Threat Actors Exploit Telegram as the Communication Channel to Exfiltrate Stolen Data
tLab Technologies, a Kazakhstan-based company specializing in advanced threat prevention, has discovered one of the first known phishing campaigns in the region to target public sector clients, in a recent cybersecurity incident.
The attack leveraged a professionally crafted fake login page to harvest user credentials, employing Telegram’s Bot API as a covert exfiltration channel.
This method, while not entirely novel, demonstrated a high level of sophistication in mimicking legitimate government interfaces, making it particularly deceptive for unsuspecting users.
The campaign exploited user trust through social engineering tactics, such as pre-filled email fields and fake security notices, to facilitate credential theft.
tLab’s Anti-APT system played a pivotal role in detection, utilizing a unique blend of heuristic analysis, optical character recognition (OCR) for rendered content extraction, and automated behavioral monitoring to identify the malicious HTML without manual intervention.
This allowed for rapid verdict generation within 60 seconds, highlighting the system ...
Copyright of this story solely belongs to gbhackers.