
Malicious campaign targeting fintech users via Telegram

Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a global malicious campaign in which attackers used the Telegram application to deliver Trojan spyware targeting individuals and companies in the financial technology and trading sectors across several countries in Europe, Asia, Latin America, and the Middle East. The malware is designed to steal sensitive data, such as passwords, and take control of users’ devices for espionage purposes.

The campaign is believed to be linked to the infamous DeathStalker group, an advanced persistent threat (APT) actor that operates as a spy-for-hire business providing specialized investigative services and financial intelligence. In the recent wave of attacks analyzed by Kaspersky, the threat actors tried to infect victims with DarkMe malware, a remote access Trojan (RAT) designed to steal information and execute commands received from a server controlled by the attackers.

The threat actors behind the campaign appear to have targeted victims in the trading and financial technology sectors, as technical indicators suggest the malware was spread through Telegram channels focused on those topics. The campaign had a global reach, with Kaspersky identifying victims in more than 20 countries across Europe, Asia, Latin America, and the Middle East.

Analysis of the infection chain indicates that the attackers likely attached malicious archive files to posts in Telegram channels. The archives themselves, RAR or ZIP files, were not malicious, but they contained malicious files with extensions such as .lnk, .com, and .cmd; if a potential victim executed one of these files, it would install the downstream malware, DarkMe, through a series of actions.
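Because the archives are clean and the danger is in what they carry, a cheap first-pass triage is to list archive members and flag the executable extensions named above without extracting anything. The script below is an added example written for this article, not Kaspersky’s tooling or an artifact from the campaign; the sample ZIP it builds is constructed in memory to mimic the described layout (a decoy document alongside a .lnk and a .cmd) and contains no real payload. ZIP handling uses the standard library; RAR support assumes the third-party `rarfile` module is installed, which is an assumption rather than something the article mentions.

```python
"""Triage ZIP/RAR archives for the first-stage lure extensions (.lnk, .com, .cmd).

Added example for this article, not Kaspersky's code. Only member names are
inspected; nothing is extracted or executed.
"""
import io
import zipfile
from typing import Iterable

# Extensions the article names as the first-stage files inside the archives.
SUSPICIOUS_EXTENSIONS = {".lnk", ".com", ".cmd"}


def suspicious_members(names: Iterable[str]) -> list[str]:
    """Return archive member names whose final extension is on the watchlist.

    Only the last suffix is checked, because that is what Windows uses to
    decide how to open a file, so "report.pdf.lnk" is still caught.
    """
    hits = []
    for name in names:
        # Archive paths may use either separator; skip directory entries.
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        if not base:
            continue
        ext = ("." + base.rsplit(".", 1)[-1]).lower() if "." in base else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            hits.append(name)
    return hits


def scan_zip_bytes(data: bytes) -> list[str]:
    """Scan an in-memory ZIP by listing its members (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_members(zf.namelist())


def scan_archive(path: str) -> list[str]:
    """Scan a ZIP or RAR file on disk by listing member names only."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return suspicious_members(zf.namelist())
    try:
        import rarfile  # third-party package; assumed to be installed
    except ImportError as exc:
        raise RuntimeError("RAR scanning requires the 'rarfile' package") from exc
    with rarfile.RarFile(path) as rf:
        return suspicious_members(rf.namelist())


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("trading_report.pdf", b"%PDF-1.4 harmless placeholder")
        zf.writestr("Trading_Report_2024.pdf.lnk", b"placeholder shortcut bytes")
        zf.writestr("screenshots/chart.png", b"\x89PNG placeholder")
        zf.writestr("setup/run.CMD", b"@echo placeholder")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_zip()):
        print("suspicious member:", hit)
```

Extension matching is a triage signal, not a verdict: a clean archive can legitimately carry a .cmd, and an attacker can switch to other executable or script extensions, so a hit should route the archive to sandbox detonation or analyst review rather than be treated as proof of DarkMe.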
