Cybercriminals are leveraging the popularity of Hamster Kombat, a clicker game on Telegram, to distribute Ratel spyware via malicious apps on Android and Telegram channels. They are also dropping Lumma Stealer, a malware designed to attack cryptocurrency wallets, via fake auxiliary tools for the game, targeting Windows users.
Hamster Kombat revolves around simple screen tapping to accumulate in-game points. The game has drawn significant attention from the cryptocurrency community due to its developers’ plans to introduce a new cryptocurrency token. This token, set to be distributed based on specific criteria, has sparked considerable excitement among players looking to profit from their gaming efforts.
The game has a considerable presence on social media, with over 10 million followers on X and 50 million subscribers on the official Telegram channel. This surge in popularity, driven by the lure of cryptocurrency rewards, has inevitably attracted both legitimate game enthusiasts and cybercriminals looking to exploit the frenzy.
Threat actors are targeting both Android and Windows users. Researchers have identified the following threats:
Ratel Android spyware
Researchers have discovered a Telegram channel, named ‘Hamster Easy,’ that is distributing a malicious app disguised as Hamster Kombat. This app contains the Ratel spyware, which is capable of intercepting notifications and sending SMS messages.

“While the malicious app misuses the name Hamster Kombat to attract potential victims, it contains no functionality found within the game and even lacks a user interface altogether,” researchers noticed.
Once installed, the spyware requests access to notifications and SMS functions, allowing it to execute commands such as sending messages, making calls, and hiding notifications from over 200 apps, effectively masking its malicious activities.
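When triaging a sideloaded APK, the capability combination described above (notification access together with SMS and call permissions) can be read from its decoded manifest. The following is an added example, not code from the researchers: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the sample manifests, package names and the review rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
       "android.permission.RECEIVE_SMS"}
CALL = "android.permission.CALL_PHONE"

def triage_manifest(xml_text):
    """Report the notification/SMS/call capabilities a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(A + "name") for e in root.iter(tag))
    # A notification listener is a <service> guarded by the system bind permission.
    listeners = [s.get(A + "name") for s in root.iter("service")
                 if s.get(A + "permission") == LISTENER]
    sms = sorted(requested & SMS)
    return {
        "listeners": listeners,
        "sms": sms,
        "calls": CALL in requested,
        # Assumption: notification access together with SMS is the review trigger.
        "review": bool(listeners) and bool(sms),
    }

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed samples; package and class names are hypothetical.
SUSPECT = f"""<manifest {NS} package="com.example.fakegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".Watcher" android:permission="{LISTENER}"/>
  </application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.clicker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_manifest(doc))
```

A match is a reason to inspect the app, not a verdict: legitimate messaging and companion apps can declare the same permissions.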
Fake app stores
Cybercriminals have also set up fake app stores that mimic legitimate ones, claiming to offer Hamster Kombat for download. However, clicking on the download links only leads users to unwanted advertisements, creating a nuisance rather than a direct threat.

“We also discovered fake application storefronts claiming to offer Hamster Kombat for download. However, tapping the Install or Open buttons only leads the user to unwanted advertisements,” researchers said.
Lumma Stealer on Windows
Experts also discovered that Windows users are not immune to the threats. They observed GitHub repositories purporting to offer automation tools for Hamster Kombat. Instead, these repositories distribute cryptors that carry Lumma Stealer, info-stealer malware designed to siphon sensitive information such as cryptocurrency wallets and user credentials.

The cryptors are embedded in various applications, including C++, Go, and Python executables, each utilising different encryption methods to conceal the malware.
“The GitHub repositories we found either had the malware available directly in the release files or contained links to download it from external file-sharing services. We identified three different versions of Lumma Stealer cryptors lurking within the repositories: C++ applications, Go applications, and Python applications,” researchers cautioned. “Of the three, only the Python applications have a graphical user interface (GUI).”
Researchers have urged individuals to download the game from official sources. While the Hamster Kombat app has not shown any malicious behaviours, the presence of copycats and malware-laden versions poses a significant risk.