article featured image


Microsoft cautions cryptocurrency investment companies that a new threat cluster is wandering on Telegram groups searching for potential victims.

DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members


Further on, the malicious actor impersonated a cryptocurrency investment company and asked the victim to join another Telegram group. The supposed reason was they wanted feedback on the trading fee structure that exchange platforms used on VIP levels.

The attackers really did their homework on the subject and Microsoft researchers highlighted their level of knowledge on the challenges cryptocurrency companies face nowadays.

The Malicious Excel Files

Once again cybercriminals used social engineering techniques and as soon as they got the victim’s trust, they sent them a malicious Excel spreadsheet. The OKX Binance & Huobi VIP fee comparision.xls document contained a data comparison between the VIP fee structures that looked real enough not to raise any suspicions.


As the unsuspecting victims opened the document, they were further tricked into enabling macros. Subsequently, another worksheet that was embedded in the original file was downloaded.

„A second worksheet embedded in the file will download and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to sideload the DLL.”, according to cyber researchers

The DLL then decrypted and loaded the backdoor that the attackers needed for remote access to exploit the compromised system.

To better understand the way the cyber attack worked, see below a graphic prepared by Microsoft’s Security Threat Intelligence team:


According to Microsoft, customers who were targeted or compromised by this series of attacks have been notified and instructed in order to secure their accounts.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *