Cybersecurity experts have warned users about a new malicious campaign that is spreading through a fake Telegram Premium website. The site, hosted on telegrampremium[.]app, tricks visitors into downloading a dangerous malware called Lumma Stealer, which can steal sensitive information such as saved passwords, cryptocurrency wallet details and system data.
According to researchers at Cyfirma, the website looks like the official Telegram Premium service but secretly pushes a file named start.exe. The worrying part is that this file is downloaded automatically as soon as someone visits the page without any clicks required. Built in C/C++, the malware uses advanced hiding techniques that help it bypass traditional antivirus scans.
How the malware works
Once the malware is active, it immediately starts collecting data. It can grab login details stored in browsers, copy crypto wallet information, and even capture system-related data. Cybersecurity researchers warn that this puts the user at risk of identity theft and financial loss.
The malware is also designed to stay hidden. It uses cryptor obfuscation, which makes it difficult for security tools to detect. It imports multiple Windows functions that allow it to manipulate files, change registry settings, run hidden scripts, and cover its tracks.
Interestingly, the malware also connects to real services like Telegram and Steam Community, which helps it avoid suspicion while secretly sending stolen data to hidden domains. Experts believe the attackers are using newly registered domains for short campaigns, making it harder for authorities to shut them down quickly.
The malicious software also drops disguised files in the system’s temporary folder. Some files are encrypted to look like harmless images but are later turned into scripts that keep the malware running in the background. It even delays execution to avoid being caught during security checks.
How to stay safe
Cybersecurity experts recommend a mix of technical safeguards and user awareness to stay protected from threats like Lumma Stealer.
- Use advanced endpoint detection tools that track unusual activity like hidden file changes or suspicious connections, making it easier to spot new and evolving malware.
- Block malicious domains and restrict downloads from unverified websites to prevent automatic, drive-by installations like the one used in this fake Telegram Premium campaign.
- Enable multi-factor authentication (MFA) across important accounts. Even if passwords are stolen, MFA provides an extra security layer that can block unauthorised access.
- Rotate login credentials regularly to reduce risk of long-term account compromise. Changing passwords often limits how long stolen information remains useful to attackers.
- Monitor system and network activity continuously for suspicious behaviour such as unexpected logins, data transfers, or unusual processes running in the background.
Most importantly: Download Telegram Premium only from official sources. Fake sites may look convincing, but cautious browsing is the strongest defense.
Authored by: Aishwarya Faraswal
