{"id":13690,"date":"2025-05-20T13:13:10","date_gmt":"2025-05-20T13:13:10","guid":{"rendered":"\/cybersecurity-blog\/?p=13690"},"modified":"2025-08-07T07:56:36","modified_gmt":"2025-08-07T07:56:36","slug":"adversary-telegram-bot-abuse","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/","title":{"rendered":"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0"},"content":{"rendered":"\n<p>Are Telegram bots safe? While analyzing malware samples uploaded to <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, one particular case marked as \u201cphishing\u201d and \u201cTelegram\u201d drew the attention of our security analysts.\u00a0<\/p>\n\n\n\n<p>Although this <a href=\"https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">analysis session<\/a> wasn\u2019t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. 
This led us to apply a message interception technique for Telegram bots, previously described on the <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN blog<\/a>.&nbsp;<\/p>\n\n\n\n<p>The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.&nbsp;<\/p>\n\n\n\n<p>Key outcomes of this analysis include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Examination and technical analysis of a lesser-known phishing campaign&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Demonstration of <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telegram API-based<\/a> data interception techniques&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collection of <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a> (TI) indicators to help identify the actor&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recommendations for detecting this type of threat&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s dive in.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Analysis of Attack with Telegram Bot&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s take a closer look at the analysis session:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" 
target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>The subject of the analysis is a phishing page hosted on a Notion workspace. The page content is in Italian, which, combined with the subdomain name, suggests this is a targeted campaign aimed at Italian-speaking users or organizations.&nbsp;<\/p>\n\n\n\n<p>The URL submitted for analysis was:&nbsp;<\/p>\n\n\n\n<p><strong>hxxps[:]\/\/studiosperandio.notion[.]site\/1c37ff25a354805f8dd0eed23673d4e8?pvs=4<\/strong>&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how the page appeared inside ANY.RUN&#8217;s Interactive Sandbox:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"874\" height=\"343\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24.png\" alt=\"\" class=\"wp-image-13715\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24.png 874w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24-300x118.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24-768x301.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24-370x145.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24-270x106.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image24-740x290.png 740w\" sizes=\"(max-width: 874px) 100vw, 874px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 1 \u2013 Phishing page designed to appear as an invitation to view a document<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It\u2019s worth noting that the use of Notion workspaces as easily accessible infrastructure for phishing activity is not new. 
<\/p>\n\n\n\n<p>This is supported by the number and frequency of related samples uploaded to ANY.RUN sandbox, as seen in the following <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22domainName:%5C%22notion%5C%22%20and%20threatName:%5C%22phishing%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup query<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"395\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-1024x395.png\" alt=\"\" class=\"wp-image-13718\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-1024x395.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-300x116.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-768x296.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-1536x592.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-2048x789.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-370x143.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-270x104.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image25-1-740x285.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2 \u2013 Search results in TI ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The targeted user is prompted to view a document that was allegedly shared with them. 
<\/p>\n\n\n\n<p>To do so, they are asked to sign in using their Microsoft credentials via the following link:&nbsp;<\/p>\n\n\n\n<p><strong>hxxps[:]\/\/gleaming-foregoing-quicksand[.]glitch[.]me\/noter.html<\/strong>&nbsp;<\/p>\n\n\n\n<p>Clicking the link opens a hastily crafted phishing page designed to mimic a Microsoft OneNote login prompt. 
