Malicious PyPI packages give hackers control of Telegram bot servers

A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram forks that allow attackers to read arbitrary files on compromised servers.
At least eight packages have been published on the Python Package Index (PyPI) with a hidden backdoor that is activated by helper modules when importing Pyrogram or when the bot starts.
Although the Pyrogram project is no longer maintained, it remains popular, with nearly 350,000 monthly downloads on PyPI (last updated in April 2023) and more than 1,400 forks on GitHub (last updated in December 2024).
Pyrogram is described as "elegant, modern and asynchronous Telegram MTProto API framework in Python for users and bots." In simpler terms, it allows developers to create automated bots or userbots.
According to researchers at application security company Checkmarx, who dubbed the campaign 'Operation Navy Ghost', the threat actor published on PyPI between November 2025 and June 2026 the following malicious Pyrogram forks:
- VLifeGram (nine versions counting 4,150 downloads)
- VLife-Gram (five versions with 1,030 downloads)
- pyrogram-navy (six versions with 2,530 downloads)
- pyrogram-styled (more than 16 versions with 15,370 downloads)
- pyrogram-zeeb (one version counting 432 downloads)
- kelragram (three versions downloaded 1,041 times)
- sepgram (one version downloaded 264 times)
- pyrogram-kelra (one version with 672 downloads)
All the packages are forks of the legitimate Pyrogram project as they include the original source code. However, the threat actor also added a backdoor called secret.py, hidden in the helpers module.
The malicious file registers hidden Telegram command handlers when an infected bot launches, which enables the execution of attacker-supplied Python code or shell commands.
[Image: The Python execution function. Source: Checkmarx]
“When the attacker sends /asu print(os.environ) to the victim’s bot, this function compiles and executes that Python code on the victim’s machine — with full access to the live Telegram client, session, chats, contacts, and environment variables,” Checkmarx explains.
“When the attacker sends /asi cat /etc/passwd, this runs /bin/bash -c “cat /etc/passwd” on the victim’s server and returns the output,” the researchers say.
“This is repeatable with any shell command and runs under the infected application’s authority, meaning the malware can access and exfiltrate whatever the infected application could legitimately access.”
The command output is then returned via Telegram messages, and if it exceeds 4096 bytes, it is sent as a document attachment to the attackers.
The backdoor contains a hardcoded ‘OWNERS’ list with Telegram IDs that give the threat actors exclusive control. This list also helps deactivate the backdoor when it launches on the attacker’s system.
[Image: Hardcoded OWNERS list. Source: Checkmarx]
The malware specifically targets Telegram bot accounts and is designed to operate silently, suppressing errors and disabling logging.
Checkmarx researchers noticed that the backdoor activates only on Telegram bot accounts, which typically run in production environments, a deliberate function indicating that the attacker seeks "access to databases, credentials, cloud APIs, and sensitive infrastructure."
Once the bot is active, the threat actor can read any file on the server, dump secrets, access the victim’s Telegram chats, download the database, and install a persistent backdoor.
Despite the packages being published from different PyPI accounts, Checkmarx attributes the campaign to a single threat actor. The conclusion is based on the shared OWNERS list across the various packages, the identical backdoor code, the command names, and the overlapping infrastructure.
Developers who might have installed the listed packages should remove them immediately, rotate all credentials on the affected server, and revoke their Telegram bot tokens.
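A defensive triage script, added here as an example (not Checkmarx's tooling and not code from the article), that checks a site-packages directory for the eight package names listed above and for source files whose shape matches the behaviour described: a `helpers/secret.py`, hidden `/asu` and `/asi` command handlers, dynamic exec of supplied Python, and shelling out through `/bin/bash -c`. The regex shapes and the constructed SAMPLE handler are assumptions, since the page does not reproduce the real secret.py.

```python
import re
import sys
from pathlib import Path

# The eight trojanized forks named in the article (PEP 503-normalized names).
KNOWN_BAD = {"vlifegram", "vlife-gram", "pyrogram-navy", "pyrogram-styled",
             "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra"}

# Heuristic indicators derived from the article's description (assumed shapes,
# not the real backdoor code): hidden /asu and /asi handlers, exec of
# attacker-supplied Python, and shelling out via /bin/bash -c.
PATTERNS = {
    "hidden_handler": re.compile(r"""filters\.command\(\s*\[?\s*["'](asu|asi)["']"""),
    "dynamic_exec": re.compile(r"\bexec\s*\(\s*compile\s*\("),
    "bash_dash_c": re.compile(r"""["']/bin/bash["']\s*,\s*["']-c["']"""),
}

def normalize(name: str) -> str:
    """PEP 503 normalization so 'VLife_Gram' and 'vlife-gram' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_known_bad(name: str) -> bool:
    return normalize(name) in KNOWN_BAD

def scan_source(text: str) -> list[str]:
    """Return the indicator names found in one Python source file."""
    return [name for name, pat in PATTERNS.items() if pat.search(text)]

def scan_site_packages(root: Path) -> list[tuple[str, str]]:
    """Walk a site-packages directory and return (path, reason) findings."""
    findings = []
    for meta in root.glob("*.dist-info/METADATA"):
        lines = meta.read_text(errors="replace").splitlines()
        name = next((ln[5:].strip() for ln in lines if ln.startswith("Name:")), "")
        if is_known_bad(name):
            findings.append((str(meta.parent), "package is on the Checkmarx list"))
    for py in root.rglob("*.py"):
        if py.name == "secret.py" and py.parent.name == "helpers":
            findings.append((str(py), "helpers/secret.py matches the backdoor location"))
        if hits := scan_source(py.read_text(errors="replace")):
            findings.append((str(py), "source indicators: " + ", ".join(hits)))
    return findings

# Constructed sample of the handler shape the article describes (not real code).
SAMPLE = '''@app.on_message(filters.command("asu") & filters.user(OWNERS))
async def _h(client, message):
    exec(compile(message.text.split(None, 1)[1], "<asu>", "exec"))'''

if __name__ == "__main__":
    for path, reason in scan_site_packages(Path(sys.argv[1])):
        print(f"{reason}: {path}")
```

Run it against each virtual environment's site-packages path; a hit on the package list is definitive, while a source-pattern hit is a heuristic that warrants manual review of the file.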
Checkmarx has published indicators of compromise for the malicious Telegram IDs along with the attacker's profile URLs.