Kaspersky Reports Telegram Malware Hitting Fintech Sectors

DeathStalker group targeted sensitive information in the fintech and trading sectors through the exploitation of Telegram malware

Kaspersky identified a worldwide cyberespionage campaign by the DeathStalker group in a global attack targeting sensitive information in the fintech and trading sectors through the exploitation of Telegram malware.

The results of an exhaustive research investigation by Kaspersky’s Global Research and Analysis Team (GReAT) have brought to light a large-scale cyber campaign affecting the fintech and trading sectors in several parts of the world, including Europe, Asia, Latin America, and the Middle East.

The report states that the Advanced Persistent Threat (APT) group DeathStalker has been linked to Telegram channels used to spread Trojan spyware, compromising sensitive data.

DeathStalker, an APT group active since at least 2012, is responsible for various cyberespionage campaigns against small and medium-sized enterprises (SMEs), with a special appetite for cyberattacks on the financial sector.

Killer Moves

The DeathStalker APT group specializes in financial intelligence gathering and deploys a remote access Trojan (RAT) known as DarkMe to control target devices and extract sensitive information.

According to Kaspersky, the Telegram malware focused on attacking channels related to trading and fintech, whereby the attackers post dangerous archives camouflaged as ordinary files. In this case, unsuspecting users opening those files launch the installation of DarkMe, giving DeathStalker access to their devices.

“Unlike traditional phishing, these threat actors relied on Telegram channels to deploy their malware,” said Maher Yamout, Lead Security Researcher at Kaspersky GReAT.

“In prior campaigns, we saw the same operation using other messaging platforms like Skype. This approach might make victims more inclined to trust the sender, as messaging app downloads often trigger fewer security warnings than typical internet downloads,” Yamout added.

The DeathStalker attack didn’t end with simply installing malware from Telegram. After DarkMe was deployed, the group tried to clean up after itself by deleting the dropper files used at the beginning and by removing post-exploitation tools and their registry keys to avoid detection. DeathStalker even altered the file size of the implant to hinder security analysis, a sign of very good operational security.
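The cleanup behaviour described above (a dropper deleted soon after it ran, and autostart registry keys removed afterwards) is something endpoint telemetry can surface. The following is an added illustration of that correlation logic, not code from Kaspersky or from the report: the event format, field names, paths and timings are constructed assumptions, and the sample events are not real indicators from the campaign.

```python
"""Toy correlation over constructed endpoint events that flags the two
anti-forensic patterns described in the article: an executable that is
deleted shortly after it started a process, and removal of an autostart
registry key. Event schema and samples are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str    # "process_start", "file_delete" or "registry_delete"
    path: str    # image path, deleted file path, or registry key path
    actor: str   # process that performed the action

T = datetime(2024, 1, 1, 10, 0, 0)

# Constructed sample telemetry (hypothetical paths; not real IoCs).
SAMPLE_EVENTS = [
    Event(T, "process_start",
          r"C:\Users\u\Downloads\Telegram Desktop\report.exe", "explorer.exe"),
    Event(T + timedelta(seconds=5), "process_start",
          r"C:\Users\u\AppData\Roaming\svc\updater.exe", "report.exe"),
    Event(T + timedelta(seconds=30), "file_delete",
          r"C:\Users\u\Downloads\Telegram Desktop\report.exe", "updater.exe"),
    Event(T + timedelta(minutes=5), "registry_delete",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "updater.exe"),
    # Benign noise that must not be flagged.
    Event(T + timedelta(hours=1), "process_start",
          r"C:\Windows\System32\notepad.exe", "explorer.exe"),
    Event(T + timedelta(hours=2), "file_delete",
          r"C:\Users\u\Documents\old.txt", "explorer.exe"),
]

AUTORUN_PREFIXES = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)

def find_self_cleanup(events, window=timedelta(minutes=10)):
    """Return (path, deleting_process) for executables that were deleted
    within `window` after they were observed starting a process."""
    first_start = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "process_start":
            first_start.setdefault(e.path.lower(), e.ts)
    hits = []
    for e in events:
        if e.kind != "file_delete":
            continue
        t0 = first_start.get(e.path.lower())
        if t0 is not None and timedelta(0) <= e.ts - t0 <= window:
            hits.append((e.path, e.actor))
    return hits

def find_autorun_removal(events, prefixes=AUTORUN_PREFIXES):
    """Return registry keys deleted under common autostart locations."""
    return [e.path for e in events
            if e.kind == "registry_delete"
            and e.path.lower().startswith(prefixes)]

def triage(events):
    """Combine both signals into one verdict for an analyst queue."""
    self_cleanup = find_self_cleanup(events)
    autorun = find_autorun_removal(events)
    return {
        "dropper_self_delete": self_cleanup,
        "autorun_removed": autorun,
        # Either pattern alone is noisy; both together are worth a look.
        "suspicious": bool(self_cleanup) and bool(autorun),
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

The window and the decision to require both signals are tuning choices; legitimate installers also delete themselves, so on real telemetry you would add an allow-list of signed installers and weight downloads from messaging-client directories more heavily.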

Telegram Malware Rise

DeathStalker exploited users’ trust in Telegram’s security, successfully bypassing conventional safeguards, and putting millions at risk. The development of Telegram malware gives proof of the difficulties of securing encrypted platforms against misuse while balancing user privacy and security.

Active since at least 2018, DeathStalker targets the financial, legal, and more recently, government sectors for intelligence gathering rather than direct theft, planting spyware inside financial organizations.

In light of the DeathStalker campaign, Kaspersky cautions that files received via instant messaging applications call for extreme attentiveness, since threat actors have been trying unusual platforms for malware dissemination, and Telegram-delivered malware of this kind changes how far the platform itself can be relied on as a source of protection.
