{"id":96956,"date":"2026-05-09T07:00:00","date_gmt":"2026-05-09T04:00:00","guid":{"rendered":"https:\/\/u1f987.com\/en\/?p=96956"},"modified":"2026-05-09T09:06:28","modified_gmt":"2026-05-09T06:06:28","slug":"canadas-first-sms-blaster-a-daemon-tools-trojan-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/canadas-first-sms-blaster-a-daemon-tools-trojan-and-other-cybersecurity-news\/","title":{"rendered":"Canada\u2019s first SMS blaster, a DAEMON Tools trojan, and other cybersecurity news"},"content":{"rendered":"<p>We round up the week\u2019s biggest cybersecurity stories.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Fraudsters used Telegram Mini Apps to steal crypto.<\/li>\n<li>Toronto uncovered the country\u2019s first SMS blaster.<\/li>\n<li>Vulture hackers targeted the TeamPCP gang.<\/li>\n<li>A tainted DAEMON Tools build was found in a hundred countries.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Fraudsters used Telegram Mini Apps to steal cryptocurrency<\/h2>\n<p>Cybersecurity researchers at <a href=\"https:\/\/www.ctm360.com\/reports\/femitbot-telegram-mini-apps-fraud-campaigns\">CTM360<\/a> uncovered a Telegram-based fraud campaign used to steal crypto and spread malware.<\/p>\n<p>The criminals\u2019 platform, FEMITBOT, uses Telegram bots and embedded Mini Apps to create convincing in-app fakes across themes such as crypto, finance, AI tools and streaming.<\/p>\n<p>To build trust, the scammers impersonate well-known brands (Bitget, OKX, Binance, Apple, Coca-Cola, Disney, eBay, MoonPay, Nvidia) while reusing a single back-end across multiple domains and bots.<\/p>\n<p>Upon pressing \u201cStart\u201d, the bot launches a Mini App that renders a phishing page in an in-app WebView. 
The interface shows dashboards with bogus \u201cearnings\u201d figures, often paired with countdown timers or time-limited offers to stoke <span data-descr=\"fear of missing out\" class=\"old_tooltip\">FOMO<\/span>.<\/p>\n<p>When users try to withdraw funds, they are told to make a test deposit or complete referral tasks\u2014a classic investment-fraud tactic.<\/p>\n<p>Some Mini Apps push malware as Android APKs, likewise disguised as household brands.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-076ab6c9590dee29-3869922154644926.webp\" alt=\"image\" class=\"wp-image-279778\"\/><figcaption class=\"wp-element-caption\">The FEMITBOT kit. Source: CTM360.<\/figcaption><\/figure>\n<p>Researchers say the infrastructure is designed for easy reuse across campaigns. To analyse user activity and optimise the fraud, the operators employ Meta Pixel and TikTok Pixel tracking.<\/p>\n<h2 class=\"wp-block-heading\">Toronto uncovers Canada\u2019s first SMS blaster<\/h2>\n<p>Police <a href=\"https:\/\/www.tps.ca\/media-centre\/stories\/unprecedented-sms-blaster-arrests\/\">arrested<\/a> three suspects for operating an SMS blaster in downtown Toronto.<\/p>\n<p>Such devices transmit a stronger signal than nearby cell towers, coercing handsets in range to connect to a fake base station.<\/p>\n<p>Once connected, they can broadcast texts that often contain links to phishing sites mimicking login pages of well-known companies.<\/p>\n<p>SMS blasters exploit weaknesses in legacy 2G networks and, beyond the direct threat, disrupt mobile service, including for emergency services.<\/p>\n<p>According to police, the goal was to steal usernames and passwords, including banking credentials.<\/p>\n<p>The campaign began in November 2025. Over several months, spam messages reached tens of thousands of devices. 