The page presents multiple authentication options, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Office365&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Outlook&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rackspace&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Aruba Mail&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PEC&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Altra Posta&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-1024x553.png\" alt=\"\" class=\"wp-image-13721\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-768x415.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26-740x400.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image26.png 1496w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 3 \u2013 Fake OneNote login page&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After selecting a login method, the user is prompted to enter their credentials:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"479\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-1024x479.png\" alt=\"\" class=\"wp-image-13723\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-1024x479.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-300x140.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-768x359.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-370x173.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-270x126.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29-740x346.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image29.png 1500w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 4 \u2013 Credential input form<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>However, clicking the \u201cLogin\u201d button does not grant access to the shared document. Instead, several malicious actions are triggered:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>The phishing page uses the ipify[.]org service to retrieve the victim\u2019s IP address.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"822\" height=\"157\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a.png\" alt=\"\" class=\"wp-image-13725\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a.png 822w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a-300x57.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a-768x147.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a-370x71.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a-270x52.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2a-740x141.png 
740w\" sizes=\"(max-width: 822px) 100vw, 822px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 5 \u2013 Code snippet used to capture the victim\u2019s IP address<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>The collected login, password, and IP address are then exfiltrated via a Telegram bot, with the bot token and chat ID hardcoded directly into the phishing script.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"367\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-1024x367.png\" alt=\"\" class=\"wp-image-13727\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-1024x367.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-300x107.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-768x275.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-370x132.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-270x97.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b-740x265.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2b.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 6 \u2013 Data exfiltration logic using a Telegram bot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Finally, the user is redirected to the official Microsoft OneNote login page to reinforce the illusion of legitimacy.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-1024x553.png\" alt=\"\" class=\"wp-image-13730\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-768x415.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1-740x400.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2c-1.png 1493w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 7 \u2013 Official OneNote login page shown after redirection<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As a result, this is a classic case of phishing aimed at <strong>credential harvesting<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"332\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-1024x332.png\" alt=\"\" class=\"wp-image-13732\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-1024x332.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-300x97.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-768x249.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-370x120.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-270x87.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d-740x240.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2d.png 1253w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 8 \u2013 Request containing credentials sent to the attacker\u2019s Telegram bot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"373\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-1024x373.png\" alt=\"\" class=\"wp-image-13733\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-1024x373.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-300x109.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-768x280.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-370x135.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-270x98.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e-740x270.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image2e.png 1252w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 9 \u2013 Response from the Telegram API<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>From the Telegram API response to the data submission request, we were able to extract details about the Telegram bot used by the attacker:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: Sultanna&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Username<\/strong>: @Sultannanewbot&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Token<\/strong>: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Exfiltration chat ID<\/strong>: 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The combination of the Notion \u2192 
Glitch domain chain appeared suspicious. A search in ANY.RUN\u2019s Threat Intelligence Lookup revealed several additional submissions following the same pattern:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22notion%5C%22%20AND%20domainName:%5C%22glitch%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:\"notion\" AND domainName:\"glitch\"<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-1024x514.png\" alt=\"\" class=\"wp-image-13735\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-1024x514.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-768x385.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48-740x371.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image48.png 1292w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 10 \u2013 Search results for Glitch + Notion domain combination<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In all of these cases, the Notion workspace used is different (as indicated by the subdomain), but the attack vector is exactly the same. 
