Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which Positive Technologies researchers recently discovered and set out to study.
While researching bots on Telegram, Positive Technologies team found that many are from Indonesia. The researchers were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so they decided to get to the bottom of this “Indonesian tsunami.” In doing so, Positive Technologies found a couple chat-related SMS stealers from Indonesia. The researchers named them SMS Webpro and NotifySmsStealer because of the string stealers in the body. Sporadic attacks against Bangladesh and India were also detected.
Read more…
Source: Positive Technologies
Related:
- Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
May 6, 2026
Researchers at Rapid7 say that they have spotted what they believe was an Iranian intelligence cyber unit masquerading as the Chaos ransomware gang to hide a state-sponsored espionage operation. The intrusion was spotted earlier this year, and investigators say breadcrumbs left behind give them “medium confidence” in saying it was the work of MuddyWater, which has ...
- Pro-Iran crew turns DDoS into shakedown as Ubuntu com stays down
May 1, 2026
Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant. “I can confirm that Canonical’s web infrastructure is under a sustained, cross-border Distributed Denial of Service (DDoS) attack” a Canonical spokesperson told The Register. “Our teams are working to restore full availability to all ...
- Silver Fox uses new ABCDoor backdoor to target organisations in Russia and India
April 30, 2026
In December 2025, Kaspersky researchers detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. Kaspersky have attributed this activity to the Silver Fox threat group. Both waves followed a nearly identical structure: phishing emails ...
- Void Dokkaebi uses fake job interview lure to spread malware via code repositories
April 21, 2026
Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure. As previously documented by TrendAI Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning ...
- Russian hacking group targets home and small office routers to spy on users
April 8, 2026
British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks. The group, which researchers will refer to as APT28, but is also known under names like ...
- Iranian “Charming Kitten” hackers used old Cold War methods to steal tech secrets and plant malware
April 5, 2026
Iran-linked cyber operations are drawing renewed attention for relying less on advanced code and more on human manipulation to gain access to sensitive systems. At the centre of this activity is Charming Kitten, a group associated with Iran’s security apparatus which has spent years targeting officials, researchers, and corporate employees. Instead of exploiting technical vulnerabilities, operatives ...