A fake Telegram download site is actively spreading malware by disguising a malicious installer as a legitimate setup file. The site, hosted at the domain telegrgam[.]com, is only one letter off from the real Telegram address.
It looks like an official site and prompts visitors to download a Windows installer called tsetup-x64.6.exe. The file looks like a normal Telegram setup, which makes it especially effective against people who don't look closely at the URL in their browser. What sets this threat apart is the technical layering built into the malware itself.
Instead of a single malicious executable, the threat uses a multi-stage loader that quietly works through several steps: changing Windows Defender settings, dropping staged payload components, and loading the final payload directly into memory rather than writing it to disk. It then connects back to its C2 server, which can push new payload updates at any time, making the threat adaptable and long-lived.
Users should only obtain software from trusted, official sources and always double-check the URL before downloading any file. Keeping endpoint security tools up to date and watching network traffic for unusual outbound connections are also effective ways to spot this kind of threat before it does damage.
IoCs:

Type                     Value                               Detection
MD5 (tsetup-x64.6.exe)   A9A5CC6B6766FEC51B281B94F5F17CCD    Trojan(005cea261)
MD5 (Loaded Payload)     62F8EFFC7690455ABCB300E3574F0A93    Trojan(005d198a1)
C2 IP                    27[.]50[.]59[.]77:18852
C2 Domain                jiijua[.]com
Fake Domain 1            www.telegrgam[.]com
Fake Domain 2            www.telefgram[.]com
Fake Domain 3            www.tejlegram[.]com
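As an added example (not code from the article or from ZeroOwl), a small Python detector that applies the advice above to constructed proxy-log lines: it matches the fake domains and the C2 endpoint from the IoC table and, going beyond the listed fakes, flags any host whose second-level label is within edit distance 2 of "telegram", so unlisted typosquats are caught as well. The log format, the client addresses and the telegran.org host are constructed for the example.

```python
from urllib.parse import urlsplit
BRAND = "telegram"  # second-level label the fake domains imitate
# Indicators copied from the article's IoC table (de-fanged there with [.]).
KNOWN_BAD_HOSTS = {"telegrgam.com", "telefgram.com", "tejlegram.com", "jiijua.com"}
KNOWN_C2 = {"27.50.59.77:18852"}

# Constructed proxy log lines: time, client, method, URL or host:port, status.
LOG = """\
10:01:02 10.0.0.5 GET http://www.telegrgam.com/tsetup-x64.6.exe 200
10:01:09 10.0.0.5 GET https://desktop.telegram.org/ 200
10:02:11 10.0.0.5 CONNECT 27.50.59.77:18852 -
10:03:40 10.0.0.7 GET https://www.tejlegram.com/ 200
10:05:12 10.0.0.9 GET https://telegran.org/dl 200
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str, max_dist: int = 2):
    """Return why a host is suspicious, or None if it looks fine."""
    h = host.lower().rstrip(".")
    h = h[4:] if h.startswith("www.") else h          # www. is not a signal
    if h in KNOWN_BAD_HOSTS:
        return "known-bad host"
    parts = h.split(".")
    sld = parts[-2] if len(parts) >= 2 else parts[0]  # label left of the TLD
    dist = levenshtein(sld, BRAND)
    if 0 < dist <= max_dist:                          # near miss; 0 is the real brand
        return f"lookalike of {BRAND} (edit distance {dist})"
    return None

def scan(log_text: str):
    """Return one (client, host, reason) tuple per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        _, src, method, target = line.split()[:4]
        if method == "CONNECT":                       # host:port, no scheme
            host = target.rpartition(":")[0]
        else:
            host = urlsplit(target).hostname or ""
        reason = "known C2" if target in KNOWN_C2 else classify_host(host)
        if reason:
            alerts.append((src, host, reason))
    return alerts
```

Running scan(LOG) yields four alerts: two known-bad hosts, the C2 endpoint, and telegran.org flagged purely by edit distance.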