Both the phishing design and the page\u2019s functionality are identical to what was described earlier.&nbsp;<\/p>\n\n\n\n<p>A search based on the hash and fragments of the phishing page content led us to several earlier submissions, the oldest of which dates back to August 26, 2024. Let\u2019s examine a few:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Sample submission 1:&nbsp;September 19, 2024<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/691515d9-3a54-49b3-9ab1-a19635e90bf5\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox session<\/a><\/p>\n\n\n\n<p>Upon analyzing the HTML content of the page, we can confirm it follows the exact same pattern:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OneNote credential phishing&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exfiltration of IP address and credentials via a Telegram bot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A domain chain consisting of two services, the first of which is a Cloud Service Provider (CSP)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The differences this time lie in a different Telegram bot token and chat ID, as well as different domains in the attack chain, this time involving <strong>Google Docs<\/strong> and <strong>Backblaze B2<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"482\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-1024x482.png\" alt=\"\" class=\"wp-image-13739\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-1024x482.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-300x141.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-768x362.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-370x174.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-270x127.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1-740x348.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image49-1.png 1495w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 11 \u2013 Identical phishing login page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The exact same code is used to retrieve the victim\u2019s IP address and exfiltrate the stolen data to a Telegram bot, as described earlier.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"195\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-1024x195.png\" alt=\"\" class=\"wp-image-13740\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-1024x195.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-300x57.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-768x147.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-370x71.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-270x52.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a-740x141.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4a.png 1336w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 12 \u2013 Same logic used to capture the victim\u2019s IP address<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"1024\" height=\"636\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-1024x636.png\" alt=\"\" class=\"wp-image-13741\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-1024x636.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-300x186.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-768x477.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-370x230.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-270x168.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b-740x460.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4b.png 1329w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 13 \u2013 Same logic used for interaction with the Telegram bot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Information obtained about the Telegram bot used in this case:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: remaxx24&nbsp;<\/li>\n\n\n\n<li><strong>Username<\/strong>: @remaxx24bot&nbsp;<\/li>\n\n\n\n<li><strong>Token<\/strong>: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY&nbsp;<\/li>\n\n\n\n<li><strong>Chat ID<\/strong>: 5308217415&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Sample submission 2:&nbsp;August 26, 2024<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/2eb1ee0a-66e1-45fd-82e7-5b12aeda9a0b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox session<\/a><\/p>\n\n\n\n<p>The attack vector remains the same, with only a slight variation in the phishing theme, this time impersonating an Aruba PEC login page (in Italian: PEC, Posta Elettronica 
Certificata).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-1024x484.png\" alt=\"\" class=\"wp-image-13744\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-1024x484.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-768x363.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-270x128.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1-740x350.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4c-1.png 1493w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 14 \u2013 Similar phishing login page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It\u2019s worth noting that over a relatively long period, only a few elements have changed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The phishing pretext (e.g., impersonating a OneNote login instead of PEC)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minor visual adjustments to the page layout&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Meanwhile, the malicious JavaScript used to steal credentials has remained identical except for changes to the Telegram bot token and chat ID.&nbsp;<\/p>\n\n\n\n<p>Telegram bot used in this instance:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: Resultant&nbsp;<\/li>\n\n\n\n<li><strong>Username<\/strong>: @Resultantnewbot&nbsp;<\/li>\n\n\n\n<li><strong>Token<\/strong>: 
6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E&nbsp;<\/li>\n\n\n\n<li><strong>Chat ID<\/strong>: 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Based on the analysis above, it can be concluded that this is part of a phishing campaign specifically targeting Italian users and employees of Italian organizations.&nbsp;<\/p>\n\n\n\n<p>Notable characteristics of the campaign include its low operational tempo (as indicated by the limited number and frequency of submissions) and the overall simplicity of the attacker\u2019s tooling. The threat actor relies on free platforms to host phishing content, such as Notion, Glitch, Google Presentation, and RenderForest, uses no or only rudimentary evasion techniques, and leverages Telegram bots as readily available, off-the-shelf C2 infrastructure.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Page Hunting&nbsp;<\/h2>\n\n\n\n<p>Using a search by webpage titles on urlscan.io, we were able to identify a number of sites associated with this phishing campaign.&nbsp;<\/p>\n\n\n\n<p>Query used: page.title:&#8221;One Note | Microsoft&#8221; OR page.title:&#8221;Aruba | PEC&#8221;&nbsp;<\/p>\n\n\n\n<p>The oldest submission dates back to January 29, 2022: <a 
href=\"https:\/\/urlscan.io\/result\/b4584a98-d35d-4c08-89e8-7208f903fb2d\/#summary\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/urlscan.io\/result\/b4584a98-d35d-4c08-89e8-7208f903fb2d\/#summary<\/a>&nbsp;<\/p>\n\n\n\n<p>The visual appearance of the phishing page in this case matches what we&#8217;ve seen in previously analyzed samples.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"630\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-1024x630.png\" alt=\"\" class=\"wp-image-13746\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-1024x630.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-768x472.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-370x228.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan-740x455.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/mal_urlscan.png 1523w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 15 \u2013 Malicious page sample from January 29, 2022<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Distinctive features of the older variant:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses obfuscation via URL encoding&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Employs a different exfiltration method via a POST request to submit data through a web form (the URL was no longer accessible at the time of research), with the login and password entered into designated form fields.&nbsp;<\/li>\n<\/ul>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"742\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e.png\" alt=\"\" class=\"wp-image-13748\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e.png 777w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e-300x286.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e-768x733.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e-370x353.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e-270x258.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4e-740x707.png 740w\" sizes=\"(max-width: 777px) 100vw, 777px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 16 \u2013 Data exfiltration code using a web form submission<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Samples dating back to <a href=\"https:\/\/urlscan.io\/result\/f8663734-6a7a-430c-9f0c-66ea2cdccd8f\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">February 2, 2022<\/a>, began using the Telegram bot-based exfiltration method described earlier. 
