Home Cyber Security News Triton RAT Leveraging Telegram To Remotely Access & Control Systems

Triton RAT Leveraging Telegram To Remotely Access & Control Systems

March 31, 2025

A sophisticated Python-based Remote Access Tool (RAT) named Triton has emerged as a significant threat, utilizing Telegram as its command and control infrastructure.

This malware enables attackers to remotely access and control compromised systems, with particular emphasis on harvesting Roblox credentials and security cookies that can bypass two-factor authentication.

The RAT begins operation by retrieving its Telegram Bot token and chat ID from Pastebin through Base64-encoded URLs, establishing a covert communication channel.

Telegram token and chat ID encoded in Base64 (Source – CADO Security)

Once deployed, Triton RAT offers comprehensive system control capabilities including keylogging, password theft, screen recording, webcam access, and clipboard data exfiltration.

Cado Security researchers identified this threat while investigating a series of compromises, noting the RAT’s extensive feature set makes it particularly dangerous in targeted attacks.

Triton RAT Analysis

Analysis revealed the malware’s code contains functions that systematically extract saved credentials from multiple browsers and specifically targets Roblox security cookies (.ROBLOSECURITY) from Chrome, Brave, and Firefox profiles.

Function used to search for and exfiltrate Roblox security cookies (Source – CADO Security)

The infection leverages social engineering techniques to gain initial access, after which it collects extensive system information including hardware specifications, network configurations, and user account details.

All collected data is efficiently transmitted to the attacker via Telegram, allowing for real-time monitoring and control of the compromised system.

The RAT demonstrates sophisticated persistence tactics by creating multiple components that work together to maintain access.

Scheduled tasks (Source – CADO Security)

The malware generates a VBScript file named “updateagent.vbs” that disables Windows Defender and creates scheduled tasks, while a separate BAT script “check.bat” retrieves a binary named “ProtonDrive.exe” from DropBox.

Secondary payload retrieved from DropBox (Source – CADO Security)

This secondary payload is stored in a hidden folder structure at “C:\Users\user\AppData\Local\Programs\Proton\Drive” and executed with administrator privileges.

def robloxl(message):
    data = []
    try:
        cookies = browser_cookie3.chrome(domain_name='roblox.com')
        for cookie in cookies:
            if cookie.name == '.ROBLOSECURITY':
                data. Append(cookie. Value)

Triton further employs anti-analysis techniques by checking for “blacklisted” processes including debugging tools and antivirus products, demonstrating its creators’ intent to evade detection while maintaining persistent control over compromised systems.

Are You from SOC/DFIR Team? - Try Free Malware Research with ANY.RUN - Start Now

Triton RAT Leveraging Telegram To Remotely Access & Control Systems

Triton RAT Analysis

Supply Chain Attack Prevention

Recent Posts

Hackers Actively Exploiting Critical Exchange & SharePoint Server Vulnerabilities

How to Implementing SOAR To Reduce Incident Response Time Effectively

How To Prioritize Threat Intelligence Alerts In A High-Volume SOC

Detecting And Responding To New Nation-State Persistence Techniques

Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN