CySecurity News - Latest Information Security and Hacking Incidents: Telegram

Data Leak Illicit Activity Mobile Security Telegram User Privacy Vietnam

Vietnam Blocks Telegram Messaging App

Vietnam's technology ministry has ordered telecommunications service providers to ban the messaging app Telegram for failing to cooperate in the investigation of alleged crimes committed by its users, a move Telegram described as shocking.

In a document dated May 21 and signed by the deputy head of the telecom department at the technology ministry, telecommunications firms were asked to start steps to block Telegram and report back to the ministry by June 2.

In the document seen by Reuters, the ministry was acting on behalf of the nation's cybersecurity department after police revealed that 68% of Vietnam's 9,600 Telegram channels and groups were breaking the law. They cited drug trafficking, fraud, and "cases suspected of being related to terrorism" as some of the illicit activities conducted through the app.

According to the document, the ministry requested that telecom companies "deploy solutions and measures to prevent Telegram's activities in Vietnam.” Following the release of the Reuters piece, the government announced the measures against Telegram on its website.

"Telegram is surprised by those statements. We have responded to legal requests from Vietnam on time. This morning, we received a formal notice from the Authority of Communications regarding a standard service notification procedure required under new telecom regulations. The deadline for the response is May 27, and we are processing the request," the Telegram representative noted.

According to a technology ministry official, the move was prompted by Telegram's failure to share customer information with the government when requested as part of criminal investigations.

The Vietnamese police and official media have regularly cautioned citizens about potential crimes, frauds, and data breaches on Telegram channels and groups. Telegram, which competes globally with major social networking apps such as Facebook's (META.O), WhatsApp and WeChat, remain available in Vietnam on Friday.

Vietnam's ruling Communist Party maintains strict media censorship and tolerates minimal opposition. The country has regularly asked firms such as Facebook, Google (GOOGL.O), YouTube, and TikTok to work with authorities to remove "toxic" data, which includes offensive, misleading, and anti-state content.

According to the document, Telegram has been accused of failing to comply with regulations requiring social media platforms to monitor, remove, and restrict illegal content. "Many groups with tens of thousands of participants were created by opposition and reactionary subjects spreading anti-government documents" based on police information.

The free-to-use site, which has about 1 billion users globally, has been embroiled in scandals over security and data breaches, particularly in France, where its founder, Pavel Durov, was temporarily detained last year.

Data Security Alert as Novel Exfiltration Method Emerges



 

Cyberhackers Cybersecurity CyberThreat Data Breach Data Loss Global Security Telegram WhatsApp

Data Security Alert as Novel Exfiltration Method Emerges

Global cybersecurity experts are raising serious concerns over the newly identified cyber threat known as Data Splicing Attacks, which poses a significant threat to thousands of businesses worldwide. It seems that even the most advanced Data Loss Prevention (DLP) tools that are currently being used are unable to stop the sophisticated data exfiltration technique.

A user can manipulate sensitive information directly within the browser, enabling the attacker to split, encrypt or encode it into smaller fragments that will remain undetected by conventional security measures because they can manipulate data directly within the browser. By fragmenting the data pieces, they circumvent the detection logic of both Endpoint Protection Platforms (EPP) and network-based tools, only to be reassembled seamlessly outside the network environment in which they were found.

As a further contributing factor to the threat, malicious actors are using alternatives to standard communication protocols, such as grpc and Webrtc, and commonly used encrypted messaging platforms, such as WhatsApp and Telegram, as a means of exfiltrating data. As a result of these channels, attackers can obscure their activities and evade traditional SSL inspection mechanisms, making it much more difficult to detect and respond to them.

An important shift in the threat landscape has taken place with the introduction of Data Splicing Attacks, which require immediate attention from both enterprises and cybersecurity professionals. Data exfiltration, a growing concern within the cybersecurity industry, refers to the act of transferring, stealing, or removing a specific amount of data from a computer, server, or mobile phone without authorisation.

Several methods can be used to perform this type of cyberattack, including a variety of cyberattacks such as data leakage, data theft, and information extrusion. The kind of security breach posed by this type of company poses a serious threat to the company, since it can result in significant financial losses, disruptions to operations, and irreparable damage to their reputation. This lack of adequate safeguarding of sensitive information under such threats emphasises the importance of developing effective data protection strategies.

There are two primary means by which data can be exfiltrated from an organisation's network: external attacks and insider threats. Cybercriminals infiltrate an organisation's network by deploying malware that targets connected devices, which can be the result of a cybercriminal attack. A compromised device can serve as a gateway to broader network exploitation once compromised.

Some types of malware are designed to spread across corporate networks in search of and extracting confidential information, while others remain dormant for extended periods, eschewing detection and quietly collecting, exfiltrating, and exchanging data in small, incremental amounts as it grows. As well as insider threats, internal threats can be equally dangerous in stealing data.

A malicious insider, such as a disgruntled employee, may be responsible for the theft of proprietary data, often transferring it to private email accounts or external cloud storage services for personal gain. Furthermore, employees may inadvertently expose sensitive information to external parties due to negligent behaviour, resulting in the disclosure of sensitive information to outside parties.

The insider-related incidents that take place at a company underscore the importance of robust monitoring, employee training, and data loss prevention (DLP) to safeguard the company's assets from outside threats. As a rule, there are many ways in which data exfiltration can be executed, usually by exploiting technological vulnerabilities, poor security practices, or human error in order to carry out the exfiltration.

When threat actors attempt to steal sensitive data from corporate environments, they use sophisticated methods without raising suspicion or setting off security alarms, to do so covertly. For organisations that wish to improve their security posture and reduce the risk of data loss, they must understand the most common tactics used in data exfiltration.

Infiltrating a system using malware is one of the most prevalent methods, as it is malicious software that is intentionally installed to compromise it. When malware is installed, it can scan a device for valuable data like customer records, financial data, or intellectual property, and send that information to an external server controlled by the attacker, which makes the process stealthy, as malware is often designed to mask its activity to evade detection by a company.

Data exfiltration is often accompanied by trojans, keyloggers, and ransomware, each of which is capable of operating undetected within a corporate network for extended periods. A similar method, phishing, relies on social engineering to trick users into revealing their login information or downloading malicious files. A cybercriminal can trick employees into granting them access to internal systems by craftily crafting convincing emails or creating false login pages.

When attackers gain access to a network, they can easily move across the network laterally and gain access to sensitive information. Phishing attacks are particularly dangerous because they rely heavily on human error to exploit human error, bypassing even the most sophisticated technological safeguards. The insider threat represents a challenging aspect of an organisation.

It can involve malicious insiders, such as employees or contractors, who deliberately leak or sell confidential information for monetary, strategic, or personal gain. As an example, insiders can also compromise data security unintentionally by mishandling sensitive data, sending information to incorrect recipients, or using insecure devices, without realising it. No matter what the intent of an insider threat is, it can be very difficult to detect and prevent it, especially when organisations do not have comprehensive monitoring and security controls in place.

