
Phishing in Telegram Mini Apps: how to avoid taking the bait | Kaspersky official blog

Medium
Phishing
Published: Tue Dec 16 2025 (12/16/2025, 16:34:04 UTC)
Source: Kaspersky Security Blog

Description

A new phishing scam is exploiting Telegram's built-in Mini Apps: fraudsters are running fake giveaways to steal accounts. Here's how to protect yourself.

AI-Powered Analysis

Last updated: 12/16/2025, 16:41:40 UTC

Technical Analysis

This phishing threat abuses Telegram's Mini Apps platform, which lets developers run embedded web applications inside the Telegram client without redirecting the user to an external browser. Unlike app stores with strict vetting, Telegram Mini Apps undergo minimal to no pre-launch review, so attackers can publish malicious apps easily.

The scam involves fake giveaways of digital collectibles (NFT-style 'gifts' such as 'papakhas' linked to celebrities like Khabib Nurmagomedov) promoted via direct messages or channel posts. Victims are enticed to launch a Mini App within Telegram and enter their login credentials into a phishing form embedded in the app. Because the app runs inside Telegram, users mistakenly trust its legitimacy. The attackers also mimic legitimate platforms such as Portals, including referencing official Telegram channels to add credibility. The phishing messages sometimes contain AI-generated text artifacts, indicating rushed or automated content creation.

Once credentials are submitted, attackers hijack the Telegram account, potentially gaining access to private chats, contacts, and linked services. Telegram's reactive moderation means malicious Mini Apps remain live until reported. The campaign is multilingual (Russian and English) and targets users interested in specific channels or digital assets.

Mitigation focuses on user vigilance, verification of sources and badges, enabling two-factor authentication and passkeys, and avoiding credential entry in Mini Apps. The threat does not exploit a software vulnerability; it abuses Telegram's platform design and user trust.

Potential Impact

For European organizations, the primary risk is the compromise of employee Telegram accounts, which can lead to unauthorized access to sensitive communications, social engineering attacks leveraging hijacked accounts, and potential lateral movement if Telegram is used for business communications or authentication. Account takeover can also facilitate fraud, data leakage, or reputational damage if attackers impersonate employees. Given Telegram's popularity in Europe for both personal and professional use, especially in sectors like media, technology, and finance, compromised accounts could disrupt operations and expose confidential information. The phishing campaign's reliance on social engineering means that organizations with less security awareness training are more vulnerable. Additionally, attackers could use hijacked accounts to target corporate contacts or spread malware. The lack of technical exploitation reduces the risk of widespread automated compromise but increases the importance of user education and account security hygiene.

Mitigation Recommendations

1. Educate employees about the risks of Telegram Mini Apps phishing, emphasizing that legitimate Telegram services rarely require re-authentication within Mini Apps.
2. Train users to verify the authenticity of giveaway offers by checking official Telegram channels and verifying account badges by tapping the blue checkmark.
3. Enforce the use of Telegram's two-step verification (password) and passkeys to add strong layers of account protection.
4. Encourage the use of password managers to generate and store strong, unique passwords and passkeys.
5. Implement organizational policies restricting the use of Telegram Mini Apps for business-critical communications, or require IT approval.
6. Deploy endpoint security solutions with anti-phishing capabilities that can detect malicious links or embedded phishing attempts within apps.
7. Monitor for signs of account compromise, such as unusual login activity or unauthorized messages sent from employee accounts.
8. Establish incident response procedures for rapid recovery of compromised Telegram accounts, including immediate password resets and notifying contacts.
9. Promote skepticism towards unsolicited offers, especially those promising free digital assets or requiring credential input.
10. Collaborate with Telegram support and law enforcement to report and take down malicious Mini Apps promptly.


Technical Details

Article Source
URL: https://www.kaspersky.com/blog/telegram-mini-app-phishing/55041/ (fetched 2025-12-16T16:41:25.900Z; word count 2006)

Threat ID: 69418bb53e7fd18214c3d792

Added to database: 12/16/2025, 4:41:25 PM

Last enriched: 12/16/2025, 4:41:40 PM

Last updated: 12/17/2025, 4:15:30 AM

