VYPR
Category: breach · Published May 3, 2026 · Updated May 17, 2026 · 1 source

Telegram Mini Apps Exploited in Widespread 'FEMITBOT' Fraud Campaign

A large-scale fraud operation dubbed 'FEMITBOT' is leveraging Telegram's Mini App feature to impersonate global brands, run cryptocurrency scams, and distribute Android malware.

A sophisticated fraud operation known as "FEMITBOT" is actively exploiting Telegram’s Mini App feature to conduct large-scale cryptocurrency scams and distribute malicious Android applications. By leveraging the platform's built-in WebView, attackers are delivering convincing, app-like phishing experiences that appear to be native to the messaging service, allowing them to impersonate major global brands and deceive users (BleepingComputer).

The technical mechanism relies on a shared backend infrastructure that allows threat actors to rapidly deploy and rotate phishing campaigns. When a user interacts with a malicious Telegram bot and initiates a session, the bot launches a Mini App, a lightweight web application, directly within the Telegram interface. Because these apps run inside Telegram’s internal browser, they benefit from a high degree of perceived legitimacy, often displaying fake financial dashboards, countdown timers, and "earnings" to create a false sense of urgency (BleepingComputer).

The scope of the impersonation is extensive, with researchers at CTM360 identifying campaigns mimicking prominent organizations such as Apple, NVIDIA, IBM, Disney, Coca-Cola, and eBay. The infrastructure is designed for modularity, enabling attackers to swap branding, languages, and themes with minimal effort. Furthermore, the operators use tracking pixels from platforms like Meta and TikTok to monitor user engagement and optimize their conversion rates (BleepingComputer).

Beyond financial fraud, the FEMITBOT platform is being used to distribute Android malware. Users are frequently prompted to download APK files that masquerade as legitimate software from entities like the BBC, CineTV, and Coreweave. To bypass security warnings, these APKs are hosted on the same domains as the phishing APIs, ensuring valid TLS certificates and preventing mixed-content browser alerts. In some instances, the platform also pushes malicious progressive web apps to unsuspecting victims (BleepingComputer).
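The co-hosting pattern just described (APK files served from the same domain as the scam's JSON API) is something a defender can look for in outbound web-proxy telemetry. The following is an added example, not code from the article or from CTM360's research: it parses a constructed proxy log (the log format, IP addresses and `.invalid` hostnames are all made up for illustration and are not indicators from the report), flags every APK download, and lists hosts that served both API responses and APK content during the window.

```python
"""Flag APK downloads in web-proxy logs and surface hosts that serve both
an HTTP API and APK files. The log format, hostnames and addresses below
are constructed for this example and are not indicators from the report."""
import csv
from collections import defaultdict
from io import StringIO

APK_MIME = "application/vnd.android.package-archive"

# Constructed proxy log: timestamp, client, host, path, response content-type.
SAMPLE_LOG = """\
ts,client,host,path,content_type
2026-05-03T10:00:01Z,10.0.0.5,example-miniapp.invalid,/api/v1/balance,application/json
2026-05-03T10:00:07Z,10.0.0.5,example-miniapp.invalid,/api/v1/countdown,application/json
2026-05-03T10:01:12Z,10.0.0.5,example-miniapp.invalid,/dl/streaming-app.apk,application/vnd.android.package-archive
2026-05-03T10:02:00Z,10.0.0.9,updates.vendor.invalid,/app.apk,application/vnd.android.package-archive
2026-05-03T10:03:30Z,10.0.0.7,news.example.invalid,/index.html,text/html
"""


def parse_log(text):
    """Read the CSV-style log into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def _is_apk(row):
    # Match on the declared MIME type and on the .apk extension, so a server
    # that mislabels the content type is still caught.
    return (row["content_type"].lower() == APK_MIME
            or row["path"].lower().endswith(".apk"))


def apk_downloads(rows):
    """Return (client, host, path) for every response that delivered an APK."""
    return [(r["client"], r["host"], r["path"]) for r in rows if _is_apk(r)]


def api_and_apk_hosts(rows):
    """Hosts that served both JSON API responses and APK files, i.e. the
    'APK hosted on the same domain as the phishing API' pattern."""
    served = defaultdict(set)
    for r in rows:
        if r["content_type"].lower() == "application/json":
            served[r["host"]].add("api")
        if _is_apk(r):
            served[r["host"]].add("apk")
    return sorted(h for h, kinds in served.items() if kinds == {"api", "apk"})


def report(text):
    """Run both checks over a log and return the findings as a dict."""
    rows = parse_log(text)
    return {
        "apk_downloads": apk_downloads(rows),
        "api_and_apk_hosts": api_and_apk_hosts(rows),
    }


if __name__ == "__main__":
    for name, findings in report(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed log, `updates.vendor.invalid` shows up only as an APK download (a legitimate vendor update would look the same, so that list is a triage queue, not a verdict), while `example-miniapp.invalid` trips the stronger co-hosting check because the same host answered API calls and then served an installer. In a real deployment the `.apk` matches would be joined with allow-listed update hosts and with the user agent of the in-app browser that requested them.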

As of the current reporting, there is no single patch or vendor-side fix for this activity, as it represents an abuse of legitimate platform features rather than a traditional software vulnerability. Security researchers advise users to exercise extreme caution when interacting with Telegram bots that promise investment returns or request the installation of external software. Specifically, Android users are strongly cautioned against sideloading APK files from outside the official Google Play Store, as this remains a primary vector for mobile malware infection (BleepingComputer).

This campaign highlights a growing trend where threat actors weaponize integrated platform features, such as Mini Apps or in-app browsers, to bypass traditional security perimeters. By embedding malicious content within a trusted communication tool, attackers can effectively lower the victim's guard. As platforms continue to expand their ecosystems with third-party integrations, the challenge for users and security teams will be distinguishing between legitimate services and sophisticated, platform-native fraud infrastructure (BleepingComputer).

Synthesized by Vypr AI