Bonvi Team DeliveryRAT Telegram distribution campaign targeting Russian Android users
Campaign
Summary
Hide ▲
Show ▼
The Bonvi Team distribution operation is actively pushing DeliveryRAT to Russian Android device owners, increasing the reach of a mobile malware scheme that relies on phishing and malicious app installs. The operation uses a Telegram bot to hand out APK files or phishing-page links that masquerade as normal consumer services. It matters because the delivery chain blends MaaS distribution, fake service lures, and background permissions abuse to maximize infections and keep victims engaged.
Related Happenings
India's Ministry of Electronics and Information Technology acting under Section 69A of the IT Act Restricted access to Telegram nationwide and ordered message-editing disabled
Public Sector Action
H score71
First: 17.06.2026 16:12
Last: 17.06.2026 16:12
Sources 1
About this happening:
India's **Ministry of Electronics and Information Technology** ordered a **nationwide Telegram restriction** under **Section 69A** through **June 22**, adding a separate requireme...
India's Ministry of Electronics and Information Technology acting under Section 69A of the IT Act Restricted access to Telegram nationwide and ordered message-editing disabled
Public Sector ActionAbout this happening: India's **Ministry of Electronics and Information Technology** ordered a **nationwide Telegram restriction** under **Section 69A** through **June 22**, adding a separate requireme...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Telegram-run smishing campaign targeting Americans
Campaign
H score53
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Outsider Telegram-run smishing campaign targeting Americans
CampaignAbout this happening: The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Latest development: 14.06.2026 17:36
The FBI, working with Google and Black Lotus Labs, dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile and Verizon. The takedown included seizures of administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT and a Telegram bot linked to the service, while Google pursued civil action and coordinated with carriers to block fraudulent messages.
Mirax Android banking trojan with residential proxy nodes
Malware Activity
H score37
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Mirax Android banking trojan with residential proxy nodes
Malware ActivityAbout this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Android RAT campaign using Hugging Face dropper lure
Campaign
H score37
First: 16.02.2026 12:24
Last: 16.02.2026 12:24
Sources 1
About this happening:
In recent weeks, a **live Android RAT campaign** has used **Hugging Face** to deliver malicious APKs through a fake-update lure. The operation starts with a dropper app, such as *...
Android RAT campaign using Hugging Face dropper lure
CampaignAbout this happening: In recent weeks, a **live Android RAT campaign** has used **Hugging Face** to deliver malicious APKs through a fake-update lure. The operation starts with a dropper app, such as *...
Timeline
-
03.11.2025 13:14 2 articles · 8mo ago
Bonvi Team distributes DeliveryRAT through Telegram bots to Russian Android users
Initial DisclosureBonvi Team runs a DeliveryRAT malware-as-a-service distribution channel through a Telegram bot that offers APK files or phishing-page links, using fake food delivery, marketplace, banking, and parcel-tracking lures to target Russian Android device owners. The campaign requests notification and battery-optimization access, can hide app icons, and is assessed to have been active since mid-2024.
Show sources
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14