Lastly, network misconfigurations are a great source of entry for attackers that requires little effort. When an internal system is compromised, it can be exploited by an attacker to gain unauthorised access by exploiting vulnerabilities such as poorly configured firewalls, exposed ports, and unsecured APIS. Once the attacker is inside, he or she can navigate the network by bypassing the traditional security mechanisms to locate and steal valuable information.

Often, these misconfigurations don't become apparent until a breach has already occurred, so it is very important to conduct continuous security audits and vulnerability assessments. In order to safeguard critical information assets better, organizations must understand these methods so that they may be able to anticipate threats and implement targeted countermeasures. Increasingly, web browsers have become an integral part of workplace productivity, creating a significant threat surface for data leaks.

As more than 60% of enterprise data is now stored on cloud-based platforms and is accessed primarily through browsers, ensuring browser-level security has become an extremely important concern. However, many existing security solutions have fallen short in addressing this challenge as recent research has revealed. It is very hard for proxy-based protections incorporated into enterprise browsers to identify sophisticated threats because they lack visibility.

Nevertheless, these solutions are not capable of understanding user interactions, monitoring changes to the Document Object Model (DOM), or accessing deeper browser context, which makes them easily exploitable to attackers. The traditional Data Loss Prevention (DLP) systems on endpoints are also not without limitations. As a result of their dependence on browser-exposed APIs, they are unable to determine the identity of the user, track browser extensions, or control the flow of encrypted content in the browser.

The constraints are creating a blind spot, which is increasingly being exploited by insider threats and advanced persistent attacks as a result of these constraints. It is especially problematic that these attacks are so adaptable; adversaries can develop new variants with very little coding effort, which will further widen the gap between modern threats and outdated security infrastructure, as well as allowing adversaries to build new variants that bypass existing defences.

A new toolkit developed specifically for reproducing the mechanics of these emerging data splicing attacks has been developed by researchers to address this growing concern. The tool has been developed to respond to this growing concern. It is designed for security teams, red teams, and vendors to test and evaluate their current defences in a realistic threat environment rigorously to determine whether their current defences are adequate.

It is the objective of Angry Magpie to help companies discover hidden vulnerabilities by simulating advanced browser-based attack vectors in order to evaluate how resilient their DLP strategies are. It is becoming increasingly apparent that enterprises need a paradigm shift in their approach to browser security, emphasizing proactive assessment and continuous adaptation in order to deal with rapidly changing cyber threats in the future.

As data splicing attacks have become increasingly prevalent and current security solutions have become increasingly limited, enterprise cybersecurity is at a critical inflexion point. As browser-based work environments become the norm and cloud dependency becomes more prevalent, traditional Data Loss Prevention strategies need to evolve both in scope and sophistication, as well as in scale. As organisations, we need to move away from legacy solutions that do not offer visibility, context, or adaptability that are necessary for detecting and mitigating modern data exfiltration techniques.

For cybersecurity professionals to remain competitive in the future, they must adopt a proactive and threat-informed defence strategy that includes continuous monitoring, advanced browser security controls, and regular stress testing of their systems through tools such as Angry Magpie. By taking this approach, organisations can identify and close vulnerabilities before they become exploitable, as well as ensure that there is a culture of security awareness throughout the workforce to minimise human error and insider threats.

Security infrastructures must keep up with the rapidly growing threats and innovations in cyberspace as well to maintain a competitive advantage. Businesses need to acknowledge and commit to modern, dynamic defence mechanisms to increase their resilience and ensure the integrity of their most valuable digital assets is better protected as a result of emerging threats.

Android Spyware Concealed in Mapping App Targets Russian Military



 

Android Spyware Malicious Campaign malware Russian Military Telegram

Android Spyware Concealed in Mapping App Targets Russian Military

Doctor Web researchers discovered a new spyware, tracked as Android. Spy.1292.origin, targets Russian military people. The malicious code was concealed in a trojanized Alpine Quest app and distributed via Russian Android catalogues. The malware acquires contacts, geolocation, and file data, and it can also download additional modules to exfiltrate stored data when directed.

“Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is popular among athletes, travelers, and hunters but also widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit.” reads the report published by researchers at Doctor Web. Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality.”

To propagate the trojanized Alpine Quest software, threat actors developed a fraudulent Telegram channel. They shared an app download link from a Russian app store, and then they used the same route to push a malicious update. To evade detection, Android.Spy.1292.origin is embedded within a real copy of the Alpine Quest app, causing it to seem and behave just like the original.

When the app is activated, the trojan discreetly collects and sends information to a command-and-control server, including the user's phone number, accounts, contact list, current date, geolocation, stored file details, and app version. Simultaneously, it transmits some of this information, such as updated geolocation, with the attackers' Telegram bot whenever the device's position changes.

Once the trojan has gathered file information, attackers can command it to download and execute other modules to steal specific data. The attackers behind the malicious app appear to be interested in confidential information transmitted via Telegram and WhatsApp, as well as the locLog file generated by Alpine Quest. This allows Android.Spy.1292.origin to track user whereabouts and extract sensitive data. Its modular design enables it to broaden its capabilities and engage in a wider range of malicious actions.

“As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.” the researchers added.

The researchers recommend installing Android apps only from trustworthy sources, such as official app stores, and avoiding Telegram groups and dodgy websites, particularly those providing free versions of commercial apps. Users should also verify app distributors, as cybercriminals frequently copy legitimate developers using identical names and logos.

Telegram Says It Will Quit Markets That Demand User Data Access



 

data breach data access Encryption Government Telegram

Telegram Says It Will Quit Markets That Demand User Data Access

Telegram, the popular messaging app, has made it clear that it will never allow anyone to read users’ private chats. Its founder, Pavel Durov, recently said that if any government forces the app to break its privacy rules, Telegram will simply stop operating in that country.

Durov shared this message with users through his official Telegram channel on April 21, 2025. He said that, unlike some other tech companies, Telegram refuses to trade privacy for profit. Since it started 12 years ago, the app has never given out private messages to anyone.

This strong response comes after many European countries, especially France, have been pushing for laws that would give police and other authorities access to encrypted messages. Encrypted chats are protected by special codes that make it difficult for anyone else to read them. Governments want tech companies to build “backdoors” — hidden ways to unlock these messages — so law enforcement can look into criminal activities.

France had even proposed a new rule that would force apps like Telegram to help authorities unlock private data when asked. However, this idea was recently turned down. If it had passed, France would have been the first country to remove such privacy rights from its citizens.

Cybersecurity experts say adding backdoors to messaging apps is dangerous. If one group can access these hidden tools, so can others — including hackers or foreign governments. Once security is weakened, it can’t be limited to just one user or one case.

Durov also mentioned that creating backdoors won’t stop criminals. He explained that people with bad intentions will always find other ways to hide, such as using VPNs or less-known secure apps.

In August 2024, French officials arrested Durov and accused him of providing encrypted services to criminals. That case is still being investigated.

Even though the recent proposal was blocked in France, Durov believes that the fight for digital privacy is not over. Some French officials are still in favor of breaking encryption, and other countries, like Sweden, are thinking about passing similar laws by 2026.

The European Union is also working on a plan called ProtectEU, which aims to give authorities more power to access private data. Outside of Europe, the US state of Florida is considering a rule that would make social media apps used by children include encryption backdoors.

Switzerland, a country known for its strong privacy laws, may also change its rules and allow more surveillance. Apple has already removed end-to-end encryption for its iCloud service in the UK under pressure from the government.

Telegram, however, continues to stand its ground. The company says that if it must choose between following such rules or keeping users safe, it will walk away from that market — no matter the cost.

Malware Alert as Desert Dexter Strikes Over 900 Victims Worldwide



 

Crypto CyberCrime Cyberhackers Cybersecurity CyberThreat Desert Dexter IT malware Telegram

Malware Alert as Desert Dexter Strikes Over 900 Victims Worldwide

Several countries in the Middle East and North Africa have been targeted by an advanced Trojan named Desert Dexter, identified by security experts at Positive Technologies. This malware campaign has compromised nearly 900 victims as a result of its sophisticated campaign. The AsyncRAT malware campaign began in September 2024 to spread a modified variant of the malware using social media platforms and geopolitical tensions in an attempt to exploit these platforms.

Using deceptive tactics to lure unsuspecting users, hackers exploit the vulnerabilities in the Internet, highlighting the growing threat posed by cyber espionage and political cyberattacks. The Positive Technologies Expert Security Center (PT ESC) has discovered and analyzed a new malware campaign that has been orchestrated to target individuals in the Middle East and North Africa (MENA) region with the primary aim of infecting their systems and exfiltrating sensitive data as a result.

The campaign has been active since September 2024 and has been using a modified version of AsyncRAT to compromise victims' systems and steal sensitive information. On social media, attackers disguised themselves as legitimate news outlets to spread malware, crafting misleading promotional posts containing links to file-sharing services and Telegram channels, which allowed them to spread malware.

Once executed, the malware extracts cryptocurrency wallet credentials and establishes communications with a Telegram bot, enabling remote data theft and control over cryptocurrency wallets. About 900 individuals have been reported to be affected by this malware, primarily everyday users. The investigation indicates a significant number of victims are employees from key industries, including oil and gas, construction, information technology, and agriculture. This raises concerns about espionage and financial fraud, which could occur in these industries.

Based on a geographical analysis of the infections, Libya (49%) has been the worst hit, followed by Saudi Arabia (17%), Egypt (10%), Turkey (9%), the UAE (7%), and Qatar (5%) with additional cases reported across other regions. This attack is widespread, which shows that cybercriminals are evolving their tactics, and enhanced cybersecurity measures are necessary to keep them from harm. This malicious campaign was orchestrated by the Desert Dexter threat group, a group that is named after a single employee suspected of running it.

It was discovered by cybersecurity researchers that hackers were using temporary accounts and fake news channels to evade advertising filters and disseminate malicious content on Facebook, which enabled them to evade ad filtering mechanisms. There was a similar campaign reported in 2019, however this latest operation seems to incorporate enhancements aimed at improving the efficiency and impact of the malware.

According to Denis Kuvshinov, Head of Threat Intelligence at Positive Technologies, the attack follows a multi-stage approach that involves several steps and attacks. The initial victim is lured to a file-sharing service or Telegram channel, where a RAR archive containing malicious files is downloaded unintentionally, causing them to unknowingly download them.

After the files are executed, they install a modified version of AsyncRAT, which gathers data about the system, transmits it to the threat actors' Telegram bot, and then distributes it to them. This variant of AsyncRAT contains the upgraded IdSender module specifically designed for cryptocurrency wallet extensions, two-factor authentication plugins, and wallet management software that are specifically targeted by the latest version.

Although Desert Dexter's campaign's success has been largely attributed to the use of social media advertising and legitimate online services, which are not highly technical, the tools used by the organization have not been highly sophisticated. There is an attack underway by malicious actors targeting both individuals and high profile officials within the Middle East and North Africa (MENA) region as a result of geopolitical tensions within the region.

Due to ongoing political instability throughout the MENA region, cyber threats remain a top priority, with phishing campaigns increasingly focusing on politically charged themes to deceive and compromise victims in the region. While the majority of individuals involved in the cyberattack seem to be everyday consumers, cybersecurity researchers have identified individuals across a wide variety of industries, including those involved in oil production, construction, technology, and agriculture, who have also been affected by the cyberattack.

With the widespread scale of these infections, it is clear that social engineering techniques are effective at deceiving victims and geopolitical narratives. Through the application of these tactics, the attackers managed to successfully infiltrate multiple devices in multiple countries, even though they utilized relatively simple tools. There is a malware campaign that is continuing to succeed, and cybersecurity experts are urging everyone to exercise caution when confronted with unverified links or attachments, particularly those that claim to contain sensitive political material.

Several organizations operating within the affected regions are advised to adopt proactive cybersecurity strategies, enhance employee awareness regarding cybersecurity threats, and implement robust security protocols for mitigating the risks posed by this and similar emerging threats that are being faced by these organizations.

2FA Under Attack as Astaroth Phishing Kit Spreads



 

Yahoo

Astaroth Phishing Authentication Cyber Attacks CyberCrime Cybersecurity CyberThreat Dark Web Gmail PHaas Telegram URL Yahoo

2FA Under Attack as Astaroth Phishing Kit Spreads

Astaroth is the latest phishing tool discovered by cybercriminals. It has advanced capabilities that allow it to circumvent security measures such as two-factor authentication (2FA) when used against it. In January 2025, Astaroth made its public debut across multiple platforms, including Gmail, Yahoo, and Office 365, with sophisticated technologies such as session hijacking and real-time credentials interceptions, which compromise user accounts across multiple platforms.

SlashNext researchers claim Astaroth makes use of a reverse proxy called an evilginx-style proxy to place itself between legitimate login pages and users. As a result, the tool is capable of intercepting and capturing sensitive credentials, such as usernames, passwords, 2FA tokens, and session cookies, without triggering security alerts, thereby making the tool effective.

It has been demonstrated that attackers who have obtained these session cookies will be able to hijack authenticated sessions, bypass additional security protocols, and gain unauthorized access to user accounts once they have acquired these cookies. Astaroth demonstrates the evolution of cyber threats and the sophistication of phishing techniques that compromise online security. This development highlights how cybercriminals have been evolving their methods of phishing over the years.

Clearly, Astaroth highlights how cybercriminals' tactics have evolved over the last decade, as phishing has evolved into a lucrative business. The sophistication of sophisticated attacks has now reached a point where it is now marketed like commercial software products, with regular updates, customer support, and testing guarantees attached to them.

