Trojanized Pyrogram Forks Unleash Backdoor on Telegram Bot Servers

A campaign dubbed 'Operation Navy Ghost' has been distributing trojanized Pyrogram packages on PyPI since November 2025, giving attackers remote code execution on compromised Telegram bot servers.

CSBadmin

Malicious PyPI Packages and Their Hidden Danger

A long-running campaign, active since November 2025, has targeted Python developers using trojanized versions of the Pyrogram library to compromise Telegram bot servers. Researchers at Checkmarx, who named the operation ‘Navy Ghost’, identified at least eight malicious packages published to the Python Package Index (PyPI). These packages include VLifeGram, pyrogram-navy, and pyrogram-styled, among others. Although the original Pyrogram project is no longer maintained, it remains widely used, with nearly 350,000 monthly downloads on PyPI and over 1,400 forks on GitHub.

How the Backdoor Operates

The trojanized packages contain the legitimate Pyrogram source code but add a hidden backdoor file named secret.py within the helpers module. When an infected bot starts, this backdoor registers hidden Telegram command handlers. Attackers can then send commands like `/asu print(os.environ)` to execute arbitrary Python code, or `/asi cat /etc/passwd` to run shell commands on the victim’s server. The output is returned via Telegram messages, and if data exceeds 4096 bytes, it is sent as a document attachment. The backdoor includes a hardcoded list of Telegram IDs that grant exclusive control to the threat actor and also prevents activation on the attacker’s own systems.
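The indicators in the description above (the listed package names, a `secret.py` file inside the `helpers` module, and the `/asu` and `/asi` command strings) are concrete enough to check for on a host. The following scanner is an added example written for this article; it is not code from Checkmarx, BleepingComputer or the Pyrogram project. It assumes a standard `site-packages` layout with `*.dist-info` metadata directories, treats the command names as literal strings in the source (an assumption, since the article does not show how the handlers are registered), and builds a constructed sample tree so it runs offline.

```python
"""Check a site-packages directory for the indicators reported for the
trojanized Pyrogram forks.

Added example, not code from the article or from Checkmarx. Indicators used
are only those the article states: the package names VLifeGram, pyrogram-navy
and pyrogram-styled; a helpers/secret.py file; and the /asu and /asi command
strings. The sample tree built by build_demo_tree() is constructed for the
demo and contains no functional code.
"""
import re
import tempfile
from pathlib import Path

# Package names named in the article, in PyPI-normalized form.
KNOWN_BAD_DISTS = {"vlifegram", "pyrogram-navy", "pyrogram-styled"}

# Assumption: the command names appear as string literals in the source.
COMMAND_RE = re.compile(r"""["']/(asu|asi)["'\s]""")


def normalize(name: str) -> str:
    """PEP 503-style normalization: runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_site_packages(site_packages) -> list:
    """Return (indicator, relative_path) tuples for every hit under site_packages."""
    root = Path(site_packages)
    findings = []

    # 1. Distribution metadata: <project>-<version>.dist-info
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name.endswith(".dist-info"):
            project = entry.name[: -len(".dist-info")].split("-", 1)[0]
            if normalize(project) in KNOWN_BAD_DISTS:
                findings.append(("known-bad-distribution", entry.name))

    # 2. The hidden module the article describes: helpers/secret.py
    for secret in sorted(root.rglob("secret.py")):
        if secret.parent.name == "helpers":
            findings.append(("hidden-helper-module", secret.relative_to(root).as_posix()))

    # 3. Command strings used to reach the hidden handlers
    for py in sorted(root.rglob("*.py")):
        try:
            text = py.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if COMMAND_RE.search(text):
            findings.append(("backdoor-command-string", py.relative_to(root).as_posix()))

    return findings


def build_demo_tree() -> Path:
    """Constructed site-packages tree: one clean install plus one that mimics
    the reported layout. secret.py holds only a constructed marker string."""
    root = Path(tempfile.mkdtemp(prefix="sitepkg-demo-"))

    # Clean distribution that should produce no findings.
    (root / "requests-2.31.0.dist-info").mkdir()
    (root / "requests").mkdir()
    (root / "requests" / "__init__.py").write_text("# clean package\n")

    # Distribution mimicking a trojanized fork (constructed, not real malware).
    (root / "pyrogram_navy-2.0.0.dist-info").mkdir()
    helpers = root / "pyrogram" / "helpers"
    helpers.mkdir(parents=True)
    (helpers / "__init__.py").write_text("# helpers package\n")
    (helpers / "secret.py").write_text(
        "# constructed marker file for the demo, not the real backdoor\n"
        'HANDLER_COMMANDS = ["/asu", "/asi"]\n'
    )
    return root


if __name__ == "__main__":
    # Point this at a real interpreter's site-packages to check a host;
    # the demo tree is used here so the script runs stand-alone.
    for indicator, path in scan_site_packages(build_demo_tree()):
        print(f"{indicator:25s} {path}")
```

Run it against every virtual environment the bot is deployed from, not just the system interpreter, since the trojanized fork is installed as a dependency of the bot itself. A hit on the distribution name alone is decisive; the other two indicators are there to catch a renamed upload that keeps the same backdoor file.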

Impact and Scope

The malware is designed to activate only on Telegram bot accounts, which typically run in production environments, giving attackers access to databases, credentials, cloud APIs, and other sensitive infrastructure. Checkmarx attributes the campaign to a single threat actor based on shared code, command names, and overlapping infrastructure across the different packages. Developers who installed any of the listed packages should remove them immediately, rotate all credentials on affected servers, and revoke their Telegram bot tokens to prevent further compromise.

Source: BleepingComputer
