Fake Telegram Site Spreads Malware Using Multi-Stage In-Memory Loader
Cybersecurity researchers have uncovered a malicious campaign using a fake Telegram download site to distribute advanced malware. The fraudulent domain telegrgam[.]com mimics the official website and tricks users into downloading a fake installer disguised as a legitimate Telegram setup file. This typo-based deception makes it easy for unsuspecting users to install malware simply by mistyping the URL.


The attack uses a multi-stage loader that executes malicious code directly in memory, making it difficult for traditional antivirus tools to detect. Once installed, the malware disables Windows Defender protections, drops staged payloads, and uses trusted system tools like rundll32.exe to execute a malicious DLL. The final payload is reconstructed in memory using reflective loading and connects to a command-and-control (C2) server, allowing attackers to maintain persistent access and deploy additional payloads.
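The chain above (look-alike domain, Defender tampering, rundll32.exe loading a DLL from a user-writable path) maps directly onto endpoint telemetry. The following Python detector is an added example, not code from the article or from the researchers; the event field names, the sample events and the similarity threshold are assumptions.

```python
# Added example: flags the stages described above in constructed endpoint telemetry.
# Event dict fields ("type", "query", "image", "cmdline") are an assumed schema.
import re
from difflib import SequenceMatcher

LEGIT_TELEGRAM = {"telegram.org", "desktop.telegram.org", "web.telegram.org"}
USER_WRITABLE = re.compile(r"c:\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference.*-Disable\w*Monitoring\s+\$?true", re.I)

def is_telegram_lookalike(domain):
    """True for domains whose second-level label resembles 'telegram' but are not official."""
    d = domain.lower().rstrip(".")
    if d in LEGIT_TELEGRAM:
        return False
    label = d.split(".")[-2] if "." in d else d
    return SequenceMatcher(None, label, "telegram").ratio() >= 0.8  # threshold assumed

def classify(event):
    """Return detection labels for one event (empty list when nothing matches)."""
    hits = []
    if event["type"] == "dns" and is_telegram_lookalike(event["query"]):
        hits.append("typosquat_dns")
    if event["type"] == "process":
        image = event["image"].lower()
        cmdline = event.get("cmdline", "")
        # rundll32.exe is a trusted binary; a DLL argument under a user-writable path is the signal
        if image.endswith("rundll32.exe") and USER_WRITABLE.search(cmdline):
            hits.append("rundll32_user_path_dll")
        if DEFENDER_TAMPER.search(cmdline):
            hits.append("defender_tamper")
    return hits

def score_chain(events):
    """Aggregate labels over a host's events; two or more distinct stages is high confidence."""
    labels = set()
    for event in events:
        labels.update(classify(event))
    return labels, len(labels) >= 2

SAMPLE_EVENTS = [  # constructed telemetry for illustration, not real campaign data
    {"type": "dns", "query": "telegrgam.com"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Start"},
    {"type": "dns", "query": "telegram.org"},
]

if __name__ == "__main__":
    print(score_chain(SAMPLE_EVENTS))
```

A benign rundll32.exe invocation with a DLL under System32 produces no label, so the detector keys on the user-writable path rather than on the binary itself.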


Researchers also identified multiple similar typosquatted domains, indicating a broader campaign targeting users searching for Telegram downloads. This attack highlights how simple visual deception combined with advanced in-memory execution techniques can lead to full system compromise. Users are advised to download software only from official sources and monitor systems for unusual activity to prevent infection.
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, FraudProtector.net.