram chats, download databases, and install additional persistent backdoors.

Checkmarx said the packages were published from different PyPI accounts, but the shared owner list, identical backdoor code, matching command names, and overlapping infrastructure point to a single threat actor.

Who is affected

Python developers who installed the malicious PyPI packages are directly affected.

The campaign specifically targets developers building Telegram bots with Pyrogram forks. Telegram bot servers are especially exposed because they often run in production environments and may have access to databases, credentials, cloud APIs, secrets, chats, contacts, and infrastructure.

Organizations may also be affected if internal automation, customer support, notification workflows, or business processes rely on Telegram bots built with one of the malicious packages.

Affected users should remove the packages, rotate credentials on impacted servers, and revoke Telegram bot tokens.

Why CISOs should care

This campaign shows how attackers can abuse open-source package ecosystems to compromise production automation servers. The malicious packages were not obvious standalone malware. They were functional forks of a legitimate project with a hidden backdoor added into helper code.

For CISOs, the Telegram bot angle is important because bots often act as automation bridges. They may have access to internal systems, databases, customer conversations, environment variables, API keys, cloud services, and operational alerts.

The backdoor also turns Telegram itself into a command channel. Attackers can issue Python and shell commands through hidden bot handlers and receive results through Telegram messages or document attachments, making activity harder to notice if teams are not monitoring bot behavior closely.

The case also reinforces a broader supply chain lesson: abandoned or unmaintained open-source projects can become attractive targets for malicious forks. Pyrogram remains popular even though the original project is no longer maintained, creating an opening for attackers to publish lookalike alternatives.

3 practical actions

  1. Remove the malicious packages and revoke bot tokens: Developers should immediately remove VLifeGram, VLife-Gram, pyrogram-navy, pyrogram-styled, pyrogram-zeeb, kelragram, sepgram, and pyrogram-kelra from affected environments. Telegram bot tokens should be revoked and regenerated.
  2. Rotate credentials stored on affected servers: The backdoor can read arbitrary files, environment variables, chats, contacts, and databases. Security teams should rotate cloud keys, database passwords, API tokens, SSH keys, package registry credentials, and any secrets exposed to the compromised bot process.
  3. Audit Telegram bot servers for hidden command handlers: The malware registers hidden Telegram commands that execute Python and shell commands. Defenders should review bot code, dependencies, runtime logs, outbound Telegram activity, unusual document attachments, and shell execution from bot processes.
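The first and third actions above can be partly automated. The script below is an added example written for this summary; it is not code from the article, from Checkmarx, or from Pyrogram. It does two things: it compares installed distribution names (normalized the way PyPI normalizes them) against the eight package names listed in the article, and it walks a package tree looking for the two indicators the article describes, a `secret.py` module inside a `helpers` directory and handler code that can execute Python (`exec`/`eval`) or shell commands (`subprocess`, `os.system`). The package tree it scans is a constructed toy layout created in a temporary directory, and the function and file names are assumptions of this example, not names from the real packages.

```python
"""Audit helper (added example, not from the original article or the
Checkmarx research).  Flags the Operation Navy Ghost package names and
the backdoor layout the article describes.  The sample tree it builds is
constructed for demonstration and contains no real malicious code."""

import ast
import re
import tempfile
import importlib.metadata
from pathlib import Path

# Package names listed in the article, stored in PEP 503 normalized form.
MALICIOUS_PACKAGES = {
    "vlifegram", "vlife-gram", "pyrogram-navy", "pyrogram-styled",
    "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra",
}

# Bare calls that execute arbitrary Python, and module.attr calls that
# execute shell commands.  Any of these inside bot handler code is worth a look.
EXEC_CALLS = {"exec", "eval"}
SHELL_CALLS = {
    ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "check_output"), ("subprocess", "call"),
    ("os", "system"), ("os", "popen"),
}


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_installed_malicious(dist_names=None):
    """Return the installed distribution names that match the known-bad list.

    `dist_names` lets a caller pass an explicit list (used in the demo and
    tests); by default the current environment is inspected."""
    if dist_names is None:
        dist_names = [
            d.metadata.get("Name") for d in importlib.metadata.distributions()
        ]
    return {n for n in dist_names if n and normalize(n) in MALICIOUS_PACKAGES}


def _call_target(node):
    """Resolve a Call node to (module, name) or (None, name) for bare calls."""
    func = node.func
    if isinstance(func, ast.Name):
        return (None, func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return (None, None)


def scan_source(path):
    """Return findings for one Python file: exec/eval and shell-execution calls."""
    findings = []
    try:
        tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
    except (SyntaxError, UnicodeDecodeError) as exc:
        return [f"{path}: could not parse ({type(exc).__name__})"]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        mod, name = _call_target(node)
        if mod is None and name in EXEC_CALLS:
            findings.append(f"{path}:{node.lineno}: dynamic code execution via {name}()")
        elif (mod, name) in SHELL_CALLS:
            findings.append(f"{path}:{node.lineno}: shell execution via {mod}.{name}()")
    return findings


def audit_package_tree(root):
    """Walk a package directory and report both indicators from the article."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        # Indicator 1: an unexpected secret.py module inside a helpers package.
        if path.name == "secret.py" and path.parent.name == "helpers":
            findings.append(f"{path}: unexpected helpers/secret.py module")
        # Indicator 2: code in the tree that can run Python or shell commands.
        findings.extend(scan_source(path))
    return findings


def build_sample_tree(base):
    """Construct a toy package tree with the layout the article describes.
    This is a constructed sample for the scanner, not the real backdoor."""
    pkg = Path(base) / "pyrogram_sample"           # assumed package name
    (pkg / "helpers").mkdir(parents=True)
    (pkg / "helpers" / "__init__.py").write_text("# benign helper module\n")
    (pkg / "helpers" / "secret.py").write_text(
        "import subprocess\n"
        "def handler(cmd):\n"
        "    return subprocess.run(cmd)\n"
    )
    (pkg / "client.py").write_text("def start():\n    return 'ok'\n")
    return pkg


def run_demo():
    """Build the sample tree, audit it, and check a constructed name list."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_package_tree(build_sample_tree(tmp))
    installed = find_installed_malicious(["requests", "VLifeGram", "Pyrogram-Zeeb"])
    return {"findings": findings, "installed": sorted(installed)}


if __name__ == "__main__":
    result = run_demo()
    for line in result["findings"]:
        print("FINDING:", line)
    print("known-bad packages installed:", result["installed"])
```

To audit a real environment, call `find_installed_malicious()` with no arguments and point `audit_package_tree()` at the `pyrogram` directory under `site-packages`. The AST scan will also flag legitimate uses of `subprocess` or `eval`, so treat each finding as a lead to review rather than a verdict; the combination of a `helpers/secret.py` module and shell execution in the same tree is the pattern the article describes.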

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.