Trevor Wilson
Introduction
A Telegram Emoji Pack is a collection of custom static or animated images that users can add to the messenger to personalize their communication. Telegram Premium users are able to subscribe to exclusive packs with unique designs, while any user can view them in messages. Users can also create and upload their own emoji packs to share with others.
Threat actors are creating packs with emojis that contain logos of companies they target. When they communicate with other threat actors about targeting a specific company, they will reference the target organization without spelling out the company’s name. Therefore, when analysts search for a specific company’s name in malicious Telegram groups, not all of the relevant search results will appear.
Example: Telegram threat actors “Jack” and “Jill” are planning on illegally buying a bank log, cloning the victim’s debit card, and draining the funds via ATM. However, Jack and Jill realize that they need to recruit two more threat actors: one to clone the card, and another to physically withdraw the funds from an ATM. In order to recruit these needed individuals, Jack decides to create an emoji pack containing the logo. Jill also wants to recruit individuals for the plan, so she subscribes to Jack’s emoji pack through Telegram premium and can now also use the bank logo emoji. Therefore, Jack and Jill can recruit individuals for the job without ever typing the name “Bank.” So, if an analyst is conducting a general search for Bank-specific criminal activity, a search for “Bank” will not uncover Jack and Jill’s operation.
Investigation
@KURASAOCAP
As of 20SEP2025, DarkTower has identified and recorded four different emoji packs containing bank logos. The first one is seen below, and the title of the pack tags @KURASAOCAP AS the creator.
Kurasao Cap’s bio states that he is a motion/graphic designer. Some of the bio is in Russian.
Display Name: 𝐾𝑈𝑅𝐴𝑆𝐴𝑂 𝐶𝐴𝑃 | 𝑊𝑂𝑅𝐾 [𝐵𝐼𝑂]
Handle: @KURASAOCAP
User ID: 943537646
Kurasao Cap also owns the handles @vsekartiny and @ralphlaur.
Random Acct Drops / Biz Drops
The second emoji pack is titled “Random Acct Drops / Biz Drops”. The pack does not credit a specific user as the creator. A general search for the display name of the pack revealed a wide variety of results, unrelated to emojis.
@atmanman :: @fStikbot
The third emoji pack is titled “@atmanman :: @fStikbot”. The pack credits two users in the display name.
The second user listed, @fStikbot, is still active on Telegram. @fStikbot appears to be a service that allows Telegram users to transform their own pictures into emoji packs. It is likely (not confirmed) that a threat actor abused this tool to upload target companies’ logos.
Display Name: Favorite Stickers Bot 🇺🇦
Handle: @fStikbot
User ID: 449972946
Telegram user @atmanman is no longer found on Telegram. However, a global search for the old handle reveals only one user, @Atmanmanjl.
Atmanmanjl’s display name and bio are written in Arabic.
Display Name: عفاف سرحا ن
Handle: @Atmanmanjl
User ID: 643068108
In English, Atmanmanjl’s display name is “Afaf Sarhan.” In English, Atmanmanjl’s bio reads “And seek help through patience and prayer.”
VICE UNION @viceunion
The fourth emoji pack is titled “VICE UNION @viceunion”. The pack credits the user @viceunion in the display name.
As of 22SEP2025, The Telegram user @viceunion is no longer found on Telegram. It is believed that the Telegram channel “VICE UNION SHOP” belonged to @viceunion. On 09SEP2025, Telegram user “Davidson terrace” forwarded a message from “VICE UNION SHOP” in the channel “ 🇦 Fraud Cartel 🇦”. The message has been replaced by the message below.
It is likely that @viceunion and VICE UNION SHOP were both removed from Telegram simultaneously.