Obfuscation was implemented through nested URL encoding (typically 2 to 4 levels deep).&nbsp;<\/p>\n\n\n\n<p>Starting with the sample from <a href=\"https:\/\/urlscan.io\/result\/48457c87-98eb-4844-8156-ab5e6950367c\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">August 23, 2023<\/a>, functionality was added to identify and exfiltrate the victim\u2019s IP address.&nbsp;<\/p>\n\n\n\n<p>At some point, the threat actor experimented with using Base64 obfuscation for the phishing page but later abandoned this technique for unknown reasons.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"540\" height=\"251\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4f.png\" alt=\"\" class=\"wp-image-13750\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4f.png 540w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4f-300x139.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4f-370x172.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image4f-270x126.png 270w\" sizes=\"(max-width: 540px) 100vw, 540px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 17 \u2013 Example of Base64 obfuscation in the phishing page payload<\/em>&nbsp;&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Observation period for Base64 obfuscation:&nbsp; <a href=\"https:\/\/urlscan.io\/result\/ab2ab801-d844-493b-8804-925d01515a8d\/#transactions\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">July 1, 2024<\/a> \u2013 <a href=\"https:\/\/urlscan.io\/result\/65b676fa-d076-4e86-8e60-d0aaa6fff685\/#summary\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">December 3, 2024<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Evolution of the Phishing Page Mechanisms<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables 
wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-239\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"239\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Sample Date\u00a0\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Sample Link\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Changes\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n           
         data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        January 29, 2022\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/urlscan.io\/result\/b4584a98-d35d-4c08-89e8-7208f903fb2d\/#summary\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/urlscan.io\/result\/b4584a98-d35d-4c08-89e8-7208f903fb2d\/#summary<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Oldest known sample.\u00a0URL encoding used.\u00a0Data exfiltration via form submission.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        February 2, 2022\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n 
                                           data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/urlscan.io\/result\/f8663734-6a7a-430c-9f0c-66ea2cdccd8f\/\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/urlscan.io\/result\/f8663734-6a7a-430c-9f0c-66ea2cdccd8f\/<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telegram bot-based exfiltration.\u00a0Nested (2\u20134 levels) URL encoding.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        August 23, 2023\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a 
href=\"https:\/\/urlscan.io\/result\/48457c87-98eb-4844-8156-ab5e6950367c\/\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/urlscan.io\/result\/48457c87-98eb-4844-8156-ab5e6950367c\/<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Added functionality to collect and exfiltrate victim's IP address.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        July 1, 2024 \u2013 December 3, 2024\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/urlscan.io\/result\/ab2ab801-d844-493b-8804-925d01515a8d\/#summary\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/urlscan.io\/result\/ab2ab801-d844-493b-8804-925d01515a8d\/#summary<\/a>\n<br><br>\n<a href=\"https:\/\/urlscan.io\/result\/65b676fa-d076-4e86-8e60-d0aaa6fff685\/#summary\" style=\"color: #009cff; 
text-decoration: underline\" target=\"_blank\">https:\/\/urlscan.io\/result\/65b676fa-d076-4e86-8e60-d0aaa6fff685\/#summary<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Experimented with Base64 obfuscation.\u00a0Technique was later abandoned for unknown reasons.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        August 26, 2024\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/2eb1ee0a-66e1-45fd-82e7-5b12aeda9a0b\/\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/app.any.run\/tasks\/2eb1ee0a-66e1-45fd-82e7-5b12aeda9a0b\/<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    
data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Oldest observed sample on app.any.run.\u00a0Shift in phishing theme to PEC login (Posta Elettronica Certificata).\u00a0Infrastructure used: RenderForest + Glitch.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        September 19, 2024\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/691515d9-3a54-49b3-9ab1-a19635e90bf5\/\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/app.any.run\/tasks\/691515d9-3a54-49b3-9ab1-a19635e90bf5\/<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Infrastructure chain updated to: Google Docs + BackBlazeB2\u00a0                    <\/td>\n                        
                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        April 7, 2025\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/\" style=\"color: #009cff; text-decoration: underline\" target=\"_blank\">https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Last studied sample on app.any.run at the time of research.\u00a0Infrastructure chain: Notion + Glitch.\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-239'>\ntable#wpdtSimpleTable-239{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-239 td, table.wpdtSimpleTable239 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Key Insights on the Phishing 
Campaign<\/strong>&nbsp;<\/h2>\n\n\n\n<p>As a result of this analysis, we\u2019ve outlined key insights into the nature and structure of the phishing campaign under investigation.&nbsp;<\/p>\n\n\n\n<p>We identified the active timeline, clarified the target audience, and examined the technical details of the phishing tools used throughout the campaign. While the operation is relatively low in volume and visibility compared to other campaigns, it remains active to this day with phishing pages and Telegram-based exfiltration infrastructure still operational, indicating a continued potential for harm.&nbsp;<\/p>\n\n\n\n<p>The primary objective of the campaign is the harvesting of credentials for Microsoft 365 services (including Outlook, OneNote, etc.) and Italy\u2019s PEC (Posta Elettronica Certificata), a national certified email system. These stolen credentials are likely intended for brokered access resale within cybercriminal ecosystems.&nbsp;<\/p>\n\n\n\n<p>From a technical standpoint, the campaign is neither advanced nor innovative:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Low-effort phishing pages, both in terms of social engineering and evasion techniques&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reliance on easily accessible, off-the-shelf infrastructure (e.g., Notion, Glitch, Google Docs, RenderForest)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This suggests either a low level of technical expertise on the part of the attacker or a lack of focus on the credential theft process itself, supporting the hypothesis that the campaign&#8217;s true value lies in access brokering, not execution.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Investigating the Attacker\u2019s Profile Through Telegram Bot Exfiltration&nbsp;<\/h2>\n\n\n\n<p>In this section, we\u2019ll attempt to refine the attacker profile by analyzing the structure and contents of the stolen data, based on insights gathered during the technical analysis of the exfiltration 
