DeathStalker’s Latest Cyber-Espionage Campaign Uses Telegram to Target Fintech and Trading Sectors

Kaspersky’s GReAT team has exposed a cyber-espionage campaign in which the DeathStalker group uses Telegram channels to deliver the DarkMe malware to the fintech and trading industries. The attack aims to steal sensitive data and relies on post-infection clean-up to evade detection and attribution.


7 November 2024 – Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a sophisticated global cyber-espionage campaign targeting individuals and businesses within the fintech and trading industries. This campaign leverages Telegram channels as a vector to deliver Trojan spyware, aiming to steal sensitive data and potentially control infected devices for surveillance purposes. At the center of the attack is DeathStalker, an advanced persistent threat (APT) group known for hack-for-hire operations that provide specialized hacking services for financial and competitive intelligence.

In this recent wave of attacks, Kaspersky observed DeathStalker using DarkMe, a Remote Access Trojan (RAT) that collects information from the host and executes commands received from a command-and-control server. Distributed through Telegram channels with trading and financial themes, the malware reaches potential victims as attachments to posts. These attachments often appear as compressed files (e.g., RAR or ZIP) containing malicious links, which, when activated, install the final-stage malware. According to Kaspersky, using a messaging app rather than traditional phishing emails may increase user trust and thus the likelihood of infection. Additionally, a file saved by a messaging client may not carry the security warnings that commonly accompany browser downloads (on Windows, the Mark-of-the-Web that triggers SmartScreen prompts), so users and endpoint tooling should treat an archive from a Telegram channel with the same suspicion as one from an unknown website.

Kaspersky’s findings indicate that, after infection, the malware performs a series of clean-up actions, including deleting the files used for installation and clearing traces such as registry keys and post-exploitation artifacts. This operational security, combined with techniques that mimic other APT groups, suggests DeathStalker is trying to evade both detection and attribution.
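The two behaviours described above (an executable run straight out of an archive received over Telegram, followed by the process deleting its own installer and registry keys) are exactly what an endpoint hunt can correlate. The script below is an added example, not code from Kaspersky or from the campaign: it scans constructed, Sysmon-like events for a process tree started from the Telegram Desktop download folder and reports it only if that tree later cleans up after itself. The folder name `Downloads\Telegram Desktop`, the launcher and script-host lists, the event field names and all sample paths are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed default download folder of Telegram Desktop on Windows (illustration only).
TELEGRAM_DL = re.compile(r"\\Downloads\\Telegram Desktop\\", re.IGNORECASE)
# Parents that typically start a file the user just opened from Telegram or from an archive (assumption).
LAUNCHERS = {"telegram.exe", "winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}
# Script hosts a shortcut or batch file inside the archive would hand the payload path to (assumption).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing value)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Correlate events per process tree. Return one finding per tree that
    (1) was started out of the Telegram download folder and
    (2) later removed its installer/archive or deleted registry keys."""
    root = {}                    # pid -> pid of the first flagged ancestor
    reason = {}                  # root pid -> why the tree was flagged at launch
    cleanup = defaultdict(list)  # root pid -> clean-up actions seen afterwards

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image, parent = ev["image"], basename(ev.get("parent_image", ""))
            name, cmd = basename(image), ev.get("command_line", "")
            if TELEGRAM_DL.search(image) and parent in LAUNCHERS:
                root[pid] = pid
                reason[pid] = f"{name} executed from the Telegram download folder by {parent}"
            elif name in SCRIPT_HOSTS and TELEGRAM_DL.search(cmd):
                r = root.get(ev["ppid"], pid)   # join the parent's tree if it is flagged
                root[pid] = r
                if r == pid:
                    reason[pid] = f"{name} handed a Telegram download path: {cmd}"
            elif ev["ppid"] in root:
                root[pid] = root[ev["ppid"]]    # descendants inherit the tree's root
        elif pid in root:
            if kind == "file_delete" and TELEGRAM_DL.search(ev["target"]):
                cleanup[root[pid]].append(f"deleted {ev['target']}")
            elif kind == "registry_delete":
                cleanup[root[pid]].append(f"deleted registry key {ev['key']}")

    # Launch from the folder alone is noisy; only trees that also cleaned up are reported.
    return [{"pid": r, "reason": reason[r], "cleanup": cleanup[r]}
            for r in reason if cleanup[r]]


# Constructed sample telemetry, loosely shaped like Sysmon process-create, file-delete
# and registry events. None of it is real DarkMe or DeathStalker data.
SAMPLE_EVENTS = [
    # User opens an archive received in a Telegram channel; WinRAR itself is not suspicious.
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\trader\Downloads\Telegram Desktop\Q4_signals.rar"'},
    # The executable inside the archive is run straight from the download folder.
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\trader\Downloads\Telegram Desktop\Q4_signals\Q4_signals.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r'"C:\Users\trader\Downloads\Telegram Desktop\Q4_signals\Q4_signals.exe"'},
    # It spawns cmd.exe to remove the archive it came from ...
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\trader\Downloads\Telegram Desktop\Q4_signals\Q4_signals.exe",
     "command_line": r'cmd.exe /c del /q "C:\Users\trader\Downloads\Telegram Desktop\Q4_signals.rar"'},
    {"type": "file_delete", "pid": 300,
     "target": r"C:\Users\trader\Downloads\Telegram Desktop\Q4_signals.rar"},
    # ... and wipes a registry key it had created (key name constructed).
    {"type": "registry_delete", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Q4_signals"},
    # Benign: a PDF from the same channel opened in a reader; matches no rule.
    {"type": "process_create", "pid": 400, "ppid": 50,
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "parent_image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "command_line": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\trader\Downloads\Telegram Desktop\statement.pdf"'},
    # An installer run from the folder that never cleans up: flagged at launch, not reported.
    {"type": "process_create", "pid": 500, "ppid": 50,
     "image": r"C:\Users\trader\Downloads\Telegram Desktop\chart_tool_setup.exe",
     "parent_image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "command_line": r'"C:\Users\trader\Downloads\Telegram Desktop\chart_tool_setup.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["pid"], finding["reason"])
        for action in finding["cleanup"]:
            print("   ", action)
```

On the sample data only the Q4_signals tree is reported: the file deletion is performed by a child cmd.exe, so the correlation has to follow the process tree rather than a single PID, and the installer that never cleans up is deliberately left out to keep the rule from firing on every file a user opens from Telegram. In a real deployment the folder pattern, launcher list and event field names must be adapted to the endpoint agent in use.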

DeathStalker, active since at least 2018, has a reputation for collecting sensitive business and financial information, particularly from SMEs, law firms, and financial institutions worldwide, with no indication that it steals funds itself. Kaspersky stresses the need for heightened vigilance on messaging platforms and recommends that organizations deploy advanced security solutions to protect against such threats.

For individuals, Kaspersky advises installing trusted security software, staying informed about current cyber risks, and exercising caution on all messaging apps. Organizations, especially in high-risk sectors, should focus on giving their InfoSec teams better threat visibility and continuous cybersecurity training, and on deploying EDR and XDR solutions sized to the scale and complexity of the enterprise.

Author: Terry KS
