03-19-2026 11:56 PM
Hello everyone! I'm Arsen, Junior SOC Analyst and I've got some questions regarding the detection Evasive HTTP C2 Traffic Detection(89950). Recently, I have received several alerts, where the Destination IP was 91.108.56.132, which is related to AS 62014 (T. Messenger Inc). The user claimed that he used a T. Desktop Application and it seems to be a normal practice in our company, so I don't understand why Palo Alto triggers on this IP.
03-25-2026 06:24 PM
Hi @A.Tsadzikidze ,
Threat ID 89950 is an Anti-Spyware detection and appears to be based on behavioral analysis rather than just the destination IP itself. In other words, Palo Alto may be flagging the HTTP traffic pattern as C2-like, even if the destination belongs to Telegram.
Since you confirmed the user’s activity aligns with expected Telegram Desktop usage, it might be worh it to open a TAC case and including the threat logs and a packet capture so it can be reviewed properly.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