infrastructure.&nbsp;<\/p>\n\n\n\n<p>With access to information about the Telegram bots used by the threat actor, we can attempt to retrieve the chat data where victims\u2019 credentials were sent. To do this, we\u2019ll follow the methodology outlined in ANY.RUN\u2019s previously published guide.&nbsp;<\/p>\n\n\n\n<p>This section focuses on the practical application of that approach. For a deeper dive into the underlying mechanics, refer to the original source: <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Intercept Data Exfiltrated by Malware via Telegram and Discord<\/a>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Telegram Exfil Interception<\/h3>\n\n\n\n<p>Let\u2019s start with the bot identified in the following analysis: <a href=\"https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: Sultanna&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username: @Sultannanewbot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exfiltration Chat ID: 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>To proceed safely, we\u2019ll create a private Telegram group and enable the anonymous message sending option to protect our identity during the interaction.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"218\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image50.png\" alt=\"\" class=\"wp-image-13753\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image50.png 644w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image50-300x102.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image50-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image50-270x91.png 270w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 18 \u2013 Newly created private Telegram group<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, we\u2019ll check whether the bot in question is using webhooks. If webhooks are enabled, the attacker is likely to detect the interception attempt quickly, since webhook requests also transmit the secret bot token, potentially alerting the operator in real time.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"138\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image51.png\" alt=\"\" class=\"wp-image-13755\" style=\"width:617px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image51.png 617w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image51-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image51-370x83.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image51-270x60.png 270w\" sizes=\"(max-width: 617px) 100vw, 617px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 19 \u2013 Description of the secret_token parameter in the Telegram Bot API webhook documentation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n\n<p>We\u2019ll now send a request to the \/getWebhookInfo endpoint via a browser to check the current webhook status for the bot. 
The response is in JSON format:<\/p>\n\n\n\n<p>https:\/\/api.telegram.org\/bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE\/getWebhookInfo<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"326\" height=\"177\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image52.png\" alt=\"\" class=\"wp-image-13757\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image52.png 326w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image52-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image52-270x147.png 270w\" sizes=\"(max-width: 326px) 100vw, 326px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 20 \u2013 Response to endpoint request \u2018\/getWebhookInfo\u2019&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This bot has no webhook configured (the url field in the API\u2019s JSON response is empty), which reduces the likelihood of the attacker detecting interference with the exfiltration infrastructure.&nbsp;<\/p>\n\n\n\n<p>After completing the initial checks, we\u2019ll use the set of scripts that accompanies that article, published on GitHub: <a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/tree\/main\/Scripts\/TelegramAPI\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/github.com\/anyrun\/blog-scripts\/tree\/main\/Scripts\/TelegramAPI<\/a>&nbsp;<\/p>\n\n\n\n<p>First, let\u2019s prepare the bot for analysis:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Run the prepare_bot.py script, passing the bot token as an argument&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Synchronize the bot\u2019s update history&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Add the bot to the previously created private group&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Delete the 
message that logs the bot\u2019s addition to the group&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>Retrieve the group ID, which will be needed in the next stage of analysis&nbsp;<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>prepare_bot.py<\/strong>:&nbsp;<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 prepare_bot.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"294\" height=\"134\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-15.png\" alt=\"\" class=\"wp-image-13701\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-15.png 294w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-15-270x123.png 270w\" sizes=\"(max-width: 294px) 100vw, 294px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 21 \u2013 Output of the prepare_bot.py utility<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Now, let\u2019s run the forward_message.py script to make the bot forward messages from the exfiltration chat (the chat_id specified in the phishing page) to our newly created private group:&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>forward_message.py<\/strong>:&nbsp;<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 forward_message.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 6475928726 -1002412181543<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"550\" height=\"445\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image54.png\" alt=\"\" class=\"wp-image-13760\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image54.png 550w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image54-300x243.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image54-370x299.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image54-270x218.png 270w\" sizes=\"(max-width: 550px) 100vw, 550px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 22 \u2013 forward_message.py utility in action<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As a result, we begin to see the messages forwarded by the bot appearing in our group chat:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-858x1024.png\" alt=\"\" class=\"wp-image-13762\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-858x1024.png 858w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-251x300.png 251w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-768x917.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-370x442.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-270x322.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak-740x883.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/Italian-Victims-Leak.png 976w\" sizes=\"(max-width: 858px) 100vw, 858px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 23 \u2013 Messages exfiltrated by the attacker\u2019s Telegram bot (combined view)<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To intercept messages in bulk rather than one at a time, we can run the forward_messages.py script using the same arguments as forward_message.py. 
