Man-in-the-Malware: Intercepting Adversarial Communications

Presented at DEF CON 33 (2025), Aug. 9, 2025, 11 a.m. (45 minutes).

In this talk, the speaker details how a threat actor’s OPSEC slip—testing their own keylogger and infostealer on their hacking machine—provided a real-time view into a cybercrime operation. By intercepting Telegram-based command-and-control (C2) communications, the speaker obtained hundreds of screenshots and keylogs of the threat actor's desktop, revealing the entire cybercrime operation. The session also covers the creation of Telegram bot tokens, which were then embedded in malware to enable covert data exfiltration and remote control. Through automated analysis techniques, including VirusTotal and custom YARA rules, the speaker tracked samples communicating with Telegram’s API, extracted thousands of bot tokens that were used to forward stolen data, used these to intercept communications, and mapped backend infrastructure through screenshots of the threat actor's desktop. This process led to the discovery of links to broader phishing and malware campaigns, underscoring how trusted platforms like Telegram can be abused by malicious actors.

References:

  • [Analysis of the malware](https://polygonben.github.io/malware%20analysis/Nova-Analysis/)
  • [Analysis of the stolen C2 communications](https://polygonben.github.io/malware%20analysis/Compromising-Threat-Actor-Communications/)
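
As an added example (not code from the talk or the speaker's write-ups), this shows the defender-side hunting step the abstract describes: triaging a sample's strings for Telegram API use, pulling out embedded bot tokens and chat ids, and rendering a YARA rule to pivot on them across a sample corpus. The token regex assumes the documented Telegram format (numeric bot id, colon, 35-character secret), and the strings dump and token below are constructed placeholders.

```python
import re

# Constructed strings dump of a hypothetical infostealer sample. The bot token
# is a made-up placeholder in the Telegram format, not a real credential.
SAMPLE_STRINGS = b"""
GetAsyncKeyState
https://api.telegram.org/bot1234567890:AAE1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q/sendDocument
https://api.telegram.org/bot1234567890:AAE1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q/sendMessage
chat_id=987654321&caption=screenshot
C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data
"""

# Assumed token format: <bot id digits>:<35 chars of [A-Za-z0-9_-]>.
# The lookbehind stops matches starting mid-number (e.g. inside "bot123...").
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
API_CALL_RE = re.compile(rb"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)")
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d{6,})")


def extract_telegram_iocs(data: bytes) -> dict:
    """Pull Telegram C2 artefacts from raw sample bytes or a strings dump.

    The triage flag is set only when a token appears inside an
    api.telegram.org URL, which separates real C2 use from a stray
    token-shaped string.
    """
    tokens = {m.group(0).decode() for m in TOKEN_RE.finditer(data)}
    api_calls = API_CALL_RE.findall(data)
    return {
        "tokens": sorted(tokens),
        "bot_ids": sorted({t.split(":")[0] for t in tokens}),
        "api_methods": sorted({method.decode() for _, method in api_calls}),
        "chat_ids": sorted({c.decode() for c in CHAT_ID_RE.findall(data)}),
        "telegram_c2": bool(api_calls),
    }


def hunt_rule(iocs: dict, name: str = "telegram_bot_c2") -> str:
    """Render a YARA rule that pivots on recovered tokens to find related samples."""
    if not iocs["tokens"]:
        raise ValueError("no tokens to pivot on")
    strings = "\n".join(f'        $t{i} = "{t}" ascii wide'
                        for i, t in enumerate(iocs["tokens"]))
    return (f"rule {name} {{\n    strings:\n"
            f'        $api = "api.telegram.org/bot" ascii wide\n{strings}\n'
            f"    condition:\n        $api and any of ($t*)\n}}")


if __name__ == "__main__":
    found = extract_telegram_iocs(SAMPLE_STRINGS)
    print(found)
    print(hunt_rule(found))
```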

Presenters:

  • Ben "polygonben" Folland
    Ben Folland is a Security Operations Analyst at Huntress, where he manages hands-on-keyboard intrusions and dismantles active threats daily. Before that, he worked at one of Accenture’s SOCs, defending UK Critical National Infrastructure, gaining deep experience in high-stakes environments. He's all about DFIR, malware analysis, and threat hunting—and has a knack for exposing adversary tradecraft. Ben's spoken at over 10 conferences (including six BSides), taught SOC workshops at universities, is GIAC GCFA certified, and was a finalist for the UK's national cyber team. Whether it's CTFs or live incidents, Ben thrives on the chase and brings a hacker mindset to everything he does.