▲ 32 r/threatintel
I recently tracked down the operator behind the "TdataS" Telegram session stealer. How? Because he tested his own malware on his own computer.
His stealer performed perfectly. It packaged up his own personal data, snapped a screenshot of his desktop (exposing his source code), and exfiltrated it straight to a public drop zone I was monitoring.
Using 100% passive OSINT-no exploits, no bypassed authentication, I traced his Gofile tokens and Telegram sessions to unmask his entire operation.
It's the ultimate OpSec fail, and a goldmine for Threat Intel analysts.
Dive into the full case study:
https://maordayanofficial.medium.com/tdatas-stealer-from-c2-discovery-to-operator-attribution-via-operational-security-failures-d11d78cc8e85
u/Fun_Bug_1462 — 22 days ago