
A sophisticated supply chain campaign dubbed Operation Navy Ghost targets Python developers building Telegram bots. Trojanized PyPI packages containing a hidden backdoor allow remote threat actors to run shell commands, exfiltrate files, and compromise enterprise production environments.


Attacker publishes trojanized clones of Pyrogram on PyPI (e.g., vlifegram, kelragram).
Developer installs package; backdoor triggers on import or client start.
Checks if runtime is a bot (self.me.is_bot) and not an attacker test ID (OWNERS list).
Bypasses normal bot routing; listens for attacker commands (/asu, /asi) via MTProto.
Large files (>4096 bytes) sent as 'reply_document' attachments natively over Telegram.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
A newly identified malware campaign named ChocoPoC is targeting cybersecurity researchers and enterprise vulnerability management teams. By burying malicious PyPI transitive dependencies in proof-of-concept exploit repositories, the threat actors execute remote commands and exfiltrate browser credentials.

June 24, 2026
A substantial data leak involving Be Call Group, a contact center BPO partner of TIGO Colombia, has exposed 1 GB of data containing 9.7 million records and direct connection credentials. Discover how attackers abuse third-party trust relationships and how to protect your enterprise network.

June 15, 2026
Unauthorized actors successfully leveraged compromised third-party contractor credentials to access administrative systems of a major Canadian wireless telecommunications carrier. We analyze the attack mechanics of these supply chain breaches, mapping behaviors to the MITRE ATT&CK framework.
Direct injection of a malicious Python file named secret.py inside the helper modules of popular Python Package Index (PyPI) packages has allowed attackers to gain total host shell control over production Telegram bot servers. Known as Operation Navy Ghost, this sophisticated supply chain campaign targeting developers has compromised numerous systems by distributing trojanized clones of the Pyrogram library. Although the legitimate Pyrogram framework has been unmaintained since early 2023, its high popularity makes it an ideal vehicle for attackers looking to infiltrate developer workflows and enterprise infrastructure. For organizations operating across the GCC, where automation and custom integrations are rapidly expanding, this campaign underscores the critical importance of vetting open-source dependencies.
For organisations that require rapid, offensive validation of their software delivery pipelines, FemtoSec provides specialized security services designed to discover and eliminate software supply chain vulnerabilities before they can be exploited by advanced threat actors.
The campaign, which has been active since November 2025 and continued through mid-2026, exploits the trust developers place in open-source registries. The threat actor published at least eight malicious packages under different publisher profiles on PyPI. These packages were designed as fully functional clones of the legitimate Pyrogram project, meaning they could be imported without causing immediate errors, thereby avoiding suspicion during basic functionality tests. The malicious clones identified during security investigations include the following packages:
vlifegram (including multiple versions with thousands of downloads)
vlife-gram (representing parallel naming configurations to capture typos)
pyrogram-navy (explicitly named to align with the threat actor's campaign theme)
pyrogram-styled (which garnered the highest volume of installations)
pyrogram-zeeb (a specialized target variant)
kelragram (targeting specific developer communities)
sepgram (a lightweight variant targeting specialized userbots)
pyrogram-kelra (a targeted package mapping closely to known developer aliases)
By blending malicious execution logic into legitimate, functional codebase copies, the threat actors successfully bypassed standard dependency monitoring checks that only look for broken or non-functional imports. Enterprises must proactively monitor for such rogue dependencies as part of a robust software pipeline strategy. Implementing rigorous Vulnerability Assessments can help identify when development teams introduce unauthorized or heavily modified clones of open-source packages into the organizational environment.
A deep dive into the code structure reveals a highly calculated execution flow. The key to the backdoor is a hidden script named secret.py, placed within the helpers directory of the modified Pyrogram structure. The entry point of this backdoor is executed through one of two distinct triggering mechanisms, depending on the specific package variation installed:
Import-Time Trigger: In packages like vlifegram, the backdoor execution is triggered the moment the package is imported into any Python script. This is achieved by embedding an import statement for secret.py directly inside the helpers/__init__.py initialization file.
Startup-Time Trigger: In other variants, such as kelragram or pyrogram-navy, the backdoor is wired into the client startup lifecycle. It executes when the bot's start() routine is invoked, allowing the backdoor to piggyback on the legitimate client connection process.
To ensure that the campaign remains stealthy and only targets high-value targets, the backdoor contains two critical gating conditions before executing its primary payloads:
First, it performs a contextual bot-exclusive check using the statement if self.me.is_bot. If the running instance is a standard user account (a userbot), the execution stops. This focuses the campaign strictly on production Telegram bots, which are typically hosted on cloud servers, virtual machines, or local enterprise databases, where access to secrets and production databases is common.
Second, the backdoor contains a self-exclusion guard that checks the bot's numeric account ID against a hardcoded array of integer IDs labeled OWNERS. If the bot's ID is found in this list, the execution immediately terminates. This ensures that when the attacker runs the backdoor code on their own testing environments, the payload does not trigger, preventing self-infection and reducing the risk of accidental exposure during development.
