"Welcome to join the FEMITBOT platform": according to CTM360, that single API response string ties together a sprawling campaign of fake crypto platforms, brand impersonations, and Android malware delivery operating inside Telegram's Mini Apps.
FEMITBOT: a shared backend powering Mini App scams
CTM360's analysis, shared with BleepingComputer, identifies the operation under the label "FEMITBOT" based on that repeated API response. The platform uses Telegram bots and the service's Mini App capability to present convincing, app-like interfaces inside Telegram's built-in browser. Attackers craft phishing pages that load within Telegram's WebView when a user clicks "Start" on a malicious bot, making the fraudulent experience look native to the messaging app.
Across multiple campaigns the same infrastructure is re-skinned with different domains and bots, allowing threat actors to switch branding, languages, and themes rapidly. The shared-backend pattern shows up as identical API replies across otherwise distinct phishing domains, the signal CTM360 used to group the activity under the FEMITBOT name.
Brand impersonation and Android APK distribution
The campaigns rely heavily on impersonation to gain credibility. CTM360 lists a long series of brands used as lures, including Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu. Some Mini Apps go beyond phishing pages and attempt to get users to download Android APK files that mimic legitimate applications; APKs were observed pretending to be software associated with the BBC, NVIDIA, CineTV, Coreweave, and Claro.
Victims who engage are shown dashboards displaying fake balances or "earnings" and are pushed toward withdrawals that require additional deposits or the completion of referral tasks — a classic investment or advance-fee scam pattern adapted to Telegram's Mini App environment.
How Mini Apps, WebView hosting, and tracking pixels lower suspicion
CTM360 highlights specific technical choices that make these scams more convincing and more effective. By running phishing pages inside Telegram's built-in browser, attackers avoid the visible context switches that normally alert users when a link opens an external website. APKs are hosted on the same domains as the platform's API, so downloads are served under the same valid TLS certificate and without mixed-content browser warnings, removing obvious signs of fraud. A valid certificate proves only that whoever runs the site controls that domain, not that the site or the APK is legitimate.
APK filenames are "carefully chosen to resemble legitimate applications or use random-looking names that don't immediately trigger suspicion," CTM360 writes. Campaigns also employ tracking scripts — notably Meta and TikTok tracking pixels — to measure conversions and tune performance, turning a run-of-the-mill phishing play into an optimized, data-driven fraud operation.
What this means for end users, security teams, and impersonated brands
- End users and Android device owners: Exercise caution with Telegram bots that promote investments or request you to open Mini Apps; the report explicitly warns users to be wary when asked to deposit funds or download apps. Android users should avoid sideloading APK files, which CTM360 notes are commonly used to distribute malware outside the Google Play Store.
- Security teams and defenders: The shared-backend and rebranding model means defensive signals should focus on infrastructure indicators (a repeated API response body, APKs served from the same TLS host as the API) and on malicious use of Mini Apps and WebView contexts rather than on any one brand or domain. Tracking pixel IDs and domain-hosting patterns are useful telemetry to tie disparate campaigns together.
- Impersonated brands and platform owners: Repeated use of high-profile brand names across phishing Mini Apps and APK lures suggests value in rapid takedown coordination and public guidance; the same infrastructure supporting multiple brands means takedowns or mitigations targeting the backend could blunt several campaigns at once.
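The pivoting described above (grouping domains by a repeated API response and by shared tracking pixel IDs) can be scripted. The following is an added example, not code from CTM360 or from the report; the domains, pixel IDs and API bodies are constructed samples, and the regexes assume the standard `fbq('init', ...)` and `ttq.load(...)` snippet shapes used by the Meta and TikTok pixels.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (invented domains and IDs, not data from the
# report): per domain, the JSON body its API returned and its landing-page HTML.
SAMPLES = [
    {
        "domain": "nvidia-rewards.example",
        "api_body": '{"code":200,"msg":"Welcome to join the FEMITBOT platform"}',
        "html": "<script>fbq('init', '100000000000001');</script>"
                "<script>ttq.load('C0000000000000001');</script>",
    },
    {
        "domain": "disney-invest.example",
        "api_body": '{"code":200,"msg":"Welcome to join the FEMITBOT platform"}',
        "html": "<script>fbq('init', '100000000000002');</script>",
    },
    {
        "domain": "coke-bonus.example",
        "api_body": '{"code":200,"msg":"Welcome to join the FEMITBOT platform"}',
        "html": "<script>ttq.load('C0000000000000001');</script>",
    },
    {
        "domain": "unrelated-shop.example",
        "api_body": '{"status":"ok","msg":"login required"}',
        "html": "<script>fbq('init', '100000000000099');</script>",
    },
]

# Meta pixel: fbq('init', '<digits>'); TikTok pixel: ttq.load('<alnum id>')
FB_PIXEL = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]")
TT_PIXEL = re.compile(r"ttq\.load\(\s*['\"]([A-Z0-9]{10,30})['\"]")


def api_banner(body: str) -> str:
    """Normalize an API reply to the message string worth pivoting on."""
    try:
        data = json.loads(body)
    except ValueError:
        return body.strip().lower()
    msg = data.get("msg") or data.get("message") or ""
    return str(msg).strip().lower()


def extract_pixels(html: str) -> set:
    """Return (platform, pixel_id) pairs embedded in the page source."""
    found = set()
    for pid in FB_PIXEL.findall(html):
        found.add(("meta", pid))
    for pid in TT_PIXEL.findall(html):
        found.add(("tiktok", pid))
    return found


def shared_infrastructure(samples, min_domains=2):
    """Indicators (API banner or pixel ID) seen on at least min_domains sites."""
    by_indicator = defaultdict(set)
    for s in samples:
        by_indicator[("api_banner", api_banner(s["api_body"]))].add(s["domain"])
        for pixel in extract_pixels(s["html"]):
            by_indicator[pixel].add(s["domain"])
    return {ind: sorted(doms) for ind, doms in by_indicator.items()
            if len(doms) >= min_domains}


def link_campaigns(samples, min_domains=2):
    """Union-find over shared indicators: each cluster is one likely backend."""
    parent = {s["domain"]: s["domain"] for s in samples}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for domains in shared_infrastructure(samples, min_domains).values():
        for d in domains[1:]:
            ra, rb = find(domains[0]), find(d)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for indicator, domains in shared_infrastructure(SAMPLES).items():
        print(indicator, "->", domains)
    print(link_campaigns(SAMPLES))
```

The three brand-themed domains end up in one cluster even though no single indicator is present on all of them: two share only the API banner with the third, and two share only a TikTok pixel ID. The unrelated shop, with its own pixel and a different API reply, stays alone. Pixel IDs are a weaker pivot than the API banner, since a legitimate agency can reuse one across unrelated clients, so treat a pixel-only link as a lead to confirm rather than an attribution.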
Conclusion — a phishing economy inside a messaging shell
CTM360's findings show an economy of fraud that leverages Telegram's convenience to collapse the gap between conversation and credential capture. By embedding phishing pages in Mini Apps, hosting APKs alongside trusted TLS certificates, and using conversion-tracking pixels, the operators make scams feel familiar and performant. The single API string that names the FEMITBOT platform is a clear fingerprint — and a reminder that coordinated detection and user caution remain the best immediate defenses.