Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Telegram mini apps used in large-scale crypto scams and malware distribution

Threat actors are leveraging Telegram's Mini App feature and bots to create convincing, in-app phishing experiences for large-scale cryptocurrency scams and Android malware distribution. The FEMITBOT operation impersonates major brands and uses a shared backend infrastructure to deploy campaigns that steal funds via fake deposit requirements or distribute malicious APK files. The attack vector exploits user trust within the Telegram platform, utilizing its built-in browser to host fraudulent pages and tracking scripts to optimize campaign performance.

Phishing, Application security, Malware

May 4, 2026
By SC Staff

A large-scale fraud operation is leveraging Telegram's Mini App feature to conduct cryptocurrency scams, impersonate well-known brands, and distribute Android malware. This operation, identified as FEMITBOT, utilizes Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform, with further coverage provided by Bleeping Computer.

The FEMITBOT platform facilitates various scams, including fake cryptocurrency, financial services, AI tools, and streaming sites. Threat actors impersonate major brands like Apple, Coca-Cola, and Disney to enhance credibility. The operation uses a shared backend infrastructure with consistent API responses, allowing for easy switching of branding and languages across different campaigns.

Users interacting with malicious bots are presented with phishing pages within Telegram's built-in browser, often displaying fake balances and urgent offers. To withdraw funds, victims are prompted to deposit money or complete referral tasks. Some campaigns also distribute Android malware disguised as legitimate applications, urging users to download APK files or install progressive web apps. Tracking scripts from Meta and TikTok are employed to monitor user activity and optimize campaign performance.

Source: Bleeping Computer