
How Adversary Telegram Bots Help to Reveal Threats: Case Study

Medium
Published: Wed May 21 2025 (05/21/2025, 16:50:09 UTC)
Source: AlienVault OTX General

Description

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign, active since 2022, employs simple techniques and off-the-shelf tools, suggesting either low technical expertise or a focus on access brokering. The study demonstrates how intercepting Telegram bot communications can aid in profiling threat actors and provides insights into the campaign's evolution, victimology, and attacker characteristics.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 13:53:33 UTC

Technical Analysis

This security threat involves a phishing campaign active since 2022, targeting primarily Italian and US users, with a focus on harvesting credentials for Microsoft services and Italy's PEC (Posta Elettronica Certificata) system. The attackers leverage cloud platforms such as Notion workspaces to host phishing pages, which are designed to mimic legitimate login portals to deceive victims into submitting their credentials. Once credentials are entered, the stolen data is exfiltrated using Telegram bots, which serve as command and control (C2) infrastructure and data relay points. The use of Telegram bots for exfiltration is notable because it allows attackers to bypass traditional network monitoring and detection mechanisms by blending malicious traffic with legitimate Telegram API communications. The campaign employs relatively simple and off-the-shelf tools, indicating either a low level of technical sophistication or a strategic focus on brokering access rather than developing complex malware. The analysis also highlights that intercepting communications between the attackers and their Telegram bots can provide valuable intelligence for profiling the threat actors, understanding their victimology, and tracking the campaign's evolution. The campaign uses a range of tactics and techniques mapped to MITRE ATT&CK IDs such as T1566 (Phishing), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1041 (Exfiltration Over C2 Channel), T1573 (Encrypted Channel), T1056 (Input Capture), T1132 (Data Encoding), T1189 (Drive-by Compromise), and T1008 (Fallback Channels), illustrating a multi-faceted approach to compromise, data capture, and exfiltration. The threat does not exploit software vulnerabilities directly but relies on social engineering and cloud-based infrastructure abuse, making it highly dependent on user interaction and phishing effectiveness.

Potential Impact

For European organizations, especially those in Italy, this campaign poses a significant risk to the confidentiality of sensitive information due to credential theft targeting Microsoft services and the PEC system, which is widely used for secure and legally binding communications in Italy. Compromise of PEC credentials can lead to unauthorized access to official communications, legal documents, and sensitive business data, potentially resulting in reputational damage, financial loss, and regulatory penalties under GDPR. The use of cloud platforms like Notion for hosting phishing pages complicates detection and takedown efforts, as these platforms are legitimate services with high availability and trust. The exfiltration via Telegram bots further obfuscates attacker activity, making incident response and forensic investigations more challenging. Additionally, the campaign's persistence since 2022 indicates ongoing risk and potential for expansion to other European countries using Microsoft services extensively. Organizations relying heavily on Microsoft 365 and similar cloud services are at risk of account compromise, which could lead to lateral movement within networks, data breaches, and potential ransomware deployment by secondary threat actors who purchase access. The campaign's relatively low technical complexity suggests it could be widely adopted by less sophisticated threat actors, increasing the volume of attacks and potential victims.

Mitigation Recommendations

1. Implement advanced email filtering solutions that specifically target phishing attempts leveraging cloud-hosted pages, including heuristic and URL reputation analysis focused on platforms like Notion.
2. Enforce multi-factor authentication (MFA) on all Microsoft and PEC accounts to reduce the risk of credential misuse even if passwords are compromised.
3. Monitor outbound network traffic for unusual connections to Telegram API endpoints, especially from endpoints that do not typically use Telegram, to detect potential data exfiltration via Telegram bots.
4. Conduct targeted user awareness training focused on recognizing phishing attempts that use legitimate cloud services and emphasize the risks associated with PEC and Microsoft credential theft.
5. Deploy endpoint detection and response (EDR) tools capable of detecting scripting and command interpreter abuse (e.g., PowerShell, cmd) that may be used to automate credential capture or exfiltration.
6. Collaborate with cloud service providers to report and expedite takedown of malicious Notion workspaces and other cloud-hosted phishing infrastructure.
7. Utilize threat intelligence feeds that include indicators of compromise related to this campaign to proactively block known phishing URLs and Telegram bot identifiers.
8. Regularly audit and review access logs for PEC and Microsoft services to identify anomalous login patterns indicative of credential compromise.
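Recommendation 3 (monitoring outbound Telegram Bot API traffic) in working form, as an added example that is not part of the original pulse or the referenced blog post. It assumes a simple whitespace-separated proxy log (source IP, HTTP method, URL, status), an internal allowlist of hosts permitted to use the Bot API, and constructed sample lines; it matches the `api.telegram.org/bot<token>/<method>` path shape rather than just the Telegram host, so ordinary Telegram client use is not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Bot API calls look like https://api.telegram.org/bot<TOKEN>/<method>, TOKEN = "<bot id>:<secret>".
# Matching on the path separates bot traffic (what a phishing kit uses to exfiltrate)
# from ordinary Telegram client use on the same host.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Methods a credential-harvesting kit relies on to push captured data to the operator.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
# Assumption: an internal allowlist of hosts that legitimately use the Bot API.
ALLOWED_SOURCES = {"10.0.5.20"}

# Constructed sample proxy log (fields: src_ip method url status); not real data.
SAMPLE_LOG = """\
10.0.8.41 POST https://api.telegram.org/bot123456789:AAExampleSecretToken_xyz/sendMessage 200
10.0.8.41 POST https://api.telegram.org/bot123456789:AAExampleSecretToken_xyz/sendDocument 200
10.0.5.20 POST https://api.telegram.org/bot987654321:BBAllowedBotSecret/sendMessage 200
10.0.8.77 GET https://web.telegram.org/k/ 200
10.0.8.41 GET https://www.notion.so/ 200
"""

def parse_line(line):
    """Split a proxy log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return dict(zip(("src", "method", "url", "status"), parts))

def detect_bot_exfil(log_text, allowed=ALLOWED_SOURCES):
    """Map each non-allow-listed source IP that calls an exfil-capable Bot API method
    to {"bot_ids": set of numeric bot ids, "calls": count}."""
    hits = defaultdict(lambda: {"bot_ids": set(), "calls": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        m = BOT_PATH.match(u.path) if u.hostname == "api.telegram.org" else None
        if not m or m.group("method") not in EXFIL_METHODS or rec["src"] in allowed:
            continue
        # Keep only the numeric bot id: it identifies the bot for blocking and reporting,
        # while the secret half of the token must not be copied into tickets or feeds.
        hits[rec["src"]]["bot_ids"].add(m.group("bot_id"))
        hits[rec["src"]]["calls"] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, info in detect_bot_exfil(SAMPLE_LOG).items():
        print(f"{src}: {info['calls']} Bot API call(s), bot id(s) {sorted(info['bot_ids'])}")
```

Run against the sample, only 10.0.8.41 is reported; the allow-listed host and the web client session are ignored.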


Technical Details

Author: AlienVault
TLP: white
References: https://any.run/cybersecurity-blog/adversary-telegram-bot-abuse/
Adversary: (not listed)
Pulse Id: 682e044167e773f503da5a37

Indicators of Compromise


Threat ID: 682e0875c4522896dcc32dcb

Added to database: 5/21/2025, 5:08:05 PM

Last enriched: 6/21/2025, 1:53:33 PM

Last updated: 8/17/2025, 6:41:08 AM
