isc.sans.edu 4/22/2026, 1:01:36 AM

Thieves harvest Telegram session data after weak SSH breach

An ISC guest diary recounts a honeypot incident in which a threat actor gained initial access over SSH with weak credentials and immediately pivoted to harvesting Telegram Desktop session data, specifically the tdata folder. The post argues that attackers increasingly layer credential theft on top of initial access to enable persistent, multi-stage exploitation: the captured session moves from basic reconnaissance straight to locating Telegram's tdata directory.

The captured commands show the attacker fingerprinting the system, checking whether a cryptominer is already running, and then searching for tdata, which underscores the value of Telegram session data as a long-term asset. The author explains that copying or moving the tdata folder to another machine can grant full access to the victim's Telegram account without the phone number or 2FA, because the folder carries an already-authenticated session rather than the login secrets, and outlines three abuse scenarios: direct import into another Telegram Desktop installation, exfiltration to cloud storage, and use with a portable client.

Defences emphasise hardening SSH against credential guessing, monitoring for access to tdata and for the reconnaissance commands that precede it, and managing Telegram sessions (reviewing active sessions and terminating any that are not recognised), with a reminder that Telegram remains a target because of its architecture and popularity. Imperva Threat Research is cited as noting that the tdata threat shows how attackers bypass 2FA with stolen session tokens. 22 April 2026.
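The monitoring advice above can be turned into a small detector that scores each SSH session by the sequence the diary describes: host reconnaissance, a check for existing miners, a hunt for tdata, and finally packaging or moving the folder. The following is an added example written for this page, not code from the ISC diary or from Imperva. The log format (timestamp, session id, command), the sample commands, the miner process names and the Linux tdata path `~/.local/share/TelegramDesktop/tdata` are all assumptions; swap the regexes for whatever your honeypot, auditd or shell-history pipeline actually emits.

```python
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <ssh-session-id> <command>" per line.
# Session s1 follows the reported recon -> miner check -> tdata hunt -> copy
# pattern; s2 is ordinary noise. Paths and tool names are assumptions.
SAMPLE_LOG = """\
2026-04-21T23:58:01Z s1 uname -a
2026-04-21T23:58:03Z s1 cat /proc/cpuinfo | grep name
2026-04-21T23:58:10Z s1 ps aux | grep -i xmrig
2026-04-21T23:58:40Z s1 find / -type d -name tdata 2>/dev/null
2026-04-21T23:59:02Z s1 tar czf /tmp/td.tgz /home/user/.local/share/TelegramDesktop/tdata
2026-04-21T23:59:30Z s2 ls -la
2026-04-21T23:59:31Z s2 cat /etc/passwd
"""

# One regex list per stage of the intrusion. Miner names are common examples
# (assumed), not a complete list; tune them to what you see in your telemetry.
STAGE_PATTERNS = {
    "recon": [
        re.compile(r"^(uname|id|whoami|hostname|nproc|lscpu)\b"),
        re.compile(r"\bcat\s+/proc/cpuinfo\b"),
        re.compile(r"\bcat\s+/etc/(passwd|os-release|issue)\b"),
    ],
    "miner_check": [
        re.compile(r"\b(ps|top|pgrep|pkill|killall)\b.*\b(xmrig|minerd|kinsing|kdevtmpfsi)\b", re.I),
        re.compile(r"\bgrep\b.*\b(xmrig|miner|kinsing)\b", re.I),
    ],
    "tdata_hunt": [
        re.compile(r"\btdata\b", re.I),
        re.compile(r"TelegramDesktop|Telegram Desktop", re.I),
    ],
}

# Tools that package or move a directory; combined with a tdata reference
# this is the copy/exfil step the diary warns about.
EXFIL_RE = re.compile(r"\b(tar|zip|7z|cp|mv|scp|rsync|curl|wget|nc|base64)\b")
TDATA_RE = re.compile(r"tdata", re.I)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<session>\S+)\s+(?P<cmd>.+)$")


def classify(cmd):
    """Return the stage names (in STAGE_PATTERNS order) that one command matches."""
    return [stage for stage, pats in STAGE_PATTERNS.items()
            if any(p.search(cmd) for p in pats)]


def severity(state):
    """Map a session's observed stages to an alert level."""
    stages = state["stages"]
    if state["exfil"]:
        return "critical"   # tdata located and packaged/moved
    if "tdata_hunt" in stages:
        return "high"       # session data being searched for, no copy seen yet
    if "recon" in stages and "miner_check" in stages:
        return "medium"     # the pre-pivot pattern from the diary
    if stages:
        return "low"
    return "none"


def analyze(log_text):
    """
    Group commands by SSH session and score each one.
    Returns {session: {"stages": {stage: first matching command},
                       "exfil": bool, "severity": str}}.
    """
    sessions = defaultdict(lambda: {"stages": {}, "exfil": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        state = sessions[m["session"]]
        cmd = m["cmd"]
        for stage in classify(cmd):
            state["stages"].setdefault(stage, cmd)   # remember the first hit
        if EXFIL_RE.search(cmd) and TDATA_RE.search(cmd):
            state["exfil"] = True
    for state in sessions.values():
        state["severity"] = severity(state)
    return dict(sessions)


if __name__ == "__main__":
    for sid, state in analyze(SAMPLE_LOG).items():
        print(sid, state["severity"], sorted(state["stages"]))
```

The scoring is deliberately per-session rather than per-command: `find / -name tdata` on its own is suspicious, but the same session having first run `uname` and checked for `xmrig` is the specific chain the diary reports, and the `tar` of the tdata directory is what turns it into an account takeover. Feed it the command stream of whichever honeypot or audit source you run and alert on `high` and above.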

Article by CyberSIXT