How Adversary Telegram Bots Help to Reveal Threats: Case Study
This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign, active since 2022, employs simple techniques and off-the-shelf tools, suggesting either low technical expertise or a focus on access brokering. The study demonstrates how intercepting Telegram bot communications can aid in profiling threat actors and provides insights into the campaign's evolution, victimology, and attacker characteristics.
AI Analysis
Technical Summary
This security threat involves a phishing campaign active since 2022, targeting primarily Italian and US users, with a focus on harvesting credentials for Microsoft services and Italy's PEC (Posta Elettronica Certificata) system. The attackers leverage cloud platforms such as Notion workspaces to host phishing pages, which are designed to mimic legitimate login portals to deceive victims into submitting their credentials. Once credentials are entered, the stolen data is exfiltrated using Telegram bots, which serve as command and control (C2) infrastructure and data relay points. The use of Telegram bots for exfiltration is notable because it allows attackers to bypass traditional network monitoring and detection mechanisms by blending malicious traffic with legitimate Telegram API communications. The campaign employs relatively simple and off-the-shelf tools, indicating either a low level of technical sophistication or a strategic focus on brokering access rather than developing complex malware. The analysis also highlights that intercepting communications between the attackers and their Telegram bots can provide valuable intelligence for profiling the threat actors, understanding their victimology, and tracking the campaign's evolution. The campaign uses a range of tactics and techniques mapped to MITRE ATT&CK IDs such as T1566 (Phishing), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1041 (Exfiltration Over C2 Channel), T1573 (Encrypted Channel), T1056 (Input Capture), T1132 (Data Encoding), T1189 (Drive-by Compromise), and T1008 (Fallback Channels), illustrating a multi-faceted approach to compromise, data capture, and exfiltration. The threat does not exploit software vulnerabilities directly but relies on social engineering and cloud-based infrastructure abuse, making it highly dependent on user interaction and phishing effectiveness.
Potential Impact
For European organizations, especially those in Italy, this campaign poses a significant risk to the confidentiality of sensitive information due to credential theft targeting Microsoft services and the PEC system, which is widely used for secure and legally binding communications in Italy. Compromise of PEC credentials can lead to unauthorized access to official communications, legal documents, and sensitive business data, potentially resulting in reputational damage, financial loss, and regulatory penalties under GDPR. The use of cloud platforms like Notion for hosting phishing pages complicates detection and takedown efforts, as these platforms are legitimate services with high availability and trust. The exfiltration via Telegram bots further obfuscates attacker activity, making incident response and forensic investigations more challenging. Additionally, the campaign's persistence since 2022 indicates ongoing risk and potential for expansion to other European countries using Microsoft services extensively. Organizations relying heavily on Microsoft 365 and similar cloud services are at risk of account compromise, which could lead to lateral movement within networks, data breaches, and potential ransomware deployment by secondary threat actors who purchase access. The campaign's relatively low technical complexity suggests it could be widely adopted by less sophisticated threat actors, increasing the volume of attacks and potential victims.
Mitigation Recommendations
1. Implement advanced email filtering solutions that specifically target phishing attempts leveraging cloud-hosted pages, including heuristic and URL reputation analysis focused on platforms like Notion.
2. Enforce multi-factor authentication (MFA) on all Microsoft and PEC accounts to reduce the risk of credential misuse even if passwords are compromised.
3. Monitor outbound network traffic for unusual connections to Telegram API endpoints, especially from endpoints that do not typically use Telegram, to detect potential data exfiltration via Telegram bots.
4. Conduct targeted user awareness training focused on recognizing phishing attempts that use legitimate cloud services and emphasize the risks associated with PEC and Microsoft credential theft.
5. Deploy endpoint detection and response (EDR) tools capable of detecting scripting and command interpreter abuse (e.g., PowerShell, cmd) that may be used to automate credential capture or exfiltration.
6. Collaborate with cloud service providers to report and expedite takedown of malicious Notion workspaces and other cloud-hosted phishing infrastructure.
7. Utilize threat intelligence feeds that include indicators of compromise related to this campaign to proactively block known phishing URLs and Telegram bot identifiers.
8. Regularly audit and review access logs for PEC and Microsoft services to identify anomalous login patterns indicative of credential compromise.
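Recommendations 3 and 7 can be operationalised together. The following is an added example, not code from the report or its source blog: it scans constructed proxy-log lines for Telegram Bot API calls made from hosts outside an assumed SOC-maintained baseline and collects the numeric bot ids as blockable indicators. It assumes the proxy records full URLs (i.e. TLS inspection is in place); with host-only visibility the match would have to fall back to the api.telegram.org destination alone.

```python
import re

# Constructed sample proxy log lines (not from the report): "timestamp src_host method url"
SAMPLE_LOG = """\
2025-05-21T10:01:02Z ws-fin-07 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage
2025-05-21T10:01:05Z ws-fin-07 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument
2025-05-21T10:02:11Z ws-hr-02 GET https://login.microsoftonline.com/common/oauth2/authorize
2025-05-21T10:03:40Z ws-mkt-03 POST https://api.telegram.org/bot987654321:BBAnotherToken/sendMessage
2025-05-21T10:04:00Z ws-mkt-03 GET https://www.notion.so/workspace/login-page
"""

# Hosts with a business reason to talk to Telegram (assumed baseline, maintained by the SOC)
TELEGRAM_BASELINE = {"ws-mkt-03"}

# Bot API call shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_CALL = re.compile(r"https://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

# Methods that push data out of the network; harvested credentials travel as messages or files
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line):
    ts, host, method, url = line.split(" ", 3)
    return {"ts": ts, "host": host, "method": method, "url": url}


def detect_telegram_exfil(log_text, baseline=TELEGRAM_BASELINE):
    """Return (alerts, bot_ids): bot API calls from non-baseline hosts and the bot ids to block."""
    alerts, bot_ids = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = BOT_CALL.search(rec["url"])
        if not m:
            continue
        bot_id, api_method = m.group(1), m.group(2)
        if rec["host"] in baseline or api_method not in EXFIL_METHODS:
            continue
        # Only the numeric id is kept as an indicator; the secret part of the token is never recorded
        bot_ids.add(bot_id)
        alerts.append({"ts": rec["ts"], "host": rec["host"], "bot_id": bot_id, "method": api_method})
    return alerts, sorted(bot_ids)


if __name__ == "__main__":
    found, ids = detect_telegram_exfil(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("bot ids to block:", ids)
```

On the constructed input the two calls from ws-fin-07 are flagged while the baseline host's bot traffic is left alone.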
Affected Countries
Italy, United Kingdom, Germany, France, Spain, Netherlands
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://any.run/cybersecurity-blog/adversary-telegram-bot-abuse/
- Adversary: not specified
- Pulse Id: 682e044167e773f503da5a37
Threat ID: 682e0875c4522896dcc32dcb
Added to database: 5/21/2025, 5:08:05 PM
Last enriched: 6/21/2025, 1:53:33 PM
Last updated: 8/17/2025, 6:41:08 AM