Amerian Internet infrastructure firm Juniper Networks has found a new spyware that uses Telegram app to replace crypto addresses with its own.

Masad Clipper and Stealer

Juniper Threat Labs, a threat intelligence portal at Juniper Networks (NYSE: JNPR), discovered a new Trojan-delivered malware implementing major global messaging app Telegram to exfiltrate stolen information, according to threat research released on Sept. 26.

Reportedly circulating under the name “Masad Clipper and Stealer” on black market forums, the spyware is capable of stealing a broad list of browsing data, including usernames, passwords, credit card information.

Moreover, the malware also includes a function that replaces cryptocurrency wallets from the clipboards with the one by the attacker’s party. According to the report, the spyware’s clipping supports a number of major cryptos such as Bitcoin (BTC), Ether (ETH), XRP, Bitcoin Cash (BCH) and Litecoin (LTC), among others.

Ongoing threat signals

Specifically, the malware uses Telegram as a Command and Control (CnC) channel, which reportedly allows the malware some anonymity. This malware is written using Autoit scripts and then compiled into a Windows executable, according to the report. After being installed, Masad Stealer starts by collecting sensitive information from the system like crypto wallet addresses, credit card browser data, PC and system information.

According to Jupiter Threat Labs, Masad Stealer sends all collected information to a Telegram bot managed by the threat actor, which also sends commands to the spyware.

The security portal concluded that Masad Stealer is an active and ongoing threat Command and Control bots were still alive at the time of publication.

Meanwhile, Telegram released a wallet for its TON Blockchain’s native token Gram in the app’s alpha version for iOS on Sept. 26. On Sept. 24, Telegram announced a bug bounty competition within its new smart contract coding contest.