250 Million Hamster Kombat Players Under Attack by Android and Windows Malware

Hamster Kombat is a new Telegram-based clicker game where players earn in-game currency by tapping the screen. Launched in March 2024, it has gained significant popularity, with over 10 million followers on its official account and 50 million subscribers on its announcement channel. 

The key driver of this popularity is the promise of a new cryptocurrency token airdrop to players based on in-game performance metrics like profit-per-hour, similar to the successful launch of the NOT token on Telegram’s TON blockchain platform. This suggests that Hamster Kombat is aiming to replicate the play-to-earn model popularized by Notcoin.

In-game screenshot of Hamster Kombat

The surge in Hamster Kombat’s popularity has attracted cybercriminals, as researchers identified threats targeting both Android and Windows users. 

Android users are vulnerable to spyware and fake app stores, while Windows users might encounter repositories containing malware like Lumma Stealer.  

There’s no evidence of malicious activity within the official Hamster Kombat app itself, but cybersecurity experts and government officials are cautioning players about potential financial risks associated with the play-to-earn model.

There are two threats targeting Android users related to the popular Hamster Kombat game. One is a fake app distributed through a Telegram channel that impersonates the Hamster Kombat app store listing. 

Malicious Hamster Kombat access requests

This malicious app, disguised as Hamster Kombat but lacking any game functionality, is actually Ratel spyware. Once installed, Ratel requests notification access and permission to become the default SMS app. If granted, it can steal notifications and send SMS messages, potentially allowing attackers to make fraudulent purchases on the victim’s behalf. 
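A triage check for the permission pairing described above, as an added example that is not code from ESET or from this article: it reads an APK's manifest after it has been decoded to text XML (for instance with apktool) and flags an app that can ask for both notification access and the default SMS role. The package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Intent actions a manifest must declare before Android lists the app as an
# eligible default SMS handler.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def _component(tag, name, action, perm=""):
    """Build one constructed manifest component with a single intent filter."""
    perm_attr = f' android:permission="{perm}"' if perm else ""
    return (f'<{tag} android:name="{name}"{perm_attr}><intent-filter>'
            f'<action android:name="{action}"/></intent-filter></{tag}>')

def _manifest(package, components):
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><application android:label="Hamster Kombat">'
            + "".join(components) + "</application></manifest>")

# Constructed samples (hypothetical package names), not taken from a real APK.
SUSPECT = _manifest("com.example.fakegame", [
    _component("service", ".Listener",
               "android.service.notification.NotificationListenerService", NOTIF_PERM),
    _component("receiver", ".SmsRx", "android.provider.Telephony.SMS_DELIVER"),
    _component("receiver", ".MmsRx", "android.provider.Telephony.WAP_PUSH_DELIVER"),
    _component("activity", ".Compose", "android.intent.action.SENDTO"),
    _component("service", ".QuickReply", "android.intent.action.RESPOND_VIA_MESSAGE"),
])
BENIGN = _manifest("com.example.clicker", [
    _component("activity", ".Main", "android.intent.action.MAIN"),
])

def triage_manifest(xml_text):
    """Report whether a decoded manifest can ask for notification access and the SMS role."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    components = [] if app is None else list(app)
    listener = any(c.tag == "service" and c.get(A + "permission") == NOTIF_PERM
                   for c in components)
    declared = {a.get(A + "name") for c in components for a in c.iter("action")}
    missing = sorted(SMS_ROLE_ACTIONS - declared)
    return {"package": root.get("package"), "notification_listener": listener,
            "sms_role_missing": missing, "flag": listener and not missing}
```

A flagged result is a reason to look closer, not a verdict: legitimate messaging apps declare the same components, so the signal matters most when the app presents itself as a game.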

The Ratel malware communicates with its command and control server to receive a phone number for further instructions, which can involve sending SMS messages or making calls designated by the attacker. 

Network communication

It can check the victim’s Sberbank Russia account balance by texting a specific command. To prevent the user from seeing notifications related to potential financial transactions or subscription services, Ratel hides notifications from a predetermined list of apps, including Telegram and WhatsApp.

However, it still forwards notifications from unrecognized apps to the attacker’s server, possibly with the intention of adding those apps to the blocklist in the future. 

Notification exfiltrated to C&C server

According to ESET researchers, in addition to fake mobile app stores that distribute ads disguised as Hamster Kombat download links, there are also Windows malware threats targeting Hamster Kombat players.

Cybercriminals lure Windows users with fake tools like farm bots and autoclickers on GitHub repositories, which contain Lumma Stealer malware, an infostealer that steals cryptocurrency wallets, user credentials, and other sensitive information. 

Lumma Stealer comes in three versions (C++, Go, and Python) and is delivered through download links or embedded within the downloaded files. The malware then injects itself into legitimate processes to steal user data and communicates with the attackers, potentially through Telegram. 

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