The attacker can intercept real-time credentials and use reverse proxy techniques in order to hijack authenticated sessions in order to bypass even the most robust phishing defences, such as Multi Factor Authentication (MFA), which are designed to protect against phishing attacks. Due to the widespread availability of phishing kits such as Astaroth, which significantly reduces the barrier to entry, less experienced cybercriminals are now capable of conducting highly effective attacks given that the barriers to entry have been significantly lowered.

The key to mitigating these threats is to adopt a comprehensive, multilayered security strategy that is both comprehensive and multifaceted. It must have a password manager, endpoint security controls, real-time threat monitoring, and ongoing employee training to ensure that employees are aware of cybersecurity threats in real time.

As an additional consideration, implementing Privillege Access Management (PAM) is equally vital, since it prevents unauthorized access to critical systems, even if login credentials are compromised, through the use of PAM. Business owners remain vulnerable to increasingly sophisticated phishing techniques that can circumvent the traditional defenses of their organisations without appropriate proactive security measures.

The Astaroth phishing kit has been developed to enable a more effective method of bypassing multi-factor authentication (MFA). By using an evilginx reverse proxy, it intercepts authentication processes in real time as they are happening. By using Astaroth, attackers will be able to steal authenticated sessions and hack them seamlessly with no technical knowledge. Astaroth is different from traditional phishing tools, which capture only static credentials; instead, it dynamically retrieves authorization tokens, 2FA tokens, and session cookies. This tool is a man-in-the-middle attack that renders conventional anti-phishing defenses and multi-factor authentication protections ineffective by acting as an intermediary.

Discovered by SlashNext Threat Researchers on cybercrime marketplaces, Astaroth is marketed as a tool that can be used easily. It is a 2-in-1 solution that sells for $2000 and includes six months of continuous updates, which includes the newest bypass techniques, as well as pre-purchase testing to demonstrate its effectiveness in real-world attacks if the buyer wants to establish credibility within cybercriminal networks. There is no doubt that the sophistication of phishing kits such as Astaroth, as well as the implementation of behaviour-based authentication, endpoint security controls, and continuous threat monitoring, are critical to organizations in order to defend themselves from these ever-evolving cyber threats that are continually evolving.

As a means of expanding the company's customer base, Astaroth's developers have publicly revealed the methodologies they use to bypass security measures, such as reCAPTCHA or BotGuard, as a way of demonstrating the kit's effectiveness at circumventing automatic security measures. Cybercriminals in cybercrime forums and underground marketplaces are actively promoting Astaroth among their communities and are primarily distributing it through Telegram, leading to its widespread adoption among cybercriminals world-wide.

There are several advantages to using these platforms, the most important of which is their accessibility, along with the anonymity they provide. This makes monitoring, tracking, and disrupting the sale and distribution of phishing kits very challenging for law enforcement agencies. There is a particular application known as Telegram which is commonly used by cybercriminals to communicate and to distribute their illicit activities due to its end-to-end encryption, private groups, and minimal oversight. This makes it very difficult for law enforcement to trace illicit activities on Telegram.

It may not only facilitate the proliferation of Astaroth on the dark web, but also on underground marketplaces - both of which allow threat actors to engage in peer-to-peer transactions without disclosing their identities to each other. The fact that these platforms are decentralized, along with the fact that cryptocurrency payments are used in conjunction with them, adds more layers of protection for cybercriminals, making it even more difficult for authorities to take enforcement action against them. Astaroth continue to be embraced by cybercriminal communities and is lowering the barrier to entry for less-experienced attackers, which in turn is promoting phishing-as-a-service (PhaaS) models which are becoming more prevalent as a consequence.

Due to the complexities posed by sophisticated phishing kits like Astaroth, security professionals emphasize the need for proactive security measures, which include real-time threat intelligence, endpoint detection, and multi-layered authentication strategies, as well as real-time threat intelligence. Aside from offering custom hosting solutions, Astaroth also offers bulletproof hosting, which will make Astaroth more resilient against legal authorities’ efforts to take down its websites.

Cybercriminals are able to conduct attacks with minimal disruption in jurisdictions with weak regulatory oversight when using the phishing kit since it operates in jurisdictions that lack regulatory oversight. As a Field CTO of SlashNext, J Stephen Kowski believes that the emergence of Astaroth with regards to authentication is one of the most important implication that could be borne out by the fact that even the most robust authentication systems can be compromised if the attackers obtain the two-factor authentication (2FA) codes and session information during the authentication process in real time.

Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, has emphasized the sophistication and severity of the Astaroth phishing kit. According to Richards, this phishing kit demonstrates an advanced level of complexity, making it increasingly difficult for users to identify and avoid such attacks. "Traditional security awareness training often instructs users to recognize phishing attempts by looking for red flags such as suspicious URLs, grammatical errors, or lack of SSL certification.

However, Astaroth’s highly sophisticated approach significantly reduces these indicators, making detection far more challenging," Richards stated. Furthermore, the infrastructure supporting these attacks is often hosted by providers that do not cooperate with law enforcement agencies, complicating efforts to dismantle these operations. In response to this growing threat, the United States and several European nations have imposed sanctions on countries that provide bulletproof hosting services, which are frequently exploited by cybercriminals to evade legal action.

Richards advises users to exercise extreme caution when receiving emails that appear to originate from legitimate organizations and contain urgent requests for immediate action. Rather than clicking on embedded links, users should manually navigate to the official website to verify the authenticity of any alerts or account-related issues. This proactive approach is essential in mitigating the risks posed by advanced phishing campaigns like Astaroth.

Organizations must implement advanced security measures beyond traditional login protections in order to protect themselves from these threats. According to Thomas Richards, a Principal Consultant and Network and Red Team Practice Director for Black Duck, a Burlington-based company that provides applications security solutions, Astaroth's phishing kit is sophisticated and quite severe. As Richards points out, this phishing kit shows a remarkable degree of complexity, which makes it increasingly difficult for users to identify and avoid attacks such as these as they run across them.

It has always been taught to users during traditional security awareness training to look for red flags, such as suspicious URLs, grammatical errors, or a lack of SSL certification, so they can identify phishing attempts. Although these indicators are largely reduced by Astaroth's highly sophisticated approach, Richards noted that the detection of them is much more challenging as a result. The infrastructure that supports these malicious attacks is typically hosted by providers who do not cooperate with law enforcement agencies, which complicates the process of dismantling these attacks.

Several European countries and the United States have increased sanctions in response to its growing threat, increasing the chance that these countries (including the United States) will use defenseless host hosting services, which are regularly exploited by cybercriminals to avoid legal action and avoid repercussions for their crimes.

The American scientist Richards urges users to exercise extreme caution if they receive an email that appears to be coming from a legitimate organization and contains urgent requests for action that need to be taken immediately. As a precaution, users should not click on embedded links in emails, but instead should visit the official site to verify the authenticity of any alerts they receive or account-related issues. Taking a proactive approach effectively mitigates the threats posed by advanced phishing campaigns such as Astaroth.

