NEWS
Cambodia Warns One Telegram File Can Hijack Your Whole Computer
Cambodian officials warn malware hidden in Telegram file attachments is hijacking accounts, the latest alert in a pattern stretching back to 2023.
A single file opened inside a Telegram chat can let a hacker steal a password, hijack an account or seize a computer, Cambodian authorities warned this week. The alert follows a spike in Telegram account thefts nationwide, with cybersecurity experts saying attackers are now writing the bait in Khmer to fool local users.
It is not the first such alert. Cambodian regulators have flagged Telegram based scams repeatedly since 2023, each one describing a slightly different trick, while Telegram’s own bot infrastructure has become a hacking shortcut that global security researchers now want blocked outright.
Seven File Extensions Cambodia Wants You to Avoid
Chea Vandeth, Cambodia’s minister of post and telecommunications, posted the warning to Facebook on July 11. Files ending in .exe, .bat, .vbs, .ps1, .sh, .msi and .scr, he said, can carry code that steals passwords and banking details or hands an attacker remote control of a device.
His advice was blunt: open files only from contacts you actually trust, check the extension before clicking anything, never hit “Run” or “Install” unless you are certain of the source, and keep antivirus software current. Put simply, the message boiled down to one click, total control.
| File Extension | What It Typically Does |
|---|---|
| .exe / .msi | Installs a program directly onto the device, often disguised as a legitimate installer |
| .bat / .vbs / .ps1 / .sh | Runs a script that can download more malware or open remote access to the machine |
| .scr | Masquerades as a screensaver file while executing hidden code in the background |
The General Department of Digital Technology and Education Dissemination said it has recorded a sharp increase in attempts to hijack Telegram accounts. Spokesperson Iv Veasna said attackers are increasingly targeting accounts linked to desktop computers, distributing the malware disguised as ordinary files.
Desktop clients are a specific target for a technical reason. Telegram’s desktop app stores session data locally in a folder nicknamed tdata, and malware that copies that folder off a victim’s machine can clone an active session without ever needing a password or a verification code.
“This technique has existed for years, but scammers are now taking advantage of Telegram’s growing popularity to reach more victims. Our investigations also suggest many of these attacks originate overseas,” Veasna said.

The Scam Bait Now Comes in Khmer
Chy Sophat, an information technology and digital security expert, said the government’s warning reflects cybercriminals growing more aggressive toward Telegram users generally. “Opening one of these files can do far more than lock someone out of Telegram. It can infect a computer with malware, expose sensitive information and spread the attack to other users,” Sophat said.
The tactic itself is not new, and versions of it have surfaced worldwide. What stood out to Sophat was how closely the bait now fits Cambodian habits. “What caught my attention is that scammers appear to be targeting Cambodian users by naming files and writing messages in Khmer to convince people the attachments are legitimate,” he said.
Sophat said many Cambodians also store passwords and other sensitive material directly inside Telegram, which raises the value of a hijacked account to a criminal. “If attackers gain access to a Telegram account, they can steal personal information and passwords, then use those credentials to break into other online accounts for financial gain or other criminal purposes,” he said.
Citing Kaspersky, a cybersecurity company, Veasna said stolen Telegram accounts are commonly used for investment scams, fake technical support schemes, job scams, impersonation, distributing malicious links and promoting fraudulent advertisements. Kaspersky researchers have traced comparable campaigns elsewhere: a spyware operation the company calls DarkMe reached victims in more than 20 countries after attackers hid the payload inside archives posted to Telegram channels aimed at fintech and trading users.
Elsewhere, Kaspersky has documented attackers overlaying malicious QR codes on top of legitimate ones or sending fake Telegram Premium gift links, tricks that hand over an account the moment a victim scans or taps without realizing they just approved a new device.
A Warning Cambodia Keeps Repeating
This week’s message is at least the fourth time in three years that Cambodian officials have asked the public to be careful on Telegram. Each version names a new twist.
- August 2023: The Ministry of Post and Telecommunications warned hacking attacks had reached an alarming level, describing fraudsters who posed as Telegram’s own management team to steal login codes.
- September 2025: Digital security expert Ngeth Moses told Khmer Times that the number of Telegram users being targeted was rising by the month, as regulators logged a wave of investment and prize scams.
- April 2026: The Telecommunication Regulator of Cambodia flagged scammers impersonating officials and business leaders to promote fake investment schemes promising fast returns.
