[Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd)
[This is a Guest Diary by L. Carty, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Introduction

A few weeks ago, my honeypot logged an incident that changed how I think about modern attacks. A threat actor broke into my system using weak SSH credentials and immediately started running commands. What started as a routine resource-hijacking attempt was followed by credential harvesting targeting Telegram Desktop session data.

This incident isn't just another story about cryptocurrency mining malware. It's a window into how modern threat actors are evolving their tactics: chaining initial access with credential theft to enable persistent, multi-layered exploitation. The commands I observed tell a story of methodical reconnaissance, from checking for competing miners to hunting for Telegram's tdata directory.

In this post, I'll walk through what I found, explain why the tdata folder is so valuable to threat actors, and share practical ways to protect it and manage your sessions.

The Attack Chain: A Conceptual Overview

Before diving into the actual commands, let's establish what we're looking at. Modern attacks rarely consist of a single malicious action; instead they follow a progression. Below is the attack chain with the corresponding MITRE ATT&CK techniques [2]:

Initial Access: weak SSH credentials, phishing, or vulnerabilities (T1110.001)
Reconnaissance: system enumeration, identifying valuable targets (T1082, T1083)
Credential Harvesting: extracting session tokens, passwords, or authentication data (T1555, T1005)
Account Takeover: using stolen credentials for further access (T1078)
Exploitation: social engineering, lateral movement, or monetization (T1041)

What made this particular attack notable was the explicit targeting of Telegram's local session data. Threat actors aren't just after CPU cycles anymore; they're after persistent access through compromised accounts that can be leveraged for ongoing exploitation.
The Evidence: Live from the Honeypot

The following commands were captured in the honeypot's SSH logs immediately after the threat actor gained access. They show the threat actor's intent to map the system, check for competition, and locate the tdata directory.

Commands Captured

/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
#looks to have an issue with cloudflare
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
locate D877F783D5D3EF8Cs
echo Hi | cat -n

A Command Timeline Visualization

[Initial SSH Access]
         |
         V
RECONNAISSANCE PHASE
  /ip cloud print    MikroTik RouterOS status, configuration
  ifconfig           Network int
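As an added example (not code from the diary or its author), the following Python detector runs a honeypot command log through rules derived from the captured commands above and flags any SSH session in which tdata access appears alongside reconnaissance. The log line format, session ids and timestamps are constructed assumptions; the commands in the sample mirror those captured in the diary.

```python
import re

# Constructed honeypot command log (format, session ids and timestamps are
# assumptions); the commands mirror those captured in this diary.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z session=a1 cmd=/ip cloud print
2026-04-01T10:00:02Z session=a1 cmd=uname -a
2026-04-01T10:00:03Z session=a1 cmd=ps -ef | grep '[Mm]iner'
2026-04-01T10:00:04Z session=a1 cmd=ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /var/spool/sms/*
2026-04-01T10:00:05Z session=a1 cmd=locate D877F783D5D3EF8Cs
2026-04-01T10:00:06Z session=a1 cmd=echo Hi | cat -n
2026-04-01T11:00:00Z session=b2 cmd=ls -la /var/www
"""

# (rule name, attack-chain phase as the diary maps it, pattern)
RULES = [
    ("telegram_tdata_access", "Credential Harvesting (T1555, T1005)",
     re.compile(r"TelegramDesktop/tdata|D877F783D5D3EF8C", re.I)),
    ("miner_competition_check", "Reconnaissance (T1082, T1083)",
     re.compile(r"\bps\b.*\bgrep\b.*(\[Mm\]|m)iner", re.I)),
    ("routeros_probe", "Reconnaissance (T1082, T1083)",
     re.compile(r"^/ip\s+cloud\s+print")),
    ("sms_modem_enum", "Reconnaissance (T1082, T1083)",
     re.compile(r"/dev/ttyGSM|/dev/ttyUSB-mod|/var/spool/sms|smsd\.conf|/dev/modem")),
]
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+session=(?P<sid>\S+)\s+cmd=(?P<cmd>.*)$")

def classify(cmd):
    """Return every (rule, phase) pair whose pattern matches one command."""
    return [(name, phase) for name, phase, rx in RULES if rx.search(cmd)]

def analyze(log_text):
    """Group rule hits per SSH session; flag tdata access alongside recon."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        for name, phase in classify(m["cmd"]):
            hits.setdefault(m["sid"], []).append((name, phase, m["cmd"]))
    report = {}
    for sid, session_hits in hits.items():
        names = {n for n, _, _ in session_hits}
        harvest = "telegram_tdata_access" in names
        recon = names - {"telegram_tdata_access"}  # every other rule is recon
        report[sid] = {"hits": session_hits, "credential_harvesting": harvest,
                       "recon_then_harvest": harvest and bool(recon)}
    return report
```

Sessions that never touch tdata (such as b2 in the sample) produce no entry, so the report contains only sessions worth an analyst's attention.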
Originally published by SANS ISC
Source: https://isc.sans.edu/diary/rss/32888