Not‑so‑personal messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets

ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers – a type of malware that steals or modifies the contents of the clipboard. All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Key points of this blogpost:

  • ESET Research has found the first instance of clippers built into instant messaging apps.
  • Threat actors are going after victims' cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows.
  • The malware can switch the cryptocurrency wallet addresses the victim sends in chat messages for addresses belonging to the attacker.
  • Some of the clippers abuse optical character recognition to extract text from screenshots and steal cryptocurrency wallet recovery phrases.
  • In addition to clippers, we also found remote access trojans (RATs) bundled with malicious Windows versions of WhatsApp and Telegram.

Prior to the establishment of the App Defense Alliance, we discovered the first Android clipper on Google Play, which led to Google improving Android security by restricting system-wide clipboard operations for apps running in the background on Android 10 and higher. As our latest findings unfortunately show, this measure did not weed the problem out completely: not only did we identify the first instant messaging clippers, we uncovered several clusters of them. The main purpose of the clippers we discovered is to intercept the victim's messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps.

Of course, these are not the only copycat applications to go after cryptocurrencies – just at the beginning of 2022, we identified threat actors focused on repackaging legitimate cryptocurrency applications that try to steal recovery phrases from their victims' wallets.

Overview of the trojanized apps

Because of the different architecture of Telegram and WhatsApp, the threat actors had to choose a different approach to create trojanized versions of each of the two. Since Telegram is an open-source app, altering its code while keeping the app's messaging functionality intact is relatively easy. On the other hand, WhatsApp's source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app's functionality to identify the specific places to be modified.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. For ease of analysis and explanation, we split the apps into several clusters based on these functionalities; in this blogpost, we will describe four clusters of Android clippers and two clusters of malicious Windows apps. We will not go into the threat actors behind the apps, as there are several of them.

Before briefly describing these app clusters though, what is a clipper and why would cyberthieves use one? Loosely, in malware circles, a clipper is a piece of malicious code that copies or modifies content in a system's clipboard. Clippers are thus attractive to cybercriminals interested in stealing cryptocurrency because addresses of online cryptocurrency wallets are composed of long strings of characters, and instead of typing them, users tend to copy and paste the addresses using the clipboard. A clipper can take advantage of this by intercepting the content of the clipboard and surreptitiously replacing any cryptocurrency wallet addresses there with one the thieves can access.

Cluster 1 of the Android clippers also constitutes the first instance of Android malware using OCR to read text from screenshots and images stored on the victim's device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code comprised of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

Compared to Cluster 1's use of advanced technology, Cluster 2 is very straightforward. This malware simply switches the victim's cryptocurrency wallet address for the attacker's address in chat communication, with the addresses either being hardcoded or dynamically retrieved from the attacker's server. This is the only Android cluster where we identified trojanized WhatsApp samples in addition to Telegram.

Cluster 3 monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker server.

Finally, the Android clippers in Cluster 4 not only switch the victim's wallet address, but also exfiltrate internal Telegram data and basic device information.

Regarding the Windows malware, there was a cluster of Telegram cryptocurrency clippers whose members simply intercept and modify Telegram messages in order to switch cryptocurrency wallet addresses, just like the second cluster of Android clippers. The difference is in the source code of the Windows version of Telegram, which required additional analysis on the part of the malicious actors to be able to implement inserting their own wallet address.

In a departure from the established pattern, the second Windows cluster is not comprised of clippers, but of remote access trojans (RATs) that enable full control of the victim's system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.


Based on the language used in the copycat applications, it appears that the operators behind them mainly target Chinese-speaking users.

Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them. Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.

In the case of the attacks described in this blogpost, the threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirect the unfortunate viewers to copycat Telegram and WhatsApp websites, as illustrated in Figure 1. On top of that, one particular Telegram group also advertised a malicious version of the app that claimed to offer a free proxy service outside of China (see Figure 2). As we discovered these fraudulent ads and related YouTube channels, we reported them to Google, which promptly shut all of them down.

Figure 1. Distribution diagram

Figure 2. Trojanized Telegram app offered in a Telegram group

At first glance, it might seem that the way these copycat apps are distributed is quite convoluted. However, it is possible that with Telegram, WhatsApp, and the Google Play app all being blocked in China, Android users there are used to jumping through several hoops if they want to obtain officially unavailable apps. Cybercriminals are aware of this and try to ensnare their victims right from the start – when the victim searches Google for either a WhatsApp or a Telegram app to download. The threat actors bought Google Ads (see Figure 3) that redirect to YouTube, which both helps the attackers get to the top of search results and avoids getting their fake websites flagged as scams, since the ads link to a legitimate service that Google Ads presumably considers very trustworthy.

Figure 3. Paid advertisement when searching for Chinese Telegram

The links to the copycat websites can usually be found in the "About" section of the YouTube channels. An example of such a description can be seen in a very rough translation in Figure 4.

Figure 4. Fraudulent WhatsApp YouTube channel that points to a fake website

During our research, we found hundreds of YouTube channels pointing to dozens of counterfeit Telegram and WhatsApp websites – some can be seen in Figure 5. These sites impersonate legitimate services (see Figure 6) and offer both desktop and mobile versions of the app for download. None of the analyzed apps were available on the Google Play store.

Figure 5. Fake channels available on YouTube

Figure 6. Websites mimicking Telegram and WhatsApp


We found various types of malicious code being repackaged with legitimate Telegram and WhatsApp apps. While the analyzed apps sprang up at roughly the same time using a very similar pattern, it appears that they were not all developed by the same threat actor. Apart from most of the malicious apps being able to replace cryptocurrency addresses in Telegram and WhatsApp communications, there are no indications of further connections between them.

While the fake websites offer download links for all operating systems on which Telegram and WhatsApp are available, all Linux and macOS links, as well as most iOS links, redirect to the services' official websites. In the case of the few iOS links that do lead to fraudulent websites, the apps were no longer available for download at the time of our analysis. Windows and Android users thus constitute the main targets of the attacks.

Android trojans

The main purpose of the trojanized Android apps is to intercept victims' chat messages and either switch any cryptocurrency wallet addresses for those belonging to the attackers, or exfiltrate sensitive information that would allow attackers to steal victims' cryptocurrency funds. This is the first time we have seen clippers that specifically target instant messaging.

To be able to modify messages, the threat actors had to thoroughly analyze the original code of both services' apps. Since Telegram is an open-source application, the cybercriminals only had to insert their own malicious code into an existing version and compile it; in the case of WhatsApp, however, the binary had to be modified directly and repackaged to add the malicious functionality.

We observed that when replacing wallet addresses, the trojanized apps for Telegram behave differently from those for WhatsApp. A victim using a malicious Telegram app will keep seeing the original address until the application is restarted, whereupon the displayed address will be the one that belongs to the attacker. In contrast, the victim's own address will be seen in sent messages when using a trojanized WhatsApp, while the message recipient will receive the attacker's address. This is shown in Figure 7.

Figure 7. Malicious WhatsApp (left) replaced the sent wallet address in the message for the recipient (right)

Cluster 1

Cluster 1 is the most intriguing, since its members constitute the first known instance of OCR abuse in any Android malware. In this case, trojanized Telegram apps use a legitimate machine learning plugin called ML Kit on Android to search the victim's device for images with .jpg and .png extensions, the most common screenshot formats on Android. The malware looks for screenshots of cryptocurrency wallet recovery phrases (also known as mnemonics) that the victim might have saved on the device as a backup.

Malicious functionality that iterates through files on the device and runs them through the OCR recognizeText function can be seen in Figure 8.

Figure 8. Malicious code responsible for retrieving images and pictures from the device and OCR'ing them

As shown in Figure 9, if recognizeText finds the string mnemonic or 助记词 (mnemonic in Chinese) in the text extracted from the image, it sends both the text and the image to the C&C server. In select cases we have seen the list of keywords expanded to eleven entries, namely 助记词, Mnemonic, memorizing, Memorizing, recovery phrase, Recovery Phrase, wallet, METAMASKA, Phrase, secret, Recovery phrase.

Figure 9. Image and the recognized text within it are sent to the attacker's C&C server

Cluster 2

In contrast with Cluster 1, which employs advanced techniques to assist in its malicious actions, the second cluster of Android clippers is the least complicated among the four: these malicious apps simply switch wallet addresses, without further malicious functionality. The trojans in Cluster 2 mostly replace addresses for bitcoin, Ethereum, and TRON coin wallets, with a few of them also being able to switch wallets for Monero and Binance. The way the messages are intercepted and modified can be seen in Figures 10 and 11.

Figure 10. Telegram message interception by malicious code

Figure 11. Malicious code responsible for replacing wallet addresses in Telegram messages

Cluster 2 is the only Android cluster where we found not only Telegram, but also WhatsApp samples. Both types of trojanized apps either have a hardcoded list of attacker wallet addresses (as seen in Figure 11) or dynamically request them from a C&C server, as seen in Figure 12.

Figure 12. Bitcoin, Ethereum and TRON wallet addresses received from the C&C server

Cluster 3

This cluster monitors Telegram communication for particular keywords in Chinese, such as "mnemonic", "bank", "address", "account" and "Yuan". Some of the keywords are hardcoded, while others are received from the C&C server, meaning they could be modified or expanded at any time. Once a Cluster 3 clipper recognizes a keyword, the whole message, along with the username and the group or channel name, is sent to the C&C server, as can be seen in Figure 13.

Figure 13. Clipper exfiltrates a message if a keyword was detected

Cluster 4

The last identified cluster of Android clippers, Cluster 4, can not only replace cryptocurrency addresses, but also exfiltrate the victim's Telegram data by obtaining their configuration files, phone number, device information, pictures, Telegram username, and the list of installed apps. Logging into these malicious versions of the Telegram app means that all the personal internal data stored inside, such as messages, contacts, and configuration files, become visible to the threat actors.

To demonstrate, let's focus on this cluster's most intrusive trojanized app: this malware combs the internal Telegram storage for all files smaller than 5.2 MB and without a .jpg extension and steals them. Additionally, it can also exfiltrate basic information about the device, the list of installed applications, and phone numbers. All the stolen files are archived in a ZIP file, which is then exfiltrated to the C&C. All malware within this cluster uses the same ZIP filename, suggesting a common author or codebase. The list of the files exfiltrated from our analysis device can be seen in Figure 14.

Figure 14. Private Telegram user files that are exfiltrated to the C&C server

Windows trojans

As opposed to the trojanized Android apps we discovered, the Windows versions consist not only of clippers, but also of remote access trojans. While the clippers focus mainly on cryptostealing, the RATs are capable of a wider variety of malicious actions such as taking screenshots and deleting files. Some of them can also manipulate the clipboard, which would allow them to steal cryptocurrency wallets. The Windows apps were found on the same domains as the Android versions.

Cryptocurrency clippers

We discovered two samples of Windows cryptocurrency clippers. Just like Cluster 2 of the Android clippers, these intercept and modify messages sent via a trojanized Telegram client. They use the same wallet addresses as the Android cluster, meaning that they most likely come from the same threat actor.

The first of the two clipper samples is distributed as a portable executable with all the necessary dependencies and data embedded directly in its binary. This way, no installation takes place after the malware is executed, keeping the victim unaware that something is amiss. The malware intercepts not only messages between users, but also all stored messages, channels, and groups.

Similar to the related Android Cluster 2, the code responsible for modifying the messages uses hardcoded patterns to identify the cryptocurrency addresses within messages. These are highlighted in yellow in Figure 15. If found, the code replaces the original addresses with the corresponding addresses belonging to the attacker (highlighted in pink). This clipper focuses on bitcoin, Ethereum, and TRON.

Figure 15. Decompiled code with hardcoded patterns and wallet addresses
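The address swap that Cluster 2 of the Android clippers and the first Windows clipper perform can be checked from the defender's side. The Python script below is an added example written for this post; it is not ESET's code and not code from any of the analyzed samples. The regular expressions are assumed typical formats for bitcoin, Ethereum and TRON addresses (the samples' own hardcoded patterns are only shown in Figure 15). The script verifies the Base58Check checksum of legacy bitcoin and TRON addresses, then compares the message a user typed with the message that was delivered and reports every address that changed. The victim addresses are hypothetical and generated inside the script; the replacement is one of the attacker bitcoin addresses listed in the IoCs of this post.

```python
"""
Wallet-address substitution detector for chat messages.

Added example for this blogpost; it is not ESET's code and not code taken from
any of the analyzed samples. The regular expressions are assumed typical address
formats for the three coin families the clippers target.
"""
import hashlib
import re

# Address patterns (assumed typical formats, not the clippers' own hardcoded ones).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; None if it contains a non-alphabet character."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * leading_ones + body


def b58encode(raw):
    """Encode bytes as Base58 (inverse of b58decode)."""
    value = int.from_bytes(raw, "big")
    digits = ""
    while value:
        value, rem = divmod(value, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_encode(payload):
    """Base58Check: payload (version byte + 20-byte hash) plus a 4-byte double-SHA-256 checksum."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def base58check_valid(address, version_bytes):
    """True if the address decodes to 25 bytes with an accepted version byte and a correct checksum."""
    raw = b58decode(address)
    if raw is None or len(raw) != 25 or raw[0] not in version_bytes:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def checksum_ok(coin, address):
    """Checksum verdict: True/False for legacy bitcoin and TRON, None where this example does not verify one."""
    if coin == "bitcoin" and address[0] in "13":
        return base58check_valid(address, {0x00, 0x05})  # P2PKH ('1...') and P2SH ('3...')
    if coin == "tron":
        return base58check_valid(address, {0x41})        # TRON mainnet prefix, hence the leading 'T'
    return None  # bech32 (bc1...) and EIP-55 (0x...) checksums are out of scope here


def find_wallet_addresses(text):
    """Return [(coin, address, checksum_ok)] for every address-like token, in order of appearance."""
    found = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((match.start(), coin, match.group(0)))
    found.sort()
    return [(coin, addr, checksum_ok(coin, addr)) for _, coin, addr in found]


def detect_substitution(typed, delivered):
    """Pair the addresses in the message the user typed with those in the delivered message
    and return [(coin, original, replacement)] for each one that differs."""
    swapped = []
    for (coin, original, _), (_, replacement, _) in zip(find_wallet_addresses(typed),
                                                       find_wallet_addresses(delivered)):
        if original != replacement:
            swapped.append((coin, original, replacement))
    return swapped


# Constructed sample: hypothetical victim addresses generated from a fixed 20-byte hash, and a
# delivered copy in which the bitcoin address was swapped for an attacker address from the IoC list.
VICTIM_BTC = base58check_encode(b"\x00" + bytes(range(1, 21)))
VICTIM_TRON = base58check_encode(b"\x41" + bytes(range(1, 21)))
ATTACKER_BTC = "36uqLsndC2kRJ9xy6PiuAxK3dYmqXw8G93"
TYPED = f"send the BTC to {VICTIM_BTC} and the TRX to {VICTIM_TRON}, thanks"
DELIVERED = TYPED.replace(VICTIM_BTC, ATTACKER_BTC)

if __name__ == "__main__":
    for coin, address, ok in find_wallet_addresses(DELIVERED):
        print(f"{coin:9} {address}  checksum_ok={ok}")
    for coin, original, replacement in detect_substitution(TYPED, DELIVERED):
        print(f"SWAPPED {coin}: {original} -> {replacement}")
```

The point the script makes is that a swapped-in address is a perfectly well-formed address: format and checksum validation cannot catch the swap, so the only reliable check is the one the prevention section recommends, comparing what was typed with what the other side actually received.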

The second clipper uses a standard installation process, the same as the legitimate Telegram installer. However, even if the process outwardly seems innocent, the installed executable is far from benign. Compared to legitimate Telegram, it contains two additional files encrypted using a single-byte XOR cipher with the key 0xff. The files contain a C&C server address and an agent ID used to communicate with the C&C.

This time, no hardcoded addresses are used. Instead, the clipper obtains both the message patterns and the corresponding cryptocurrency wallet addresses from the C&C via an HTTP POST request. The communication with the C&C works in the same way as shown for Cluster 2 of the Android clippers (Figure 12).

In addition to swapping cryptocurrency wallet addresses, this clipper can also steal the victim's phone number and Telegram credentials. When a person compromised by this trojanized app tries to log in on a new device, they are asked to enter the login code sent to their Telegram account. Once the code arrives, the notification is automatically intercepted by the malware, and the verification code, along with the optional password, ends up in the hands of the threat actors.

Similar to the first Windows clipper sample, any message sent using this malicious version of Telegram that contains bitcoin, Ethereum, or TRON cryptocurrency wallet addresses will be modified to replace the addresses with those provided by the attacker (see Figure 16). However, unlike with the Android version, the victims will not be able to discover that their messages have been tampered with without comparing chat histories: even after restarting the app, the sender will always see the original version of the message because the relevant part of the code is executed again on application start; the recipient, on the other hand, will only receive the attacker's wallet.

Figure 16. Legitimate Telegram client (left) and trojanized one (right)

Remote access trojans

The rest of the malicious apps we discovered are distributed in the form of Telegram and WhatsApp installers bundled with remote access trojans. Once the RATs have gained access to the system, neither Telegram nor WhatsApp needs to run for the RATs to operate. In the observed samples, malicious code was mostly executed indirectly by using DLL side-loading, thus allowing the attackers to hide their actions behind the execution of legitimate applications. These RATs differ significantly from the clippers, since they do not explicitly focus on stealing cryptocurrency wallets. Instead, they contain several modules with a wide range of functionalities, allowing the threat actors to perform actions such as stealing clipboard data, logging keystrokes, querying the Windows Registry, capturing the screen, obtaining system information, and performing file operations. Each RAT we discovered used a slightly different combination of modules.

With one exception, all the remote access trojans we analyzed were based on the infamous Gh0st RAT, malware that is frequently used by cybercriminals because of its public availability. As an interesting aside, Gh0st RAT's code uses a special packet flag set to Gh0st by default, a value that threat actors like to customize. In changing the flag, they can use something that makes more sense for their version of the malware, or they can use no flag at all. They can also, as in one case observed during our analysis, reveal their deepest desires by changing the flag to lambo (as in, the nickname for the Italian luxury car brand; see Figure 17).

Figure 17. Hex-Rays decompiled code with the flag lambo
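The packet flag is what many network signatures for Gh0st key on, and the lambo variant shows why a flag-only signature is brittle. The Python scanner below is an added example, not ESET's code or the RAT's; it assumes the packet layout from the publicly available Gh0st RAT source (a 5-byte flag, a little-endian total packet length, a little-endian uncompressed length, then a zlib-compressed body), builds two constructed packets with the default and the customized flag, and detects them first by a list of known flags and then by a flag-agnostic check on the length fields and the zlib header byte.

```python
"""
Scanner for Gh0st-style RAT packets in a captured byte stream.

Added example for this blogpost (not ESET's code and not the RAT's code). The
packet layout is assumed from the public Gh0st RAT source: a 5-byte flag
("Gh0st" by default, "lambo" in the sample the blogpost mentions), a
little-endian total length, a little-endian uncompressed length, and a
zlib-compressed body.
"""
import struct
import zlib

HEADER_LEN = 13                      # 5-byte flag + two 4-byte little-endian lengths
KNOWN_FLAGS = (b"Gh0st", b"lambo")   # default flag and the customized one from the blogpost


def build_packet(flag, payload):
    """Assemble a packet in the assumed Gh0st layout; used only to construct sample traffic here."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_packet(data, offset):
    """Validate a candidate packet at offset: the length fields must be consistent with the
    buffer and the body must inflate to exactly the declared size. Returns a dict or None."""
    if offset + HEADER_LEN > len(data):
        return None
    flag = data[offset:offset + 5]
    total, uncompressed = struct.unpack_from("<II", data, offset + 5)
    if total <= HEADER_LEN or offset + total > len(data):
        return None
    body = data[offset + HEADER_LEN:offset + total]
    try:
        plain = zlib.decompress(body)
    except zlib.error:
        return None
    if len(plain) != uncompressed:
        return None
    return {"offset": offset, "flag": flag, "total": total, "payload": plain}


def scan_known_flags(data, flags=KNOWN_FLAGS):
    """Find packets whose flag is in the given list (what a plain content-match rule does)."""
    hits = []
    for flag in flags:
        start = 0
        while (idx := data.find(flag, start)) >= 0:
            pkt = parse_packet(data, idx)
            if pkt:
                hits.append(pkt)
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def scan_any_flag(data):
    """Flag-agnostic variant: operators customize the 5-byte flag, so instead look for the zlib
    header byte (0x78) right after a 13-byte prefix whose length fields are self-consistent."""
    hits = []
    for offset in range(len(data) - HEADER_LEN):
        if data[offset + HEADER_LEN] == 0x78:
            pkt = parse_packet(data, offset)
            if pkt:
                hits.append(pkt)
    return hits


# Constructed sample traffic: two packets (default flag and the "lambo" flag) between filler bytes.
SAMPLE_STREAM = (
    b"\x00\x01\x02 unrelated bytes "
    + build_packet(b"Gh0st", b"CONSTRUCTED message A")
    + b"\xff\xfe more filler"
    + build_packet(b"lambo", b"CONSTRUCTED message B")
)

if __name__ == "__main__":
    print("known flags, default only:", [h["flag"] for h in scan_known_flags(SAMPLE_STREAM, (b"Gh0st",))])
    print("known flags, with lambo:  ", [h["flag"] for h in scan_known_flags(SAMPLE_STREAM)])
    print("flag-agnostic:            ", [h["payload"] for h in scan_any_flag(SAMPLE_STREAM)])
```

Matching only the default flag finds one of the two packets; the flag-agnostic pass finds both, which is the property a detection for a customized Gh0st build needs. The body check is what keeps the agnostic pass from firing on random data: a candidate has to carry length fields that fit the buffer and a body that inflates to exactly the declared size.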

The only RAT among the group that was not entirely based on Gh0st RAT used code from the HP-Socket library to communicate with its C&C server. Compared to the other RATs, this one uses significantly more anti-analysis runtime checks during its execution chain. While its source code certainly differs from the rest of the trojans discovered, its functionality is mostly identical: it is capable of performing file operations, obtaining system information and the list of running programs, deleting profiles of commonly used browsers, downloading and running a potentially malicious file, and so forth. We suspect that this may be a custom build that could be inspired by the Gh0st implementation.

Prevention and uninstallation

Android

Install apps only from trustworthy and reliable sources such as the Google Play store.

If you are sharing cryptocurrency wallet addresses via the Android Telegram app, double-check whether the address you sent matches the address that is displayed after restarting the application. If not, warn the recipient not to use the address and try to remove the message. Unfortunately, this technique cannot be applied to trojanized WhatsApp for Android.

Be aware that the previous tip does not apply in the case of trojanized Telegram; since the recipient of the wallet address only sees the attacker's wallet, they will be unable to tell whether the address is genuine.

Do not store unencrypted pictures or screenshots containing sensitive information, such as mnemonic phrases, passwords, and private keys, on your device.

If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website.

Windows

If you are not sure whether your Telegram installer is legitimate, check that the file's digital signature is valid and issued to Telegram FZ-LLC.

If you suspect that your Telegram app is malicious, we advise that you use a security solution to detect the threat and remove it for you. Even if you do not own such software, you can still use the free ESET Online Scanner.

The only official version of WhatsApp for Windows is currently available in the Microsoft Store. If you installed the application from any other source, we advise you to delete it and then scan your device.


Conclusion

During our research into trojanized Telegram and WhatsApp apps distributed through copycat websites, we discovered the first instances of Android clippers that intercept instant messages and switch victims' cryptocurrency wallet addresses for the attacker's address. Additionally, some of the clippers abused OCR to extract mnemonic phrases from images saved on the victims' devices, a malicious use of screen-reading technology that we observed for the first time.

We also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans. Through their various modules, the RATs give the attackers control over the victims' machines.



IoCs

Files

SHA-1 | Package name | Detection | Description
C3ED82A01C91303C0BEC36016D817E21615EAA07 | org.telegram.messenger | Android/Clipper.I | Trojanized version of Telegram for Android in Cluster 4.
8336BF07683F40B38840865C60DB1D08F1D1789D | org.telegram.messenger | Android/Clipper.I | Trojanized version of Telegram for Android in Cluster 4.
E67065423DA58C0025E411E8E56E0FD6BE049474 | org.tgplus.messenger | Android/Clipper.J | Trojanized version of Telegram for Android in Cluster 1.
014F1E43700AB91C8C5983309751D952101B8ACA | org.telegram.messenger | Android/Clipper.K | Trojanized version of Telegram for Android in Cluster 2 and Cluster 3.
259FE1A121BA173B2795901C426922E32623EFDA | org.telegram.messenger.web2 | Android/Clipper.L | Trojanized version of Telegram for Android in Cluster 2.
0A79B29FC0B04D3C678E9B95BFF72A9558A632AC | org.telegram.messenger | Android/Clipper.M | Trojanized version of Telegram for Android in Cluster 1.
D44973C623E680EE0A4E696C99D1AB8430D2A407 | org.telegram.messenger | Android/Clipper.N | Trojanized version of Telegram for Android in Cluster 1.
88F34441290175E3AE2FE0491BFC206899DD158B | org.telegram.messenger | Android/Clipper.O | Trojanized version of Telegram for Android in Cluster 4.
0936D24FC10DB2518973C17493B6523CCF8FCE94 |  | Android/Clipper.V | Trojanized version of WhatsApp for Android in Cluster 1.
8E98438103C855C3E7723140767749DEAF8CA263 | com.whatsapp | Android/Clipper.V | Trojanized version of WhatsApp for Android in Cluster 1.
5243AD8BBFBC4327B8C4A6FD64401912F46886FF | com.whatsapp | Android/Clipper.V | Trojanized version of WhatsApp for Android in Cluster 1.

SHA-1 | Filename | Detection | Description
646A70E4F7F4502643CDB9AA241ACC89C6D6F1C0 | Telegram.exe | Win32/Agent.AEWM | Trojanized version of Windows Telegram in the first cluster.
858A5B578A0D8A0D511E502DE16EC2547E23B375 | Telegram.exe | Win64/PSW.Agent.CS | Trojanized version of Windows Telegram in the first cluster.
88AAC1C8AB43CD540E0677BAA1A023FDA88B70C4 | Telegram.exe | Win64/PSW.Agent.CT | Trojanized version of Windows Telegram in the first cluster.
F3D2CCB4E7049010B18A3300ABDEB06CF3B75FFA | Telegram.exe | Win64/PSW.Agent.CT | Trojanized version of Windows Telegram in the first cluster.
A5EB91733FD5CDC8386481EA9856C20C71254713 | 1.exe | Win32/TrojanDownloader.Agent.GLD | Malicious downloader from trojanized Telegram in the second Windows cluster.
34FA6E6B09E08E84D3C544F9039CB14624080A19 | libcef.dll | Win32/Kryptik.HMVR | Malicious DLL from trojanized Telegram in the second Windows cluster.
5E4021AE96D4B28DD27382E3520E8333288D7095 | 1.txt | Win32/Farfli.BUR | Gh0st RAT variant in the second Windows cluster.
14728633636912FB91AE00342D7C6D7050414D85 | BASICNETUTILS.dll | Win32/Agent.AEMT | Malicious DLL from trojanized Telegram in the second Windows cluster.
B09E560001621AD79BE31A8822CA72F3BAC46F64 | BASICNETUTILS.dll | Win32/Agent.AEMT | Malicious DLL from trojanized Telegram in the second Windows cluster.
70B8B5A0BFBDBBFA6BA6C86258C593AD21A89829 | templateX.TXT | Win32/Farfli.CUO | Gh0st RAT variant in the second Windows cluster.
A51A0BCCE028966C4FCBB1581303980CF10669E0 | templateX.TXT | Win32/Farfli.CUO | Gh0st RAT variant in the second Windows cluster.
A2883F344831494C605598B4D8C69B23A896B71A | collec.exe | Win64/GenKryptik.FZHX | Malicious downloader from trojanized Windows Telegram in the second cluster.
F8005F22F6E8EE31953A80936032D9E0C413FD22 | ZM.log | Win32/Farfli.DBP | RAT that uses the HP-Socket library for communication with the C&C in the second Windows cluster.
D2D2B0EE45F0540B906DE25B1269D257578A25BD | DuiLib.dll | Win32/Agent.AEXA | Malicious DLL from trojanized Windows Telegram in the second cluster.
564F7A88CD5E1FF8C318796127A3DA30BDDE2AD6 | Telegram.msi | Win32/TrojanDownloader.Agent.GLD | Trojanized version of the Windows Telegram installer in the second cluster.
C5ED56584F224E7924711EF47B39505D4D1C98D2 | TG_ZH.exe | Win32/Farfli.CUO | Trojanized version of the Windows Telegram installer in the second cluster.
2DCDAAAEF094D60BC0910F816CBD42F3C76EBEE9 | TG_CN.exe | Win32/Farfli.CUO | Trojanized version of the Windows Telegram installer in the second cluster.
31878B6FC6F96703AC27EBC8E786E01F5AEA5819 | telegram.exe | Win64/PSW.Agent.CS | Trojanized version of the Windows Telegram installer in the first cluster.
58F7E6E972774290DF613553FA2120871436B9AA | 飞机中文版 (machine translation: Plane Chinese Version) | Win64/GenKryptik.FZHX trojan | Archive containing a trojanized version of the Windows Telegram installer in the second cluster.
CE9CBB3641036E7053C494E2021006563D13E1A6 | Telegram.7z | Win32/Agent.AEWM trojan | Archive containing a portable version of the trojanized Windows Telegram executable in the second cluster.
7916BF7FF4FA9901A0C6030CC28933A143C2285F | WhatsApp.exe | Agent.AEUO | Trojanized version of the Windows WhatsApp installer in the first Windows cluster.
B26EC31C9E8D2CC84DF8B771F336F64A12DBD484 | webview_support.dll | Agent.AEUO | Malicious DLL from trojanized WhatsApp in the second Windows cluster.
366D12F749B829B436474C9040E8102CEC2AACB4 | improve.xml | Win32/Farfli.DCC | Encrypted malicious payload in the second Windows cluster.
A565875EDF33016D8A231682CC4C19FCC43A9A0E | CSLoader.dll | Win32/Farfli.DCC | Shellcode injector in the second Windows cluster.
CFD900B77494574A01EA8270194F00E573E80F94 | 1.dll | Win32/Farfli.BLH | Gh0st RAT variant in the second Windows cluster.
18DE3283402FE09D2FF6771D85B9DB6FE2B9D05E | telegram.exe | Win64/PSW.Agent.CT | Trojanized version of the Windows Telegram installer in the first cluster.


Network

Domain/IP | First seen | Details
tevegram[.]com | 2022-07-25 | Distribution website.
telegram[.]land | 2021-09-01 | Distribution website.
x-telegram[.]app | 2022-04-24 | Distribution website.
hao-telegram[.]com | 2022-03-12 | Distribution website.
telegram[.]farm | 2021-03-22 | Distribution website.
t-telegrm[.]com | 2022-08-29 | Distribution website.
telegrmam[.]org | 2022-08-23 | Distribution website.
telegramnm[.]org | 2022-08-22 | Distribution website.
telegrms[.]com | 2021-12-01 | Distribution website.
telegrrom[.]com | 2022-09-09 | Distribution website.
telegramxs[.]com | 2022-07-27 | Distribution website.
telegcn[.]com | 2022-11-04 | Distribution website.
telegram[.]gs | 2022-09-15 | Distribution website.
telegram-c[.]com | 2022-08-11 | Distribution website.
whotsapp[.]net | 2022-10-15 | Distribution website.
telegron[.]org | 2022-08-10 | Distribution and C&C website.
telezzh[.]com | 2022-09-09 | Distribution and C&C website.
telegramzn[.]com | 2022-08-22 | Distribution and C&C website.
token.jdy[.]me | 2021-10-29 | C&C server.
telegrom[.]org | 2020-01-02 | C&C server.
coinfacai[.]com | 2022-06-17 | C&C server.
add.buchananapp[.]com | 2022-07-18 | C&C server.
137.220.141[.]13 | 2021-08-15 | C&C server.
api.oktask88[.]com | 2022-05-09 | C&C server.
jk.cqbblmy[.]com | 2022-11-09 | C&C server.
103.212.230[.]41 | 2020-07-04 | C&C server.
j.pic6005588[.]com | 2022-08-31 | C&C server.
b.pic447[.]com | 2022-08-06 | C&C server.
180.215.88[.]227 | 2020-03-18 | C&C server.
104.233.144[.]130 | 2021-01-13 | C&C server.
division.microsoftmiddlename[.]tk | 2022-08-06 | Malicious payload distribution website.

Attacker wallets


MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK mobile techniques.

Tactic ID Name Description
Discovery T1418 Software Discovery Android Clipper can obtain a list of installed applications.
Collection T1409 Stored Application Data Android Clipper extracts data from the internal storage of the Telegram app.
Command and Control T1437.001 Application Layer Protocol: Web Protocols Android Clipper uses HTTP and HTTPS to communicate with its C&C server.
Exfiltration T1646 Exfiltration Over C2 Channel Android Clipper exfiltrates stolen data over its C&C channel.
Impact T1641.001 Data Manipulation: Transmitted Data Manipulation Android Clipper swaps cryptocurrency wallet addresses in Telegram communication.

This table was built using version 12 of the MITRE ATT&CK enterprise techniques.

Tactic ID Name Description
Execution T1106 Native API Trojanized Windows Telegram uses the Windows API function ShellExecuteExA to execute shell commands received from its C&C.
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Trojanized Windows Telegram copies itself to the Startup directory for persistence.
Privilege Escalation T1134 Access Token Manipulation Trojanized Windows Telegram adjusts token privileges to enable SeDebugPrivilege.
Defense Evasion T1070.001 Indicator Removal: Clear Windows Event Logs Trojanized Windows Telegram is capable of deleting event logs.
T1140 Deobfuscate/Decode Files or Information Trojanized Windows Telegram decrypts and loads the RAT DLL into memory.
T1574.002 Hijack Execution Flow: DLL Side-Loading Trojanized Windows Telegram uses legitimate applications to perform DLL side-loading.
T1622 Debugger Evasion Trojanized Windows Telegram checks the BeingDebugged flag of the PEB to detect whether a debugger is present.
T1497 Virtualization/Sandbox Evasion Trojanized Windows Telegram identifies execution in a virtual machine via WQL.
Credential Access T1056.001 Input Capture: Keylogging Trojanized Windows Telegram has a keylogger.
Discovery T1010 Application Window Discovery Trojanized Windows Telegram is able to discover application windows using EnumWindows.
T1012 Query Registry Trojanized Windows Telegram can enumerate registry keys.
T1057 Process Discovery Trojanized Windows Telegram can list running processes on the system.
T1082 System Information Discovery Trojanized Windows Telegram gathers system architecture, processor, OS configuration, and hardware information.
Collection T1113 Screen Capture Trojanized Windows Telegram captures the victim's screen.
T1115 Clipboard Data Trojanized Windows Telegram steals clipboard data from the victim.
Command and Control T1071.001 Application Layer Protocol: Web Protocols Trojanized Windows Telegram uses HTTPS to communicate with its C&C server.
T1095 Non-Application Layer Protocol Trojanized Windows Telegram uses an encrypted TCP protocol to communicate with the C&C.
T1105 Ingress Tool Transfer Trojanized Windows Telegram can download additional files.
T1573 Encrypted Channel Trojanized Windows Telegram encrypts its TCP communications.
Exfiltration T1041 Exfiltration Over C2 Channel Trojanized Windows Telegram sends victim data to its C&C server.
Impact T1529 System Shutdown/Reboot Trojanized Windows Telegram can reboot or shut down the victim's machine.
T1565.002 Data Manipulation: Transmitted Data Manipulation Trojanized Windows Telegram swaps cryptocurrency wallet addresses in Telegram communication.
T1531 Account Access Removal Trojanized Windows Telegram removes the profiles of commonly used browsers to force victims to log into their web accounts again.