DarkMe Trojan Spreads Through Financial Telegram Channels

Cybersecurity researchers have discovered a campaign distributing the DarkMe trojan through Telegram channels focused on finance and trading. This malware allows attackers to gain remote access to victims’ devices and steal sensitive data. Attacks have been recorded in more than 20 countries, including Russia.

How the Attack Works

According to Kaspersky Lab experts, cybercriminals attach archives containing malicious files (with extensions like .lnk, .com, and .cmd) to posts in Telegram channels. If a user opens one of these files, the malware is downloaded onto their device, enabling remote command execution from the attackers’ server and data theft.
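The delivery step described above is the point where a gateway or endpoint control can intervene: an archive attached to a chat post that carries .lnk, .com or .cmd members has no business on a trading desk. The checker below is an added example written for this article, not Kaspersky's tooling or anything recovered from the campaign. It opens a ZIP in memory, flags members whose extension is of an executable or shortcut type, flags "document.pdf.cmd"-style double extensions, and also reads the first bytes of each member so that a Windows shortcut renamed to an innocuous extension is still caught (the extensions beyond .lnk/.com/.cmd, the sample archive contents and the function names are this example's own assumptions).

```python
import io
import zipfile

# Extensions named in the report as carried inside the malicious archives,
# plus common script/executable types most gateways already block
# (everything after .cmd is an assumption of this example).
RISKY_EXTENSIONS = {".lnk", ".com", ".cmd", ".exe", ".bat", ".scr", ".js", ".vbs", ".ps1"}

# Extensions attackers like to put in front of the real one ("statement.pdf.cmd").
DECOY_DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# A Windows shortcut starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046; the first 8 bytes are enough.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def risky_members(archive_bytes: bytes) -> list:
    """Return (member_name, reason) pairs for ZIP entries that warrant a block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in RISKY_EXTENSIONS:
                findings.append((name, f"executable-type extension {ext}"))
                # Double extension: a decoy document suffix before the real one.
                if len(parts) > 2 and "." + parts[-2] in DECOY_DOCUMENT_EXTENSIONS:
                    findings.append((name, "decoy document extension before executable extension"))

            # Content check: a renamed shortcut still carries the LNK header.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and ext != ".lnk":
                findings.append((name, "shortcut (LNK) header under a non-.lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for trying the checker offline (not a campaign artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trading_signals.txt", "plain notes, nothing to flag")
        zf.writestr("statement.pdf.cmd", "@echo off\r\nrem harmless placeholder\r\n")
        zf.writestr("chart.com", b"\x00" * 16)
        zf.writestr("portfolio.dat", LNK_MAGIC + b"\x00" * 8)  # shortcut renamed to .dat
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in risky_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

Run on the constructed archive, the checker reports the .cmd member twice (executable extension and decoy document suffix), the .com member once, and the renamed shortcut once, while the plain text file passes. In a real deployment the same function would sit in the attachment path of a chat or mail gateway, or in an endpoint script that inspects archives in the download folder before the user can double-click a member.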

The attackers take significant steps to hide their tracks. For example, after installation, the malware deletes the files used to deliver DarkMe. The size of the implant file is also increased by adding junk code and strings, making attribution and detection more difficult.

Additionally, the attackers remove other traces after completing their tasks, such as deleting files, tools, and registry keys used during post-exploitation, to hinder detection and investigation.

Who Is Behind the Attacks?

Researchers link this campaign to the DeathStalker group (formerly known as Deceptikons). This group has been active since at least 2018 (and possibly as early as 2012) and operates as a hacker-for-hire service. They conduct financial intelligence operations, collecting various types of commercial, financial, and personal information—sometimes on behalf of competitors.

DeathStalker primarily targets small and medium-sized businesses, fintech companies, financial institutions, and legal organizations. The group is believed to include skilled cybercriminals capable of developing their own tools and possessing a deep understanding of the cyber threat landscape.

Why Telegram?

“Instead of traditional phishing methods, the attackers used Telegram channels to distribute their malware. In earlier campaigns, they also infected devices through other communication platforms, such as Skype. Messaging apps may inspire more trust in potential victims than phishing websites. Additionally, downloading files from such apps can seem less risky than downloading from the internet,” explains Tatyana Shishkova, lead expert at Kaspersky GReAT.
