We’ve gathered the most important cybersecurity news from the past week.

  • Fraudsters used Telegram mini-apps to steal cryptocurrency.
  • Toronto has discovered the country's first SMS blaster.
  • Hackers targeted the TeamPCP group.
  • A Trojan in DAEMON Tools was found in over a hundred countries.

Fraudsters Used Telegram Mini-Apps to Steal Cryptocurrency

Cybersecurity researchers from CTM360 uncovered a fraudulent campaign on Telegram aimed at stealing cryptocurrency and spreading malware.

The attackers' platform, FEMITBOT, employs Telegram bots and integrated Mini Apps to create convincing fake applications within the messenger, covering various topics such as cryptocurrency, finance, AI tools, and streaming.

To build trust, the fraudsters impersonate well-known brands (Bitget, OKX, Binance, Apple, Coca-Cola, Disney, eBay, MoonPay, Nvidia) while using a single server infrastructure with multiple domains and bots.

When users click the “Start” button, the bot launches a mini-app that displays a phishing page in an embedded WebView. The interface includes control panels showing fake “earnings” figures, often accompanied by countdown timers or limited-time offers to incite FOMO.

When users attempt to withdraw funds, they are asked to make a test deposit or complete tasks in a referral program—a classic tactic of investment fraud.

Some Mini Apps distribute malware in the form of APK files for Android, also masquerading as well-known brands.

According to experts, the infrastructure is designed for easy adaptation to various campaigns. To analyze user activity and optimize fraud, hackers utilize tracking algorithms like Meta Pixel and TikTok Pixel.

Toronto Discovers the Country's First SMS Blaster

The police arrested three suspects for operating an SMS blaster in downtown Toronto.

These devices broadcast a stronger signal than the legitimate cellular towers within their range, so nearby phones attach to the fake base station instead.

Once a phone is attached, the operators can push text messages to it that often contain links to phishing sites mimicking the login pages of well-known companies.

SMS blasters exploit vulnerabilities in outdated 2G networks and pose a direct threat by disrupting mobile communications, including emergency services.

According to police, the goal of the fraudulent scheme was to steal usernames and passwords, including banking credentials.

The malicious campaign began in November 2025, and within a few months, spam messages reached tens of thousands of devices. This is the “first known case” of such equipment operating in Canada.

The authorities noted the unique assembly of the SMS blaster, which was located in the back of a vehicle, allowing the perpetrators to quickly change locations.

In 2024, police in Thailand arrested members of a gang using a similar setup, which was transported in a truck bed around Bangkok and sent nearly a million messages in three days.

Hackers Targeted the TeamPCP Group

Unknown attackers are actively seeking systems already compromised by the notorious group TeamPCP, hacking into them and closing off access. The campaign, dubbed PCPJack, was discovered by senior researcher Alex DeLamotte from SentinelOne.

The hackers infiltrate the compromised infrastructure and remove backdoors to cut off access for previous attackers. They then deploy their own software, which spreads through cloud networks like a worm.

The PCPJack tools automatically tally the servers successfully “taken back” from competitors.

The attackers steal credentials to resell access to other criminals or to blackmail victims directly. While most cloud hackers (including TeamPCP) infect systems with miners, PCPJack specifically removes those miners. The group prefers to steal cryptocurrency directly, using specialized routines to capture passwords for crypto wallets.

According to the researcher, the fraudsters are not limited to systems already hacked by TeamPCP; they also scan the internet for vulnerable, exposed services such as Docker hosts on cloud platforms and MongoDB databases.

In a comment to TechCrunch, DeLamotte suggested that the hackers might be disgruntled former members of TeamPCP, members of a competing group, or mere imitators.

Trojan in DAEMON Tools Found in Over a Hundred Countries

Hackers embedded a Trojan in the installer of the popular disk imaging software DAEMON Tools Lite. Since April 8, they have used the malware to install backdoors on thousands of systems across more than 100 countries. The incident was reported by experts from Kaspersky Lab.

Once the free version of DAEMON Tools was installed, the malicious code dropped a payload that established persistence on the system and launched the backdoor at Windows startup.

Experts indicate that in the initial phase of the attack, the attackers used a basic infostealer to collect system data and send it to controlled servers for profiling victims. Based on the results obtained, they initiated a second phase on several infected systems—a backdoor capable of executing commands, downloading files, and running code directly in memory.

In some cases, the QUIC RAT malware was used, which can inject code into standard processes and supports multiple communication protocols.

Among the victims of the campaign were retailers, scientific, governmental, and industrial organizations in Russia, Belarus, and Thailand, as well as home PCs in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

The developer of DAEMON Tools, Disc Soft, continues to investigate the incident. Users who downloaded DAEMON Tools Lite 12.5.1 after April 8 are advised to uninstall the application, perform a full system scan, and install the latest version 12.6 from the official website.
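The advice above amounts to a version triage: find out whether an affected build is installed before deciding to uninstall and rescan. The following PowerShell is an added example written for this digest; it is not code from the article, from Kaspersky Lab, or from Disc Soft. It reads the standard Windows Uninstall registry keys and flags any DAEMON Tools Lite entry whose version is below 12.6. It assumes the product registers itself with a DisplayName containing "DAEMON Tools Lite" and a dotted-number DisplayVersion (both labelled assumptions in the comments); the InstallDate field is shown only when the installer recorded it.

```powershell
# Added example (not from the article or the vendor): list installed DAEMON Tools Lite
# entries and flag builds older than the fixed release named in the advisory (12.6).
# Assumption: the product's Uninstall entry has a DisplayName containing "DAEMON Tools Lite".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$fixedVersion = [version]'12.6'   # version the article says users should move to

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools Lite*' } |
    ForEach-Object {
        # DisplayVersion is a free-form string; keep only the leading dotted-number part
        # (assumption: it starts with something like "12.5.1").
        $installed = $null
        if ($_.DisplayVersion -match '^\d+(\.\d+)+') {
            try { $installed = [version]$Matches[0] } catch { $installed = $null }
        }

        if ($null -eq $installed) {
            $action = 'version unreadable; verify manually against the vendor site'
        } elseif ($installed -lt $fixedVersion) {
            $action = 'uninstall, run a full scan, then install 12.6 from the official website'
        } else {
            $action = 'at or above 12.6; no action from this advisory'
        }

        [pscustomobject]@{
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            InstallDate = $_.InstallDate   # yyyyMMdd string, present only if the installer wrote it
            RegistryKey = $_.PSPath
            Action      = $action
        }
    } | Format-List
```

Run it in an elevated PowerShell session so the HKLM keys are readable; an empty result means no matching Uninstall entry exists, which does not by itself prove the installer never ran, so the full system scan the article recommends still applies if the download date falls after April 8.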

Student Arrested in Taiwan for Hacking High-Speed Train System

Taiwanese authorities arrested a student suspected of hacking the TETRA communication system used by the country’s high-speed rail network (THSR). This was reported by Newtalk.

THSR is a dual-track line stretching 350 km along Taiwan's western coast, with trains reaching speeds of up to 300 km/h.

On April 5, a citizen with the surname Lin halted four trains for 48 minutes using a software-defined radio (SDR) system and portable radios to transmit a high-priority “General Alarm” signal, triggering emergency braking procedures.

Before the attack, Lin intercepted and decoded the radio communication parameters using equipment purchased from a marketplace. He then input the obtained data into portable radios to transmit signals mimicking the operation of service radio beacons.

According to police, the suspect had an accomplice who helped Lin set up the communication. THSR had been in operation for 19 years, and during that time, its parameters apparently remained unchanged, allowing the hacker to bypass seven levels of verification.

After the incident, THSR specialists reviewed the logs and found that the signal had been sent from a beacon that was not assigned to duty. The company concluded that the signal had been cloned without authorization.

Law enforcement examined surveillance footage and records from the TETRA network servers, leading them to the suspect's residence. During a search, they seized 11 portable radios, one SDR device, and a laptop.

Lin faces up to 10 years in prison. His lawyer claims that the alarm signal transmission was accidental, but authorities find this explanation unconvincing.

Also on ForkLog:

  • Aave liquidated the positions of hacker Kelp.
  • The market maker TrustedVolumes was hacked for $6 million.
  • Bitcoin Core developers fixed a critical vulnerability.
  • Lawyers for North Korean victims reclassified the Kelp hack as credit fraud.
  • A hacker stole $1.4 million through a vulnerability in the Ekubo contract.
  • In North Korea, accusations of hacking crypto projects were labeled as “absurd slander.”

What to Read This Weekend?

ForkLog explored what really happened with the InfoFi segment and how it might return.