250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very well-liked among gamers who use cryptocurrencies because of the potential rewards of a brand-new cryptocoin that the developers intend to launch. 

The game’s success has spawned numerous copycats with similar names, icons, and gameplay mechanics. While these imitations appear benign, they aim to profit from in-app advertising. 

The popularity of Hamster Kombat has created openings for cybercriminals. Fake app stores target Android users, offering malware disguised as the game that bombards them with ads.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Windows users are at risk from GitHub repositories distributing malicious farm bots and auto-clickers laced with Lumma Stealer malware for credential theft.  

In-game screenshot of Hamster Kombat

Researchers discovered malware distributed through unofficial channels, including fake Hamster Kombat apps and game automation tools that actually steal user information, targeting both Android and Windows devices, highlighting the risks of downloading apps from unofficial sources. 

The game’s token, HMSTR, will be distributed on The Open Network (TON) based on in-game performance metrics like profit per hour, unlike Notcoin’s airdrop, which rewarded total score, emulating Notcoin’s successful token launch on TON in May 2024 and aiming to replicate its achievement in the crypto-gaming space. 

It has been found that Android malware, including spyware (Ratel) and fake app stores with unwanted ads, might encounter repositories containing Lumma Stealer cryptors.

While the game itself seems safe, cybersecurity experts warn of potential financial risks associated with “play-to-earn” mechanics. 

Malicious Hamster Kombat access requests

ESET researchers discovered Ratel, an Android spyware disguised as Hamster Kombat, on Telegram, which steals notifications and sends SMS messages to steal money from the victim. 

It hides notifications from over 200 apps to prevent the victim from discovering suspicious activities. Ratel also communicates with a C&C server to receive instructions and potentially upload intercepted notifications.  

Notification exfiltrated to C&C server

Hamster Kombat, a popular Telegram clicker game with a promised cryptocoin, has attracted malicious actors, while Android spyware Ratel disguised as Hamster Kombat on Telegram steals notifications and sends SMS messages. 

Fake app stores impersonating legitimate ones also deliver unwanted advertisements.

For Windows users, GitHub repositories offering farm bots and autoclickers contain Lumma Stealer malware, which steals cryptocurrency wallets, user credentials, and other sensitive information.

Fake websites impersonating an app store interface

Lumma Stealer malware uses different encryption methods for C++, Go, and Python applications.

The C++ variant embeds RC4 encrypted Lumma Stealer and injects it into RegAsm.exe.

The Go variant uses AES-GCM encryption and leverages obfuscated code from go_libpeconv to perform process hollowing. 

The Python variant presents a fake installer, downloads a password-protected archive containing a cryptor with Lumma Stealer upon user consent, and sends timestamps to a C&C server that likely forwards the data to the operators’ Telegram account.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo 

Aman Mishra

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

34 minutes ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

43 minutes ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

4 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

7 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

8 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

8 hours ago