It is \u201cthe first known instance\u201d of such equipment operating in Canada.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-8f9f07059d4a6cd6-3869924240495657.webp\" alt=\"image\" class=\"wp-image-279780\"\/><figcaption class=\"wp-element-caption\">A similar device found in Bangkok. Source: <a href=\"https:\/\/www.khaosodenglish.com\/news\/2024\/11\/18\/chinese-cybercrime-bust-in-thailand-over-700-million-calls-using-fake-02-numbers\/\">Khaosod English<\/a>.<\/figcaption><\/figure>\n<p>Authorities noted the rig\u2019s unusual build. Mounted in a car\u2019s rear compartment, it let the operators relocate quickly.<\/p>\n<p>In 2024, Thai police <a href=\"https:\/\/www.khaosodenglish.com\/news\/2024\/11\/18\/chinese-cybercrime-bust-in-thailand-over-700-million-calls-using-fake-02-numbers\/\">arrested<\/a> members of a gang using a similar setup. Hauled around Bangkok in a truck bed, it sent nearly a million messages in three days.<\/p>\n<h2 class=\"wp-block-heading\">Vulture hackers go after the TeamPCP gang<\/h2>\n<p>Unknown attackers are actively hunting for systems already compromised by the notorious <a href=\"https:\/\/u1f987.com\/en\/news\/bitwarden-cli-hack-arrest-of-illicit-debt-collectors-in-kyiv-and-other-cybersecurity-news\">TeamPCP<\/a> group, breaking in and locking them down. The campaign, dubbed PCPJack, was <a href=\"https:\/\/www.sentinelone.com\/labs\/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale\/\">identified<\/a> by SentinelOne senior researcher Alex Delamotte.<\/p>\n<p>The intruders infiltrate the compromised infrastructure and remove backdoors to shut out the prior hackers, then deploy their own tooling, which propagates through cloud networks like a worm.<\/p>\n<p>PCPJack\u2019s tools automatically tally the servers wrested back from rivals.<\/p>\n<p>They steal credentials to resell access to other criminals or to extort victims themselves. 
Whereas most cloud intruders (including TeamPCP) plant cryptominers, PCPJack deliberately removes them. The group prefers to steal cryptocurrency directly, using dedicated routines to capture wallet passwords.<\/p>\n<p>According to the researcher, the operators do not limit themselves to systems already hit by TeamPCP. They also scan the internet for exposed services such as cloud virtual-machine platforms like Docker and the MongoDB database.<\/p>\n<p>In comments to <a href=\"https:\/\/techcrunch.com\/2026\/05\/07\/hackers-hack-victims-hacked-by-other-hackers\/\">TechCrunch<\/a>, Delamotte suggested the hackers could be disgruntled former TeamPCP members, a rival crew or mere copycats.<\/p>\n<h2 class=\"wp-block-heading\">Backdoored DAEMON Tools spotted in a hundred countries<\/h2>\n<p>Hackers implanted a trojan in the installer of DAEMON Tools Lite, a popular disk-imaging utility. Since April 8th they have used it to deploy backdoors on thousands of systems in more than 100 countries, researchers at <a href=\"https:\/\/securelist.com\/tr\/daemon-tools-backdoor\/119654\/\">Kaspersky Lab<\/a> reported.<\/p>\n<p>After users installed the free version of DAEMON Tools, the malicious code dropped a payload to persist and to activate the backdoor on Windows startup.<\/p>\n<p>At the first stage, the attackers used a basic infostealer to collect system data and ship it to attacker-controlled servers for victim profiling. 
Based on those results, a second stage was initiated on some machines\u2014a backdoor capable of executing commands, downloading files and running code directly in memory.<\/p>\n<p>In some cases the QUIC RAT malware was used; it can inject code into standard processes and supports multiple communication protocols.<\/p>\n<p>Victims included retail, academic, government and industrial organisations in Russia, Belarus and Thailand, as well as home PCs in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.<\/p>\n<p>DAEMON Tools developer Disc Soft <a href=\"https:\/\/blog.daemon-tools.cc\/post\/security-incident\">continues<\/a> to investigate the incident. Users who downloaded DAEMON Tools Lite 12.5.1 after April 8th are advised to uninstall the app, run a full system scan and install the latest 12.6 version from the official site.<\/p>\n<h2 class=\"wp-block-heading\">Taiwan arrests student over high-speed rail hack<\/h2>\n<p>Taiwanese authorities detained a student suspected of hacking the <span data-descr=\"TErrestrial Trunked RAdio \u2014 terrestrial trunked radio used by municipal services\" class=\"old_tooltip\">TETRA<\/span> communications system used by the country\u2019s high-speed rail network (THSR), <a href=\"https:\/\/newtalk.tw\/news\/view\/2026-04-30\/1032583\">Newtalk<\/a> reported.<\/p>\n<p>THSR is a 350 km double-track line along Taiwan\u2019s west coast, with trains reaching 300 km\/h.<\/p>\n<p>On April 5th, a citizen surnamed Lin halted four trains for 48 minutes using an <span data-descr=\"Software-Defined Radio \u2014 a radio technology in which components (modulation, filters) are implemented in software on a PC rather than hardware\" class=\"old_tooltip\">SDR<\/span> and handheld radios to transmit a high-priority \u201cGeneral Alarm\u201d signal, triggering emergency braking.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" 
