Kaspersky’s researchers have uncovered a sophisticated cyber campaign that uses the messaging app Telegram to spread spyware targeting individuals and organizations in the fintech and trading sectors.
According to the cybersecurity solutions provider, the spyware, a Trojan known as DarkMe, allows attackers to steal sensitive data, including passwords, and remotely control devices.
The campaign, reportedly linked to the hack-for-hire group DeathStalker, employed Telegram channels to deliver malicious software to a wide range of targets across more than 20 countries. The threat actors used Telegram to mask their activity and avoid traditional security warnings.
“Instead of using traditional phishing methods, threat actors relied on Telegram channels to deliver the malware,” said Maher Yamout, lead security researcher from GReAT. “In earlier campaigns, we also observed this operation using other messaging platforms, such as Skype, as a vector for initial infection.”
DeathStalker
The malware was likely spread through harmful files disguised as common formats like RAR or ZIP, shared in Telegram groups focused on trading and finance topics. When users opened these files, the malware quietly installed itself, ultimately giving attackers remote control over infected systems.
DeathStalker, an experienced hack-for-hire group active since at least 2018, is believed to specialize in collecting sensitive information for business and financial intelligence rather than stealing funds. The group's use of Telegram for malware distribution marks a significant shift in tactics, suggesting a more discreet approach to targeting victims.
Kaspersky advises fintech users to remain vigilant, even on familiar apps.
“This campaign highlights the need for caution when dealing with instant messaging apps like Skype and Telegram,” warned Yamout.

