Apple, NVIDIA, Disney Impersonated in Telegram Mini App Scam Network
CTM360 names FEMITBOT — a shared backend running crypto scams, fake AI tools, and Android malware impersonating Apple, NVIDIA, Disney, and the BBC, all inside Telegram.
Bahrain-based threat intelligence firm CTM360 has documented a large-scale fraud platform — dubbed FEMITBOT — that abuses Telegram's Mini App feature to run cryptocurrency investment scams, impersonate well-known brands, and distribute Android malware via sideloaded APK files. The research, published by CTM360 and amplified by BleepingComputer's Bill Toulas on May 3, 2026, identifies what looks less like a one-off scam and more like a shared backend powering many campaigns at once.
The single biggest finding: FEMITBOT is shared scam infrastructure. The same backend serves multiple campaigns under different bot names, brands, and languages, identified by a common API response string — "Welcome to join the FEMITBOT platform." It uses legitimate marketing infrastructure, including Meta and TikTok tracking pixels, to optimize conversions. This is consumer-grade fraud, not enterprise-targeted attack tooling, but the brand-impersonation list reads like a Fortune 500 directory.
FEMITBOT Platform Profile

| Detail | Information |
|---|---|
| Discovered by | CTM360 (Bahrain-based threat intelligence firm) |
| Platform name | FEMITBOT — derived from API response "Welcome to join the FEMITBOT platform" |
| Architecture | Shared backend; multiple phishing domains return identical API response, indicating common infrastructure |
| Scam categories | Fake cryptocurrency platforms, financial services, AI tools, streaming sites |
| Brands impersonated (Mini App phishing) | Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, YouKu |
| Brands impersonated (Android APKs) | BBC, NVIDIA, CineTV, Coreweave, Claro |
| Marketing optimization | Uses Meta and TikTok tracking pixels to measure conversions and optimize campaigns |
| Distribution | Telegram bot Mini Apps; APK downloads hosted on phishing domain with valid TLS certificates |
How a Telegram Bot Becomes a Phishing Page
Telegram Mini Apps are lightweight web applications that run inside Telegram's built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the app. The architecture is legitimate and widely used — Telegram's developer documentation describes Mini Apps as a way for businesses to deliver app-like experiences inside the messenger.
FEMITBOT abuses that architecture by deploying bots that, when a user clicks Start, launch phishing pages directly in Telegram's WebView, making them appear as part of the app itself. Victims see dashboards with fake balances or "earnings," paired with countdown timers and limited-time offers to create urgency. When users attempt to withdraw funds, they are prompted to make a deposit or complete referral tasks — a common pattern in advance-fee and Ponzi-style scams. CTM360 has documented similar dynamics in its earlier work on a related cluster called TRAP10, suggesting the Mini App scam category is now mature and well-tooled.
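To make that mechanic concrete, here is an added example in Python (not code from CTM360 or the article) that walks a captured Telegram Bot API message, pulls out every Mini App button, and checks whether the brand named in the button's URL host is one the brand actually controls. The `web_app.url` field is the documented Bot API shape shared by inline keyboard buttons, reply keyboard buttons and the bot menu button; the message, the `.example` hosts and the `BRAND_DOMAINS` allowlist are constructed for this example and are not from the research.

```python
import json
from urllib.parse import urlsplit

# Hypothetical allowlist: registrable domains each brand actually operates.
# A real deployment would load this from the brand-protection team's inventory.
BRAND_DOMAINS = {
    "nvidia": {"nvidia.com"},
    "disney": {"disney.com", "disneyplus.com"},
}

# Constructed Bot API update, shaped like what a bot sends after /start:
# one Mini App button pointing at a look-alike host, one pointing at the real brand.
SAMPLE_UPDATE = {
    "update_id": 1,
    "message": {
        "message_id": 7,
        "chat": {"id": 1, "type": "private"},
        "text": "Claim your NVIDIA AI rewards",
        "reply_markup": {
            "inline_keyboard": [
                [{"text": "Open Rewards Dashboard",
                  "web_app": {"url": "https://nvidia-rewards.example/app?ref=abc"}}],
                [{"text": "Official site", "url": "https://www.nvidia.com/"}],
                [{"text": "Legit Mini App",
                  "web_app": {"url": "https://www.nvidia.com/app"}}],
            ]
        },
    },
}


def walk_buttons(node, found=None):
    """Recursively collect every button carrying web_app.url.

    Inline keyboards, reply keyboards and the bot menu button all embed the
    Mini App target as {"web_app": {"url": ...}}, so one walker covers them.
    Plain "url" buttons open the external browser and are not collected.
    """
    if found is None:
        found = []
    if isinstance(node, dict):
        web_app = node.get("web_app")
        if isinstance(web_app, dict) and "url" in web_app:
            found.append({"text": node.get("text", ""), "url": web_app["url"]})
        for value in node.values():
            walk_buttons(value, found)
    elif isinstance(node, list):
        for value in node:
            walk_buttons(value, found)
    return found


def _registrable(host):
    # Naive two-label cut: fine for .com / .example, wrong for ccSLDs such as
    # .co.uk (assumption; use a public-suffix library for production).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess(update):
    """One record per Mini App button: which brand the host mentions and whether
    the host is a domain that brand controls. Anything that name-drops a brand
    on a domain outside the allowlist is flagged for the takedown queue."""
    records = []
    for button in walk_buttons(update):
        host = urlsplit(button["url"]).hostname or ""
        registrable = _registrable(host)
        mentioned = [brand for brand in BRAND_DOMAINS if brand in host]
        legit = any(registrable in BRAND_DOMAINS[b] for b in mentioned)
        verdict = "ok" if (legit or not mentioned) else "brand-impersonation-candidate"
        records.append({"text": button["text"], "host": host,
                        "brands_mentioned": mentioned, "verdict": verdict})
    return records


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_UPDATE), indent=2))
```

The point of capturing the `web_app.url` rather than the bot name is that the bot is cheap to re-register while the landing domain is what the takedown request has to name; running `assess` over updates collected by a monitoring account gives the brand-protection team that domain at the moment the lure goes live.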
The infrastructure is designed for rapid campaign rotation. The same backend supports different branding, languages, and themes — the operators can swap a fake NVIDIA crypto-rewards site for a fake YouKu streaming login overnight. Meta and TikTok pixels track which lures convert best, applying ad-tech telemetry to fraud at a level of operational sophistication closer to legitimate marketing than traditional cybercrime.
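CTM360's pivot was a fixed string in the API response; the same idea extends to any hard-coded value the operators reuse across lures, including the Meta and TikTok pixel IDs, which sit in page source as `fbq('init', ...)` and `ttq.load(...)` calls. The Python below is an added example, not CTM360's tooling: it extracts those indicators from captured responses and links domains that transitively share any of them, so a fresh brand skin on the same backend lands in the same cluster. The captured bodies, the `msg` JSON field and the `.example` domains are constructed; the pixel regexes assume the standard snippet formats and will miss a page that loads its pixel some other way.

```python
import json
import re
from collections import defaultdict

# Signature string CTM360 reports in FEMITBOT API responses (from the article).
FEMITBOT_BANNER = "Welcome to join the FEMITBOT platform"

# Standard pixel-initialisation calls as they appear in page source (assumption:
# the page embeds the stock Meta / TikTok snippets rather than a wrapper).
META_PIXEL_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{6,20})['"]""")
TIKTOK_PIXEL_RE = re.compile(r"""ttq\.load\(\s*['"]([A-Z0-9]{10,30})['"]""")

# Constructed captures: domain -> (API response body, landing-page HTML).
# Two domains share the banner and a Meta pixel; a third shares only the TikTok
# pixel with the first; the fourth shares nothing.
SAMPLE_CAPTURES = {
    "nvidia-rewards.example": (
        '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
        '<script>fbq("init", "123456789012345");</script>'
        '<script>ttq.load("C0AAAAAAAAAAAAAAAAAA");</script>',
    ),
    "youku-vip.example": (
        '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
        '<script>fbq("init", "123456789012345");</script>',
    ),
    "disney-bonus.example": (
        '{"ok":true}',
        '<script>ttq.load("C0AAAAAAAAAAAAAAAAAA");</script>',
    ),
    "unrelated.example": ('{"ok":true}', "<html>no pixels here</html>"),
}


def extract_indicators(api_body, html):
    """Pull the backend banner and ad-pixel IDs from one domain's captured responses."""
    # The banner may sit inside a JSON field or in a raw body; normalise both.
    try:
        text = json.dumps(json.loads(api_body))
    except ValueError:
        text = api_body
    return {
        "banner": FEMITBOT_BANNER if FEMITBOT_BANNER in text else None,
        "meta_pixels": set(META_PIXEL_RE.findall(html)),
        "tiktok_pixels": set(TIKTOK_PIXEL_RE.findall(html)),
    }


def cluster_domains(captures):
    """Union-find over domains: any shared indicator links two domains, and links
    are transitive, so A~B and B~C puts A, B, C in one cluster. Returns clusters
    as sorted lists, largest first."""
    parent = {d: d for d in captures}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # indicator -> first domain observed carrying it
    for domain, (api_body, html) in captures.items():
        ind = extract_indicators(api_body, html)
        keys = []
        if ind["banner"]:
            keys.append(("banner", ind["banner"]))
        keys += [("meta_pixel", p) for p in ind["meta_pixels"]]
        keys += [("tiktok_pixel", p) for p in ind["tiktok_pixels"]]
        for key in keys:
            if key in first_seen:
                union(domain, first_seen[key])
            else:
                first_seen[key] = domain

    groups = defaultdict(list)
    for domain in captures:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_CAPTURES):
        print(cluster)
```

Pixel IDs are a stronger link than the banner string alone, because the operators can change a response message in one deploy but rotating a pixel ID throws away the conversion history they are optimising on; that is exactly the kind of value a threat-intel feed should carry alongside the domains themselves.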
The Android Sideloading Pivot: When Phishing Becomes Malware
Some Mini Apps go further than phishing. Users are prompted to download Android APK files, open links in the in-app browser, or install progressive web apps (PWAs) that mimic legitimate software. APKs distributed through this channel have impersonated the BBC, NVIDIA, CineTV, Coreweave, and Claro.
CTM360 explains the operational tradecraft: "The APK filenames are carefully chosen to resemble legitimate applications or use random-looking names that don't immediately trigger suspicion. The APKs are hosted on the same domain as the API, ensuring TLS certificate validity and avoiding mixed-content warnings in the browser." That last detail matters, though not because the certificate proves anything about the site: a domain-validated certificate is free and says only that whoever requested it controls the domain. The gain is consistency. Serving the API, the landing page and the APK from one HTTPS origin means the WebView never shows a mixed-content warning or blocks the download as insecure, so the padlock and the brand-themed page stay intact right up to the install prompt. The only cue left is Android's own unknown-sources warning, which the victim has to accept by hand. This sits inside the broader Android sideloaded malware pattern CyberSignal has tracked across the year.
Why Brand-Protection Teams Should Care
The list of impersonated brands — Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, YouKu, BBC, CineTV, Coreweave, Claro — covers tech, telecom, retail, media, fintech, and entertainment. If your company operates in any of those sectors, the working assumption should be that your brand is on the list, has been on the list, or will be on the list. CTM360 has previously documented similar campaigns under names like TRAP10 and GovTrap, suggesting Mini App scam infrastructure is now standard tradecraft for crypto-investment fraud globally.
The defender takeaway is narrow but real. Telegram does limited proactive vetting before a Mini App goes live; moderation is largely reactive, kicking in after complaints or law-enforcement involvement. That gap is the operational space FEMITBOT is exploiting. For brand-protection and trust-and-safety teams, the case for adding Telegram bot and Mini App monitoring to your impersonation watch is now backed by a named platform with concrete TTPs.
The fraud chain here is also a reminder that this whole operation is, fundamentally, social engineering at platform scale — Telegram's brand authority does the heavy lifting that traditional phishing emails can't.
Defender Actions for This Week
- Add Telegram-themed lures to phishing test catalogs and user awareness training. The combination of in-app phishing pages, Telegram's brand authority, and the absence of vetting on Mini Apps is a gap most awareness programs do not currently address.
- For brand protection: monitor Telegram bots and Mini Apps for impersonation of your organization's brand. Establish a takedown workflow with Telegram's abuse channel before you need it, not after.
- Reinforce mobile device policies that block APK sideloading on managed Android devices. Most enterprise MDM solutions can disable installation from unknown sources; verify the policy is enforced in practice, not just configured. Note that on Android 8 and later the unknown-sources permission is granted per installing app (the browser, Telegram itself), so a policy that only locks the legacy device-wide toggle may leave those apps able to install.
- Treat marketing pixels as an intelligence source, not just ad-tech. CTM360's research does not say whose pixel IDs the FEMITBOT pages carry, and the operators most likely register their own, so this is not a case of the victim brand's pixels being copied. Pixel IDs are, however, hard-coded in page source, which lets a brand-protection analyst extract them from a phishing page and pivot across domains the same way CTM360 pivoted on the API banner string. Separately, if your own pixel IDs report events firing from a domain you do not operate (both Meta and TikTok expose the source URL of events in their event managers), a cloned page is carrying your tag, and that is a direct impersonation signal.
- For ongoing reporting on brand-impersonation phishing campaigns, our coverage of the AccountDumpling Facebook campaign documents the same general playbook applied to a different platform — credential theft via brand impersonation, optimized for scale.
The CyberSignal Analysis
Signal 01 — The platform's design choices, not just the attackers, are doing the work
What makes FEMITBOT effective is not novel malware. The scams it runs — fake crypto investment platforms, advance-fee withdrawal blockers, signed APKs masquerading as streaming apps — are decades old in pattern. What is new is that Telegram's Mini App architecture lets attackers serve those scams from inside a trusted messenger, with the platform's chrome around the phishing page and TLS certificates already valid. The user-experience cues a careful person uses to detect a scam — strange domain names, browser warnings, the visible transition to a third-party site — are absent by design. Telegram's choice to allow web content inside its WebView with minimal vetting is the structural decision that makes this campaign possible at scale.
Signal 02 — Marketing-pixel abuse is the real signal that fraud has industrialized
The detail in this story that should change how defenders think about scam infrastructure is the use of Meta and TikTok tracking pixels for conversion optimization. Fraudsters have always tested lures, but they tested them by hand. Pixel-based optimization means FEMITBOT operators can run A/B tests across landing pages, languages, and brand impersonations, retire underperforming variants, and double down on the ones that convert. That is a marketing operation. The implication for defenders is that scam infrastructure is now reaching the same level of operational sophistication as legitimate digital advertising — including the same iteration speed. Threat-intel feeds keyed on static IOCs will lag this cycle badly.
Signal 03 — The brands on the list are not random
Apple, Disney, eBay, IBM, NVIDIA, MoonPay, BBC, Coreweave, Claro — the impersonation list is heavily weighted toward brands users already associate with payments, media subscriptions, AI compute, or large-scale consumer trust. That is not coincidence. The brands chosen are ones where the lure ("collect your NVIDIA AI rewards," "stream BBC content with your account credit") sounds plausible enough to override a user's instinct to verify. For organizations on this list — and any organization whose brand is in a similar trust position — the brand-protection function is not a cost center anymore. It is part of the customer-protection mission.