src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-91c9f27441d05e50-3870198859744851.webp\" alt=\"train\" class=\"wp-image-279781\"\/><figcaption class=\"wp-element-caption\">THSR train. Source: <a href=\"https:\/\/unsplash.com\/photos\/a-high-speed-train-is-stopped-at-a-station-SvNAF-ZP6zE\">Unsplash\/Kaden Taylor<\/a>.<\/figcaption><\/figure>\n<p>Before the attack, Lin intercepted and decoded radio parameters using equipment bought on a marketplace. He then programmed the captured data into handheld radios to transmit signals that mimicked official radio beacons.<\/p>\n<p>According to police, an accomplice helped Lin configure the setup. THSR had been in operation for 19 years and its parameters apparently <a href=\"https:\/\/www.rtl-sdr.com\/student-arrested-in-taiwan-for-using-sdr-and-handheld-radios-to-halt-four-high-speed-trains-with-tetra-hack\/\">had not changed<\/a>, allowing the hacker to bypass seven verification layers.<\/p>\n<p>After the incident, THSR specialists examined logs and found the signal had been sent from a beacon that was not assigned to duty. The company concluded the signal had been cloned without authorisation.<\/p>\n<p>Investigators reviewed CCTV and TETRA network server records, leading them to the suspect\u2019s residence. A search found and seized 11 handheld radios, one SDR device and a laptop.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-5419aae778de16a6-3869923757057049.webp\" alt=\"image\" class=\"wp-image-279779\"\/><figcaption class=\"wp-element-caption\">Source: <a href=\"https:\/\/udn.com\/news\/story\/7315\/9475450\">UDN<\/a>.<\/figcaption><\/figure>\n<p>Lin faces up to ten years in prison. 
His lawyer claims the alarm transmission was accidental, but authorities find the explanation unconvincing.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Aave <a href=\"https:\/\/u1f987.com\/en\/news\/aave-liquidates-hacker-kelps-positions\">liquidated<\/a> the Kelp hacker\u2019s positions.<\/li>\n<li>Market maker TrustedVolumes was <a href=\"https:\/\/u1f987.com\/en\/news\/market-maker-trustedvolumes-hacked-for-6-million\">hacked<\/a> for $6 million.<\/li>\n<li>Bitcoin Core developers <a href=\"https:\/\/u1f987.com\/en\/news\/bitcoin-core-developers-address-critical-vulnerability\">fixed<\/a> a critical vulnerability.<\/li>\n<li>Lawyers for DPRK victims <a href=\"https:\/\/u1f987.com\/en\/news\/lawyers-reclassify-north-korean-hack-of-kelp-as-credit-fraud\">reclassified<\/a> the Kelp hack as credit fraud.<\/li>\n<li>A hacker <a href=\"https:\/\/u1f987.com\/en\/news\/hacker-exploits-1-4-million-vulnerability-in-ekubo-contract\">stole<\/a> $1.4 million via a vulnerability in Ekubo\u2019s contract.<\/li>\n<li>North Korea <a href=\"https:\/\/u1f987.com\/en\/news\/north-korea-dismisses-accusations-of-cryptocurrency-hacks-as-absurd-slander\">called<\/a> allegations of hacking crypto projects \u201cabsurd slander\u201d.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read at the weekend?<\/h2>\n<p>ForkLog unpacks what really happened to the InfoFi segment\u2014and how it might return.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A roundup of the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":96957,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"The week\u2019s key cyber stories: Telegram scams, SMS blaster, TeamPCP, DAEMON Tools 
trojan.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-96956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"22","promo_type":"1","layout_type":"1","short_excerpt":"The week\u2019s key cyber stories: Telegram scams, SMS blaster, TeamPCP, DAEMON Tools trojan.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=96956"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96956\/revisions"}],"predecessor-version":[{"id":96958,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/96956\/revisions\/96958"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/96957"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=96956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=96956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=96956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}