- July 2026: The ministry’s warning shifted from phishing links to malware hidden inside file attachments, the alert at the center of this story.
The tools keep changing. The advice from officials, mostly some version of enable two step verification and do not click strange links, has stayed almost the same.
Telegram’s Bot API Doubles as Hacker Infrastructure
Cambodia’s malware problem sits inside a much larger pattern. Since October 2025, researchers at the cybersecurity consulting firm NVISO have tracked four separate malware campaigns that all lean on Telegram’s own infrastructure to operate, not just to deliver a first stage file.
One group, tracked as Lunar Spider, floods the internet with fake CAPTCHA pages that trick visitors into pasting a command into their own computer, a technique researchers call ClickFix. Once infected with Latrodectus malware, the victim’s browser data flows back to the attackers through Telegram’s own messaging system. A separate infostealer called Lumma renames Telegram channels to hide encrypted commands, so taking one channel down just means the operators open another.
NVISO’s conclusion was blunt: security teams with no legitimate business need for Telegram should consider blocking traffic to api.telegram.org entirely.
Telegram’s relationship with outside researchers has been prickly on smaller issues too. In March, Italy’s national cybersecurity agency warned of a flaw in how the app’s Android and Linux clients handle animated stickers, one researchers rated severe enough to score 9.8 out of 10 on the CVSS scale, the Common Vulnerability Scoring System used across the security industry. Telegram disputed that the bug existed at all.
Using messaging platforms like Telegram builds trust, leading victims to download malware without security warnings, which are less frequent compared to standard internet downloads.
Maher Yamout, a Kaspersky security expert, made that observation about why cybercriminals gravitate toward chat apps instead of ordinary phishing email. A file arriving inside a familiar Telegram thread carries an assumption of safety that a browser download never gets, whether the sender is in Phnom Penh or anywhere else.
- Nearly 415,000 attacks using fake versions of Telegram, WhatsApp, Zoom and Microsoft Teams were blocked worldwide by Kaspersky between January and April 2026, a volume the firm called broadly consistent with the year before.
- Almost sevenfold more malware disguised as AI tools hit small and medium businesses across Southeast Asia over the same four months compared with the same period in 2025, Kaspersky reported.
- 58,000 devices worldwide were infected by an Android backdoor posing as the Telegram X app, according to Russian security firm Doctor Web, mostly in Brazil and Indonesia, with roughly 20,000 infections still active.
None of those figures are specific to Cambodia. They describe the same delivery method now showing up in Khmer, already running at a much larger scale elsewhere.
What Should You Do After Clicking a Bad File?
Anyone who has opened a suspicious attachment should assume the device is compromised and move fast. Officials outlined a short sequence: cut off unknown Telegram sessions, change the Two-Step Verification password, run a full malware scan, log out of banking and other sensitive accounts, and reinstall the operating system if the infection cannot be confirmed clean.
- Terminate any unrecognized Telegram sessions immediately
- Change the Two-Step Verification password
- Scan the computer for malware
- Log out of banking and other online accounts
- Reinstall the operating system if the infection persists
Victims whose accounts were used to impersonate them, solicit money from contacts or run other fraud should report the incident to the National Police or the nearest provincial police office.
Getting an Account Back Is a Race Against the Clock
Veasna said people locked out of Telegram should first try logging in from a device the account has used before and requesting an SMS verification code. Telegram’s own password recovery tool, tied to a registered email and phone number, is the fallback, though officials cautioned that support responses can be slow.
Speed matters because of how Telegram’s session system works. Security researchers note that a hijacker who gains access typically has to stay logged in unnoticed for roughly a day before locking every other device out of the account, which gives victims a narrow window to reclaim control first.
Cambodian police have already shown they will act on such complaints. In June, the Anti-Cyber Crime Department arrested a man accused of using fake Telegram accounts bearing officials’ photos to threaten victims into paying him, a scheme he ran roughly 50 times that extorted more than US$110,000 in total before he was forwarded to the Phnom Penh Municipal Court. Anyone facing something similar can also call the National Police hotline at 117.
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI3 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
CRYPTO2 months agoOCC Issues AML Consent Order Against Wise and Crypto.com Sponsor Bank
-
AI4 days agoMeta’s Iris AI Chip Enters Production in September, Tests Clean
-
APPS1 month agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
