Kaspersky Lab researchers have uncovered a sophisticated cyber attack campaign utilizing Telegram as a distribution vector for the dangerous DarkMe trojan. The operation, spanning more than 20 countries including Russia, specifically targets users of financial-focused Telegram channels, marking a significant evolution in social platform-based malware delivery techniques.
Advanced Malware Distribution Tactics
The attackers have implemented a sophisticated delivery mechanism, embedding malicious files with various extensions (.lnk, .com, .cmd) in Telegram posts. These seemingly innocent attachments serve as the initial infection vector, deploying the DarkMe trojan upon execution. The malware enables complete remote access to compromised systems and facilitates the theft of sensitive information, presenting a severe security risk to affected users.
Sophisticated Evasion Techniques
The malware exhibits advanced anti-detection capabilities that demonstrate the attackers’ technical sophistication. Once installed, the trojan deletes the files that deployed it and uses code padding to evade antivirus detection. Because it cleans up these post-exploitation artifacts and removes its registry traces, the infection is particularly difficult to detect and analyze after the fact.
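As an added illustration that is not part of Kaspersky's report or its researchers' tooling, the following Python script turns the delivery and clean-up behaviour described in the two sections above into a detection rule over constructed endpoint events: it flags .lnk, .com and .cmd files written to disk by the Telegram desktop client that were subsequently executed, and records whether the file was deleted afterwards. The event line format and the process name telegram.exe are assumptions made for the example.

```python
import datetime as dt

# Attachment extensions the campaign embedded in Telegram posts (from the report).
SUSPECT_EXTENSIONS = (".lnk", ".com", ".cmd")
# Process name assumed for the Telegram desktop client writing downloads to disk.
TELEGRAM_PROCESS = "telegram.exe"

# Constructed sample endpoint events: "<iso-time> <event-type> <process> <path>".
# The schema is an assumption for this example, not any specific EDR product's format.
SAMPLE_EVENTS = [
    "2024-11-01T09:00:00 file_create Telegram.exe C:\\Users\\a\\Downloads\\Telegram Desktop\\report.pdf",
    "2024-11-01T09:01:10 file_create Telegram.exe C:\\Users\\a\\Downloads\\Telegram Desktop\\q3_results.cmd",
    "2024-11-01T09:01:42 process_create cmd.exe C:\\Users\\a\\Downloads\\Telegram Desktop\\q3_results.cmd",
    "2024-11-01T09:01:45 file_delete cmd.exe C:\\Users\\a\\Downloads\\Telegram Desktop\\q3_results.cmd",
    "2024-11-01T09:05:00 file_create Telegram.exe C:\\Users\\a\\Downloads\\Telegram Desktop\\invoice.lnk",
    "2024-11-01T09:06:00 process_create explorer.exe C:\\Windows\\System32\\notepad.exe",
]

def parse_event(line):
    """Split one event line; maxsplit=3 keeps paths that contain spaces intact."""
    ts, kind, proc, path = line.split(" ", 3)
    # Windows paths and process names are case-insensitive, so normalise them.
    return {"ts": dt.datetime.fromisoformat(ts), "kind": kind,
            "proc": proc.lower(), "path": path.lower()}

def find_telegram_dropper_chains(lines):
    """Return one finding per suspect file that Telegram wrote to disk and that was
    later executed. A finding is marked self_deleted when the file was removed
    after execution, mirroring the trojan's clean-up of its deployment files."""
    dropped = {}    # path -> time Telegram created it
    findings = {}   # path -> finding dict, keyed so a later delete can update it
    for line in lines:
        ev = parse_event(line)
        path = ev["path"]
        if (ev["kind"] == "file_create" and ev["proc"] == TELEGRAM_PROCESS
                and path.endswith(SUSPECT_EXTENSIONS)):
            dropped[path] = ev["ts"]
        elif ev["kind"] == "process_create" and path in dropped:
            delay = (ev["ts"] - dropped[path]).total_seconds()
            findings[path] = {"path": path, "seconds_after_download": delay,
                              "self_deleted": False}
        elif ev["kind"] == "file_delete" and path in findings:
            findings[path]["self_deleted"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_telegram_dropper_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the executed .cmd attachment produces a finding; the .lnk that was downloaded but never opened and the unrelated notepad.exe launch are ignored.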
Attribution to DeathStalker APT Group
Technical analysis has linked this campaign to the DeathStalker advanced persistent threat (APT) group, previously known as Deceptikons. Operating since 2018, this threat actor specializes in mercenary cyber espionage operations, primarily focusing on financial intelligence gathering and corporate surveillance.
Target Profile and Industry Impact
The campaign predominantly targets small and medium-sized enterprises in the financial technology sector, along with financial services and legal firms. DeathStalker’s selection of Telegram as an attack vector represents a strategic shift, exploiting the platform’s widespread adoption and users’ inherent trust in its content sharing capabilities.
Security experts emphasize that this attack campaign represents a significant evolution in social platform-based threats. The exploitation of legitimate messaging platforms like Telegram creates a particularly dangerous scenario, as users typically maintain a higher level of trust in content shared through these channels. Organizations and individuals are strongly advised to implement strict file download policies, enable advanced security controls, and maintain updated security solutions to protect against this emerging threat vector. Regular security awareness training focusing on social platform security should be considered essential for all users handling sensitive financial information.