Telegram, once a haven for secure communications, is now at the heart of a disturbing cybercrime campaign. Kaspersky experts have highlighted a global operation infiltrating the fintech world with a cleverly concealed espionage Trojan. A renowned threat actor, “DeathStalker,” is believed to have orchestrated this vast offensive, distributing malicious files via Telegram channels focused on trading and financial services. The malware targets sensitive data and has spread quietly across Europe, Asia, the Middle East and Latin America.
Kaspersky recently shed light on a large-scale cybercrime campaign using Telegram to distribute spyware of the Trojan type. This global attack primarily targets the fintech and trading industries, seeking to steal sensitive data and take control of users’ devices.
Behind this operation is believed to be DeathStalker, an APT (Advanced Persistent Threat) actor known for its specialized hacking services. By exploiting Telegram channels focused on fintech, they disseminated the DarkMe malware, a remote access Trojan designed to steal information and execute commands remotely.
The attackers were using archives on Telegram to conceal harmful files, which, once executed, triggered the installation of the malware in question. This inventive method underscores the need for heightened vigilance, even with instant messaging applications.
Kaspersky detects a global threat
The renowned cybersecurity company Kaspersky recently discovered a vast cybercrime campaign targeting fintech and trading industries. These attacks, fueled by Trojan-type spyware, have been distributed via Telegram, a messaging app favored for its robust encryption. According to Kaspersky, this campaign could potentially affect victims in over twenty countries, covering regions like Europe, Asia, Latin America, and the Middle East. Cybercriminals cleverly used dedicated Telegram channels to approach their targets.
The hackers’ modus operandi revealed
Instead of traditional phishing methods, cybercriminals opted for Telegram to deliver their malware. The posts often included seemingly harmless archives that in fact contained malicious software capable of stealing sensitive information and taking control of devices. The attackers’ strategy relies on the trust placed in instant messaging channels, often perceived as more secure than traditional download platforms. Additionally, files downloaded via these apps trigger fewer security alerts, providing a strategic advantage for these malicious actors.
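The delivery method described above and in the earlier paragraph (an archive shared in a chat that hides an executable behind a harmless-looking name) is something a defender can check for before a user ever opens the file. The following is an added example, not code from Kaspersky or from the campaign analysis: it inspects every member of a ZIP archive and flags those that carry a PE header (the `MZ` stub), an executable or script extension, or a document-style double extension such as `.pdf.exe`, whatever name they were given. The archive and its contents are constructed inline, so the check runs offline; the file names and the extension lists are illustrative assumptions, not indicators from the campaign.

```python
"""Flag archive members that are executables regardless of the name they carry.

Added illustration for the archive-based delivery described in the article;
this is not code from Kaspersky or from the campaign analysis.  The sample
archive below is constructed here so the check can be run as-is, offline.
"""
from __future__ import annotations

import io
import zipfile

# Windows PE files begin with the DOS "MZ" stub; renaming the file does not change that.
PE_MAGIC = b"MZ"
# Extensions Windows will execute or interpret on double-click (illustrative list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# File types a trading or fintech chat would normally exchange (illustrative list).
DOCUMENT_EXTENSIONS = {".pdf", ".xlsx", ".docx", ".png", ".jpg", ".txt", ".csv"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons (possibly none) why this archive member looks executable.

    `name` is the member path inside the archive, `head` its first bytes.
    """
    reasons: list[str] = []
    basename = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in basename.split(".")[1:]]
    last = exts[-1] if exts else ""

    if head.startswith(PE_MAGIC):
        # Content check first: a PE file under a document name is the case an
        # extension-only filter misses.
        if last in EXEC_EXTENSIONS:
            reasons.append("PE executable")
        else:
            reasons.append(f"PE content under non-executable name {last or '(none)'}")
    elif last in EXEC_EXTENSIONS:
        reasons.append(f"executable/script extension {last}")

    # "Report.pdf.exe": the visible part reads like a document, the real extension does not.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXEC_EXTENSIONS:
        reasons.append(f"document-style double extension {exts[-2]}{last}")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one harmless CSV and two 'documents' that are really PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prices.csv", "ticker,close\nEXAMPLE,100.0\n")
        # Double extension: Explorer with hidden extensions shows "Quarterly_Report.pdf".
        zf.writestr("Quarterly_Report.pdf.exe", PE_MAGIC + b"\x00" * 62)
        # Name says PDF, content says PE: caught by the magic-byte check alone.
        zf.writestr("Strategy_2024.pdf", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

The check deliberately looks at content before names, because the name is the part the sender controls most easily; in a mail or chat gateway the same two-byte read is cheap enough to apply to every archive member. It covers only ZIP here; other archive formats need the equivalent member iteration but the same classification logic.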
DeathStalker: mercenaries of cyberspace?
The campaign appears to be the work of DeathStalker, a group of cybermercenaries known for their on-demand hacking activities. Active since at least 2018, they primarily target small and medium enterprises in the financial and legal sectors. DeathStalker stands out for its ability to develop sophisticated tools and its deep understanding of the advanced persistent threat ecosystem. However, their main goal does not seem to be stealing funds, but rather collecting business and financial information for third-party clients, making them particularly insidious and difficult to trace.