Cyberattackers Exploit GhostGPT for Low-Cost Malware Development



 

AI Development ChatGPT Cyberattacks CyberCrime CyberThreat GhostGPT malware Telegram

Cyberattackers Exploit GhostGPT for Low-Cost Malware Development

The landscape of cybersecurity has been greatly transformed by artificial intelligence, which has provided both transformative opportunities as well as emerging challenges. Moreover, AI-powered security tools have made it possible for organizations to detect and respond to threats much more quickly and accurately than ever before, thereby enhancing the effectiveness of their cybersecurity defenses.

These technologies allow for the analysis of large amounts of data in real-time, the identification of anomalies, and the prediction of potential vulnerabilities, strengthening a company's overall security. Cyberattackers have also begun using artificial intelligence technologies like GhostGPT to develop low-cost malware.

By utilizing this technology, cyberattackers can create sophisticated, evasive malware, posing a serious threat to the security of the Internet. Therefore, organizations must remain vigilant and adapt their defenses to counter these evolving tactics. However, cybercriminals also use AI technology, such as GhostGPT, to develop low-cost malware, which presents a significant threat to organizations as they evolve. By exploiting this exploitation, they can devise sophisticated attacks that can overcome traditional security measures, thus emphasizing the dual-edged nature of artificial intelligence.

Conversely, the advent of generative artificial intelligence has brought unprecedented risks along with it. Cybercriminals and threat actors are increasingly using artificial intelligence to craft sophisticated, highly targeted attacks. AI tools that use generative algorithms can automate phishing schemes, develop deceptive content, or even build alarmingly effective malicious code. Because of its dual nature, AI plays both a shield and a weapon in cybersecurity.

There is an increased risk associated with the use of AI tools, as bad actors can harness these technologies with a relatively low level of technical competence and financial investment, which exacerbates these risks. The current trend highlights the need for robust cybersecurity strategies, ethical AI governance, and constant vigilance to protect against misuse of AI while at the same time maximizing its defense capabilities. It is therefore apparent that the intersection between artificial intelligence and cybersecurity remains a critical concern for the industry, policymakers, and security professionals alike.

Recently introduced AI chatbot GhostGPT has emerged as a powerful tool for cybercriminals, enabling them to develop malicious software, business email compromise scams, and other types of illegal activities through the use of this chatbot. It is GhostGPT's uniqueness that sets it apart from mainstream artificial intelligence platforms such as ChatGPT, Claude, Google Gemini, and Microsoft Copilot in that it operates in an uncensored manner, intentionally designed to circumvent standard security protocols as well as ethical requirements.

Because of its uncensored capability, it can create malicious content easily, providing threat actors with the resources to carry out sophisticated cyberattacks with ease. It is evident from the release of GhostGPT that generative AI poses a growing threat when it is weaponized, a concern that is being heightened within the cybersecurity community.

A tool called GhostGPT is a type of artificial intelligence that enables the development and implementation of illicit activities such as phishing, malware development, and social engineering attacks by automating these activities. A reputable AI model like ChatGPT, which integrates security protocols to prevent abuse, does not have any ethical safeguards to protect against abuse. GhostGPT operates without ethical safeguards, which allows it to generate harmful content unrestrictedly. GhostGPT is marketed as an efficient tool for carrying out many malicious activities.

A malware development kit helps developers generate foundational code, identify and exploit software vulnerabilities, and create polymorphic malware that can bypass detection mechanisms. In addition to enhancing the sophistication and scale of email-based attacks, GhostGPT also provides the ability to create highly customized phishing emails, business email compromise templates, and fraudulent website designs that are designed to fool users.

By utilizing advanced natural language processing, it allows you to craft persuasive malicious messages that are resistant to traditional detection mechanisms. GhostGPT offers a highly reliable and efficient method for executing sophisticated social engineering attacks that raise significant concerns regarding security and privacy. GhostGPT uses an effective jailbreak or open-source configuration to execute such attacks. ASeveralkey features are included, such as the ability to produce malicious outputs instantly by cybercriminals, as well as a no-logging policy, which prevents the storage of interaction data and ensures user anonymity.

The fact that GhostGPT is distributed through Telegram lowers entry barriers so that even people who do not possess the necessary technical skills can use it. Consequently, this raises serious concerns about its ability to escalate cybercrime. According to Abnormal Security, a screenshot of an advertisement for GhostGPT was revealed, highlighting GhostGPT's speed, ease of use, uncensored responses, strict no-log policy, and a commitment to protecting user privacy.

According to the advertisement, the AI chatbot can be used for tasks such as coding, malware creation, and exploit creation, while also being referred to as a scam involving business email compromise (BEC). Furthermore, GhostGPT is referred to in the advertisement as a valuable cybersecurity tool and has been used for a wide range of other purposes. However, Abnormal has criticized these claims, pointing out that GhostGPT can be found on cybercrime forums and focuses on BEC scams, which undermines its supposed cybersecurity capabilities.

It was discovered during the testing of the chatbot by abnormal researchers that the bot had the capability of generating malicious or maliciously deceptive emails, as well as phishing emails that would fool victims into believing that the emails were genuine. They claimed that the promotional disclaimer was a superficial attempt to deflect legal accountability, which is a tactic common within the cybercrime ecosystem. In light of GhostGPT's misuse, there is a growing concern that uncensored AI tools are becoming more and more dangerous.

The threat of rogue AI chatbots such as GhostGPT is becoming increasingly severe for security organizations because they drastically lower the entry barrier for cybercriminals. Through simple prompts, anyone, regardless of whether they possess any coding skills or not, can quickly create malicious code. Aside from this, GhostGPT improves the capabilities of individuals with existing coding experience so that they can improve malware or exploits and optimize their development.

GhostGPT eliminates the need for time-consuming efforts to jailbreak generative AI models by providing a straightforward and efficient method of creating harmful outcomes from them. Because of this accessibility and ease of use, the potential for malicious activities increases significantly, and this has led to a growing number of cybersecurity concerns. After the disappearance of ChatGPT in July 2023, WormGPT emerged as the first one of the first AI model that was specifically built for malicious purposes.

It was developed just a few months after ChatGPT's rise and became one of the most feared AI models. There have been several similar models available on cybercrime marketplaces since then, like WolfGPT, EscapeGPT, and FraudGPT. However, many have not gained much traction due to unmet promises or simply being jailbroken versions of ChatGPT that have been wrapped up. According to security researchers, GhostGPT may also busea wrapper to connect to jailbroken versions of ChatGPT or other open-source language models.

While GhostGPT has some similarities with models like WormGPT and EscapeGPT, researchers from Abnormal have yet to pinpoint its exact nature. As opposed to EscapeGPT, whose design is entirely based on jailbreak prompts, or WormGPT, which is entirely customized, GhostGPT's transparent origins complicate direct comparison, leaving a lot of uncertainty about whether it is a custom large language model or a modification of an existing model.

