Telegram Conversations

ShadowMap monitors Telegram channels and groups used by threat actors for mentions of your organization, brand, domains, or key personnel. Telegram has become one of the most important platforms for threat intelligence because it is easy to access, offers its users a sense of anonymity, and is lightly moderated -- making it a preferred communication channel for a wide range of cybercriminal activity. Note that Telegram channels and groups are not end-to-end encrypted (only one-to-one "secret chats" are), which is what makes monitoring their content possible in the first place.

Overview

Why Telegram Matters for Threat Intelligence

Unlike traditional dark web forums that require Tor access and vetting, Telegram is:

  • Easily accessible -- Available on mobile and desktop with no special software required
  • Fast-moving -- Messages are shared in real-time, making Telegram a faster source of intelligence than forums
  • High volume -- Channels can have tens of thousands of subscribers, amplifying the reach of leaked data
  • Organized by specialty -- Channels exist for specific threat types: credential dumps, stealer logs, carding, ransomware victim announcements, and hacktivist coordination
  • Difficult to shut down -- Channels that are banned often reappear under new names within hours

Threat actors use Telegram to share stealer log dumps, announce ransomware victims, sell initial access, distribute malware, coordinate DDoS attacks, and publish data leaks. Monitoring Telegram is essential for timely threat detection.

What You See

Each conversation card displays:

Field            Description
Channel Name     The Telegram channel's display name (a tooltip shows the full channel description)
Channel Handle   The channel's @username (a clickable link to the Telegram channel)
Message Content  An excerpt of the message text (click "Read more" for the full content)
Keywords         The brand keywords that matched in this message, displayed as tags
Date             When the message was posted
Actions          Comment, share via integration, takedown request, and workflow status

What to Look For

  • Your domains or IPs in paste dumps -- Credential lists shared directly in channels often include your employee data
  • Ransomware victim announcements -- Groups like LockBit, BlackCat, and others announce victims on Telegram before or alongside their leak sites
  • Access sales -- Initial access brokers advertise VPN, RDP, or web shell access on Telegram
  • Hacktivist targeting -- Hacktivist groups use Telegram to coordinate DDoS campaigns and announce targets
  • Stealer log distribution -- Raw stealer log output is frequently shared in Telegram channels, sometimes before it reaches traditional dark web markets

Filters

  • Full-text search -- Search within message content
  • Date range -- Focus on recent messages
  • Category filters -- Filter by source channel, risk level, or keyword
  • Export -- Download filtered conversations in Excel format

Actions

  • Comment -- Add internal notes for investigation tracking
  • Share via Integration -- Push findings to Slack, Teams, Jira, or other connected tools
  • Takedown Request -- Report the channel or message (limited effectiveness but worth attempting for branded impersonation)
  • Workflow Status -- Mark as Action Taken, False Positive, or revert to Needs Action

Responding to Telegram Findings

  1. Assess the content -- Is this a credential dump, access sale, vulnerability disclosure, or general mention?
  2. Determine urgency -- Active credential dumps and access sales require immediate response. General mentions may only need monitoring.
  3. Cross-reference -- Check if the same data appears in Compromised Users or Data Breaches. Telegram posts often precede or accompany stealer log distribution.
  4. Monitor the channel -- A single mention may be the start of a broader campaign. Track the channel for follow-up posts.
  5. Document -- Use comments and integration sharing to create a paper trail for your incident response team.
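As an added example (not ShadowMap's own code or matching logic), the following Python script runs steps 1 and 2 of this procedure over a handful of constructed Telegram-style messages: it matches watched domains and brand keywords, pulls out credential pairs for accounts at watched domains, assigns each message one of the content categories listed under "What to Look For", and orders the findings so that credential dumps and access sales come first. The domain names, keywords, channel handles and message texts are all assumed or constructed for the example; the indicator regexes are illustrative starting points, not a vendor's detection rules.

```python
import re
from dataclasses import dataclass

# Watched assets for the organization (assumed values for this example).
WATCHED_DOMAINS = {"example.com", "corp-example.net"}
WATCHED_KEYWORDS = {"example corp", "examplecorp"}

# A credential pair: user@domain, a ':' '|' or ';' separator, then a password.
CRED_PAIR_RE = re.compile(r"([\w.+-]+@[\w.-]+)\s*[:|;]\s*\S+")

# Content categories from "What to Look For", checked in order. A message lands in
# the first category whose patterns all match; credential dumps are detected separately.
CATEGORY_RULES = [
    ("access_sale", [
        re.compile(r"\b(rdp|vpn|web ?shell|citrix|domain admin)\b", re.I),
        re.compile(r"\b(sell|selling|price|escrow)\b|\$\d+", re.I),
    ]),
    ("ransomware_announcement", [
        re.compile(r"\b(leak|victim|encrypted|ransom|published)\b", re.I),
    ]),
    ("hacktivist_targeting", [
        re.compile(r"\b(ddos|target list|attack)\b", re.I),
    ]),
]

# Urgency per step 2: active credential dumps and access sales need an immediate response.
URGENCY = {
    "credential_dump": "immediate",
    "access_sale": "immediate",
    "ransomware_announcement": "high",
    "hacktivist_targeting": "high",
    "general_mention": "monitor",
}
URGENCY_ORDER = {"immediate": 0, "high": 1, "monitor": 2}


@dataclass
class Finding:
    channel: str
    matched_keywords: list
    category: str
    urgency: str
    exposed_accounts: list  # e-mail addresses at watched domains seen in credential pairs


def matched_keywords(text):
    """Return the watched domains and brand keywords that appear in the message."""
    low = text.lower()
    return ([d for d in sorted(WATCHED_DOMAINS) if d in low]
            + [k for k in sorted(WATCHED_KEYWORDS) if k in low])


def exposed_accounts(text):
    """Return e-mail addresses at watched domains that appear in credential pairs."""
    accounts = []
    for m in CRED_PAIR_RE.finditer(text):
        email = m.group(1).lower()
        if email.rsplit("@", 1)[1] in WATCHED_DOMAINS:
            accounts.append(email)
    return accounts


def classify(text, accounts):
    """Step 1: decide what kind of content this message is."""
    if accounts:
        return "credential_dump"
    for name, patterns in CATEGORY_RULES:
        if all(p.search(text) for p in patterns):
            return name
    return "general_mention"


def triage(message):
    """Turn one raw message into a Finding, or None if it mentions no watched asset."""
    keywords = matched_keywords(message["text"])
    if not keywords:
        return None
    accounts = exposed_accounts(message["text"])
    category = classify(message["text"], accounts)
    return Finding(message["channel"], keywords, category, URGENCY[category], accounts)


def triage_all(messages):
    """Step 2: triage every message and put the most urgent findings first."""
    findings = [f for f in map(triage, messages) if f is not None]
    findings.sort(key=lambda f: URGENCY_ORDER[f.urgency])  # stable sort keeps input order within a tier
    return findings


# Constructed sample messages (not real channels, people or data).
SAMPLE_MESSAGES = [
    {"channel": "@news_feed", "text": "ExampleCorp announced Q3 results today"},
    {"channel": "@cloud_logs_daily",
     "text": "fresh ulp 2k lines\njohn.doe@example.com:Summer2024!\nadmin@example.com|P@ssw0rd"},
    {"channel": "@access_market",
     "text": "Selling VPN + RDP access to Example Corp network, 500 hosts, domain admin, price $3000, escrow ok"},
    {"channel": "@leak_announcements",
     "text": "New victim: Example Corp. Full data leak will be published in 72 hours"},
    {"channel": "@ddos_collective",
     "text": "DDoS target list for tomorrow: example.com corp-example.net gov sites. join the attack"},
    {"channel": "@other_logs", "text": "user@unrelated.org:hunter2"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_MESSAGES):
        print(f"[{f.urgency:9}] {f.channel:20} {f.category:24} "
              f"keywords={f.matched_keywords} accounts={f.exposed_accounts}")
```

Real stealer logs arrive in several layouts (URL:USER:PASS lines, USER:PASS lines, or whole archives), so the credential regex and the small keyword lists here need tuning before use against live channel output. Anything that classifies as credential_dump is exactly what step 3 tells you to cross-reference against Compromised Users and Data Breaches.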

ShadowMap by Security Brigade