New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new and highly organized fraud network called FEMITBOT has emerged, exploiting Telegram’s Mini App feature to run large-scale cryptocurrency scams and push malicious Android software onto users worldwide.

The campaign, which came to light in April 2026, operates through fake apps designed to look like real cryptocurrency exchanges, streaming services, financial platforms, and AI tools. Victims are drawn in through social media advertising and unsolicited Telegram invites that promise easy passive income.

The fraudulent apps follow a carefully scripted trap. Once a user taps on one of these bots, they are greeted with a polished interface that mirrors well-known brands. Fake earnings dashboards, countdown timers, and VIP upgrade prompts create a false sense of urgency.

Victims are then asked to make a small deposit to unlock their supposed winnings, a trick that has been used to steal real money from users around the globe.

Analysts at CTM360 identified the malicious infrastructure and traced it back to a shared backend platform. Across dozens of unrelated-looking domains, every site returned the same API response: “Welcome to join the FEMITBOT platform.”

This consistent fingerprint across more than 60 active domains confirmed that all the campaigns were running on one unified kit, pointing to a professional-grade operation with a clear commercial motive.

The scale of the network is striking. Researchers found over 146 active Telegram bots, more than 30 impersonated brands, and upward of 100 tracking pixel IDs tied to Meta and TikTok advertising systems.

How FEMITBOT Exploits Telegram Mini Apps

Threat actors used these pixels to measure which lures performed best, allowing them to sharpen their tactics in real time. A multi-level referral system further extended the reach by turning victims into unwitting recruiters.

Infrastructure Correlation Between Telegram Bots and Phishing Domains (Source – CTM360)

What makes FEMITBOT particularly dangerous is how seamlessly it blends into Telegram’s trusted environment. Because the fake apps load inside Telegram’s own browser window, users have little reason to suspect anything is wrong. The entire kit supports more than 22 languages and uses Cloudflare’s network to hide its true origin, making it a genuinely global operation.

The FEMITBOT kit is built around the abuse of Telegram Mini Apps, lightweight web applications that run inside Telegram and can handle logins, payments, and interactive features. These apps are convenient by design, but that same convenience makes them easy to weaponize for fraud at scale.

When a victim opens one of these bots, the app silently collects their Telegram user ID, display name, and authentication data through a feature called initData. This is sent to the attacker’s server, which logs the victim in automatically without a password.

The server then loads the correct brand theme, whether it resembles Binance, Netflix, or an AI mining platform, based on a skin configuration setting.

The fraud then follows a step-by-step escalation script. Fake earnings appear on the dashboard, timers count down to create urgency, and limited VIP slot warnings build pressure. Eventually, the user is asked for a deposit to unlock withdrawals, and that is the moment real money is lost.
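The initData hand-off described above is also how legitimate Mini App backends log users in; the difference is that a genuine backend must check that the data really came from Telegram before trusting it. The following is an added example, not code from the article or from CTM360: it parses a Mini App initData string, verifies its HMAC with Telegram's documented scheme (secret key = HMAC-SHA256 of the bot token keyed with "WebAppData"), rejects stale auth_date values, and only then returns the user fields (id, display name) that the article says FEMITBOT harvests. The bot token and the sample payload are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed token for this example only (not a real bot); a real token stays on the bot's server.
BOT_TOKEN = "123456789:EXAMPLE_TOKEN_NOT_REAL"
MAX_AGE_SECONDS = 300  # refuse launch data older than five minutes (limits replay)

def _secret_key(bot_token: str) -> bytes:
    # Telegram's documented scheme: secret = HMAC_SHA256(key="WebAppData", message=bot_token)
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()

def _check_string(fields: dict) -> str:
    # Every field except "hash", sorted by key, one URL-decoded "key=value" per line
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")

def _hmac_hex(fields: dict, bot_token: str) -> str:
    return hmac.new(_secret_key(bot_token), _check_string(fields).encode(), hashlib.sha256).hexdigest()

def verify_init_data(init_data: str, bot_token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the user object only if initData is authentic (HMAC) and fresh (auth_date)."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    if not hmac.compare_digest(fields.get("hash", ""), _hmac_hex(fields, bot_token)):
        return None  # not issued by Telegram for this bot, or tampered in transit
    now = int(time.time()) if now is None else now
    if now - int(fields.get("auth_date", "0")) > MAX_AGE_SECONDS:
        return None  # stale launch data being replayed
    return json.loads(fields["user"])  # now trustworthy: id, first_name, username, ...

def sign_init_data(fields: dict, bot_token: str) -> str:
    """What Telegram's client does for the genuine bot: attach the hash. Present here only to
    build test input; without the bot token nobody can produce a hash that verifies."""
    return urlencode(dict(fields, hash=_hmac_hex(fields, bot_token)))

def sample_init_data() -> str:
    # Constructed launch payload carrying the fields the article says FEMITBOT harvests
    user = {"id": 42, "first_name": "Alice", "username": "alice_example"}
    return sign_init_data({"auth_date": "1700000000", "query_id": "AAEexample",
                           "user": json.dumps(user)}, BOT_TOKEN)
```

A backend that skips `verify_init_data` and reads `user` straight out of the query string accepts any identity a client cares to send, which is why the hash and freshness checks belong in front of the session-creation step.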

Android Malware Distribution Tactics

Beyond financial fraud, FEMITBOT also functions as a delivery system for Android malware. Certain sites in the network include a hidden feature flag that, when switched on, serves malicious APK files directly to visitors. These files are named to resemble real apps, making them hard to spot as threats at first glance.

Victim Flow (Source – CTM360)

Delivery comes in three forms: a direct file download triggered by a button, an in-app browser experience that feels more trusted, or a Progressive Web App prompt asking users to add the page to their home screen.

Each method reduces friction so the malicious software reaches the device as smoothly as possible.

Users should avoid installing any app that arrives through a Telegram link, especially if it requests a deposit or promises guaranteed returns.

Apps should only come from official stores, and anything requesting unusual permissions should be removed right away. Security teams are advised to block the known FEMITBOT-linked domains and monitor outbound traffic for connections to this infrastructure.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | zerocap[.]vip | FEMITBOT phishing domain impersonating a crypto platform |
| Domain | spiderpool[.]app | FEMITBOT phishing domain linked to crypto fraud |
| Domain | btcaimining[.]xyz | FEMITBOT phishing domain for a fake BTC mining pool |
| Domain | btcpoolok[.]cloud | FEMITBOT phishing domain for a fake BTC mining pool |
| Domain | cineotv[.]one | FEMITBOT phishing domain impersonating BBC streaming |
| Telegram Bot | @Zerocap01_bot | Telegram bot tied to the zerocap[.]vip phishing domain |
| Telegram Bot | @SpiderPool01_bot | Telegram bot tied to the spiderpool[.]app phishing domain |
| Telegram Bot | @AiSuperBtc | Telegram bot tied to the btcaimining[.]xyz phishing domain |
| Telegram Bot | @AiSuperBtcVIP01 | Telegram bot tied to the btcpoolok[.]cloud phishing domain |
| Telegram Bot | @BBC_Serve | Telegram bot tied to the cineotv[.]one phishing domain |
| URL | /api/public/init | Unauthenticated FEMITBOT API endpoint exposing the full config, including malware URLs |
| URL | /api/public/telegramLogin | FEMITBOT authentication endpoint used for session hijacking via initData |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
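Putting the recommendation to monitor outbound traffic into practice: an added example, not code from the article or from CTM360, that scans proxy log lines for the defanged domains listed above (re-fanged only inside the process) and for the kit's two API paths. Because the article reports one shared backend across more than 60 domains, a kit path seen on an unlisted domain is flagged as a low-confidence lead rather than ignored. The log lines and their "timestamp client method url status" layout are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators from the article, kept defanged as published; re-fanged only inside this process
FEMITBOT_DOMAINS_DEFANGED = [
    "zerocap[.]vip", "spiderpool[.]app", "btcaimining[.]xyz", "btcpoolok[.]cloud", "cineotv[.]one",
]
# Kit endpoint paths from the article; weak on their own, useful as a pivot to unlisted domains
FEMITBOT_PATHS = {"/api/public/init", "/api/public/telegramLogin"}

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")

FEMITBOT_DOMAINS = {refang(d) for d in FEMITBOT_DOMAINS_DEFANGED}

# Constructed proxy log lines; the "timestamp client method url status" layout is an assumption
SAMPLE_PROXY_LOG = """\
2026-04-02T10:01:05Z 10.0.4.21 GET https://example.com/ 200
2026-04-02T10:01:09Z 10.0.4.21 POST https://zerocap.vip/api/public/telegramLogin 200
2026-04-02T10:02:11Z 10.0.4.37 GET https://www.cineotv.one/api/public/init 200
2026-04-02T10:03:40Z 10.0.4.52 GET https://cdn.example.net/api/public/init 200
2026-04-02T10:04:02Z 10.0.4.21 GET https://download.spiderpool.app/app-update.apk 200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(url: str) -> list:
    """Reasons a URL matches FEMITBOT indicators; an empty list means no match."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    # Exact listed domain or any subdomain of one
    if host in FEMITBOT_DOMAINS or any(host.endswith("." + d) for d in FEMITBOT_DOMAINS):
        reasons.append("known FEMITBOT domain")
    if parts.path in FEMITBOT_PATHS:
        reasons.append("FEMITBOT kit endpoint path")
    return reasons

def scan_proxy_log(log_text: str) -> list:
    """One record per matching line; domain hits are high confidence, path-only hits are leads."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            confidence = "high" if "known FEMITBOT domain" in reasons else "low"
            hits.append({"client": m["client"], "url": m["url"],
                         "reasons": reasons, "confidence": confidence})
    return hits
```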