This approach allows us to quantify the scale of the data leakage caused by the phishing campaign under analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"549\" height=\"682\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image57.png\" alt=\"\" class=\"wp-image-13764\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image57.png 549w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image57-241x300.png 241w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image57-370x460.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image57-270x335.png 270w\" sizes=\"(max-width: 549px) 100vw, 549px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 24 \u2013 Example output from the forward_messages.py utility<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After analyzing the email addresses of users whose data was stolen during the phishing campaign, we can confirm our initial assumption: the campaign is primarily targeting Italian users and businesses. 
Examples of affected domains include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.aedsrl.it\/eng\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">aedsrl.it<\/a> &#8211; warehouse logistics and automation&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.legalmail.infocert.it\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">legalmail.it<\/a> &#8211; certification authority and PEC (certified email) solutions for corporate communications&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.steelsystembuilding.it\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">steelsystembuilding.it<\/a> &#8211; logistics and warehouse services&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.gruppoamag.it\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">gruppoamag.it<\/a> &#8211; public utilities and environmental services&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.goetsch-transporte.it\/de\/home\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">goetsch-transporte.it<\/a> &#8211; freight transport; a German company operating in Italy&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This conclusion is further supported by:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The use of Italian language in phishing lures and page content&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subdomain names hosting the phishing content, which include Italian words&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>To expand or refine our understanding of the threat landscape, we will now examine the bot found in a sandbox session featuring an English-language phishing page:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/691515d9-3a54-49b3-9ab1-a19635e90bf5\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Bot information:&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: remaxx24&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username: @remaxx24bot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Chat ID: 5308217415&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We repeated the same steps as described earlier, and as a result, retrieved another batch of messages forwarded by the bot, containing freshly stolen credentials.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1002\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-1024x1002.png\" alt=\"\" class=\"wp-image-13766\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-1024x1002.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-300x294.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-768x751.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-370x362.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-270x264.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak-740x724.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/USA-Victims-Leak.png 1067w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Figures 25 \u2013 Intercepted messages from the remaxx24 bot (combined view)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><\/p>\n\n\n\n<p>This time, based on the intercepted IP addresses and email data, the victims appear to be located primarily in the United States, with no clear pattern regarding affected companies or industries.&nbsp;<\/p>\n\n\n\n<p>Finally, let\u2019s examine another bot identified in the task dated August 26, 2024: <a href=\"https:\/\/app.any.run\/tasks\/2eb1ee0a-66e1-45fd-82e7-5b12aeda9a0b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Bot details:&nbsp;<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: Resultant&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username: @Resultantnewbot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token: 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Chat ID: 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>An interesting detail here is that the bot from the older sandbox analysis session (over six months old) appears to be connected to the bot from a <a href=\"https:\/\/app.any.run\/tasks\/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">recent sandbox session dated April 7, 2025<\/a>.<\/p>\n\n\n\n<p>Specifically, both bot configurations share the same chat ID:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: Sultanna&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username: @Sultannanewbot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token: 
7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exfiltration Chat ID: 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Once again, we launch the previously mentioned utilities and retrieve:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"369\" height=\"265\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-18.png\" alt=\"\" class=\"wp-image-13710\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-18.png 369w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-18-300x215.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-18-270x194.png 270w\" sizes=\"(max-width: 369px) 100vw, 369px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 26 \u2013 Extracted messages from the Resultant bot<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Both of these bots appear to be linked to a Telegram account named <strong>Don<\/strong>, which was responsible for initiating the bots in the exfiltration group\/channel via the \/start command. 
Using the Telegram API, we were able to retrieve information about this account:&nbsp;<\/p>\n\n\n\n<p>https:\/\/api.telegram.org\/bot6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E\/getChatMember?chat_id=6475928726&#038;user_id=6475928726<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"251\" height=\"419\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-19.png\" alt=\"\" class=\"wp-image-13711\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-19.png 251w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-19-180x300.png 180w\" sizes=\"(max-width: 251px) 100vw, 251px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 27\u2013 Fragment of raw message dump referencing the \u2018Don\u2019 account<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"262\" height=\"190\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-20.png\" alt=\"\" class=\"wp-image-13712\"\/><figcaption class=\"wp-element-caption\"><em>Figure 28 \u2013 Telegram API response for user \u2018Don\u2019<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>However, we were unable to investigate the retrieved data any further. 
