Analysis of Multi-Stage Phishing Kits Leveraging Telegram for Credential Theft and Evasion Techniques
gbhackers
Researchers at Group-IB have uncovered a sophisticated phishing framework that demonstrates how cybercriminals are industrializing credential theft through automation, evasion techniques, and Telegram-based data exfiltration.
The kit explicitly targets Aruba S.p.A., an Italian IT services provider serving over 5.4 million customers, highlighting the significant financial and operational risks posed by modern phishing-as-a-service operations.
The analyzed phishing kit goes beyond traditional cloned web pages: it is a fully automated, multi-stage platform engineered for efficiency and stealth.
What makes this framework particularly concerning is its layered approach to evading security detection while maximizing credential harvesting.
Rather than deploying a single malicious page, the kit operates as a complete application with specialized templates for each attack phase, demonstrating the level of sophistication now common in underground phishing ecosystems.
The kit begins with a CAPTCHA challenge designed to filter out security bots and automated scanners, ensuring that phishing pages ...
Copyright of this story solely belongs to gbhackers.

