Full Report
Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram's Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. [...]
Analysis Summary
# Tool/Technique: FEMITBOT
## Overview
FEMITBOT is a large-scale fraud and malware distribution platform that leverages Telegram’s Mini App feature (built-in WebView) to conduct cryptocurrency scams, host phishing interfaces, and distribute malicious Android APKs. The platform provides a unified backend infrastructure that allows threat actors to rapidly deploy fraudulent "app-like" experiences impersonating global brands directly within the Telegram messaging ecosystem.
## Technical Details
- **Type**: Fraud Framework / Malware Delivery Platform
- **Platform**: Android (APK delivery), Cross-platform (Phishing via Telegram WebView)
- **Capabilities**: Brand impersonation, fake investment dashboards, automated Telegram bot interaction, malware hosting, and conversion tracking.
- **First Seen**: Reported May 2026 (CTM360)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.003 - Phishing: Spearphishing Service] (Abuse of Telegram Bots)
- **[TA0011 - Command and Control]**
- [T1102.001 - Web Service: Dead Drop Resolver] (Using Telegram as a communication channel)
- **[TA0002 - Execution]**
- [T1204.001 - User Execution: Malicious Link]
- [T1204.002 - User Execution: Malicious File]
- **[TA0007 - Discovery]**
- [T1418 - Software Discovery] (Identifying mobile platform for APK delivery)
## Functionality
### Core Capabilities
- **Mini App Integration**: Utilizes Telegram’s lightweight web application framework to display phishing sites without leaving the Telegram app, increasing the perceived legitimacy of the scam.
- **Dynamic Brand Impersonation**: A shared backend infrastructure allows attackers to switch themes and branding (e.g., Apple, NVIDIA, Coca-Cola) while maintaining the same underlying API calls.
- **Fraudulent Financial Logic**: Implements fake balance dashboards, countdown timers, and "task-based" withdrawal systems (Advance-fee fraud).
### Advanced Features
- **Conversion Tracking**: Employs Meta and TikTok tracking pixels to monitor user engagement and optimize campaign performance.
- **Contextual APK Hosting**: Malicious APKs are hosted on the same domains as the API to ensure TLS certificate validity and bypass "mixed-content" warnings in mobile browsers.
- **Infrastructure Scalability**: Features a "Welcome to join the FEMITBOT platform" API response consistent across diverse phishing domains, indicating a Platform-as-a-Service (PaaS) model.
## Indicators of Compromise
*Note: Specific hashes were not provided in the source article text; behavioral indicators are emphasized.*
- **Network Indicators (Defanged)**:
- `femitbot[.]com` (Generic platform domain)
- Various phishing domains mimicking: `nvidia`, `apple`, `disney`, `moonpay`, `cclerk-api[.]com` (Example of common fraud API patterns)
- **File Names**:
- `BBC.apk`
- `NVIDIA.apk`
- `CineTV.apk`
- `Coreweave.apk`
- `Claro.apk`
- **Behavioral Indicators**:
- Launching Telegram Mini Apps from unsolicited bots.
- API responses containing the string: `"Welcome to join the FEMITBOT platform"`.
- Prompts to sideload APKs directly from a Telegram WebView session.
## Associated Threat Actors
- **FEMITBOT Operators**: An unidentified group or collective providing this fraud-as-a-service infrastructure to multiple affiliates.
## Detection Methods
- **Behavioral Detection**: Monitor for Telegram processes (`org.telegram.messenger`) initiating downloads of APK files or interacting with known fraud-related API endpoints.
- **Network Metadata**: Identifying the specific FEMITBOT API response string in unencrypted or inspected web traffic.
- **Heuristics**: Flagging Telegram bots that immediately request users to launch a "Mini App" or "Web App" upon the `/start` command, especially those linked to cryptocurrency keywords.
## Mitigation Strategies
- **User Education**: Training users to recognize that legitimate brands rarely conduct official business or "investments" through third-party Telegram Mini Apps.
- **Platform Hardening**: Disable "Install Unknown Apps" on Android devices to prevent the sideloading of APKs delivered via Telegram.
- **MDM Policies**: For corporate environments, restrict the use of Telegram or monitor for excessive data transfer to non-standard cloud storage/API domains.
- **Content Filtering**: Block known FEMITBOT backend domains at the DNS or Gateway level.
## Related Tools/Techniques
- **Telekopye**: A similar Telegram-based toolkit used for large-scale phishing and automated scamming.
- **Classiscam**: An automated "Scam-as-a-Service" operation focusing on marketplace fraud.
- **Progressive Web App (PWA) Phishing**: Using web technologies to mimic native app behavior for credential harvesting.