A lookup using the sender\u2019s user_id did not yield any additional information.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attacker Profile&nbsp;<\/h3>\n\n\n\n<p>By consolidating the clues uncovered during phishing page analysis and Telegram bot interception, we can outline the characteristics of the phishing campaign and enrich its threat context.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Attack Vector<\/strong><\/h4>\n\n\n\n<p>Phishing pages and email lures impersonating login portals for Microsoft services (OneNote, Outlook) and Italy\u2019s Aruba PEC (Posta Elettronica Certificata).&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Phishing Mechanics<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Victim credentials are collected through fake login forms (email + password), and the IP address is gathered using the ipify service.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When the victim clicks the \u201cLogin\u201d button, the stolen data is exfiltrated via Telegram bots through interactions with the Telegram API.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>After submission, the user is redirected to the legitimate Microsoft login page to maintain the illusion of legitimacy.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Victimology:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Countries:<\/strong> United States, Italy&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Industries affected:<\/strong> Natural resources (gas), business\/financial consulting, environmental services, energy, logistics, and digital identity providers (e.g., PEC and e-signature services)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Objectives:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>BEC (Business Email Compromise)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credential Harvesting (MS OneNote, MS Outlook, 
etc.)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Attribution &amp; Threat Actor Assessment:<\/strong>&nbsp;<\/p>\n\n\n\n<p>There is not enough reliable evidence to attribute this campaign to any specific group or APT. Attribution is further complicated by the low number of samples and the slow operational tempo of the malicious activity.&nbsp;<\/p>\n\n\n\n<p>Distinct characteristics of the threat actor&#8217;s profile include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lack of obfuscation, or only weak techniques (e.g., atob, nested URL encoding)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Poor mimicry of legitimate web content (low-quality phishing page design)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of off-the-shelf solutions (Telegram bots) as exfiltration and C2 infrastructure&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rudimentary defensive mechanisms; the only protection observed is a redirect to a legitimate login page after credentials are captured and exfiltrated&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These factors indicate the attacker\u2019s likely level of skill and motivation. 
Either the actor lacks technical sophistication, or they simply choose not to invest resources into more advanced phishing payloads, focusing instead on other parts of their operation, such as access brokering (selling harvested credentials to third parties for further exploitation).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion and Detection Recommendations&nbsp;<\/h2>\n\n\n\n<p>This case study demonstrated the practical application of the Telegram bot interception technique previously described on the ANY.RUN blog, using it to expand the threat landscape around a lesser-known phishing campaign focused on harvesting Microsoft and PEC credentials.&nbsp;<\/p>\n\n\n\n<p>Insights gained from the analysis of intercepted data allowed us to broaden the visibility of the campaign, from a single isolated case to a long-running trend that, as evidence suggests, may still be active today.&nbsp;<\/p>\n\n\n\n<p>The findings also helped refine the attacker profile potentially responsible for this phishing operation.&nbsp;<\/p>\n\n\n\n<p>Finally, based on the collected technical evidence, we can define practical recommendations for detecting and hunting malicious activity linked to this newly profiled phishing campaign:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor behavioral patterns of suspicious pages, such as domain chains following the pattern:&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>&#8220;Notion \u2192 Glitch \u2192 Telegram API&#8221;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement signature-based detection rules that identify Telegram bot activity in corporate network traffic&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor for activity matching the Tactics, Techniques, and Procedures (TTPs) associated with the threat actor described in this report&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>TI Lookup Queries<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522threatName:%255C%2522telegram%255C%2522%2520AND%2520(threatName:%255C%2522phishing%255C%2522%2520OR%2520threatName:%255C%2522possible-phishing%255C%2522)%2520AND%2520(domainName:%255C%2522*.glitch.me%255C%2522)%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;telegram&#8221; AND (threatName:&#8221;phishing&#8221; OR threatName:&#8221;possible-phishing&#8221;) AND (domainName:&#8221;*.glitch.me&#8221;)&nbsp;<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=adversary_bot_abuse&amp;utm_term=200525&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522notion%255C%2522%2520AND%2520domainName:%255C%2522glitch%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;notion&#8221; AND domainName:&#8221;glitch&#8221;&nbsp;<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>urlscan.io Query<\/strong><\/h3>\n\n\n\n<p>page.title:&#8221;One Note | Microsoft&#8221; OR page.title:&#8221;Aruba | PEC&#8221;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Indicators of Compromise<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>studiosperandio.notion[.]site&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gleaming-foregoing-quicksand[.]glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>seabbz.notion[.]site&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ergonperizie.notion[.]site&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>f004.backblazeb2[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>charming-separated-rhubarb[.]glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>25348255-1243060.renderforestsites[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Urlscan.io IOCs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>inshared0-onenote-asx.pages[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>onedriv-shared0-apx.pages[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>onedriv1-switchview-asx.pages[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>view0-onenote-doc3hmlgroup.pages[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>doc91173-onenote-viewapx[.]vercel[.]app&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>file01173-onenote-view.vercel[.]app&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hampshiredownsheepwales[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>charming-separated-rhubarb[.]glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>lucky-leaf-dogwood.