Once the backdoor is successfully initialized, it registers stealthy event handlers that listen for specific messages from authorized accounts. These message handlers bypass the normal bot routing logic, listening silently for commands sent by accounts that match the hardcoded OWNERS list. The primary commands identified in the backdoor include:
Python Execution Command: Triggered via /asu or /wann, this command accepts a block of Python code as a string, compiles it, and executes it using the exec(compile()) statement. This provides the attacker with full control over the running Python process, allowing them to extract active environment variables, dump memory states, and hijack session data.
Host Shell Execution Command: Triggered via /asi or /wann2, this command executes arbitrary operating system commands by spawning a subprocess through /bin/bash -c. Because the command runs with the same privileges as the parent Python bot process, the attacker can traverse the file system, read sensitive system files like /etc/passwd, or download persistent binaries.
The backdoor relies entirely on Telegram's official MTProto API to communicate with the command and control nodes. This represents a classic "living off the API" technique, making network-level detection incredibly difficult. All commands and exfiltrated data are packaged inside standard, encrypted MTProto traffic, easily passing through corporate firewall systems and network security monitors. If the output of a shell command exceeds the maximum Telegram message limit of 4,096 bytes, the backdoor automatically saves the data into a temporary text file and uploads it to the attacker's channel using the native reply_document method.
The reliance on automated Telegram bots for notifications, customer support, and system alerts is highly prevalent across GCC enterprises, particularly in retail, financial technology, and tech startups. Because these bots require continuous connectivity to internal networks and databases to serve functional queries, a compromise of the underlying bot server is equivalent to an internal network breach.
With remote shell access, threat actors can conduct lateral movement, harvest cloud provider metadata tokens, compromise Kubernetes pods, and retrieve active database connection strings. This can lead to substantial database leaks and exposure of customer data, resulting in both financial losses and severe regulatory non-compliance issues under regional data protection laws.
If you suspect that your developer environments or Telegram bot configurations have been compromised, you should immediately analyze whether any credentials or server tokens have leaked. Use FemtoSec's Dark Web Scanner to check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Enterprises must continuously evaluate all external-facing integrations, including third-party APIs and automated bots, using comprehensive Attack Surface Management to detect exposed resources before threat actors exploit them.
Securing the enterprise against Operation Navy Ghost requires proactive threat hunting inside both active environments and development repositories. Security operations teams should execute systematic audits of all Python environments running on production or staging environments.
Run the following query on all host servers to check if any of the malicious packages have been installed via the Python package manager:
pip show vlifegram vlife-gram kelragram pyrogram-navy pyrogram-styled sepgram pyrogram-kelra pyrogram-zeebAdditionally, search historical pip installation logs to find traces of temporary or removed installations:
cat ~/.local/share/pip/pip.log 2>/dev/null | grep -E "vlifegram|vlife-gram|kelragram|pyrogram-navy|pyrogram-styled|sepgram|pyrogram-kelra|pyrogram-zeeb"You can execute a targeted system-wide search to locate any instances of the unauthorized secret.py file buried inside the Pyrogram library folder structure:
find / -path "*/pyrogram/helpers/secret.py" 2>/dev/nullDeploying static signature rules on repositories and container images can prevent these packages from reaching production. The following YARA rule is designed to flag the specific combination of client hijacking, self-exclusion, and remote execution logic used by Operation Navy Ghost:
rule OperationNavyGhost_BehaviorPattern {
meta:
description = "Detects pyrogram backdoor pattern"
author = "Checkmarx Security Research"
severity = "CRITICAL"
reference = "Operation Navy Ghost"
strings:
$handler_msg = "MessageHandler" ascii
$handler_cq = "CallbackQueryHandler" ascii
$filter_cmd = "filters.command" ascii
$filter_user = "filters.user" ascii
$add_handler = "add_handler" ascii
$exec_compile = "exec(compile(" ascii
$subprocess = "subprocess.run" ascii
$bash_shell = "/bin/bash" ascii
$reply_doc = "reply_document" ascii
$self_exclude = /if\s+\w+\.me\.id\s+in\s+\w+/ ascii
$owner_list = /\w+\s*=\s*\[\s*\d{7,10}(\s*,\s*\d{7,10})+\s*\]/ ascii
condition:
$add_handler and $handler_msg and $filter_cmd and $filter_user and $exec_compile and $subprocess and $reply_doc and ($self_exclude or $owner_list)
}If an active compromise is confirmed within your infrastructure, immediate containment is required to prevent further database harvesting or lateral movement. Follow these steps to secure your environment:
Process Termination: Locate and kill the running process ID of the compromised Telegram bot immediately. This halts active shell sessions and terminates the live C2 pipeline.
Uninstall and Purge: Force-uninstall the malicious library and clear the pip package cache to prevent accidental reinstallations:
pip uninstall -y <malicious_package_name> && pip cache purgeRevoke Bot Token: Message the official Telegram BotFather account (@BotFather) and select the compromised bot. Use the /revoke command to instantly invalidate the existing API token and generate a new one. This breaks the primary communication route of the threat actor.
Credentials Rotation: Assume all credentials, access keys, database passwords, and SSH keys accessible on the compromised host have been exfiltrated. Rotate these keys immediately across all cloud and local environments.
Persistence Audit: Inspect local cron jobs, active systemd services, and shell history logs to ensure that the threat actor did not install secondary persistent backdoors, such as rogue cron tasks, before the bot process was terminated.