Categories: Cyber Security News

A Multi-Stage Phishing Kit Using Telegram to Harvest Credentials and Bypass Automated Detection

Phishing attacks continue to be one of the most persistent threats targeting organizations worldwide.

Cybercriminals are constantly improving their methods to steal sensitive information, and a recently discovered phishing kit demonstrates just how advanced these operations have become.

This particular framework was designed to impersonate the Italian IT and web services provider Aruba S.p.A., a company that serves over 5.4 million customers across Italy’s digital infrastructure.

By targeting such a widely trusted service provider, attackers could gain access to critical business assets, including hosted websites, domain controls, and email systems.

The phishing campaign begins with spear-phishing emails that create urgency by warning victims about expiring services or failed payments.

These messages contain links to fake login pages that closely mimic the official Aruba.it webmail portal.

What makes this attack particularly clever is the use of pre-filled login URLs that automatically populate the victim’s email address in the login form.

This small detail adds a layer of authenticity that makes targets less suspicious and more likely to enter their passwords.
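A mail-gateway check for the pre-filled login links described above, as an added example that is not from the original article or from Group-IB: it flags links on hosts outside aruba.it that carry the recipient's own address in the query, fragment or path. The base64 handling goes beyond what the article states, and the function names, recipient and sample URLs are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, unquote

TRUSTED_SUFFIXES = ("aruba.it",)  # assumption: the legitimate domain named in the article

def _is_trusted(host, suffixes):
    # Exact match or true subdomain only, so "aruba.it.evil.example" is not trusted.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _decodings(token):
    """Yield the token as-is and, when it parses, its base64 decoding."""
    yield token
    padded = token + "=" * (-len(token) % 4)
    try:
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass  # not base64, nothing more to check

def prefilled_lure_links(recipient, urls, trusted=TRUSTED_SUFFIXES):
    """Return the URLs on untrusted hosts that embed the recipient's address."""
    needle = recipient.lower()
    hits = []
    for url in urls:
        parts = urlsplit(url)
        if not parts.hostname or _is_trusted(parts.hostname, trusted):
            continue
        # Candidate carriers: query values, the fragment, and each path segment.
        tokens = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        tokens.append(unquote(parts.fragment))
        tokens.extend(unquote(seg) for seg in parts.path.split("/"))
        if any(needle in d.lower() for t in tokens if t for d in _decodings(t)):
            hits.append(url)
    return hits

# Constructed sample data: links extracted from one inbound message.
RECIPIENT = "mario.rossi@example.it"
_B64 = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_URLS = [
    "https://webmail.aruba.it/?user=mario.rossi%40example.it",   # trusted host, skipped
    "https://renewal-portal.example/login?email=mario.rossi%40example.it",
    "https://billing-check.example/auth#" + _B64,
    "https://news.example/article?id=42",                        # no address embedded
    "https://aruba.it.account-verify.example/webmail/" + _B64,   # look-alike host
]
```

A hit is a signal for quarantine or analyst review rather than proof of phishing, since legitimate newsletters and unsubscribe links also embed the recipient's address.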

Group-IB security researchers identified this sophisticated phishing framework through their ongoing monitoring of underground criminal ecosystems.

The kit represents more than just a fake webpage. It functions as a complete, automated platform built for efficiency and stealth, employing multiple techniques to evade detection and maximize credential theft.

Unlike basic phishing attempts, this system uses CAPTCHA filtering to block security scanners and Telegram bots to send stolen data to attackers instantly.

Multi-Stage Credential Harvesting Process

The attack unfolds through four carefully designed stages that systematically extract credentials and financial information.

First, victims encounter a CAPTCHA challenge that serves as an anti-bot filter, ensuring only human targets proceed to the actual phishing pages.

After passing this check, victims land on a convincing replica of the Aruba login page, where they enter their username and password, which are sent to the attacker immediately.

The process continues with a fake payment page requesting credit card details for a small fee, typically around €4.37, presented as a service renewal charge.

Once card information is submitted, victims are presented with a fraudulent 3D Secure verification page that captures the one-time password sent by their bank.

This final piece of information gives attackers everything needed to authorize real-time fraudulent transactions.

Throughout this process, all stolen data is sent to Telegram chats that serve as exfiltration channels, providing attackers with instant notifications.

After completing the stages, victims are redirected to the legitimate Aruba website, remaining unaware that their information was compromised.

This operation highlights the growing trend of phishing-as-a-service, where pre-built kits dramatically lower technical barriers and enable widespread credential theft at an industrial scale.

The post A Multi-Stage Phishing Kit Using Telegram to Harvest Credentials and Bypass Automated Detection appeared first on Cyber Security News.

rssfeeds-admin