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>kindly-tropical-icicle.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1noteindex-view-apx.pages[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>butternut-acidic-bambiraptor.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>onenote-shared-5a03.note46.workers[.]dev&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>saber-mercurial-tang.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>familiar-pewter-night.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>regular-classic-spade.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>trusting-impossible-koi.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>harmless-utopian-sodalite.glitch[.]me&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hashes of HTML phishing pages (SHA-256)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2049afb27b7d71b311ef83205ec8c1397ed9b705b4f84517471cc41c8c1f29d1&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>8a1cecaf7c6df616fae15dca013cea78d209f0e813b9aa75964de1f813d614e0&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>7e5a3bb0cff67b2c1ff50544f956a903a6ff364c006033c0887d17019875040e&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>B1145accfe9485052186f5db3507a3ebd8796b8246bee3990711dc2381c703b4&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>7bfccbc16df79c1b837b764bb19f15400b9be80f0d3d88130dbeba1e1965c5ae&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2969a13ecc2540287fe0f2971bc523c5668781944e5daad34d23e1291a3e67f3&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A2346c9d602323359f99007eac73bc3bf4d62d0fed1af2e3e20e9a7d74cbf190&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Faefef284cd76c17ecb747ed2c5a443e0b0653af29de972b62cea14f7c54edd2&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>F31113f3167e1d62f1908bf366892576cd521e0122a76d5f79eefaa9764e5d04&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a5ca3ceebe83e4049ed5affc3403ddc2030ba0fad80392895df2f50711ad54ce&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Telegram Exfil Bot Tokens | chatID pairs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE | 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E | 6475928726&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>5305890750:AAHJnWdIMel23kaV_UWs9eha5IgXppE-b58 | 5308217415&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>6875925240:AAG5htB1kiH-G8fYV4kzBs-GWOE0Q784oxM | 6978226203&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>6913021003:AAFMWDSrZSLOxX34nOVRXmoOA8SUTMXiOgg | 5668726693&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>6848015467:AAHTt8TTTYFKRX6B5euTg47sZF8j6q01oxQ | 1270872185&nbsp;<br>&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Are Telegram bots safe? While analyzing malware samples uploaded to ANY.RUN\u2019s Interactive Sandbox, one particular case marked as \u201cphishing\u201d and \u201cTelegram\u201d drew the attention of our security analysts.\u00a0 Although this analysis session wasn\u2019t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,40],"class_list":["post-13690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta 
name=\"twitter:data1\" content=\"raptur3\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\"},\"author\":{\"name\":\"raptur3\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0\",\"datePublished\":\"2025-05-20T13:13:10+00:00\",\"dateModified\":\"2025-08-07T07:56:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\"},\"wordCount\":3545,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\",\"name\":\"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-05-20T13:13:10+00:00\",\"dateModified\":\"2025-08-07T07:56:36+00:00\",\"description\":\"Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat 
landscape.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"raptur3\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\"caption\":\"raptur3\"},\"description\":\"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. Enjoys reading and writing deep-dive tech research.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/","twitter_misc":{"Written by":"raptur3","Est. 
reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/"},"author":{"name":"raptur3","@id":"https:\/\/any.run\/"},"headline":"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0","datePublished":"2025-05-20T13:13:10+00:00","dateModified":"2025-08-07T07:56:36+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/"},"wordCount":3545,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/","url":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/","name":"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-05-20T13:13:10+00:00","dateModified":"2025-08-07T07:56:36+00:00","description":"Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat 
landscape.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/adversary-telegram-bot-abuse\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"How Adversary Telegram Bots Help to Reveal Threats: Case Study\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"raptur3","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","caption":"raptur3"},"description":"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. 
Enjoys reading and writing deep-dive tech research.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13690"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=13690"}],"version-history":[{"count":76,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13690\/revisions"}],"predecessor-version":[{"id":15345,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13690\/revisions\/15345"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/13807"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=13690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=13690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=13690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}