Report: Telegram Crypto Scammers Adopt More Sophisticated Tactics



 

Crypto scams Cyber Fraud Encryption malware scams phishing tactics Telegram

Report: Telegram Crypto Scammers Adopt More Sophisticated Tactics

Telegram, a popular communications app known for encrypted messaging and calls, has become a prime target for sophisticated malware scams, according to the Web3-focused Scam Sniffer account on X. Sharing data on the platform, Scam Sniffer revealed that scammers on Telegram are now deploying malware instead of traditional phishing tactics.

The app, often considered an alternative to WhatsApp and Signal, offers privacy through encryption, making it attractive for both legitimate users and scammers. Previously, cryptocurrency scams on Telegram relied heavily on phishing techniques involving spoofed web pages and social engineering to extract sensitive information or access to crypto wallets.

However, the latest scam wave employs deceptive tools like fake verification bots, scam trading groups, and so-called “exclusive alpha groups,” as noted by Scam Sniffer. Victims are tricked into installing malware disguised as verification tools. Once installed, the malware can access passwords, wallets, clipboard data, and even browser information, leaving victims highly vulnerable.

Scammers have shifted to malware schemes partly because users are now more aware of traditional phishing tactics. Scam Sniffer pointed out that these new approaches make it harder to trace the source of the scams. The rise in cryptocurrency scams has been dramatic, with data showing over 2000% growth in dedicated scam groups. Bitcoin's soaring value, surpassing $100,000, has made cryptocurrency users more frequent targets.

Telegram has actively banned accounts involved in these scams, but managing the volume of malicious actors remains challenging. The website “Web3 is Going Great,” which tracks Web3-related scams, reports $7.84 million in losses from scams and hacks so far this year.

Telegram's TON Blockchain Embarks on US Growth Mission



 

TON

Blockchain Crypto Cyberattacks CyberCrime Cybersecurity CyberThreat Digital Privacy Technology Telegram TON

Telegram's TON Blockchain Embarks on US Growth Mission

A foundation, closely associated with Telegram, called the Open Network (TON), is pursuing ambitious expansion in the United States. A strategic move like this comes amid the expectation that Donald Trump's upcoming administration will be able to offer a more favourable regulatory environment. The TON Foundation is proud to announce a pivotal leadership transition: Manuel "Manny" Stotz, an experienced investor and blockchain advocate, has been selected as President of the organisation.

There is a new chapter in the foundation's journey to accelerate global adoption of the blockchain, emphasising expanded operations in the United States as part of a strategic expansion plan. In a statement released by a spokesperson for the TON Foundation to Cointelegraph on January 14, a spokesperson confirmed to the Cointelegraph that the US will become one of the most important markets for TON under the Trump Administration.

The TON Foundation has recently appointed Manuel Stotz, one of the world's leading digital asset investors, as its new president. The foundation will be able to expand its operations in the U.S. market with Stotz, the founder of Kingsway Capital Partners. Stotz stated that the U.S. would soon become a global crypto centre specialising in innovation. Steve Yun, who will remain a board member, will resign from the presidency, and he will be taking over the CEO role.

In light of the trend that a new president in the US is expected to provide a more favourable environment for cryptocurrency, this shift reflects this expectation. It is expected that his administration will address some of the most important regulatory issues on the day of his inauguration, which is scheduled for January 20, among crypto supporters. Among the concerns is how digital assets are treated by banks, with many in the crypto sector hoping that a change will happen in the rules regarding whether they will be accounted for as liabilities.

In addition to the issue of “de-banking,” which has impacted many crypto firms in the U.S., another issue that may be addressed is the issue of blockchain technology and its prospects. It has been Stotz's honour to serve as a board member of the TON Foundation since it was founded in Switzerland in 2023. With his new role at the TON Foundation, he will replace Steve Yun, who remains on the board. Stotz is a major investor in the digital asset industry and is the founder of Kingsway Capital Partners, an investment management firm.

There have been over 50 projects backed by the firm, among them Animoca Brands, Blockchain.com, CoinDCX, Toncoin, Genesis Digital Assets, and others. In the TON Foundation's opinion, the changing regulatory environment in the United States offers new opportunities for blockchain technology. Notably, several industry participants are optimistic about the incoming administration's pro-crypto stance, which includes plans for creating a national Bitcoin reserve and promoting blockchain-based economic reform.

As President-elect Trump has also indicated his desire to advance the field by appointing influential figures, such as Paul Atkins and David Sacks, to key positions in the sector, it is anticipated that these developments will lead to a surge in blockchain and artificial intelligence innovation. TON Foundation president Stotz believes that these developments may signify a turning point for the industry as a whole, and he believes that the US is an important market for accelerating blockchain adoption worldwide.

A decentralised project called TON is closely related to Telegram's TON blockchain, which was developed by the messenger and then turned into a decentralised project. The Toncoin token allows the network to provide 950 million Telegram users with services such as in-app payments and games, and with Stotz's leadership, TON plans to increase its user base and integrate blockchain-based solutions into everyday applications under Stotz's leadership.

The main objective of the fund is to use Telegram's vast global audience to promote the widespread adoption of blockchain technologies. With the TON Foundation, which is dedicated to supporting the development of the TON blockchain, Telegram's 950 million users will have access to crypto services through Telegram's platform. In 2023, Telegram formalised the foundation in Switzerland, a year after a 2020 settlement with the SEC ended Telegram's earlier fundraising efforts.

It was announced in December 2024 that the foundation would be expanding to Abu Dhabi following the ADGM's distributed ledger technology framework. This move is intended to provide legal backing for decentralised projects throughout the MENA and APAC regions, with a target of reaching 500 million users by 2028. In the crypto industry, the return of Trump to power could be considered a turning point in the market as a result. He has announced that cryptocurrencies will be treated differently in the United States of America than they were in the past, which could result in more blockchain projects coming into the country in the future and increased innovation in decentralised technologies.

Despite this change in leadership at the TON Foundation, the organisation continues to adhere to its mission and values even during this transition and continues to follow through with its objectives. As a board member of the foundation, Steve Yun provides ongoing leadership and direction and Manny Stotz plays a pivotal role in helping to make it a place for growth, collaboration, and innovation in the future. TON anticipates milestones to be achieved in the US over the coming months, which will further enhance the company's reputation as one of the leading blockchain companies in the world.

FireScam Malware Targets Android Users via Fake Telegram Premium App



 

Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data

A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

Request specific data from the infected device
Install additional payloads
Modify surveillance parameters
Initiate immediate data uploads

Furthermore, the malware can:

Monitor screen activity and app usage
Track changes in screen on/off states
Log keystrokes, clipboard data, and credentials stored in password managers
Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
Exercise caution when opening links from unknown sources.
Regularly review and restrict app permissions to prevent unauthorized data access.
Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks



 

Cyber Attacks espionage Iran Israel spying surveillance Telegram WhatsApp

Iran Spies on Senior Israeli Officials, Launches Over 200 Cyberattacks

Shin Bet, an Israeli Cybersecurity Service said recently it discovered over 200 Iranian phishing attempts targeting top Israeli diplomats to get personal information. Shin Bet believes the attacks were launched by Iranian actors through Telegram, WhatsApp, and email.

