Found 12 bookmarks
Newest
How Adversary Telegram Bots Help to Reveal Threats: Case Study  - ANY.RUN's Cybersecurity Blog
How Adversary Telegram Bots Help to Reveal Threats: Case Study  - ANY.RUN's Cybersecurity Blog
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape. While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts. Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog. The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign. Key outcomes of this analysis include: Examination and technical analysis of a lesser known phishing campaign Demonstration of Telegram API-based data interception techniques Collection of threat intelligence (TI) indicators to help identify the actor Recommendations for detecting this type of threat
#any.run#EN#2025#Telegram#analysis#malware#indicators#bots
·any.run·
How Adversary Telegram Bots Help to Reveal Threats: Case Study  - ANY.RUN's Cybersecurity Blog
Inside FireScam : An Information Stealer with Spyware Capabilities
Inside FireScam : An Information Stealer with Spyware Capabilities
  • FireScam is an information stealing malware with spyware capabilities. It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application. The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities. It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers. FireScam performs checks to identify if it is running in an analysis or virtualized environment. The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads. Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed. The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site. By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
#cyfirma#EN#2025#FireScam#Telegram#Premium#analysis#fake#apk#android#malware
·cyfirma.com·
Inside FireScam : An Information Stealer with Spyware Capabilities