Introduction
Security researchers have uncovered a massive, active fraud operation—dubbed the 'Blitz' campaign—that leverages Telegram's Mini App feature to facilitate cryptocurrency scams and distribute Android malware. Unlike traditional phishing that relies on external websites, this campaign utilizes the trusted Telegram ecosystem to impersonate legitimate brands like Notion and Pascal. By distributing trojanized Android applications and facilitating the theft of crypto seed phrases, this operation poses a significant risk to organizations allowing Bring Your Own Device (BYOD) policies and those actively monitoring for social engineering indicators. Defenders must treat Telegram Mini Apps as a high-risk vector for initial access and fraud.
Technical Analysis
Affected Platforms: Android OS, Telegram (Cross-platform client)
Threat Vector: Social Engineering via Telegram Mini Apps (Web-based applications running within the Telegram client).
Attack Chain:
- Initial Access: Targets receive links to malicious Telegram Mini Apps, often distributed via sponsored messages or hijacked channels.
- Impersonation: The Mini Apps spoof well-known productivity tools (e.g., Notion) or crypto services to establish legitimacy.
- Payload Delivery: The apps prompt users to download Android Package Kits (APKs) for 'updates' or 'functionality'. These APKs are often trojanized versions of legitimate apps or entirely malicious malware.
- Data Exfiltration: In crypto-scam scenarios, users are duped into entering seed phrases or 2FA codes (often using fake TOTP prompts) which are exfiltrated to attacker-controlled C2 servers.
- Malware Execution: Once installed, the Android malware gains persistence and requests invasive permissions (SMS, Contacts, Overlay) to intercept 2FA codes and facilitate account takeover.
Exploitation Status: Confirmed Active Exploitation. The 'Blitz' campaign is currently operational, with hundreds of fraudulent Mini Apps identified. Specific Indicators of Compromise (IoCs) include domains such as notion-site[.]com (a typo-squat of Notion) and Android package names like com.pascal[.]app.
Detection & Response
The following detection mechanisms focus on the network artifacts associated with the C2 infrastructure and the specific malicious Android package installations observed in this campaign.
SIGMA Rules
YAML
---
title: Telegram Mini App Fraud - Network Connection to Suspicious Domains
id: 8a5f2c1e-9b4d-4e6f-a1c3-5d6e7f8a9b0c
status: experimental
description: Detects network connections to domains known to be used in the Telegram Mini App 'Blitz' crypto scam campaign, such as typo-squatted Notion domains.
references:
- https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/
author: Security Arsenal
date: 2024/05/24
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'notion-site.com'
- 'onlinemahalaxmi.com'
- 'pascal-app'
condition: selection
falsepositives:
- Legitimate access to similarly named internal assets (unlikely given TLD)
level: high
---
title: Android Trojan - Suspicious Pascal Package Installation
id: 1b3c4d5e-6f78-90ab-cdef-1234567890ab
status: experimental
description: Detects the installation of the malicious 'Pascal' or 'Notion' impersonator Android APKs associated with the Telegram Mini App campaign.
references:
- https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/
author: Security Arsenal
date: 2024/05/24
tags:
- attack.initial_access
- attack.t1190
logsource:
product: android
definition: 'Package installation events'
detection:
selection:
PackageName|contains:
- 'com.pascal.app'
- 'com.notion.services'
- 'com.notion.tools'
Action: 'install'
condition: selection
falsepositives:
- Legitimate installation of the actual Notion app (com.notion.id)
level: critical
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
// Hunt for network connections to domains associated with Telegram Mini App fraud
// Look for connections to typo-squatted domains or known C2s
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("notion-site.com", "onlinemahalaxmi.com", "pascal-app", "telegram-mini-app-c2")
or RemoteUrl contains "@" and ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, LocalPort
| extend FullURL = iff(RemoteUrl contains "@", strcat("https://", RemoteUrl), RemoteUrl)
| order by Timestamp desc
// Hunt for installation of suspicious Android packages on mobile endpoints managed by Defender
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ActionType == "PackageInstall"
| where InitiatingProcessFileName in~ ("com.android.packageinstaller", "com.google.android.packageinstaller")
| where FileName has_any ("pascal", "notion.services", "notion.tools")
and FileName !~ "com.notion.id" // Filter out legitimate Notion
| project Timestamp, DeviceName, AccountName, FileName, SHA256, InitiatingProcessAccountName
Velociraptor VQL
VQL — Velociraptor
-- Hunt for active network connections to known malicious domains associated with the Blitz campaign
-- Note: Requires elevated privileges to view all connections
SELECT Timestamp, RemoteAddress, RemotePort, ProcessName, PID
FROM netstat()
-- Filter for connections to suspicious domains (resolved IPs or hostnames if available in cache)
WHERE RemoteAddress IN network_lookup("
notion-site.com,
onlinemahalaxmi.com,
pascal-app.com
")
OR RemoteAddress =~ "192.168\.." // Example: Exclude local LAN, focus on external specific C2s if known
Remediation Script (PowerShell)
PowerShell
<#
.SYNOPSIS
Hardens the local hosts file against known Telegram Mini App scam domains.
.DESCRIPTION
This script checks for specific malicious domains associated with the 'Blitz' campaign
and adds them to the Windows hosts file to prevent resolution and user connection.
#>
$MaliciousDomains = @(
"notion-site.com",
"onlinemahalaxmi.com",
"www.notion-site.com"
)
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$RedirectIP = "0.0.0.0"
Write-Output "[*] Starting hardening of hosts file against Telegram Mini App IoCs..."
try {
$CurrentHosts = Get-Content -Path $HostsPath -ErrorAction Stop
} catch {
Write-Error "[-] Failed to read hosts file. Run as Administrator."
exit
}
$ChangesMade = $false
foreach ($Domain in $MaliciousDomains) {
$Entry = "$RedirectIP $Domain"
# Check if domain is already present
if (-not ($CurrentHosts -match [regex]::Escape($Domain))) {
Write-Output "[+] Blocking domain: $Domain"
Add-Content -Path $HostsPath -Value $Entry
$ChangesMade = $true
} else {
Write-Output "[!] Domain $Domain is already blocked."
}
}
if ($ChangesMade) {
Write-Output "[*] Successfully updated hosts file. Flushing DNS cache..."
Clear-DnsClientCache
} else {
Write-Output "[*] No changes were necessary."
}
Write-Output "[*] Hardening complete."
Remediation
- Block IoCs at the Perimeter: Immediately add the domains identified in the 'Blitz' campaign (e.g.,
notion-site.com,onlinemahalaxmi.com) to your corporate DNS firewall (e.g., Cisco Umbrella, Cloudflare) and web proxy blocklists. - Mobile Application Management (MAM): Enforce strict policies on managed mobile devices. Block the sideloading of APKs (Unknown Sources) and utilize Mobile Threat Defense (MTD) solutions to detect the installation of malicious packages such as
com.pascal.app. - User Education & Awareness: Issue a security advisory to staff warning against interacting with unsolicited Mini Apps in Telegram, specifically those impersonating productivity tools (Notion) or requesting crypto wallet credentials.
- Policy Review: Review acceptable use policies regarding Telegram usage. If Telegram is not business-critical, consider restricting access via CASB (Cloud Access Security Broker) or network segmentation.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
managed-socmdrsecurity-monitoringthreat-detectionsiemtelegramandroid-malwarecrypto-scams
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.