Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams


Security researchers have uncovered a large-scale fraud campaign that uses Telegram’s Mini App feature to run cryptocurrency scams, impersonate well-known brands and distribute Android malware.

The FEMITBOT platform

CTM360 researchers have dubbed the platform FEMITBOT, after a string that appears in its API responses. It uses Telegram bots with embedded Mini Apps to build convincing, app-like experiences directly inside the messaging platform.
Mini Apps are lightweight web apps that run inside Telegram’s built-in browser (WebView), so services such as payments, interactive tools and account access can be offered without the user ever leaving the application.

Exploiting Telegram Mini Apps

The FEMITBOT platform hosts a range of scams, including financial fraud, fake AI tools, fake streaming sites and bogus cryptocurrency platforms.
In several campaigns the operators impersonated well-known brands to boost engagement and credibility, while sharing the same backend infrastructure across multiple Telegram bots and domains.

Brands impersonated

The brands impersonated in this campaign include Disney, eBay, Youku, NVIDIA, MoonPay, Apple and Coca-Cola.
The campaigns share a common backend: different phishing domains returned the same API response, “Welcome to join the FEMITBOT platform,” indicating that they all run on the same infrastructure.

Telegram bots as the delivery channel

The campaign used Telegram bots to serve phishing websites directly inside the messaging app. Once a user interacts with a bot and taps “Start,” the bot launches a Mini App that renders a phishing page inside Telegram’s default WebView, so the user is led to believe the page is part of Telegram itself.
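To make the mechanism concrete, the following added example (not code from CTM360’s report or from Telegram) shows where a Mini App launch URL lives in a Bot API message: the `web_app` field of a keyboard button. It parses a constructed message of the kind a scam bot might send after “Start,” pulls out every `web_app.url`, and flags hosts that borrow a brand name but are not on a hypothetical allowlist. The message, the `.invalid` domains, the allowlist and the brand keyword list are all assumptions made up for the example.

```python
"""Find Telegram Mini App launch URLs in a Bot API message and triage them.

Added example, not CTM360's or Telegram's code. The message, the allowlist and
the brand keyword list are assumptions constructed for this example.
"""
import json
from urllib.parse import urlparse

# Constructed sample, shaped like the Bot API "Message" object a bot sends after
# /start. Placeholder (.invalid) domains, not indicators from the report.
SAMPLE_MESSAGE = json.loads("""
{
  "message_id": 42,
  "chat": {"id": 123456, "type": "private"},
  "text": "Welcome! Tap below to claim your bonus.",
  "reply_markup": {
    "inline_keyboard": [
      [{"text": "Claim bonus", "web_app": {"url": "https://nvidia-bonus-claim.invalid/app?ref=1"}}],
      [{"text": "Support", "url": "https://t.me/example_support_bot"}],
      [{"text": "Account", "web_app": {"url": "https://app.example.com/home"}}]
    ]
  }
}
""")

# Hypothetical allowlist: hosts this bot is expected to launch Mini Apps from.
ALLOWED_HOSTS = {"app.example.com"}
# Hypothetical brand keywords a lookalike host might borrow (lower-case).
BRAND_KEYWORDS = ("nvidia", "ebay", "disney", "apple", "moonpay", "youku", "cocacola")


def extract_web_app_urls(message: dict) -> list[str]:
    """Return every web_app.url found in the message's inline or reply keyboard.

    Only buttons with a web_app field open a Mini App inside Telegram's WebView;
    plain url buttons open the external browser and are ignored here.
    """
    markup = message.get("reply_markup") or {}
    rows = list(markup.get("inline_keyboard", [])) + list(markup.get("keyboard", []))
    urls = []
    for row in rows:
        for button in row:
            web_app = button.get("web_app") or {}
            if "url" in web_app:
                urls.append(web_app["url"])
    return urls


def classify(url: str, allowed_hosts=ALLOWED_HOSTS, brands=BRAND_KEYWORDS) -> str:
    """Label a Mini App URL as 'allowed', 'brand-lookalike' or 'unknown-host'."""
    host = (urlparse(url).hostname or "").lower()
    if host in allowed_hosts:
        return "allowed"
    # Strip separators so "nvidia-bonus" and "n_vidia" style hosts still match.
    compact = host.replace("-", "").replace("_", "")
    if any(brand in compact for brand in brands):
        return "brand-lookalike"
    return "unknown-host"


def triage(message: dict) -> dict[str, str]:
    """Map each Mini App URL in the message to its verdict."""
    return {url: classify(url) for url in extract_web_app_urls(message)}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_MESSAGE).items():
        print(f"{verdict:16s} {url}")
```

Run against a real bot’s replies (for example from a `getUpdates` poll or a saved chat export), the same walk over `reply_markup` tells you exactly which pages Telegram would render in its WebView, which is the surface a user sees as “part of the app.”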

Tricking users via phishing tactics

Once inside, targets are shown dashboards with fake balances, countdown timers and limited-time offers designed to keep them engaged.
When a user tries to withdraw funds, they are asked to make a deposit first or to recruit referrals, a classic advance-fee and investment-scam tactic.
The infrastructure is built to be reused across campaigns so that operators can switch quickly between brands, themes and languages. The campaigns also embed tracking scripts such as TikTok and Meta pixels to trace user activity, measure interactions and optimise conversion.
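The shared API greeting and the reused tracking pixels are exactly the artefacts an analyst can pivot on to map the campaign. The following added example (not CTM360’s tooling) takes a set of constructed captures, one per domain, each with the JSON body of the site’s API response and the HTML of its landing page, extracts the FEMITBOT welcome string and any Meta or TikTok pixel IDs, and groups domains that share any of those fingerprints. The `.invalid` domains and the pixel IDs are invented; only the welcome string comes from the report.

```python
"""Cluster phishing domains by shared backend fingerprints.

Added example, not CTM360's tooling. Domains and pixel IDs below are invented;
only the welcome string is the one quoted in the report.
"""
import re
from collections import defaultdict

# Constructed captures: (domain, JSON body of the site's API response,
# HTML of the landing page). Placeholder .invalid domains, made-up pixel IDs.
CAPTURES = [
    ("brand-a-rewards.invalid",
     '{"code":0,"msg":"Welcome to join the FEMITBOT platform","data":{}}',
     "<script>fbq('init','111222333');ttq.load('ABC123');</script>"),
    ("brand-b-bonus.invalid",
     '{"code":0,"msg":"Welcome to join the FEMITBOT platform","data":{}}',
     "<script>fbq('init','111222333');</script>"),
    ("unrelated-shop.invalid",
     '{"status":"ok","msg":"Welcome back"}',
     "<script>fbq('init','999888777');</script>"),
    ("brand-c-vip.invalid",
     '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
     "<script>ttq.load('ABC123');</script>"),
]

# The API greeting CTM360 found on every FEMITBOT domain.
WELCOME_MARKER = "Welcome to join the FEMITBOT platform"
# Meta pixel: fbq('init', '<numeric id>'); TikTok pixel: ttq.load('<id>').
META_PIXEL_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TIKTOK_PIXEL_RE = re.compile(r"ttq\.load\(\s*['\"]([A-Za-z0-9]+)['\"]")


def fingerprint(api_body: str, html: str) -> set[str]:
    """Extract backend-identifying features from one domain's responses."""
    features = set()
    if WELCOME_MARKER in api_body:
        features.add("api:femitbot-welcome")
    for pixel_id in META_PIXEL_RE.findall(html):
        features.add(f"meta:{pixel_id}")
    for pixel_id in TIKTOK_PIXEL_RE.findall(html):
        features.add(f"tiktok:{pixel_id}")
    return features


def cluster(captures):
    """Group domains that share at least one fingerprint (union-find)."""
    parent = {}
    by_feature = defaultdict(list)

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for domain, api_body, html in captures:
        parent[domain] = domain
        for feature in fingerprint(api_body, html):
            by_feature[feature].append(domain)

    # Every domain carrying a feature is joined to the first domain seen with it.
    for domains in by_feature.values():
        for other in domains[1:]:
            union(domains[0], other)

    members = defaultdict(set)
    for domain in parent:
        members[find(domain)].add(domain)

    result = []
    for group in members.values():
        # Report only the features that actually link two or more members.
        links = sorted(f for f, ds in by_feature.items() if len(set(ds) & group) >= 2)
        result.append({"domains": sorted(group), "links": links})
    return sorted(result, key=lambda r: r["domains"])


if __name__ == "__main__":
    for group in cluster(CAPTURES):
        print(", ".join(group["domains"]), "<-", group["links"] or "no shared features")
```

Pixel IDs are a stronger link than a greeting string because an operator has to reuse the same advertising account to keep the analytics useful, which is precisely the marketing-style optimisation the report describes; a domain that shares only a generic welcome message should be treated as a weaker lead.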

Malware distribution via mini apps

In addition, some Mini Apps attempted to distribute malware, pushing Android APKs branded as companies such as the BBC, NVIDIA, CineTV, CoreWeave and Claro.
“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
