MOSCOW (Kaspersky blog) — A Russian-language cyberespionage threat actor dubbed DustSquad is targeting Central Asian users and diplomatic entities with a malware family, dubbed Octopus, designed to exploit the hype surrounding the Telegram app ban in Central Asia.
According to Kaspersky researchers, political entities in Central Asia have been targeted throughout 2018 by several actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently DustSquad (with Octopus malware). They observed that some victims, which they call “threat magnets”, were targeted by all of them.
Earlier this year, the Russian government ordered the urgent blocking of the Telegram messaging app and its removal from the Play Store and App Store, and an imitation of the popular app made its rounds on Google Play. Confusion surrounding the order gave several impostor apps an opportunity to fill the void for former users looking to get their social messaging fix.
Kaspersky researchers discovered a new Octopus sample packed into a ZIP file pretending to be communication software for a Kazakh opposition political group. The dropper for the malware pretends to be the Telegram Messenger app with a Russian interface. The ZIP file was named dvkmailer.zip, where DVK stands for Kazakhstan Democratic Choice, an opposition political party that is prohibited in the country.
Researchers can’t confirm how the malware is being distributed, but noted that it evidently relies on some form of social engineering to infect users, and that the threat actor has previously used spear phishing to spread its malware.