Telegram | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are below - checker-SaGaF (2,605 downloads) steinlurks (1,049 downloads) sinnercore (3,300 downloads) "True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account," Socket researcher Olivia Brown said in an analysis published last week. Specifically, the package is designed to send HTTP POST requests to TikTok's password recovery API and Instagram's account login endpoints to determine if an email address passed as input is valid, meaning there exists an account holder corresponding to that email address. "Once threat actors have this information, just from an email address, they can threaten to dox or spam, c...

A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee . According to a report published by blockchain analytics firm Elliptic, merchants on the marketplace have been found to peddle technology, personal data, and money laundering services. "The USDT stablecoin is the primary payment method, with the market having received $8.4 billion in transactions to date," the company said . "Some transactions can be linked to funds stolen by North Korea." Xinbi, like HuiOne, has offered its services to scammers in Southeast Asia, including those responsible for so-called romance baiting schemes (formerly referred to as "pig butchering"), which has become one of the most lucrative forms of cybercrime in recent years. What's notable about these criminal bazaars is that they are entirely run on Tele...

Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below - node-telegram-utils (132 downloads) node-telegram-bots-api (82 downloads) node-telegram-util (73 downloads) According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api , a popular Node.js Telegram Bot API with over 100,000 weekly downloads. The three libraries are still available for download. "While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access," security researcher Kush Pandya said . "Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or produc...

Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to significant escalation where threat actors are directly targeting the supply chain of various Chinese manufacturers to preload brand new devices with malicious apps. "Fraudulent applications were detected directly in the software pre-installed on the phone," the company said . "In this case, the malicious code was added to the WhatsApp messenger." A majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of the affected mod...

The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. "The campaign, which leverages social media to distribute malware, is tied to the region's current geopolitical climate," Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week. "The attackers host malware in legitimate online file-sharing accounts or Telegram channels set up specially for this purpose." The campaign is estimated to have claimed approximately 900 victims since the fall 2024, the Russian cybersecurity company added, indicating its widespread nature. A majority of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia. The activity, attributed to a threat actor dubbed Desert Dexter , was discovered in February 2025. It chiefly involves creating temporary accounts and news ...

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis published last week. "Although the malware seems to still be under development it is completely functional." Once launched, the backdoor is designed to check if it's running under a specific location and using a specific name – "C:\Windows\Temp\svchost.exe" – and if not, it reads its own contents, writes them to that location, and creates a new process to launch the copied version and terminate itself. A notable aspect of the malware is that it uses an open-source library that offers Golang bindings for the Telegram Bot API for C2 purposes. This involves...

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC , Atomic macOS Stealer (aka AMOS ), and Angel Drainer . "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis. The use of a diverse malware arsenal cryptoscam group is a sign that the threat actor is targeting users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem. Crazy Evil has been assessed to be active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal cre...

Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors. "This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. "Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently." Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing QR co...

The Telegram-based online marketplace known as HuiOne Guarantee and its vendors have cumulatively received at least $24 billion in cryptocurrency, dwarfing the now-defunct Hydra to become the largest online illicit marketplace to have ever operated. The figures, released by blockchain analytics firm Elliptic, show that monthly inflows have increased by 51% since July 2024. Huione Guarantee, part of the HuiOne Group of companies, came under spotlight mid-last year when it was exposed as a hub for online fraudsters, advertising money laundering services, stolen data, and even electrified shackles meant for use against people who are trafficked into scam compounds under the pretext of high paying jobs to conduct romance baiting scams . The development led to cryptocurrency company Tether freezing $29.62 million of its stablecoin connected to the marketplace. Established in 2021 ostensibly to facilitate the sale of cars and real estate, it's said to have strong links with Camb...

An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices. "Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation," Cyfirma said , describing it as a "sophisticated and multifaceted threat." "The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed." The phishing site in question, rustore-apk.github[.]io, mimics RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver a dropper APK file ("GetAppsRu.apk"). Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data,...

Europol on Thursday announced the shutdown of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale. The operation, led by German authorities, has resulted in the seizure of more than 50 servers associated with the service and the arrest of two suspects. More than 200 terabytes of digital evidence have been collected. In addition, over 80 data storage devices, cell phones, computers, as well as cash and crypto assets worth more than €63,000 ($66,500) have been confiscated. Manson Market ("manson-market[.]pw") is believed to have launched in 2022 as a way to peddle sensitive information that was illegally obtained from victims as part of phishing and vishing (voice phishing) schemes. One such criminal activity involved calling victims under the guise of bank employees to trick them into revealing their addresses and security answers. In another instance, a network of fake online shops was employed to deceive visitors into entering th...

The administrators of the Python Package Index (PyPI) repository have quarantined the package " aiocpa " following a new update that included malicious code to exfiltrate private keys via Telegram. The package in question is described as a synchronous and asynchronous Crypto Pay API client. The package, originally released in September 2024, has been downloaded 12,100 times to date. By putting the Python library in quarantine, it prevents further installation by clients and cannot be modified by its maintainers.  Cybersecurity outfit Phylum, which shared details of the software supply chain attack last week, said the author of the package published the malicious update to PyPI, while keeping the library's GitHub repository clean in an attempt to evade detection. It's currently not clear if the original developer was behind the rogue update or if their credentials were compromised by a different threat actor. Signs of malicious activity were first spotted i...

Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News. "New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script." NodeStealer , first publicly documented by Meta in May 2023, started off as JavaScript malware before evolving into a Python stealer capable of gathering data related to Facebook accounts in order to facilitate their takeover. It's assessed to be developed by Vietnamese threat actors, who...

Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages. Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, and government services, or everyday utilities. "The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said . Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. There is evidence to suggest that some aspects of...