MalwareBotReplayer

MalwareBotReplayer is a toolchain to extract Telegram malware bots from VirusTotal telemetry, invite them into your own Telegram group, and automatically mirror their messages there.

It consists of four main steps:

1. Download VirusTotal pages (get_tg_connection_files.py)
2. Extract malware bots and save them in PocketBase (get_bot.py)
3. Invite bots to a group & forward messages (prepare_bot.py)
4. Forward messages forward_message.py

⚠️ Note: With a standard VirusTotal license (500 requests/day), processing all bots/files can take a very long time (months to years) depending on the amount of data. The scripts respect the rate limits and work sequentially.

---

Contents

• Features
• Architecture / How it works
• Setup
• Usage – step-by-step
• Limitations & notes

---

Features

• Searches VirusTotal file analyses for stealer/keylogger indicators
• Fetches /contacted_urls of samples from VirusTotal API
• Extracts Telegram Bot API URLs (https://api.telegram.org/bot...)
• Validates bot tokens with Telegram (getMe, can_join_groups)
• Saves recognized bots in a PocketBase collection
• Uses a Telegram user account (Telethon) to invite bots to your target group
• Forwards messages from bot source chats to your group via Bot API

---

Architecture / How it works

High-level workflow:

1. Getting contected Files from telegram api url: get_tg_connections_files.py

   • gets all the files which contacted telegram.api.org
   • use /contacted_urls?limit=40 so allways 40 files/json
   • uses next_url to make sure not file is downloaded twice.
   • Saves each page as page_<n>.json in VT_OUTPUT_DIR.

2. get botid and chat id:
   get_bot.py processes each file:

   • parses all the json files in lexicographical order
   • Extracts the filid from the json
   • getting contacted urls from the file from VT
   • parses botid/chat
   • check with getme if bot can be used
   • Stores valid bots as records in PocketBase

3. Preparation:
   prepare_bot.py:

   • Loads records from PocketBase with state='detected'
   • check with getme if bot can be used (yes again)
   • Removes webhook temporarily if needed
   • Invites the bot into your specified Telegram group via Telethon
   • Updates PocketBase record with state='preparing_successful_done' and targetchatid
   • invites max 30 Bots per run

4. Forwarding:
   forward_message.py:

   • Loads records with state='preparing_successful_done' and notworking != true
   • Uses Bot API forwardMessages to mirror messages from sourcechatid to your target group
   • Works in message ID blocks, respects 429 rate limits
   • Saves progress in lastmessageid
   • Updates record state='forwarding'

---

Setup

PocketBase setup

You need a running PocketBase instance.

1. Download PocketBase binary from https://pocketbase.io
2. Start it, e.g. ./pocketbase serve (adjust for your OS)
3. Open the admin UI (usually http://127.0.0.1:8090/_/)
4. Create a collection named e.g. TI

PocketBase database structure

Create a collection (e.g. TI) with the following fields:

Field	Type	Required	Description
id	String	optional	Auto-generated if not set
botname	String	optional	Telegram username of the bot
bottoken	String	optional	Bot token, stored as bot<token>
malwarefilehash	String	optional	Hash of the VT sample (e.g. SHA256)
lastmessageid	String	optional	Last message ID that was forwarded
sourcechatid	String	optional	Original chat ID where the bot was seen
targetchatid	String	optional	Target group chat ID (your group)
state	String	optional	Workflow state (e.g. detected, preparing_successful_done, forwarding)
notworking	Boolean	optional	Marks invalid or defunct bots

setting up the API Rules wisely to get a connection to the Database

get an app id and hash from telegram

Obtaining api_id

.env configuration

Create a .env file in your project folder with the following settings:

PB_URL=""            # pocketbase url "http://127.0.0.1:8090
PB_COLLECTION=""     # pocketbase collection name
PB_AUTH_TOKEN=""     # pb auth token
TG_API_ID=           # telegram ap id
TG_API_HASH=         # telegram api hash
TG_SESSION_NAME=     # session name from telegram
VT_API_KEY=""        # VirusTotal API Key 
VT_OUTPUT_DIR=""     # where the json from get_tg_connections_files.py will be saved
VT_FIN_FOLDER=""     # where the processed json will be saved  should not be the same as the output folder

Python installation

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

curl --request GET \
     --url 'https://www.virustotal.com/api/v3/domains/api.telegram.org/communicating_files?limit=10' \
     --header 'accept: application/json' \
     --header 'x-apikey: <your key> -o page_1.json

• save the file to the VT_OUTPUT_DIR Directory

1. Download VirusTotal pages

python get_tg_connection_files.py

2. Get Bot Information

python get_bot.py

3. Invite bots to target group preparation

• create some telegram groups !Take care by this, allways check the anonym button in the admin setting in the group setting - its off by default!
• get the invite link from a group

python3 prepare_bot.py <groupname-or-invite-link>

4. Automatically forward messages

python3 forward_message.py

Limitations & notes

• Can have dublicates in db -> todo
• inviting only works well by invivte link -> todo with group name
• Standard API key limits to 500 requests/day from VirusTotal
• Full processing of all pages & contacted URLs can take months depending on data volume.
• Flood wait errors from Telegarm may cause long delays during bot additions.
• This project is intended for research, incident response, and threat intelligence purposes only.
• Inviting and forwarding malware bot messages should only be done in controlled environments and in compliance with applicable laws.