Link: JavaScript obfuscation with Telegram bot integration

Detects links containing obfuscated JavaScript code with embedded Telegram bot tokens or API references, indicating potential data exfiltration or command and control infrastructure.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` block is an MQL expression evaluated per message.
name: "Link: JavaScript obfuscation with Telegram bot integration"
description: "Detects links containing obfuscated JavaScript code with embedded Telegram bot tokens or API references, indicating potential data exfiltration or command and control infrastructure."
type: "rule"
# Severity assigned to a match.
severity: "high"
source: |
    // Inbound mail only.
    type.inbound
    // Scope link analysis to messages carrying between 1 and 14 links.
    and 0 < length(body.links) < 15
    // Exactly one To: recipient, and its domain must be valid.
    and length(recipients.to) == 1
    and recipients.to[0].email.domain.valid
    // Fire when any link's analysed page (the raw DOM of the final page from link analysis)
    // shows both of the signals below.
    and any(body.links,
            // javascript obfuscator code - https://obfuscator.io/
            // Five occurrences of a keyword or call followed by an `_0x` + 6-hex-digit identifier,
            // each within 50 characters of the next.
            regex.icontains(ml.link_analysis(.).final_dom.raw,
                            '(?:(?:return|function|var|let|const|parseInt)\(?\s*_0x[a-f0-9]{6}.{0,50}){5}'
            )
            // Two patterns are passed to one call; a hit on either satisfies it.
            and regex.icontains(ml.link_analysis(.).final_dom.raw,
                                // telegram bot token struct: quoted 10 digits, a colon, then 20-35 token characters
                                '[\x22\x27][0-9]{10}:[a-z0-9_-]{20,35}[\x22\x27]',
                                // telegram strings: variable names and the bot API path the rule treats as Telegram usage
                                '(?:telegram(?:chatid|BotToken)|TELEGRAM_(?:BOT_TOKENS|CHAT_IDS)|api\.telegram\.org/bot|telegramToken)'
            )
    )    
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Content analysis"
  - "Javascript analysis"
  - "URL analysis"
# Stable rule identifier.
id: "032a4485-be40-5f61-843c-1e5c6400eedb"