How Adversary Telegram Bots Help to Reveal Threats: Case Study
Essential information
- Published
- 21/05/2025 16:50
- Modified
- 21/05/2025 22:12
- Tags
- 2025-05-21 cloud platforms credential harvesting exfiltration notion pec phishing telegram
- Related entities
- 16 observables, 9 techniques (mitre), 8 others
Description
This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign, active since 2022, employs simple techniques and off-the-shelf tools, suggesting either low technical expertise or a focus on access brokering. The study demonstrates how intercepting Telegram bot communications can aid in profiling threat actors and provides insights into the campaign's evolution, victimology, and attacker characteristics.