What happened
CTM360 researchers have uncovered a large-scale fraud operation using Telegram’s Mini App feature to run cryptocurrency scams, impersonate major brands, and distribute Android malware. The platform behind the operation, dubbed FEMITBOT based on a string found in API responses, uses Telegram bots and embedded Mini Apps to create convincing app-like experiences within the messaging platform without requiring users to leave it.
Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling payments, account access, and interactive tools. FEMITBOT abuses this feature by deploying bots that, when a user clicks Start, launch phishing pages directly in Telegram’s WebView, making them appear as part of the app itself. Victims are shown dashboards with fake balances or earnings, paired with countdown timers and limited-time offers to create urgency. When they attempt to withdraw funds, they are prompted to make deposits or complete referral tasks, classic advance-fee and investment scam mechanics.
The operation impersonates widely recognized brands to increase credibility, including Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu. A shared backend infrastructure serves multiple phishing domains, all returning the same API response containing the FEMITBOT platform identifier, indicating centralized control across campaigns. The infrastructure is designed to switch branding, languages, and themes easily, and uses Meta and TikTok tracking pixels to measure campaign performance.
Some Mini Apps also distribute Android APKs impersonating brands including the BBC, NVIDIA, CineTV, Coreweave, and Claro. The APKs are hosted on the same domains as the phishing API and use TLS certificates to avoid browser warnings. Users are prompted to download APK files, open links in the in-app browser, or install progressive web apps mimicking legitimate software.
Who is affected
Any Telegram user who interacts with FEMITBOT-linked bots faces exposure to investment fraud and potential Android malware installation. The impersonation of major consumer and enterprise brands means the lures are broadly credible across demographics. Organizations whose brands are being impersonated face reputational and customer trust exposure from the fraudulent use of their identities.
Why CISOs should care
FEMITBOT demonstrates how Telegram’s Mini App architecture can be weaponized to deliver convincing phishing experiences within a trusted messaging environment, bypassing the user’s instinct to check URLs or verify sources. The in-app WebView display makes the phishing page appear as a native part of Telegram rather than an external site, reducing the visual cues that typically help users identify fraud.
The use of legitimate ad tracking pixels from Meta and TikTok to optimize campaign performance reflects a level of operational sophistication more typical of legitimate marketing operations than traditional cybercrime. For security leaders, the broader signal is that threat actors are increasingly building fraud infrastructure on top of legitimate platform features rather than relying on traditional phishing infrastructure.
3 practical actions
- Brief employees on Telegram Mini App phishing and the risks of bots promoting cryptocurrency investments: Users interacting with Telegram bots that launch Mini Apps displaying investment dashboards, fake earnings, or deposit prompts should treat these as high-confidence scam indicators. Security awareness training should explicitly cover this delivery mechanism as it becomes more widely adopted by threat actors.
- Enforce MDM policies that block sideloaded APK installation on managed Android devices: FEMITBOT distributes malware through APK files outside the Google Play Store. Mobile device management policies that restrict APK sideloading on corporate and BYOD devices directly mitigate this distribution method and should be validated as part of your current mobile security posture.
- Monitor for brand impersonation on Telegram and other messaging platforms as part of your threat intelligence program: The FEMITBOT infrastructure impersonates well-known brands through bots and Mini Apps. Organizations should include Telegram bot and Mini App monitoring in their brand protection and threat intelligence coverage, particularly those in financial services, technology, and media where impersonation risk is elevated.
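The report notes that every phishing domain in the campaign returned the same API response carrying the FEMITBOT platform identifier, which is what let researchers tie separately branded lures to one backend. The following Python script is an added illustration of that pivot and of the brand-monitoring action above; it is not CTM360's tooling or code from the article. The domain names, JSON field names and values are constructed samples (only the FEMITBOT string mirrors the reported identifier), and the choice of which fields count as "volatile" branding is an assumption. It clusters candidate domains by a fingerprint of their API response with per-campaign fields (brand, theme, language, fake balance) stripped, so re-skinned copies of the same backend hash together while unrelated sites and non-JSON bodies do not.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample API bodies, one per candidate domain. Domain names, field
# names and values are hypothetical; only the shared "platform" string mirrors
# the page's observation that every phishing domain returns the same identifier.
SAMPLE_RESPONSES = {
    "brand-a.example": '{"platform": "FEMITBOT", "brand": "Brand A", "theme": "dark", "lang": "en", "balance": "1240.00"}',
    "brand-b.example": '{"platform": "FEMITBOT", "brand": "Brand B", "theme": "light", "lang": "es", "balance": "980.50"}',
    "brand-c.example": '{"platform": "FEMITBOT", "brand": "Brand C", "theme": "dark", "lang": "pt", "balance": "0.00"}',
    "shop.example": '{"status": "ok", "items": []}',
    "static.example": "<html><body>not an API</body></html>",
}

# Fields the operators swap per campaign (branding, language, theme, fake
# balance). They are dropped before fingerprinting so that re-skinned copies of
# the same backend still hash to the same value. The key names are assumptions.
VOLATILE_KEYS = frozenset({"brand", "theme", "lang", "balance"})

# Keys whose string value is treated as a platform identifier when present.
PLATFORM_KEYS = ("platform", "app", "provider")


def parse_response(body: str):
    """Return the decoded JSON object, or None if the body is not a JSON object."""
    try:
        obj = json.loads(body)
    except (ValueError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None


def stable_fingerprint(obj: dict, volatile=VOLATILE_KEYS) -> str:
    """SHA-256 over the response with per-campaign fields removed and keys sorted."""
    pruned = {k: v for k, v in obj.items() if k not in volatile}
    canonical = json.dumps(pruned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def platform_id(obj: dict):
    """Return the first platform-identifier-like string in the response, if any."""
    for key in PLATFORM_KEYS:
        value = obj.get(key)
        if isinstance(value, str) and value:
            return value
    return None


def cluster_domains(responses: dict) -> dict:
    """Group domains whose API responses share a fingerprint.

    Returns {fingerprint: {"domains": [...], "platform": str | None}}. Bodies
    that are not JSON objects are skipped rather than clustered.
    """
    clusters = defaultdict(lambda: {"domains": [], "platform": None})
    for domain, body in responses.items():
        obj = parse_response(body)
        if obj is None:
            continue
        fp = stable_fingerprint(obj)
        clusters[fp]["domains"].append(domain)
        clusters[fp]["platform"] = clusters[fp]["platform"] or platform_id(obj)
    for entry in clusters.values():
        entry["domains"].sort()
    return dict(clusters)


def shared_backends(responses: dict, min_domains: int = 2) -> list:
    """Clusters large enough to suggest one backend serving several branded lures."""
    return [
        (fp, entry["platform"], entry["domains"])
        for fp, entry in cluster_domains(responses).items()
        if len(entry["domains"]) >= min_domains
    ]


if __name__ == "__main__":
    for fp, platform, domains in shared_backends(SAMPLE_RESPONSES):
        print(f"{fp[:12]}  platform={platform}  domains={domains}")
```

Run against the constructed samples, the three branded domains fall into one cluster labelled FEMITBOT, the unrelated shop stays alone, and the HTML body is ignored. In a real brand-protection workflow the responses would come from fetching a candidate's API endpoint, and the volatile-key list would be tuned to whatever fields the backend actually rotates.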
Also in the news today:
- Ubuntu and Canonical Web Services Hit by DDoS Attack
- Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware
- Threat Actors Use AI to Automate Zero-Day Discovery and Exploitation at Machine Speed
- Salt Typhoon Suspected in Breach of IBM Italy Subsidiary Managing Public Infrastructure
- Frost Bank Hit With Class-Action Lawsuits Over Data Breach Affecting More Than 100,000 Customers
- Sandhills Medical Foundation Ransomware Breach Draws Class Action Investigation Nearly a Year Later
