Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Fortinet Patches Critical, High Vulnerabilities in FortiOS, FortiProxy
July 14, 2026
Microsoft Patch Tuesday fixes 570 flaws including 3 zero-days
July 14, 2026
Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
July 14, 2026
Home/Threats/FEMITBOT Network Leverages Telegram Mini Apps for Crypto Fraud, Android Malware
Threats

FEMITBOT Network Leverages Telegram Mini Apps for Crypto Fraud, Android Malware

Key Takeaways A sophisticated network, dubbed FEMITBOT, is leveraging Telegram Mini Apps for global cryptocurrency fraud and Android malware distribution. The operation mimics legitimate crypto...

Sarah simpson
Sarah simpson
May 7, 2026 4 Min Read
59 0

Key Takeaways

  • A sophisticated network, dubbed FEMITBOT, is leveraging Telegram Mini Apps for global cryptocurrency fraud and Android malware distribution.
  • The operation mimics legitimate crypto exchanges, streaming services, and financial platforms, luring victims with promises of passive income.
  • FEMITBOT seamlessly integrates fake apps within Telegram’s native browser, making scams difficult for users to identify.
  • The network employs social media advertising, unsolicited Telegram invites, and a multi-level referral system to expand its reach.
  • Beyond financial scams, FEMITBOT infrastructure also serves malicious Android APK files, disguised as legitimate applications.

A highly organized and extensive fraud network, identified as FEMITBOT, has emerged, exploiting Telegram’s Mini App functionality to conduct widespread cryptocurrency scams and disseminate Android malware globally. This operation, first detected in April 2026, targets users by presenting fake applications designed to impersonate legitimate cryptocurrency exchanges, popular streaming services, financial platforms, and AI tools. Victims are typically enticed through deceptive social media advertisements and unsolicited Telegram invitations promising effortless passive income, as detailed in a recent report.

Table Of Content

  • Key Takeaways
  • How FEMITBOT Exploits Telegram Mini Apps
  • Android Malware Distribution Tactics
  • What You Should Do

The fraudulent applications engage users with a meticulously crafted deceptive sequence. Upon interacting with one of these malicious bots, users encounter a polished interface that closely resembles well-known brands. The illusion is further reinforced by fake earnings dashboards, countdown timers, and prompts for VIP upgrades, all designed to create a false sense of urgency and legitimacy. Subsequently, victims are prompted to make a small initial deposit to supposedly unlock their accumulated winnings, a tactic that has successfully siphoned real funds from unsuspecting users worldwide.

CTM360 analysts were able to pinpoint the malicious infrastructure, tracing it to a unified backend platform. A critical finding was the consistent API response, “Welcome to join the FEMITBOT platform,” across dozens of seemingly unrelated domains. This shared digital fingerprint, observed across more than 60 active domains, confirmed that all campaigns were powered by a single, professional-grade kit, indicating a well-resourced operation with clear commercial objectives.

The sheer scale of the FEMITBOT network is noteworthy. Researchers uncovered over 146 active Telegram bots, more than 30 impersonated brands, and over 100 tracking pixel IDs linked to Meta and TikTok advertising systems. These tracking pixels were strategically deployed by the threat actors to analyze the effectiveness of various lures, enabling them to refine their tactics in real-time. Furthermore, a multi-level referral system actively engaged victims, turning them into unwitting participants in the network’s expansion.

How FEMITBOT Exploits Telegram Mini Apps

FEMITBOT’s effectiveness stems from its seamless integration within Telegram’s ecosystem. The fake applications operate within Telegram’s native browser window, diminishing user suspicion. The entire kit is designed for global reach, supporting over 22 languages and utilizing Cloudflare’s network to obscure its true origin. The FEMITBOT toolkit primarily leverages the legitimate functionality of Telegram Mini Apps, which are lightweight web applications capable of handling logins, payments, and interactive features directly within the Telegram interface. While convenient by design, this very convenience has been weaponized for large-scale fraud.

When a victim interacts with one of these malicious bots, the Mini App covertly collects their Telegram user ID, display name, and authentication data via the initData feature. This information is then transmitted to the attacker’s server, which automatically logs the victim in without requiring a password. The server dynamically loads the appropriate brand theme—whether it mimics Binance, Netflix, or an AI mining platform—based on a predefined skin configuration setting. The fraudulent scheme then unfolds through a progressive script: fabricated earnings appear on the dashboard, countdown timers instill urgency, and warnings about limited VIP slots pressure the user. Ultimately, the victim is prompted to make a deposit to “unlock” their supposed withdrawals, at which point real funds are stolen.

Android Malware Distribution Tactics

Beyond its financial fraud operations, FEMITBOT also functions as a sophisticated delivery mechanism for Android malware. Specific sites within the network contain a dormant feature flag that, when activated, directly serves malicious Android Package Kit (APK) files to visitors. These files are deceptively named to resemble legitimate applications, making initial detection difficult for users. The malware is delivered through several methods: a direct file download initiated by a button, an in-app browser experience designed to appear trustworthy, or a Progressive Web App (PWA) prompt encouraging users to add the page to their home screen. Each delivery method is engineered to minimize friction and ensure the malicious software is installed on the device as smoothly as possible.

What You Should Do

  • Exercise Extreme Caution: Be highly suspicious of any app or service promoted through Telegram links, especially those promising guaranteed returns or requiring upfront deposits for “winnings.”
  • Verify App Sources: Only download and install applications from official and trusted app stores (e.g., Google Play Store, Apple App Store). Avoid installing APK files or apps from direct links or unverified sources.
  • Review Permissions: Before installing any application, carefully review the permissions it requests. Be wary of apps asking for excessive or unusual permissions that are not relevant to their stated function.
  • Enable Two-Factor Authentication (2FA): Implement 2FA on your Telegram account and any cryptocurrency platforms to add an extra layer of security.
  • Educate Yourself: Stay informed about common phishing and scam tactics. If an offer seems too good to be true, it likely is.
  • For Organizations: Block known FEMITBOT-linked domains and monitor outbound network traffic for any connections to the identified malicious infrastructure.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain zerocap[.]vip FEMITBOT phishing domain impersonating crypto platform
Domain spiderpool[.]app FEMITBOT phishing domain linked to crypto fraud
Domain btcaimining[.]xyz FEMITBOT phishing domain for fake BTC mining pool
Domain btcpoolok[.]cloud FEMITBOT phishing domain for fake BTC mining pool
Domain cineotv[.]one FEMITBOT phishing domain impersonating BBC streaming
Telegram Bot @Zerocap01_bot Telegram bot tied to zerocap[.]vip phishing domain
Telegram Bot @SpiderPool01_bot Telegram bot tied to spiderpool[.]app phishing domain
Telegram Bot @AiSuperBtc Telegram bot tied to btcaimining[.]xyz phishing domain
Telegram Bot @AiSuperBtcVIP01 Telegram bot tied to btcpoolok[.]cloud phishing domain
Telegram Bot @BBC_Serve Telegram bot tied to cineotv[.]one phishing domain
URL /api/public/init Unauthenticated FEMITBOT API endpoint exposing full config including malware URLs
URL /api/public/telegramLogin FEMITBOT authentication endpoint used for session hijacking via initData

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

DarkHub Hacking-for-Hire Portal Advertises Crypto Fraud and Message Interception

Next Post

Phishing Attack Abuses Event Invitations to Steal Login Credentials

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical FortiSandbox CVE-2023-34981 Exposes VNC Server to Attackers
July 14, 2026
SOC Efficiency: Cut Alert Overload and MTTR by 21 Minutes Per Case
July 14, 2026
Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us