The threat actors tried to bait targets into downloading infected apps that would give them access to victim devices and leak personal data like location history and residential addresses.

Iran Targeting Israeli Officials

The targeted senior officials include academicians, politicians, media professionals, and others

ShinBet said the stolen information would be used by Iran to launch attacks against Israeli nationals “through Israeli cells they have recruited within the country.” The targets were reached out with an “individually tailored cover story for each victim according to their area of work, so the approach doesn’t seem suspicious.”

In one case, the attacker disguised as a Cabinet Secretary lured the target saying he wanted to coordinate with PM Benjamin Netanyahu. Shin Bet has tracked the targets involved in the campaign and informed them about the phishing attempts.

“This is another significant threat in the campaign Iran is waging against Israel, aimed at carrying out assassination attacks. We request heightened awareness, as cyberattacks of this type can be avoided before they happen through awareness, caution, suspicion, and proper preventative behavior online,” said a Shin Bet official.

Reasons for attack

Shin Bet “will continue to act to identify Iranian activity and thwart it in advance.” It believes the motive behind the attacks was to manage future attacks on Israeli nationals using information given by Israeli cells recruited by Iran. The campaign is a sign of an escalation between Iran and Israel, the end goal being assassination attempts.

The bigger picture

The recent discovery of phishing campaigns is part of larger targeted campaigns against Israel. In September 2024, 7 Jewish Israelis were arrested for allegedly spying on IDF and Israeli security figures for Iran.

The Times of Israel reports, “Also in September, a man from the southern city of Ashkelon was arrested on allegations that he was smuggled into Iran twice, received payment to carry out missions on behalf of Tehran, and was recruited to assassinate either Israel’s prime minister, defense minister, or the head of the Shin Bet.”

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns



 

Telegram Messenger

App privacy Cyber Security data security End To End Encryption Messaging Apps Secure Messenger Telegram Telegram Messenger

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer end-to-end encryption, this feature must be activated by users and does not apply to group chats or the desktop versions. However, it must be noted that all chats on Telegram are encrypted in transit and at rest.

Additionally, Telegram’s apps are open source, and its encryption protocols are fully documented, allowing independent researchers to verify their integrity and implementation. To date, no vulnerabilities in Telegram’s encryption have been identified. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception.

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Further, Telegram is the only messenger to offer verifiable builds on both iOS and Android, enabling researchers to confirm that the apps on app stores are built from the published source code.

Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages.

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates.

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.

UN Report: Telegram joins the expanding cybercrime markets in Southeast Asia



 

UNODC

Cyber crimes Deepfake Personal Data Stolen Data Telegram UNODC

UN Report: Telegram joins the expanding cybercrime markets in Southeast Asia

According to a report issued by the United Nations Office for Drugs and Crime, dated October 7, criminal networks across Southeast Asia are increasingly turning to the messaging platform Telegram for conducting comprehensive illegal activities. It says Telegram, due to big channels and seemingly insufficient moderation, becomes the attraction of the underworld for organised crime and its resultant transformation in the ways of operating global illicit operations.

An Open Market for Stolen Data and Cybercrime Tools

The UNODC report clearly illustrates how Telegram has become a trading platform for hacked personal data, including credit card numbers, passwords, and browser histories. Cybercriminals publicly trade on the large channels of Telegram with very little interference. In addition, it has various software and tools designed to conduct cybercrime such as fraud using deepfake technology and malware used for copying and collecting users' data. Moreover, money laundering services are provided in unauthorised cryptocurrency exchanges through Telegram.

An example was an ad to be placed on Telegram stating that it was moving USDT cryptocurrency, stolen and with $3 million daily transactions, to cash in on criminal organisations involved in transnational organised crime in Southeast Asia. According to reports, these dark markets are growing increasingly omnipresent on Telegram through which vendors aggressively look to reach criminal organisations in the region.

Southeast Asia: A hub of fraud and exploitation

According to the UNODC reports, this region in Southeast Asia has become an important base for international fraudulent operations. Most criminal activities within the region relate to Chinese syndicates located within heavily fortified locations and use trafficked individuals forced into labour. It is estimated that the industry generates between $27.4 billion and $36.5 billion annually.

The move comes as scrutiny of Telegram and its billionaire founder, Russian-born Pavel Durov, is intensifying. Durov is facing legal fallout in France after he was charged with abetting crime on the platform by allowing the distribution of illegal content after he tightened his regulations in France. The case has sparked debates on the liability of tech companies for the crimes happening on their platform, and the line between free speech and legal accountability.

It responded to the increasing pressure by promising cooperation with legal authorities. The head of Telegram, Durov, stated that Telegram will share the IP addresses and phone numbers of users whenever a legal request for them is required. He further promised to cancel some features on the platform that have been widely misused for illicit activities. Currently, more than a billion people worldwide are using Telegram, and it has so far not reacted publicly to the latest report from the UNODC.

A Perfect Fertile Ground for Cybercrime

For example, as personal data becomes more and more exposed to fraudulent exploitation and fraud schemes through Telegram, for instance, the Deputy Representative for Southeast Asia and the Pacific at UNODC highlighted the perils of the consumer getting to see. In this respect, Benedikt Hofmann, free access and anonymity developed an ideal setting for criminals towards the people's data and safety.

Innovation in Criminal Networks

The growth in Southeast Asia's organised crime to higher levels may indicate criminals will be armed with new, more varying technologies-most importantly malware, generative AI tools, and deepfakes-to commit sophisticated cyber-enabled fraud. In relation to innovation and adaptability, investigation by UNODC revealed over 10 specialised service providers in the region offering deep fakes technology for use in cybercrime cases.

Expanding Investigations Across Asia

Another area of concern discussed in the UNODC report is the increasing investigation by law enforcement agencies in other parts of Asia. For example, South Korean authorities are screening Telegram for its role in the commission of cybercrimes that include deepfake pornography. Meanwhile, in India, a hacker used Telegram chatbots to leak private data from Star Health, one of the country's largest insurers. This incident disclosed medical records, IDs, and even tax details. Star Health sued Telegram.

A Turning Point in Cybersecurity

The UNODC report opens one's eyes to the extent the challenge encrypted messaging presents toward the fight against organised crime. Thus, while criminal groups will continue and take full advantage of platforms like Telegram, tech companies remain on their toes about enforcing control measures over illegal activity while trying to balance concerns to address user privacy and safety.

Mamba 2FA Emerges as a New Threat in Phishing Landscape



 

Threat Detection

2024 Authentication Cyber Fraud CyberCrime Cybersecurity Mamba 2FA MFA phishing phishing-as-a-service SEKOIA Telegram Threat Detection

Mamba 2FA Emerges as a New Threat in Phishing Landscape

In the ever-changing landscape of phishing attacks, a new threat has emerged: Mamba 2FA. Discovered in late May 2024 by the Threat Detection & Research (TDR) team at Sekoia, this adversary-in-the-middle (AiTM) phishing kit specifically targets multi-factor authentication (MFA) systems. Mamba 2FA has rapidly gained popularity in the phishing-as-a-service (PhaaS) market, facilitating attackers in circumventing non-phishing-resistant MFA methods such as one-time passwords and app notifications.

