New Python-Based RAT Disguised as Minecraft App Steals Sensitive User Data

Threat researchers at Netskope have recently identified a new and sophisticated Remote Access Trojan (RAT) crafted in Python, cleverly disguised as “Nursultan Client,” a legitimate application favored by Minecraft enthusiasts in Eastern European and Russian gaming circles. This malware utilizes the Telegram Bot API as its command-and-control (C2) channel, allowing cybercriminals to exfiltrate stolen data while maintaining persistent access to compromised systems. This finding highlights a concerning trend where cybercriminals increasingly target the gaming community through malicious modifications, cheats, and counterfeit tools.

The Python RAT was first detected during proactive threat hunting efforts, appearing as a 68.5 MB executable compiled with PyInstaller. While PyInstaller is often employed for legitimate software development, it is not uncommon for malware authors to exploit it to bundle malicious Python scripts along with their dependencies into standalone files.

Upon execution, the malware deploys deceptive tactics, presenting a counterfeit installation progress bar that bears the “Nursultan Client” name. This ruse is designed to mislead unsuspecting users into believing they are installing legitimate software. Although certain persistence and credential-stealing mechanisms are tailored for Windows, the core C2 communications and surveillance functionalities of the malware are operational across Windows, Linux, and macOS platforms, significantly broadening its potential victim pool. The use of the Nursultan Client name in both the fake installation prompts and persistence registry keys illustrates a calculated social engineering strategy aimed specifically at deceiving the gaming community.

Telegram as an Invisible C2 Highway

The operational framework of this malware hinges entirely on Telegram’s Bot API for executing commands and exfiltrating data. Security researchers have uncovered hardcoded Telegram credentials—including a bot token and authorized user IDs—embedded within the executable. This tactic allows threat actors to obscure their malicious communications within a privacy-centric messaging platform, complicating detection efforts for security teams. Only authorized attackers can issue commands to infected machines, creating a controlled environment for executing targeted operations. The persistence code, by contrast, is written for a raw Python script and builds the wrong startup command for the compiled executable.

The malware boasts a range of dangerous capabilities that can be accessed through straightforward text commands. For instance, the “/tokens” command specifically targets Discord authentication tokens by scanning local storage files of the Discord client and examining major web browsers such as Chrome, Edge, Firefox, Opera, and Brave. Stolen Discord tokens can be weaponized to hijack user accounts, posing a significant risk to gaming communities. Additionally, the “/info” command conducts thorough system reconnaissance, gathering data on computer names, usernames, operating system versions, processor details, memory and disk usage, as well as both local and external IP addresses. Notably, system profiles are formatted in Russian and include the malware author’s signature “by fifetka.” Beyond credential theft, the RAT also offers surveillance capabilities through “/screenshot” and “/camera” commands, enabling attackers to capture desktop screenshots and webcam images sent directly through the Telegram channel. Furthermore, adware functionalities allow attackers to open arbitrary URLs in victims’ browsers or display pop-up messages and images, potentially facilitating phishing attacks or the dissemination of malicious advertisements.

Indicators of Lower-Tier Threat Operations

The lack of advanced anti-analysis techniques, custom code obfuscation, and the hardcoded “ALLOWED_USERS” licensing structure suggest that this operation is more aligned with a Malware-as-a-Service model aimed at lower-tier threat actors rather than an advanced persistent threat group. Despite its array of features, analysis indicates that the malware author lacks sophisticated tradecraft. The flawed persistence mechanisms are likely to fail due to incorrect Python path construction and reliance on temporary PyInstaller directories. To mitigate risks associated with this emerging threat, organizations are advised to implement deep visibility into encrypted traffic, monitor for suspicious Telegram API communications, and educate users on verifying software authenticity prior to installation.
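As an added example (not from Netskope’s report or the malware itself), the script below shows one way to act on the advice to monitor for suspicious Telegram API communications: it reads constructed web-proxy log lines, groups Bot API calls per internal host, redacts the bot token so reports never carry a usable secret, and flags hosts that both poll `getUpdates` and upload via `send*` methods from a scripted user agent. The log format, IP addresses and token value are all assumed/constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical format: time, client, user-agent, verb, URL).
SAMPLE_PROXY_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.12 "python-requests/2.31" GET https://api.telegram.org/bot1234567890:AAFakeTokenForTheExampleOnly0000000/getUpdates?offset=1
2024-05-01T10:00:05Z 10.0.0.12 "python-requests/2.31" POST https://api.telegram.org/bot1234567890:AAFakeTokenForTheExampleOnly0000000/sendDocument
2024-05-01T10:01:00Z 10.0.0.44 "Mozilla/5.0 Chrome/124" GET https://web.telegram.org/a/
2024-05-01T10:02:00Z 10.0.0.44 "Mozilla/5.0 Chrome/124" GET https://example.org/index.html
2024-05-01T10:03:00Z 10.0.0.12 "python-requests/2.31" POST https://api.telegram.org/bot1234567890:AAFakeTokenForTheExampleOnly0000000/sendPhoto
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')
# Bot API URL shape (assumed): https://api.telegram.org/bot<numeric id>:<35-char secret>/<method>
BOT_API_RE = re.compile(r'^https://api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)')
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}
SCRIPTED_UA_RE = re.compile(r"python-requests|python-urllib|aiohttp|curl", re.I)

def redact(bot_id, secret):
    """Keep the bot id and the first 4 secret characters only, so the report cannot leak a working token."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"

def find_bot_api_c2(log_text):
    """Group Bot API calls per client and flag clients that both poll (getUpdates) and upload (send*)."""
    per_client = defaultdict(lambda: {"methods": set(), "tokens": set(), "scripted_ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, ua, _verb, url = m.groups()
        api = BOT_API_RE.match(url)
        if not api:
            continue  # ordinary Telegram web/desktop traffic does not use the Bot API path
        bot_id, secret, method = api.groups()
        rec = per_client[client]
        rec["methods"].add(method)
        rec["tokens"].add(redact(bot_id, secret))
        rec["scripted_ua"] |= bool(SCRIPTED_UA_RE.search(ua))
    findings = []
    for client, rec in per_client.items():
        polls = "getUpdates" in rec["methods"]
        uploads = bool(rec["methods"] & UPLOAD_METHODS)
        findings.append({"client": client, "methods": sorted(rec["methods"]),
                         "tokens": sorted(rec["tokens"]), "scripted_ua": rec["scripted_ua"],
                         "c2_like": polls and uploads})
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_c2(SAMPLE_PROXY_LOGS):
        print(finding)
```

A real deployment would read TLS-inspected proxy or EDR network logs instead of the inline sample; without decryption only the `api.telegram.org` destination is visible, which is still a useful pivot for hosts that should never talk to the Bot API.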
