Threats Tagged 'telegram exfiltration'
View all threats tagged with 'telegram exfiltration'. Filter and sort to focus on specific types of threats.
Uncovering a Global Android Carrier Billing Fraud Campaign
A sophisticated Android malware campaign has been identified conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The operation comprises nearly 250 malicious applications that selectively target users based on their mobile operators, silently subscribing victims to premium services without consent. The malware demonstrates advanced capabilities including precise regional targeting with hardcoded SIM operator validation, automated subscription workflows using WebView manipulation and JavaScript injection, OTP interception via abuse of Google's SMS Retriever API, and Telegram-based exfiltration of device metadata. The campaign impersonates popular applications including Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto to lure victims. Active from March 2025 through January 2026, the operation employs three distinct variants with increasing levels of sophistication, utilizing distributed command and control infrastructure and systematic refer...
AlienVault OTX General | 05/20/2026, 22:37:47 UTC | Added: 05/21/2026, 16:59:45 UTC
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
This analysis examines new obfuscation techniques employed by the Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by a sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a private virtual machine. The malware siphons sensitive information including payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP/VPN credentials from compromised systems. It exfiltrates data to attacker-controlled servers at hxxp[:]194.87.92[.]109 for potential publication or sale. Recent iterations incorporate expanded Discord token extraction, active financial fraud through crypto clipper functionality that replaces cryptocurrency wallet addresses in real time, and WebSocket-based session hijacking to bypass modern cookie protections. The malware employs advanced anti-analysis techniques including XOR-encoded payloads in .NET resource sections, identifier renaming, string encryp...
AlienVault OTX General | 05/15/2026, 15:23:31 UTC | Added: 05/15/2026, 18:51:38 UTC
Mach-O Man Malware: What CISOs Need to Know
Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called "Mach-O Man". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.
AlienVault OTX General | 04/22/2026, 01:40:36 UTC | Added: 04/22/2026, 08:46:13 UTC
Fake Dropbox Phishing Campaign via PDF and Cloud Storage
A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.
AlienVault OTX General | 02/02/2026, 18:31:08 UTC | Added: 02/02/2026, 20:15:08 UTC
OCTALYN STEALER UNMASKED
The Octalyn Forensic Toolkit, a publicly available GitHub project, presents itself as a research tool but functions as a sophisticated credential stealer. It consists of a C++ payload module and a Delphi-based builder interface, allowing even low-skilled actors to generate functional binaries. The toolkit extracts browser data, Discord and Telegram tokens, VPN configurations, gaming account data, and cryptocurrency wallet artifacts. It establishes persistence, organizes stolen data, and exfiltrates it via Telegram. The malware's modular design, ease of use, and active exfiltration capability pose significant risks if misused. It employs obfuscation techniques, Windows persistence methods, and structured data theft, demonstrating a deliberate effort to evade detection and maximize impact.
AlienVault OTX General | 07/16/2025, 08:06:09 UTC | Added: 07/16/2025, 08:16:10 UTC