Telegram tdata Credential Harvesting: Risks and Mitigation Strategies
- [01] Threat actors are harvesting Telegram tdata folders to bypass multi-factor authentication and hijack active desktop sessions.
- [02] Impacted systems include any Windows, macOS, or Linux installations running the Telegram Desktop application.
- [03] Defenders should implement endpoint monitoring to detect unauthorized access or compression of the Telegram tdata directory.
A recent shift in adversary behavior suggests that threat actors are moving away from resource-intensive activities like cryptojacking in favor of high-value credential theft. Specifically, researchers have observed attackers targeting the tdata directory used by Telegram Desktop. This directory is the application's local store for the session authorization key, user settings, and cache. An attacker who exfiltrates it can copy the user's already-authorized session onto another machine, with no password, SMS code, or multi-factor step required.
Anatomy of the tdata Vector
Telegram Desktop stores session-related information in a folder named tdata. By default it lives under the user's application data directory (%APPDATA%\Telegram Desktop\tdata on Windows, ~/Library/Application Support/Telegram Desktop/tdata on macOS, ~/.local/share/TelegramDesktop/tdata on Linux); a portable Windows install keeps it next to Telegram.exe instead. Within this folder, the key_datas file, the D877F783D5D3EF8C directory and the map files inside it, and several other subdirectories hold the encrypted local state. According to SANS Internet Storm Center, a honeypot incident showed that once an attacker gains initial access to a system, they prioritize the discovery and exfiltration of this specific directory.
The danger of this TTP lies in how Telegram manages sessions. Because the tdata folder contains an already-authorized session, the attacker never performs a new login. The victim therefore receives no new-login notification or SMS code, and the cloud password (Telegram's two-step verification) offers no protection, because it is checked only when a new device logs in, not when an existing session is reused from a mirrored local state. For an APT or a financially motivated actor this is often more effective than traditional phishing, since it provides persistent, silent access to communications and contacts.
Detecting Telegram tdata credential harvesting
Detecting the theft of session data requires a focus on file system activity and process monitoring. Defenders should configure their EDR or SIEM to alert when any process other than Telegram.exe reads files within the tdata directory, after allowlisting agents (backup, antivirus) that legitimately touch it. Attackers commonly archive the folder with built-in or readily available utilities such as tar.exe, PowerShell (Compress-Archive), or 7z.exe before exfiltration, so archiving activity against the %APPDATA%\Telegram Desktop\ path is a high-fidelity indicator. Path-based rules should also cover the portable-install location, where tdata sits next to Telegram.exe.
In the honeypot incident SANS ISC analyzed, the attacker executed a script that located the Telegram installation path and immediately compressed the tdata folder for transfer to a C2 server. This is why hunting for tdata collection belongs in routine endpoint threat hunting. If an unauthorized process creates a ZIP or RAR archive containing entries such as key_datas, maps, or D877F783D5D3EF8C, it should trigger an immediate response from the SOC.
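As an added example (not code from the SANS write-up or from this page's author), the following Python expresses the detection logic described above as a rule over constructed Sysmon-style process-creation events and over a constructed ZIP archive. The event records, paths, archive contents, and the allowlist are assumptions made for illustration; in production the same logic would run inside the EDR or SIEM, and the allowlist would be tuned to the backup and AV agents that legitimately read the folder.

```python
"""Detection logic for Telegram tdata harvesting (illustrative, constructed data)."""
import re
import zipfile
from io import BytesIO
from pathlib import PureWindowsPath

# Any reference to the Telegram Desktop session store in a command line.
TDATA_REF_RE = re.compile(r"Telegram Desktop|\btdata\b|key_datas|D877F783D5D3EF8C", re.I)
# Full file/directory names inside tdata that mark it as a session store.
TDATA_ARTIFACT_RE = re.compile(r"^(key_datas|maps?\d*|D877F783D5D3EF8C\w*)$", re.I)

# Archivers the article lists (plus the rar family); PowerShell only counts when it compresses.
ARCHIVER_IMAGES = {"tar.exe", "7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
PS_COMPRESS_RE = re.compile(r"Compress-Archive|System\.IO\.Compression", re.I)
# Assumed allowlist: Telegram itself on Windows and on macOS/Linux. Tune for backup/AV agents.
ALLOWED_IMAGES = {"telegram.exe", "telegram"}


def image_name(path: str) -> str:
    """Basename of an Image path, lower-cased (PureWindowsPath accepts both slash styles)."""
    return PureWindowsPath(path).name.lower()


def is_archiving(image: str, cmd: str) -> bool:
    """True when the process is one of the archivers, or PowerShell invoking compression."""
    if image in ARCHIVER_IMAGES:
        return True
    return image in POWERSHELL_IMAGES and bool(PS_COMPRESS_RE.search(cmd))


def classify_process_event(event: dict) -> list[str]:
    """Labels for one Sysmon EID 1-style event carrying 'Image' and 'CommandLine'."""
    image = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if not TDATA_REF_RE.search(cmd) or image in ALLOWED_IMAGES:
        return []
    labels = ["tdata_access_by_non_telegram_process"]
    if is_archiving(image, cmd):
        labels.append("tdata_archiving")  # staging for exfiltration: page the SOC
    return labels


def scan_events(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and labels of every event that fires at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        labels = classify_process_event(ev)
        if labels:
            hits.append((i, labels))
    return hits


def suspicious_archive_members(data: bytes) -> list[str]:
    """Member names of a ZIP whose path contains a tdata artefact name."""
    hits = []
    with zipfile.ZipFile(BytesIO(data)) as zf:
        for name in zf.namelist():
            if any(TDATA_ARTIFACT_RE.match(p) for p in re.split(r"[\\/]", name) if p):
                hits.append(name)
    return hits


# Constructed sample events (not real telemetry). Index 0 is benign, 1-3 mirror the
# discover-then-compress sequence the honeypot script performed, 4 is unrelated noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe" -workdir "C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir /s /b "C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata"'},
    # Note the -C trick: the parent path and the folder name are separate arguments,
    # so a rule that only matches the literal "Telegram Desktop\tdata" would miss it.
    {"Image": r"C:\Windows\System32\tar.exe",
     "CommandLine": r'tar.exe -a -cf C:\Users\Public\tg.zip -C "C:\Users\alice\AppData\Roaming\Telegram Desktop" tdata'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden Compress-Archive -Path "$env:APPDATA\Telegram Desktop\tdata" -DestinationPath C:\Users\Public\u.zip'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-Date"},
]


def build_sample_archive() -> bytes:
    """Constructed ZIP resembling a staged tdata folder plus an unrelated file."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("tdata/key_datas", "tdata/D877F783D5D3EF8C/maps",
                     "tdata/D877F783D5D3EF8Cs", "tdata/settingss", "notes.txt"):
            zf.writestr(name, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for idx, labels in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], labels)
    print(suspicious_archive_members(build_sample_archive()))
```

The command-line rule is deliberately broad (any mention of the folder, its parent, or its well-known file names) because the tar example shows how easily a narrow path literal is sidestepped; the archive check then confirms what was actually staged. Sysmon does not log file reads, so the "any process other than Telegram reads tdata" rule needs EDR file-access telemetry rather than Event ID 1.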
Mitigation and Defense-in-Depth
To improve your security posture, organizations should first decide where Telegram Desktop may be installed and run. If it is not a business-approved tool, block it via application control policies. Where it is required, AppLocker or Windows Defender Application Control (WDAC) can stop unapproved scripts and unsigned archiving binaries (a dropped 7z.exe, for instance) from executing at all. Note that these policies govern what runs, not which folders a running program may read, so built-in tools such as tar.exe and PowerShell still need the file-access and archiving monitoring described above.
Protecting the tdata folder itself requires a layered approach. Telegram Desktop always encrypts tdata on disk, but without a local passcode the encryption key is derived from an empty passcode, so a stolen copy is immediately usable. Enabling a local passcode within Telegram Desktop (Settings > Privacy and Security) means the stolen files cannot be opened without it; the passcode can still be attacked offline, so it should be long. The application does not currently offer a native "lock to hardware" feature for these files. If theft is suspected, remember that the attacker's copy is the same authorization as the victim's: terminating that session from another logged-in device (Settings > Devices) revokes the attacker's access as well. Finally, map the activity to the MITRE ATT&CK framework: T1555 (Credentials from Password Stores) and T1539 (Steal Web Session Cookie) for the token theft, plus T1560.001 (Archive Collected Data: Archive via Utility) for the compression step, to ensure coverage across the whole attack lifecycle.