The attack technique used by DEV-0139 has been publicly known for a long time
Microsoft has reported that a party it tracks as DEV-0139 is actively targeting crypto investment startups. DEV-0139 poses as a crypto investment company on Telegram and uses a well-crafted, malware-infected Excel file to infect systems and gain remote access to them.
The attack is carried out with a high level of sophistication, as is the trend with these types of attacks. DEV-0139 falsely identifies itself through fake profiles of OKX employees and joins Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms.”
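Because the infection vector is an Excel workbook shared over chat, a defender-side pre-filter for such attachments is the natural check to pair with this report. The following is an added example, not code from Microsoft or from the report; it assumes the file is an Office Open XML workbook (.xlsx/.xlsm) and flags active content (embedded VBA or OLE objects), which the report does not state DEV-0139 used, so the policy below is illustrative.

```python
import io
import zipfile

# In an Office Open XML workbook, embedded VBA lives in this part and embedded
# OLE payloads live under this directory (general OOXML layout, not DEV-0139 specifics).
VBA_PART = "xl/vbaProject.bin"
OLE_PREFIX = "xl/embeddings/"


def inspect_workbook(data: bytes) -> dict:
    """Report which active-content parts an .xlsx/.xlsm blob contains.

    Returns {"is_ooxml": bool, "has_vba": bool, "embedded_objects": [names]}.
    Legacy binary .xls files are not ZIP containers and are reported as not OOXML,
    so a caller must route them to a separate check rather than treat them as clean.
    """
    result = {"is_ooxml": False, "has_vba": False, "embedded_objects": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    result["has_vba"] = VBA_PART in names
    result["embedded_objects"] = [n for n in names if n.startswith(OLE_PREFIX)]
    return result


def should_quarantine(data: bytes) -> bool:
    """Example policy: hold any workbook that carries VBA or embedded OLE objects."""
    info = inspect_workbook(data)
    return info["has_vba"] or bool(info["embedded_objects"])


def build_sample(with_vba: bool, with_ole: bool) -> bytes:
    """Build a minimal constructed workbook container for testing; the payload
    parts hold placeholder bytes only, this is not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, b"placeholder-vba-project")
        if with_ole:
            zf.writestr(OLE_PREFIX + "oleObject1.bin", b"placeholder-ole-object")
    return buf.getvalue()


if __name__ == "__main__":
    for vba, ole in ((False, False), (True, False), (False, True)):
        print(vba, ole, should_quarantine(build_sample(vba, ole)))
```

A gateway that applies this check still needs a separate path for legacy .xls (OLE2) files and for workbooks whose payload is an external link or DDE formula, since neither appears as a ZIP part.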