Telegram-Based Infrastructure Enables Mass Infection Campaign; Malware Harvests Banking Credentials, SMS Data, and Deploys Ransomware Demanding 50 TRX Cryptocurrency
Cyble Research and Intelligence Labs (CRIL) has discovered deVixor, an advanced Android banking trojan with integrated ransomware capabilities that is actively targeting Iranian users through an elaborate phishing campaign masquerading as legitimate automotive businesses.
The sophisticated malware, which has evolved from basic SMS-harvesting to a fully-featured Remote Access Trojan (RAT), represents a significant escalation in mobile banking threats combining credential theft, device surveillance, and financial extortion within a single platform.
“deVixor demonstrates how Android banking malware has evolved into scalable, service-driven criminal platforms capable of long-term device compromise and multi-vector financial abuse,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. “The combination of banking fraud capabilities with ransomware functionality, all managed through Telegram infrastructure, makes this a particularly interesting and dangerous threat to mobile users in the region.”
Campaign Overview and Distribution
Automotive Phishing Lure at Scale
CRIL identified over 700 samples of deVixor variants since October 2025, distributed through fraudulent websites impersonating legitimate automotive companies. The sites lure victims with heavily discounted vehicle offers, tricking them into downloading malicious APK files that install the banking trojan.
Malicious Distribution Domains:
- asankhodroo[.]shop
- asan-khodro[.]store
- naftyar[.]info
- abfayar[.]info
- blupod[.]site
- vamino[.]online
The campaign demonstrates sophisticated social engineering, exploiting trust in established automotive brands to achieve widespread installation across Iranian Android devices.
Telegram-Based Criminal Infrastructure
deVixor leverages a unique Telegram bot-based administrative panel for managing infections at scale. Each deployed APK receives a unique Bot ID (called a “Port” by operators) stored in a local configuration file, enabling individual device tracking and control.
Analysis of the threat actor’s Telegram channel revealed:
- Active development and version updates published regularly
- Operational screenshots showing numerous simultaneously infected devices
- Growing subscriber base indicating ongoing criminal service maintenance
- Real-time command issuance and status updates from operators
The channel’s activity, combined with linguistic artifacts in Persian throughout the malware code and exclusive targeting of Iranian banks, confirms the operation’s regional focus on Iranian users.
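The report describes a Telegram bot acting as the administrative panel, with each APK carrying its own Bot ID. The following detection example is added here and is not code from Cyble's report or from the malware: it assumes the panel talks to the public HTTP Bot API (`api.telegram.org/bot<token>/<method>`), which the report does not state explicitly, and it runs over constructed web-proxy log lines in a constructed `ip method url "user-agent"` format. The defender-side observation it encodes is that the official Telegram client uses MTProto rather than the Bot API, so Bot API calls from an Android HTTP stack (okhttp, Dalvik) are worth flagging, and the numeric Bot ID in the token is a usable pivot while the secret part of the token is deliberately not recorded.

```python
"""Flag Telegram Bot API traffic from Android clients in web-proxy logs.

Added defender-side example, not code from Cyble's report. It assumes
deVixor's Telegram bot panel uses the public HTTP Bot API
(api.telegram.org/bot<token>/<method>). Log format and sample lines are
constructed; the tokens below are placeholders, not real tokens.
"""
import re
from collections import defaultdict

# Constructed proxy log lines: client_ip, method, url, user_agent
SAMPLE_LOG = """\
10.0.0.12 GET https://api.telegram.org/bot7001234567:AAFexample_constructed_token_0000000000/getUpdates "okhttp/4.9.3"
10.0.0.12 POST https://api.telegram.org/bot7001234567:AAFexample_constructed_token_0000000000/sendDocument "okhttp/4.9.3"
10.0.0.33 GET https://api.telegram.org/bot7009876543:AAEanother_constructed_token_111111111/getUpdates "Dalvik/2.1.0 (Linux; U; Android 12)"
10.0.0.50 GET https://www.example-bank.test/login "Mozilla/5.0 (Linux; Android 13)"
10.0.0.77 POST https://api.telegram.org/bot7005555555:AAGserver_side_constructed_token_22222222/sendMessage "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Bot API URL shape: /bot<numeric bot id>:<secret>/<method>
BOT_API_RE = re.compile(
    r'^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api_method>\w+)'
)
# Android HTTP stacks; the official Telegram app does not use the Bot API at all
MOBILE_UA_RE = re.compile(r'okhttp|Dalvik|Android', re.IGNORECASE)
# Methods a bot uses to poll for operator commands and push data out
SUSPICIOUS_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for Bot API calls made by a mobile client, else None."""
    m = BOT_API_RE.match(entry["url"])
    if not m:
        return None
    if not MOBILE_UA_RE.search(entry["ua"]):
        return None  # server-side bots are normal; a phone calling the Bot API is not
    return {
        "client": entry["ip"],
        "bot_id": m.group("bot_id"),  # operator's bot id; the token secret is intentionally not kept
        "api_method": m.group("api_method"),
        "suspicious": m.group("api_method") in SUSPICIOUS_METHODS,
    }


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Group findings by client: which bot ids and API methods each device used."""
    per_client = defaultdict(lambda: {"bot_ids": set(), "methods": set()})
    for f in findings:
        per_client[f["client"]]["bot_ids"].add(f["bot_id"])
        per_client[f["client"]]["methods"].add(f["api_method"])
    return dict(per_client)


if __name__ == "__main__":
    for client, info in summarize(scan(SAMPLE_LOG)).items():
        print(client, sorted(info["bot_ids"]), sorted(info["methods"]))
```

On the constructed sample this flags two Android clients and leaves the `python-requests` caller alone; in production the same grouping by Bot ID lets one block or sinkhole a single operator bot without touching the rest of Telegram.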
Multi-Vector Financial Data Harvesting
deVixor employs sophisticated techniques to steal banking information and cryptocurrency assets:
SMS-Based Data Collection:
- GET_BANK_BALANCE: Scans up to 5,000 SMS messages to extract account balances and OTPs from Iranian banks
- GET_CARD_NUMBER: Uses regular expressions to identify and validate credit/debit card numbers in SMS history
- GET_EXCHANGE: Targets cryptocurrency exchanges including Binance, CoinEx, Ramzinex, Exir, and 14 other platforms
- GET_BANK_SMS: Harvests messages from 26+ Iranian banks including Bank Melli, Bank Mellat, Bank Tejarat, Bank Saderat
WebView JavaScript Injection:
- Generates fake bank notifications via “BankEntryNotification” command
- Loads legitimate banking websites inside WebView when victim taps notification
- Injects malicious JavaScript into login forms
- Silently exfiltrates username and password credentials to C&C server
Targeted Iranian Financial Institutions: The malware specifically targets Iran’s major banks, payment services, and domestic cryptocurrency exchanges, demonstrating deliberate victim profiling and regional specialization.
Integrated Ransomware Module
deVixor includes an embedded ransomware component activated via the “RANSOMWARE” command. When triggered, the malware:
- Parses attacker-supplied ransom note, TRON wallet address, and payment amount
- Stores configuration in persistent LockTouch.json file
- Locks victim’s device with full-screen overlay
- Displays message: “Your device is locked. Deposit to unlock”
- Demands 50 TRX (TRON cryptocurrency) payment
- Tracks victim compliance status through C&C server
This dual-threat capability enables both credential theft for banking fraud and direct financial extortion through device locking.
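Because the ransom configuration is written to a persistent LockTouch.json, that file is a natural artifact to pull during incident response. The triage script below is an added example, not Cyble's code: the report does not give the file's schema, so the script walks every string value in the JSON instead of assuming key names, extracts anything shaped like a TRON address, and checks it with Base58Check (version byte 0x41 plus a double-SHA256 checksum) so that a typo'd or truncated address is reported separately from a payable one. The sample JSON, its key names and the wallet address in it are all constructed here.

```python
"""Triage a recovered LockTouch.json and extract TRON payment details.

Added incident-response example, not code from Cyble's report. The report
says deVixor keeps the ransom note, TRON wallet and amount in LockTouch.json
but not how the file is laid out, so this walks all string values rather
than relying on key names. The sample document below is constructed.
"""
import hashlib
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# TRON mainnet address: Base58Check(0x41 || 20-byte hash) = 34 chars starting with 'T'
TRON_ADDR_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become leading '1's
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # raises ValueError on a bad character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def tron_address_from_hash(hash160: bytes) -> str:
    """Build a mainnet address from a 20-byte hash (used only to construct sample data)."""
    payload = b"\x41" + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_tron_address(addr: str) -> bool:
    """Base58Check validation: 25 decoded bytes, version 0x41, checksum matches."""
    if not TRON_ADDR_RE.fullmatch(addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def walk_strings(obj):
    """Yield (json_path, value) for every string anywhere in a parsed JSON document."""
    stack = [("$", obj)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            stack.extend((f"{path}.{k}", v) for k, v in node.items())
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
        elif isinstance(node, str):
            yield path, node


def triage_locktouch(text: str) -> dict:
    """Return validated and malformed TRON addresses plus any 'N TRX' amounts found."""
    doc = json.loads(text)
    result = {"valid_addresses": [], "malformed_addresses": [], "amounts_trx": []}
    for path, value in walk_strings(doc):
        for addr in TRON_ADDR_RE.findall(value):
            bucket = "valid_addresses" if is_valid_tron_address(addr) else "malformed_addresses"
            result[bucket].append((path, addr))
        for amt in re.findall(r"(\d+(?:\.\d+)?)\s*TRX\b", value):
            result["amounts_trx"].append((path, float(amt)))
    return result


# Constructed sample: a syntactically valid wallet and one with a corrupted last character
CONSTRUCTED_WALLET = tron_address_from_hash(hashlib.sha256(b"constructed example").digest()[:20])
MALFORMED_WALLET = CONSTRUCTED_WALLET[:-1] + ("1" if CONSTRUCTED_WALLET[-1] != "1" else "2")
SAMPLE_LOCKTOUCH = json.dumps({  # key names are assumed, not taken from the malware
    "note": "Your device is locked. Deposit to unlock",
    "wallet": CONSTRUCTED_WALLET,
    "price": "50 TRX",
    "history": [{"msg": "previous wallet " + MALFORMED_WALLET}],
})

if __name__ == "__main__":
    print(json.dumps(triage_locktouch(SAMPLE_LOCKTOUCH), indent=2))
```

Walking every string rather than fixed keys means the script still works if a later deVixor build renames fields, and the checksum split tells an analyst immediately whether the address found is one that funds could actually flow to, which matters when passing it to an exchange or blockchain-analytics contact.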
Scale and Impact Assessment
Mass Infection Campaign: Screenshots from the threat actor’s Telegram channel show numerous devices infected simultaneously, each with unique Bot IDs. The systematic nature of the infrastructure, combined with 700+ identified samples, indicates an ongoing mass infection campaign rather than isolated targeting.
Regional Focus: Multiple indicators confirm Iranian users as primary targets:
- Persian-language UI elements in phishing overlays
- Exclusive targeting of Iranian banks and payment services
- Persian linguistic artifacts in code and communications
- Domestic cryptocurrency exchange targeting
- Cultural context in automotive phishing lures
