A large-scale fraud and malware operation called FEMITBOT that abuses Telegram Mini Apps to steal cryptocurrency and infect Android devices. The campaign shows how trusted in-app web experiences can be turned into powerful tools for social engineering and credential theft. Telegram Mini Apps are lightweight web applications that run inside Telegram, offering seamless login, payments, […]
The post FEMITBOT Network Exploits Telegram Mini Apps to Spread Crypto Scams and Android Malware appeared fir
What happened CTM360 researchers have uncovered a large-scale fraud operation using Telegram’s Mini App feature to run cryptocurrency scams, impersonate major brands, and distribute Android malware. The platform behind the operation, dubbed FEMITBOT based on a string found in API responses, uses Telegram bots and embedded Mini Apps to create convincing app-like experiences within the […]
The post Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery appeared first on CISO Whisp
Cybersecurity researchers at Guardio Labs have uncovered a massive phishing operation dubbed AccountDumpling that has compromised more than 30,000 Facebook accounts worldwide. Unlike conventional phishing campaigns that rely on spoofed domains or compromised SMTP servers, this Vietnamese-linked operation abuses Google AppSheet to deliver fully authenticated malicious emails. Because the messages originate from legitimate Google infrastructure, […]
The post Massive Facebook Phishing Operation Lev
Hackers are experimenting with a new Telegram‑focused session stealer that hides in a Pastebin‑hosted PowerShell script posing as a Windows telemetry update, giving defenders a rare view into how such tools are built and tested. The script does not attempt to grab passwords or browser credentials; instead, it focuses entirely on Telegram’s desktop client data […]
The post Hackers Exploit Pastebin PowerShell Script to Hijack Telegram Sessions appeared first on GBHackers Security | #1 Globally Tru
The post Bot Revolution: How Telegram’s New “Manager Mode” Lets AI Agents Spawn Their Own Sub-Bots appeared first on Daily CyberSecurity.
APT37 is running a new targeted intrusion campaign that abuses Facebook, Telegram, and a tampered Wondershare PDFelement installer to gain stealthy access and exfiltrate sensitive data, likely from defense‑related targets. The operation shows a continued evolution of APT37’s social engineering and evasion tradecraft, and demands behavior‑based EDR capable of spotting process injection, abused cloud storage, […]
The post APT37 Uses Facebook, Telegram, and Trojanized Installer in New Targeted Cybe
The post The AI Collective: Telegram Unlocks Autonomous “Bot-to-Bot” Dialogue for Multi-Agent Workflows appeared first on Daily CyberSecurity.
The post Trolling as a Service: How the New CrystalX RAT Uses “Prankware” to Torture Its Victims appeared first on Daily CyberSecurity.
Hackers are actively promoting a new malware-as-a-service (MaaS) platform called CrystalX RAT through private Telegram channels, offering cybercriminals a powerful toolkit that combines remote access, data theft, surveillance, and even prank-based disruption features. Security researchers identified the campaign in March 2026, noting that the malware is being sold under a subscription model with three pricing […]
The post CrystalX Malware-as-a-Service Spreads via Telegram With Stealer, RAT Tools
A critical Telegram flaw could allow zero-click remote code execution on devices, but Telegram denies it.
Researcher Michael DePlante (@izobashi) of TrendAI Zero Day disclosed a new Telegram vulnerability through Zero Day Initiative (ZDI).
The vulnerability, tracked as ZDI-CAN-30207 (CVSS score of 9.8), allows attackers to execute code on targeted devices without any user interaction. This vulnerability is especially dangerous because an attacker can exploit it simply by sending a malicious animated sticker, with no action required from the victim. The vulnerability lies in how Telegram automatically processes media to generate previews, allowing crafted files to trigger code execution.
The flaw poses a serious security risk, especially as no patch is currently available, raising concerns across the cybersecurity community.
The vulnerability affects Telegram on Android and Linux; if exploited, it allows attackers to take full control of a device.
At this time it is unclear if threat actors have already exploited it in attacks in the wild.
The Zero Day Initiative did not disclose technical details about the vulnerability to give the company time to address it by July 24, 2026.
The Italian National Cybersecurity Agency (ACN) reported that Telegram has denied the disclosed zero-click vulnerability, stating it does not exist. The company says all stickers are validated server-side before delivery, preventing malicious files from being used as an attack vector and making code execution via stickers technically impossible.
“Following direct discussions, Telegram Messenger has formally denied the existence of the previously reported zero-click vulnerability, stating that the flaw does not exist. The vendor claims that every sticker uploaded to the platform undergoes mandatory validation on its servers before being distributed to client applications.” reads an update published on the ACN’s advisory. “According to this official position, the centralized filtering process prevents corrupted stickers from being used as an attack vector, making it technically impossible to execute malicious code through this method.”
As a mitigation measure, Telegram Business users can limit incoming messages from new contacts. In Settings → Privacy and Security → Messages, they can restrict messages to saved contacts or Premium users only.
Exploits targeting popular platforms like Telegram can be worth millions on underground markets, and threat actors can quickly weaponize them.
Hackers are deploying a new Windows malware called ResokerRAT, a Telegram‑based Remote Access Trojan (RAT) that gives attackers stealthy remote control over infected systems. Instead of relying on a traditional command‑and‑control (C2) server, ResokerRAT abuses the Telegram Bot API to receive commands and exfiltrate data, blending in with legitimate encrypted traffic. When the user runs Resoker.exe, […]
The post Telegram-Based ResokerRAT Adds Screenshot Capture and Persistence appeared first on
The post Telegram Denies “Zero-Click” Sticker Exploit as 9.8 CVSS Security Alert Ignites a Global Standoff appeared first on Daily CyberSecurity.
A fast-evolving information‑stealing malware dubbed “Torg Grabber” that has shifted from simple Telegram‑based exfiltration to a hardened, encrypted REST API command‑and‑control (C2) channel fronted by Cloudflare. The operation surfaced when a 747 KB 64‑bit sample initially tagged as Vidar was found to be fundamentally different from known Vidar builds, exposing an internal debug string “grabber […]
The post Torg Grabber Malware Shifts from Telegram Exfiltration to Encrypted REST API for C2 appe
Iran-linked actors use Telegram as C2 to spread malware targeting dissidents and journalists, enabling surveillance and data theft.
The FBI warns that Iran’s Ministry of Intelligence and Security (MOIS) runs cyber campaigns using Telegram as a command-and-control infrastructure to deliver malware. Threat actors target Iranian dissidents, journalists, and opposition groups worldwide.
Once deployed, the malware enables surveillance, data theft, and reputational damage against victims. The activity reflects ongoing Iranian cyber operations amid rising geopolitical tensions in the Middle East.
The FBI released this alert to raise awareness and help defenders understand the tactics used in these campaigns, urging organizations and individuals to adopt mitigation measures to reduce the risk of compromise.
The FBI says Iran’s MOIS has used multiple malware variants since late 2023 to target Windows systems linked to dissidents, journalists, and opposition groups, though any person of interest could be targeted. Attackers rely on social engineering to disguise malware as legitimate software, then deploy multi-stage payloads that connect infected devices to Telegram-based command-and-control, enabling remote access, screen capture, and data theft.
In 2025, the group “Handala Hack” claimed hack-and-leak operations against critics of Iran, likely using this malware. The FBI links it to MOIS and to “Homeland Justice.” These actors combine APT tactics with disinformation, stealing and selectively leaking data to cause reputational and political damage, supporting Iran’s broader geopolitical goals.
The FBI analyzed malware used in Iran-linked campaigns and identified a multi-stage infection chain. Stage 1 malware disguises itself as legitimate apps like Telegram, KeePass, or WhatsApp and delivers the next payload. Once executed, it installs a persistent implant (stage 2) that connects to a Telegram-based command-and-control system, enabling two-way communication with infected devices.
“The persistent implant malware spawned following the masquerading malware’s execution and possible user interaction with the malicious application. At this stage, the Iran MOIS cyber actors configured a command and control (C2) using a Telegram bot, allowing bidirectional communication between the compromised device and api.telegram[.]org.” reads the Flash alert published by FBI. “FBI considered the masquerading malware and persistent implant to be core functionality for the malware campaign.”
Attackers use social engineering, posing as trusted contacts or support staff, to convince victims to download these files. They often tailor the malware to the victim’s behavior, suggesting prior reconnaissance.
“The Iranian cyber actors then convinced the victim to accept a file transfer consisting of the masquerading stage 1 malware. When the victim opened the file, the malware infected the victim’s device and launched the persistent implant stage 2 malware.” continues the report. “Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim.”
After initial access, additional tools are deployed to maintain persistence and avoid detection, including registry changes and PowerShell abuse.
The malware can record screens and audio, capture data, compress files, and exfiltrate them via Telegram, giving attackers long-term access and control over compromised systems.
“The malware campaign used multiple malware samples to exfiltrate data.” concludes the report. “These included the following samples:
MicDriver.exe/MicDriver.dll
Winappx.exe
MsCache.exe
RuntimeSSH.exe
smqdservice.exe
Functionality of the above-mentioned malware samples included: Screen recordings and audio, cache captures, perform file compression with a password, perform file deletion, and stage compressed files to be sent to api.telegram[.]org.”
The FBI urges caution with unexpected or unusual messages, even from known contacts. Keep devices updated, download software only from trusted sources, use antivirus tools, and enable strong passwords with MFA. Report suspicious activity to providers or authorities.
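The alert's core detection opportunity is that the stage 2 implant talks to the public Telegram Bot API endpoint (api.telegram[.]org) from processes that have no business doing so. The following is an added example (not FBI tooling or code from the alert) that scans an assumed, constructed CSV endpoint log of outbound connections and flags Telegram Bot API traffic from any process that is not on a short approved list, with an extra signal for the sample names the alert quotes. The log format, the approved-process list and the sample rows are assumptions for illustration.

```python
"""Flag Telegram Bot API traffic from unexpected processes (constructed example)."""
import csv
import io
from dataclasses import dataclass
from typing import List

# C2 endpoint named in the FBI Flash alert quoted above.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Processes you have explicitly approved to use the Bot API, e.g. your own
# alerting bots. Assumed list for this example; keep it short and tune it.
APPROVED_BOT_API_PROCESSES = {"ops-alert-bot.exe"}

# Sample file names quoted in the FBI alert; matching one is a strong signal.
KNOWN_SAMPLE_NAMES = {
    "micdriver.exe", "micdriver.dll", "winappx.exe", "mscache.exe",
    "runtimessh.exe", "smqdservice.exe",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    reason: str


def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per outbound connection to the Bot API that is
    either from a known sample name or from an unapproved process."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise to the bare image name so path variations do not matter.
        proc = row["process_image"].rsplit("\\", 1)[-1].lower()
        dest = row["dest_host"].strip().lower()
        if dest not in TELEGRAM_API_HOSTS:
            continue
        if proc in KNOWN_SAMPLE_NAMES:
            reason = "known sample name contacting Telegram Bot API"
        elif proc not in APPROVED_BOT_API_PROCESSES:
            reason = "unapproved process contacting Telegram Bot API"
        else:
            continue  # approved bot process; benign by policy
        findings.append(Finding(row["timestamp"], row["host"], proc, reason))
    return findings


# Constructed sample log (assumed schema); not real telemetry.
SAMPLE_LOG = """timestamp,host,process_image,dest_host,dest_port
2026-03-01T09:00:01Z,WS01,C:\\Tools\\ops-alert-bot.exe,api.telegram.org,443
2026-03-01T09:02:17Z,WS01,C:\\ProgramData\\MicDriver.exe,api.telegram.org,443
2026-03-01T09:03:44Z,WS02,C:\\Windows\\Temp\\updater.exe,api.telegram.org,443
2026-03-01T09:04:10Z,WS02,C:\\Program Files\\Mozilla Firefox\\firefox.exe,example.com,443
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.process}: {f.reason}")
```

Because the traffic is TLS to a legitimate Telegram domain, the useful pivot is the process-to-destination pairing rather than the payload, so feed this from endpoint telemetry that records the originating image.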
Malicious ‘Pyronut’ is a trojanized Python package that backdoors Telegram bots and userbots, giving attackers remote code execution over both the Telegram session and the underlying host system. The malicious package, pyronut, was uploaded to PyPI as a fake alternative to pyrogram, a widely used Telegram MTProto API framework with around 370,000 monthly downloads. Instead of […]
The post Pyronut Package Backdoors Telegram Bots With RCE appeared first on GBHackers Security | #1 Globally Trust
The evolution of Iranian cyber operations in broad context: from custom wiper malware to misuse of legitimate admin tools and more.
The post Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization appeared first on Unit 42.
A fake purchase order attachment turned out to be a phishing page designed to harvest your login details.
The post Purchase order attachment isn’t a PDF. It’s phishing for your password appeared first on Security Boulevard.
A major stolen credit card data trafficking case has drawn international attention after a Chilean national was extradited to the United States for allegedly selling tens of thousands of compromised payment card details through online channels. According to the U.S. Department of Justice, Alex Rodrigo Valenzuela Monje, also known as “VAL4K,” was extradited from Chile to the United States on February 25, 2026, and arraigned in federal court in Salt Lake City. The 24-year-old faces charges tied to stolen credit card data trafficking and unlawful transfer of identification information to facilitate criminal activity.
The indictment alleges that between May 2021 and August 2023, Valenzuela Monje operated an illegal online card shop that distributed unauthorized access devices—commonly referred to in cybercrime circles as “dumps”—through Telegram channels.
Telegram Carding Marketplace Allegedly Distributed Over 26,000 Stolen Cards
Court documents claim that the accused managed Telegram channels named MacacoCC Collective and Novato Carding, offering payment card data linked to thousands of U.S. consumers. Investigators allege that under just one credit card brand alone, the operation trafficked information tied to approximately 26,528 cards.
The stolen credit card data trafficking operation reportedly included sensitive data such as account numbers, cardholder names, expiration dates, and CVV codes, details that can enable fraudulent transactions and identity-based financial crimes.
Authorities say the use of Telegram reflects a broader trend in carding cybercrime, where threat actors rely on encrypted messaging platforms to evade detection while running scalable digital marketplaces.
This model has become increasingly common across dark web ecosystems, allowing cybercriminals to reach global buyers without maintaining traditional web infrastructure.
International Cybercrime Extradition Signals Stronger Enforcement Push
The extradition process began after a sealed indictment was issued by a federal grand jury in 2023. The United States formally requested extradition, which was initially approved by the Chilean Supreme Court in April 2025. Following appeals, Valenzuela Monje was arrested in January 2026 before being transferred to U.S. authorities.
The case was investigated by the Federal Bureau of Investigation (FBI) with support from international partners, highlighting the growing coordination behind international cybercrime extradition efforts.
“I want to thank our federal partners for their dedication in investigating individuals in foreign countries who use the internet to commit crimes against our citizens,” said U.S. Attorney Melissa Holyoak of the District of Utah. “Individuals may believe they can hide behind foreign borders, but the United States is committed to investigating and prosecuting these cybercrimes targeting Americans.”
“This extradition sends a clear message to cybercriminals everywhere that geography will not shield you from accountability,” said Special Agent in Charge Robert Bohls of the Salt Lake City FBI. “Even when operating from abroad, those who exploit technology to victimize American companies and citizens will be identified, located, and brought to justice. Our international partnerships, alongside our work with the Utah Department of Public Safety, remain among the FBI's most powerful tools in targeting and dismantling cyber threats.”
Stolen Credit Card Data Trafficking Continues to Scale Through Digital Platforms
The stolen credit card data trafficking case reflects a larger cybersecurity reality: digital financial crime is no longer limited by geography. Messaging platforms, cryptocurrency payments, and automated data distribution tools have significantly lowered the barrier for cybercriminal operations.
While law enforcement actions like this extradition demonstrate progress, the persistence of carding marketplaces suggests that enforcement alone may not be enough. Financial institutions, technology platforms, and consumers must all play a role in reducing the value of stolen data through stronger fraud detection and identity verification controls.
Valenzuela Monje has pleaded not guilty, and the case will proceed through the U.S. judicial system. As investigations continue, the incident serves as a reminder that stolen credit card data trafficking remains one of the most active—and profitable—forms of cybercrime in today’s digital economy.