Microsoft warns cryptocurrency investment companies that a new threat cluster is lurking in Telegram groups in search of potential victims.

The cluster, tracked by Microsoft as DEV-0139, joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and picked its targets from among the members.


The actor then impersonated a cryptocurrency investment company and invited the victim into another Telegram group. The pretext was a request for feedback on the trading fee structures that exchange platforms apply at their VIP tiers.

The attackers had clearly done their homework: Microsoft researchers highlighted how well the actor understood the day-to-day challenges that cryptocurrency companies face, which made the approach credible to its targets.

The Malicious Excel Files

Once again the attackers relied on social engineering: as soon as they had gained the victim's trust, they sent a malicious Excel spreadsheet. The document, named OKX Binance & Huobi VIP fee comparision.xls (the misspelling is in the original file name), contained a comparison of the exchanges' VIP fee structures that looked genuine enough not to raise suspicion.


When the unsuspecting victims opened the document, they were prompted to enable macros. Once enabled, the macro activated a second worksheet that was embedded in the original file, which in turn fetched a PNG image carrying the next stages.

"A second worksheet embedded in the file will download and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to sideload the DLL," according to Microsoft's researchers.

The sideloaded DLL then decrypted and loaded the backdoor, giving the attackers remote access to the compromised system. Pairing a legitimate, signed executable with a malicious DLL of the name it expects is a common way to get code running under a trusted process name.
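The chain described above, carrying payloads inside an image and XOR-encoding them, is worth seeing in code from the analyst's side. The following is an added example, not Microsoft's analysis tooling or DEV-0139's own code: the page does not describe the PNG layout or the XOR key, so this constructed sample assumes the payload is appended after the PNG's IEND chunk and encoded with a single-byte XOR key, which is recovered by known plaintext (a Windows executable starts with the bytes "MZ"). It builds a small valid PNG with a fake payload attached, then carves and decodes it.

```python
"""Constructed example: carve and XOR-decode a payload hidden after a PNG's IEND chunk.

Not DEV-0139's actual code or format (the page gives no layout or key). The
single-byte XOR key and the "appended after IEND" placement are assumptions.
"""
from __future__ import annotations

import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier_png(payload: bytes, key: int) -> bytes:
    """Build a minimal valid 1x1 RGB PNG and append (payload XOR key) after IEND.

    Image viewers stop parsing at IEND, so the trailing bytes do not break the
    picture, which is why appended data is a popular hiding spot."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    png = (PNG_SIGNATURE
           + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", idat)
           + png_chunk(b"IEND", b""))
    return png + bytes(b ^ key for b in payload)


def split_png_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Walk the chunk list and return (png_bytes, bytes_after_IEND).

    Raises ValueError on a missing signature, truncated chunk or missing IEND,
    so a malformed carrier fails loudly instead of yielding garbage."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return blob[:pos], blob[pos:]
    raise ValueError("no IEND chunk")


def recover_xor_key(trailer: bytes, known_prefix: bytes = b"MZ") -> int:
    """Recover a single-byte XOR key by known plaintext.

    A PE file begins with 'MZ'; the key implied by the first byte must also
    map every other prefix byte correctly, otherwise the assumption is wrong."""
    if len(trailer) < len(known_prefix):
        raise ValueError("trailer too short to hold %r" % known_prefix)
    key = trailer[0] ^ known_prefix[0]
    for i, expected in enumerate(known_prefix):
        if trailer[i] ^ key != expected:
            raise ValueError("trailer does not decode to %r with one XOR byte" % known_prefix)
    return key


def extract_payload(blob: bytes) -> bytes:
    """End to end: carve the trailer, recover the key, return the decoded payload."""
    _, trailer = split_png_trailer(blob)
    key = recover_xor_key(trailer)
    return bytes(b ^ key for b in trailer)


# Constructed sample: a fake PE-like blob (MZ header plus filler), not real malware.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
SAMPLE_KEY = 0x5A
SAMPLE_PNG = build_carrier_png(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    _, trailer = split_png_trailer(SAMPLE_PNG)
    print("bytes after IEND: %d, recovered key: 0x%02x"
          % (len(trailer), recover_xor_key(trailer)))
    print("decoded payload starts with:", extract_payload(SAMPLE_PNG)[:2])
```

The same carving logic applies to any image the macro fetches: checking whether bytes follow IEND (or the JPEG end-of-image marker) is a cheap triage step, and a trailer that decodes to "MZ" under a single XOR byte is a strong indicator that the image is a carrier rather than a picture.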

To better understand the way the cyber attack worked, see below a graphic prepared by Microsoft’s Security Threat Intelligence team:


According to Microsoft, customers who were targeted or compromised in this series of attacks have been notified and given instructions on how to secure their accounts.

