New malware uses Telegram app to replace crypto addresses

New malware uses Telegram app to replace crypto addresses

Cybercriminals are exploring every method they can to get to your crypto, and the latest malware is proof of the ever-evolving tactics. Known as Masad Stealer, the new malware strain uses the Telegram messaging app to exfiltrate the stolen information. Other than stealing crucial information such as browser passwords, the malware is able to replace crypto addresses from the clipboard with addresses controlled by the attackers.

Masad Stealer was discovered by security researchers from Juniper Labs. In their report, the researchers revealed that the malware is being advertised on black market forums under the name ‘Masad Clipper and Stealer.’ The most basic version of the malware is offered for free, with additional features being charged in tiers, the highest of which goes for $85.

There is at least one website,, dedicated to promoting the malware. The attackers have also established a Telegram group for their clients which already has hundreds of members.

The attackers’ main distribution tactic involves posing as legitimate software or bundling the malware into third-party tools. Some of the popular software products they have targeted include CCleaner, Tradesanta, Iobit, ProxySwitcher and Samsung Galaxy Software Update.

The malware is difficult to notice as it’s small in size, averaging 1.5 MB. Once it’s downloaded, it executes and immediately gets to work, collecting sensitive information from the host. This information includes system information, browser passwords, autofill browser fields, browser cookies, credit card browser data and cryptocurrency wallet addresses.

To ensure that it’s almost always running, the malware creates a scheduled task on the host machine that initiates every one minute.

It’s with cryptocurrency users that Masad Stealer is most lethal. The malware has been configured to recognize cryptocurrency addresses for over 20 cryptos, from BTC, Ethereum and Zcash to XRP, Dash and Lisk. Once the host copies a crypto address to the clipboard, the malware switches it with an address that belongs to the attackers.

One of the BTC addresses that the attackers have been swapping with has already registered 193 transactions, receiving 0.95 BTC at press time which is worth $7,500.

The report concludes, “Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market.”

It’s been a hot summer for crypto malware, as CoinGeek reported recently. This year has seen a rebirth in the crypto malware menace, with millions of dollars being stolen in the past few months alone. Some of the most lethal malware campaigns include SkidMap which targeted Linux systems, Panda which is reported to be operated by Chinese hackers, Glupteba which relies on the BTC blockchain for extra resilience and Norman which is able to avoid detection.

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.