Initially detected during a phishing campaign that imitated Microsoft 365 login pages, Mamba 2FA functions by relaying MFA credentials through phishing sites, utilizing the Socket.IO JavaScript library to communicate with a backend server. According to Sekoia's report, “At first, these characteristics appeared similar to the Tycoon 2FA phishing-as-a-service platform, but a closer examination revealed that the campaign utilized a previously unknown AiTM phishing kit tracked by Sekoia as Mamba 2FA.”

The infrastructure of Mamba 2FA has been observed targeting Entra ID, third-party single sign-on providers, and consumer Microsoft accounts, with stolen credentials transmitted directly to attackers via Telegram for near-instant access to compromised accounts.

A notable feature of Mamba 2FA is its capacity to adapt to its targets dynamically. For instance, in cases involving enterprise accounts, the phishing page can mirror an organization’s specific branding, including logos and background images, enhancing the believability of the attack. The report noted, “For enterprise accounts, it dynamically reflects the organization’s custom login page branding.”

Mamba 2FA goes beyond simple MFA interception, handling various MFA methods and updating the phishing page based on user interactions. This flexibility makes it an appealing tool for cybercriminals aiming to exploit even the most advanced MFA implementations.

Available on Telegram for $250 per month, Mamba 2FA is accessible to a broad range of attackers. Users can generate phishing links and HTML attachments on demand, with the infrastructure shared among multiple users. Since its active promotion began in March 2024, the kit's ongoing development highlights a persistent threat in the cybersecurity landscape.

Research from Sekoia underscores the kit’s rapid evolution: “The phishing kit and its associated infrastructure have undergone several significant updates.” With its relay servers hosted on commercial proxy services, Mamba 2FA effectively conceals its true infrastructure, thereby minimizing the likelihood of detection.

Is Telegram Still a Safe Messaging App? An In-Depth Look



 

Child pornography communication Cyber Security Online Scams Telegram

Is Telegram Still a Safe Messaging App? An In-Depth Look

Telegram, a popular messaging app launched in 2013, has earned a reputation for its robust security features. This Dubai-based platform offers end-to-end encryption for video and voice calls and in its optional feature, Secret Chats. This encryption ensures that only the sender and recipient can access the communication, making it a secure option compared to many other messaging apps.

However, recent developments have sparked concerns about the app's safety. Telegram's CEO, Pavel Durov, was recently arrested and charged in France. The charges stem from illicit activities, such as drug trafficking, online scams, and child pornography, that were reportedly facilitated through the app. While this incident has raised questions about the app's security, it’s crucial to understand whether these events affect the app’s functionality and what precautions users should take.

Telegram's Security Measures

When evaluating Telegram's safety, it's important to recognise the app's commitment to privacy. End-to-end encryption is considered the gold standard for securing digital communications, ensuring that even the platform itself cannot access the content of the messages. This level of protection is available by default for video and voice calls and can be enabled in private text messages through Secret Chats.

However, despite these measures, Telegram is not entirely impervious to scrutiny from authorities. In past instances, the platform has been compelled to provide user data to law enforcement agencies. This highlights that while Telegram offers full proof privacy protections, users should not assume absolute immunity from official oversight.

Impact of the CEO's Arrest on Telegram

The arrest of Pavel Durov has undoubtedly raised eyebrows. Typically, tech entrepreneurs have not been held accountable for the actions of users on their platforms to this extent. The charges against Durov are linked to criminal activities conducted through Telegram, a substantial departure from the usual treatment of tech executives.

Despite these legal challenges, there is no indication that Durov's arrest will affect Telegram's core security features, including end-to-end encryption. The legal case primarily concerns the misuse of the platform by third parties, not the app’s technical infrastructure or its security protocols. Notably, some influential figures, such as Elon Musk, have criticised the arrest, arguing that it is unreasonable to hold a platform owner accountable for how the platform is used.

Tips for Staying Safe on Telegram

While Telegram provides strong security features, users should remain vigilant against potential scams. The anonymity and encryption offered by Telegram make it an attractive platform for scammers. To protect yourself, it's essential to be cautious when receiving unsolicited messages, particularly from unknown contacts. Even messages that appear to come from customer service representatives or familiar sources should be treated with scepticism until the sender’s identity is verified.

Another crucial safety tip is to avoid sharing sensitive information, such as credit card details or personal data, on Telegram, especially with strangers. Impersonation scams are increasingly sophisticated, and once your information is compromised, it can lead to significant harm.

Bottom line is while Telegram remains a secure messaging app, users must stay alert to potential risks. The app's encryption provides a strong layer of security, but it is not foolproof. By being cautious and informed, users can enjoy the benefits of Telegram while minimising their exposure to scams and other risks.

Security Analysts Observe Massive Surge in Telegram App Downloads Following Durov Arrest



 

App Store Malicious Content Mobile Security Social Media App Telegram

Security Analysts Observe Massive Surge in Telegram App Downloads Following Durov Arrest

The arrest of Telegram creator and CEO Pavel Durov in France is beginning to have an influence on the app's popularity and position.

The founder was arrested last month for allegedly allowing illicit practices to thrive on the social media platform by failing to properly monitor posts, particularly in drug trafficking, money laundering, and the spread of child sexual abuse material (CSAM).

Despite concerns regarding the app's content, Telegram is now experiencing a spike in downloads, propelling it to the No. 2 spot on the U.S. App Store's Social Networking charts and increasing global iOS downloads by 4%.

After Durov's arrest, Telegram took some time to rise. This might be the case because a lot of individuals found out about the news only after reading the stories they had missed over the weekend, or because third-party sources of app store intelligence take a little longer to report changes in rankings.

According to Appfigures, an app intelligence company, Telegram didn't rise to the No. 2 spot on the Social Networking charts on the U.S. App Store until 3 a.m. EST on Monday, suggesting that the app is just now starting to gain traction. The app had already fallen to No. 3 in Social in the U.S. as of the time of publication, so it might only be a temporary boost.

However, the app shot to the top of the App Store's Social Networking category and rose to become the third most popular app overall in France, the country where Durov was arrested. After climbing ten spots since Friday, Telegram now stands at No. 8 in the top apps chart (which does not include games). Appfigures stated that this is the highest position it has held here since at least January 1, 2023. Apple often uses a combination of measures, including download velocity and app install count, to determine app store rankings.

Nevertheless, the cliché "any press is good press" appears to hold true, at least in terms of Telegram's exposure on the App Store. As consumers downloaded the app out of curiosity — or possibly to support the founder's views about "free speech" — it began to rise in the rankings.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for