Bonvi Team DeliveryRAT Telegram distribution campaign targeting Russian Android users
Campaign
Summary
Hide ▲
Show ▼
The Bonvi Team distribution operation is actively pushing DeliveryRAT to Russian Android device owners, increasing the reach of a mobile malware scheme that relies on phishing and malicious app installs. The operation uses a Telegram bot to hand out APK files or phishing-page links that masquerade as normal consumer services. It matters because the delivery chain blends MaaS distribution, fake service lures, and background permissions abuse to maximize infections and keep victims engaged.
Related Happenings
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax Android banking trojan with residential proxy nodes
Malware ActivityAbout this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Android RAT campaign using Hugging Face dropper lure
Campaign
First: 16.02.2026 12:24
Last: 16.02.2026 12:24
Sources 1
About this happening:
In recent weeks, a **live Android RAT campaign** has used **Hugging Face** to deliver malicious APKs through a fake-update lure. The operation starts with a dropper app, such as *...
Android RAT campaign using Hugging Face dropper lure
CampaignAbout this happening: In recent weeks, a **live Android RAT campaign** has used **Hugging Face** to deliver malicious APKs through a fake-update lure. The operation starts with a dropper app, such as *...
UNC1069 GhostCall cryptocurrency social-engineering campaign
Campaign
First: 11.02.2026 08:50
Last: 11.02.2026 08:50
Sources 1
About this happening:
**UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...
UNC1069 GhostCall cryptocurrency social-engineering campaign
CampaignAbout this happening: **UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...
AI-assisted Truman Show investment fraud campaign
Campaign
First: 09.01.2026 13:00
Last: 09.01.2026 13:00
Sources 1
About this happening:
The **Truman Show** operation is an **AI-assisted investment fraud campaign** that uses **fake personas** and **attacker-controlled infrastructure** to lure victims into crypto sc...
AI-assisted Truman Show investment fraud campaign
CampaignAbout this happening: The **Truman Show** operation is an **AI-assisted investment fraud campaign** that uses **fake personas** and **attacker-controlled infrastructure** to lure victims into crypto sc...
Android tap-to-pay malware relays NFC card data for fraudulent payments
Malware Activity
First: 07.01.2026 18:00
Last: 07.01.2026 18:00
Sources 1
About this happening:
A wave of **Android tap-to-pay malware** is enabling **unauthorized contactless payments** by relaying **NFC card data** from victims’ phones to criminal devices. The operation us...
Android tap-to-pay malware relays NFC card data for fraudulent payments
Malware ActivityAbout this happening: A wave of **Android tap-to-pay malware** is enabling **unauthorized contactless payments** by relaying **NFC card data** from victims’ phones to criminal devices. The operation us...
Timeline
-
03.11.2025 13:14 2 articles · 6mo ago
Bonvi Team distributes DeliveryRAT through Telegram bots to Russian Android users
Initial DisclosureBonvi Team runs a DeliveryRAT malware-as-a-service distribution channel through a Telegram bot that offers APK files or phishing-page links, using fake food delivery, marketplace, banking, and parcel-tracking lures to target Russian Android device owners. The campaign requests notification and battery-optimization access, can hide app icons, and is assessed to have been active since mid-2024.
Show sources
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14