Information-stealing malware is spreading widely on Telegram, Cisco Talos says

The ZingoStealer information stealer identified by Cisco Talos threat analysts can exfiltrate credentials and steal cryptocurrency wallet information.
infected file, information stealer, malware
(Getty Images)

A new information stealer — dubbed “ZingoStealer” by the Cisco Talos researchers who identified the malware last month — is now being shared prolifically on Telegram by the Haskers Gang, a collective of cybercriminals.

The gang has been targeting Russian speakers and gamers, Nick Biasini, the head of outreach for Cisco Talos told CyberScoop. Victims think they’re receiving a file with game cheats, pirated software or some other useful item, but it’s the malware instead.

“The velocity of new samples that we’re seeing is starting to ramp up pretty quickly so it’s important that we get this information out so that the public is aware that there’s a new stealer out there that is increasing in distribution as we speak,” Biasini said.

ZingoStealer leverages Telegram chat features to “facilitate malware executable build delivery and data exfiltration,” the Cisco Talos research report said. The malware can grab credentials, steal cryptocurrency wallet information and mine cryptocurrency on victims’ systems.


The stealer is freely available on Telegram pages and doesn’t require advanced hacking skills to deploy, the researchers said.

Haskers Gang has been active since at least January 2020 and is mainly focused on crime.

ZingoStealer also delivers additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware to victims, Talos researchers said. RedLine Stealer is another information stealer that functions similarly to ZingoStealer but offers support for stealing data from significantly more applications and browser extensions, they said. XMRig is a cryptocurrency mining client that uses victim computing resources to mine Monero that is then paid to the attacker. 

Haskers Gang has been active since at least January 2020 and is mainly focused on crime, Talos researchers said. The group’s members steal confidential information for cryptocurrency mining. They operate a Telegram channel to collect logs from systems infected with ZingoStealer and publish announcements about their efforts.

Biasini said the situation is evolving even now, and Talos researchers found that shortly after they published their report the ZingoStealer author “apparently handed over the malware to another threat actor.”


Edmund Brumaghin, a Talos threat researcher who co-wrote the Talos blog post outlining findings, said via email that Telegram users should always be aware that the platform can be used to distribute malware and ensure that they remain vigilant when encountering file attachments, hyperlinks, or any other content that could potentially be used to infect their systems. 

Brumaghin said that since ZingoStealer emerged, Talos researchers have observed a “significant volume of samples in the wild.” He said that because ZingoStealer is free, it likely to be “an attractive toolkit for a variety of financially motivated threat actors.”

Suzanne Smalley

Written by Suzanne Smalley

Suzanne joined CyberScoop from Inside Higher Ed, where she covered educational technology and from Yahoo News, where she worked as an investigative reporter. Prior to Yahoo News, Suzanne worked as a consultant to the economist Raj Chetty as he launched his Harvard-based research institute Opportunity Insights. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and covered two presidential campaigns for Newsweek. She holds a masters in journalism from Northwestern and a BA from Georgetown. A Miami native, Suzanne lives in upper Northwest Washington with her family.

Latest Podcasts