iZOOlogic Red Team has uncovered a recent, large-scale phishing campaign targeting Telegram users. The attack uses phishing links that lead to pages disguised as the Telegram login flow and harvests the victim's mobile number, the one-time login code (OTP), and the two-step verification (2FA) password.
The threat actor behind this campaign is identified as “Tai Tsi,” based on the Whois registration details, with all flagged domains registered from Hong Kong, China. Registrant data is self-declared and may be fabricated, so this attribution should be treated as low confidence.
During the research, we found more than 200 related phishing domains, registered predominantly under the .top TLD. The campaign compromises accounts in a self-propagating chain: each hijacked account is used to push the same malicious links to its contacts, which yields the next wave of victims.
Modus Operandi
- Phishing Link Distribution
- The attacker sends an initial phishing message containing a link, appearing to come from Telegram or from a trusted contact. The message may say, “There are your photos and videos in it: hxxp[:]//lbvamvemkxfi[.]top/login”.
- The link directs the victim to a fake Telegram login page designed to capture the phone number, the OTP, and the 2FA password.
- Credential Harvesting
- Once the victim enters their details, they are relayed to the attacker in real time. Real-time relay matters here because Telegram login codes are short-lived, so the attacker must use the OTP within minutes of capture.
- The attacker immediately uses the stolen phone number, OTP, and 2FA password to log in to the victim's Telegram account from their own device, hijacking the account.
- Account Takeover
- The attacker then sends a similar phishing message from the compromised account to the victim’s entire contact list.
- The cycle repeats, leading to a massive chain of compromised accounts across Telegram.
- Further Abuse
- In some cases, the attackers might use the compromised accounts to spread malware, request sensitive information from contacts, or impersonate the victim for financial fraud.
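The propagation chain above leaves a very recognisable footprint: every hop is a Telegram message carrying a link to one of the campaign domains. The following is an added triage example (not iZOOlogic's tooling) for a SOC analyst who receives reported messages, it extracts URLs from message text, refangs indicators published in the defanged form used in this report's annexure, checks the host against a known-IoC set, and falls back to a heuristic for the naming families visible in the annexure (12-letter random .top labels, brand-prefix families such as moneylion/unlock/recoup/locking/varomoney/coercion, and the recovery-/regulation-/source- families). The IoC subset and the sample messages are constructed for the example; the regex families are an editorial generalisation of the published list, not rules from the kit.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed excerpt of the annexure IoC list, kept in the defanged form it was published in.
IOC_DOMAINS_DEFANGED = [
    "lbvamvemkxfi[.]top",
    "moneylioniqj[.]top",
    "recovery-wss[.]top",
    "regulation-lfu[.]top",
    "zd977[.]icu",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a matchable form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", s)

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Heuristic naming families derived from the annexure (assumption: the actor keeps these shapes).
CAMPAIGN_PATTERNS = [
    re.compile(r"^[a-z]{12}\.top$"),                      # e.g. lbvamvemkxfi.top
    re.compile(r"^[a-z0-9]{9}\.top$"),                    # e.g. o7z1qf8mf.top
    re.compile(r"^(?:moneylion|varomoney|unlock|recoup|locking|coercion)[a-z]{2,3}\.top$"),
    re.compile(r"^(?:recovery|regulation|source)-[a-z0-9]{2,3}\.top$"),
]

# Matches both live URLs and defanged ones such as hxxp[:]//host[.]tld/path.
URL_RE = re.compile(r"(?:hxxps?|https?)(?::|\[:\])//[^\s\"'<>]+", re.IGNORECASE)
# Lure wording quoted in this report; a weak signal on its own.
LURE_RE = re.compile(r"your photos and videos", re.IGNORECASE)

VERDICT_RANK = {"known_ioc": 2, "campaign_pattern": 1, "unknown": 0}

def extract_urls(text: str) -> list[str]:
    """Return refanged URLs found in a message, with trailing punctuation stripped."""
    return [refang(m.group(0).rstrip(".,;)")) for m in URL_RE.finditer(text)]

def classify_domain(domain: str) -> str:
    d = domain.lower().rstrip(".")
    if d in IOC_DOMAINS:
        return "known_ioc"
    if any(p.match(d) for p in CAMPAIGN_PATTERNS):
        return "campaign_pattern"
    return "unknown"

def triage_message(text: str) -> dict:
    """Worst verdict over all URLs in a message, plus per-URL detail and the lure-text flag."""
    details = []
    for url in extract_urls(text):
        host = urlsplit(url).hostname or ""
        details.append({"url": url, "host": host, "verdict": classify_domain(host)})
    worst = max((d["verdict"] for d in details), key=VERDICT_RANK.get, default="clean")
    return {"verdict": worst, "lure_text": bool(LURE_RE.search(text)), "urls": details}

# Constructed sample messages: the lure quoted in the report, a second campaign domain
# that is in the annexure but deliberately left out of IOC_DOMAINS, and a benign message.
SAMPLE_MESSAGES = [
    "There are your photos and videos in it: hxxp[:]//lbvamvemkxfi[.]top/login",
    "Check this: https://unlockfir.top/login",
    "Meeting notes are in the shared drive, see https://docs.example.com/notes",
]

def run_samples() -> list[str]:
    return [triage_message(m)["verdict"] for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:17s} {msg}")
```

The second sample shows why the heuristic tier is worth keeping: unlockfir.top is in the published list but not in the small embedded subset, and it is still caught because it fits the unlock + three-letter family. Treat "campaign_pattern" as a lead for analyst review rather than an automatic block, since nine-character .top domains also exist legitimately.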
Source Code Analysis
- Input Validation and Phone Number Formatting
- The code includes logic for validating and formatting phone numbers against country-specific patterns. This makes the page behave like the real login flow, so victims are less likely to notice the fake and more likely to submit a correctly formatted number that the attacker can use immediately.
- Countries such as India (IN), the USA (US), and Canada (CA) are specifically targeted, though the pattern table can easily be extended to cover more countries.
- AJAX Request for Data Collection
- The phishing script captures the phone number, the OTP, and the 2FA password and sends each to the attacker's server with an AJAX POST request as soon as it is entered, which is what allows the attacker to complete the login before the OTP expires.
- Local Storage for Tracking
- The phone number and a unique identifier (UUID) are stored in the browser’s localStorage and in cookies, which lets the kit track the victim across visits. Once the victim has submitted the OTP and 2FA password, the page redirects to a pornography site. On any later visit the kit checks localStorage and cookies, recognises the returning victim, and redirects them straight to the hardcoded pornography domain, so the same victim never sees the login form again and is less likely to realise what happened.
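When a takedown or threat-intel team pulls the client-side script from each of the 200-odd domains, the question is whether a given page is the same kit, and what it exfiltrates. The following is an added example (not iZOOlogic's code and not the actor's kit) of a lightweight static scanner that looks for the four behaviours described above: country-keyed phone regexes, an AJAX POST of the collected fields, localStorage tracking of phone/UUID, and a hardcoded external redirect. The JavaScript excerpt it runs against is a constructed toy sketch that only reproduces those behaviours in the shape described; the function names, field names, the "/api/submit" path, and the example-redirect.invalid host are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed toy excerpt standing in for a kit's client-side script. It is NOT the real kit;
# it mirrors the behaviours the analysis describes so the scanner has something to match.
SAMPLE_KIT_JS = r"""
var COUNTRY_PATTERNS = { IN: /^\+91\d{10}$/, US: /^\+1\d{10}$/, CA: /^\+1\d{10}$/ };
var uid = localStorage.getItem("uuid") || crypto.randomUUID();
localStorage.setItem("uuid", uid);
localStorage.setItem("phone", phone);
$.ajax({ type: "POST", url: "/api/submit", data: { phone: phone, code: otp, password: pwd, uuid: uid } });
if (localStorage.getItem("done")) { window.location.href = "https://example-redirect.invalid/"; }
"""

# Constructed benign script used as a negative control.
SAMPLE_BENIGN_JS = 'document.getElementById("greeting").textContent = "hello";'

# (name, regex, weight). Weights are an assumption: exfiltration and MFA field capture count double.
KIT_SIGNATURES = [
    ("country_phone_validation", re.compile(r"\\\+\d{1,3}\\d\{\d+\}"), 1),
    ("ajax_post_exfil", re.compile(r"\$\.(?:ajax|post)\(|new\s+XMLHttpRequest|\bfetch\("), 2),
    ("mfa_fields_collected", re.compile(r"\b(?:code|otp|password|pwd)\s*:"), 2),
    ("localstorage_tracking", re.compile(r"localStorage\.setItem\(\s*[\"'](?:uuid|phone)[\"']"), 1),
    ("hardcoded_external_redirect", re.compile(r"location(?:\.href)?\s*=\s*[\"']https?://"), 1),
]
KIT_THRESHOLD = 4

def extract_country_codes(js: str) -> list:
    """Two-letter keys that map to a regex literal, e.g. IN: /^\\+91\\d{10}$/."""
    return re.findall(r"\b([A-Z]{2})\s*:\s*/", js)

def extract_exfil_fields(js: str) -> list:
    """Keys of the first `data: { ... }` object literal, i.e. what the POST carries."""
    m = re.search(r"data\s*:\s*\{([^}]*)\}", js, re.S)
    return re.findall(r"(\w+)\s*:", m.group(1)) if m else []

def extract_redirect_hosts(js: str) -> list:
    """Hostnames assigned to location / location.href as absolute URLs."""
    urls = re.findall(r"location(?:\.href)?\s*=\s*[\"'](https?://[^\"']+)", js)
    return [urlsplit(u).hostname for u in urls]

def scan_kit_source(js: str) -> dict:
    """Score a script against the kit signatures and pull out the analyst-relevant details."""
    findings = [name for name, rx, _ in KIT_SIGNATURES if rx.search(js)]
    score = sum(w for name, _, w in KIT_SIGNATURES if name in findings)
    return {
        "findings": findings,
        "score": score,
        "verdict": "likely credential-harvesting kit" if score >= KIT_THRESHOLD else "no kit indicators",
        "countries": extract_country_codes(js),
        "exfil_fields": extract_exfil_fields(js),
        "redirect_hosts": extract_redirect_hosts(js),
    }

if __name__ == "__main__":
    for label, src in (("kit sample", SAMPLE_KIT_JS), ("benign sample", SAMPLE_BENIGN_JS)):
        print(label, scan_kit_source(src))
```

Run it over the script fetched from each flagged domain; identical finding sets, field names, and redirect hosts across domains are the quickest evidence that the 200 sites are one kit rather than a cluster of unrelated lookalikes, and the exfil_fields list tells you whether a given victim's OTP and 2FA password (not just the phone number) were exposed.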
Tactics, Techniques, and Procedures (TTPs)
- T1583.001: Acquire Infrastructure: Domains – bulk registration of more than 200 disposable phishing domains, mostly under .top.
- T1566.003: Phishing: Spearphishing via Service – phishing links delivered as Telegram messages rather than email.
- T1204.001: User Execution: Malicious Link – the victim must click the link to reach the fake login page.
- T1056.003: Input Capture: Web Portal Capture – a fraudulent Telegram login page harvests the phone number, OTP, and 2FA password.
- T1111: Multi-Factor Authentication Interception – the OTP and 2FA password are relayed to the attacker in real time and replayed before they expire.
- T1078: Valid Accounts – the harvested credentials are used to log in to and control the victim’s Telegram account.
- T1534: Internal Spearphishing – the compromised account sends the same lure to the victim’s entire contact list, impersonating the victim.
Mitigation and Recommendations
- User Awareness and Training
- Users should be educated about the risks of phishing attacks and how to recognize suspicious messages.
- Always verify the legitimacy of unsolicited links, even when they come from known contacts.
- Two-Factor Authentication (2FA)
- Enable 2FA (a Telegram two-step verification password) on Telegram accounts. Note that this campaign phishes the 2FA password alongside the OTP, so 2FA alone does not stop it; it raises the bar against attackers who only intercept the SMS or in-app code, and it should be paired with the session review described below.
- Credential Hygiene
- Encourage users to avoid sharing OTPs, passwords, or login credentials through Telegram or any untrusted platform.
- Regularly monitor account activity for unauthorized logins.
- Incident Response
- If an account is compromised, the user should immediately review Settings > Devices in Telegram, terminate all other sessions, change the two-step verification password, and notify contacts that any recent links from the account are malicious, since the attacker will already have messaged them.
- Avoid Clicking on Malicious Domains
- Avoid clicking on links to random-character domains such as hxxp[:]//lbvamvemkxfi[.]top, and treat any login page reached from a chat link as suspect: Telegram does not ask users to log in again through a link sent in a message.
Conclusion
This phishing campaign demonstrates how threat actors can exploit human trust and social networks like Telegram to orchestrate large-scale, self-propagating account compromises. Further, attackers can misuse compromised Telegram accounts to harvest sensitive data, including user chats, contacts, and private information, which can then be leveraged for more insidious attacks such as extortion, blackmail, or identity theft. The compromised accounts can also be used to spread additional phishing campaigns, malware, or disinformation, expanding the scope of the attack by targeting the victim’s contacts and further compromising other individuals or organizations in the victim’s network.
Annexure
Indicators of Compromise
Malicious IP Addresses
- 156[.]251[.]139[.]34
- 23[.]224[.]184[.]250
Malicious Domains
- delqggdxkdyp[.]top
- idkbsmvenxtm[.]top
- fnxyzihiendz[.]top
- seyyhnzqvgoy[.]top
- kmhxuymkzowe[.]top
- sqjusunzsiyl[.]top
- nihjodoqndmn[.]top
- edohaguylkjx[.]top
- gfsclmsdmqmp[.]top
- jubkcmkbsarb[.]top
- weqetutiohnh[.]top
- lbvamvemkxfi[.]top
- jlcxbrhtddxh[.]top
- nwhijnqbfawk[.]top
- lsywcgvmsooq[.]top
- recwrqhvpnpd[.]top
- npyyulqlqhjg[.]top
- typhzeowbjol[.]top
- auyqhalqjckc[.]top
- hhothofmznsb[.]top
- swcfukvqxmec[.]top
- xrroawddkcir[.]top
- rsfzdrtidyfn[.]top
- lpeqemxeprfh[.]top
- tqsqqzxnxycl[.]top
- uekkvnqqdohm[.]top
- glhqbtfkflef[.]top
- tpqszgbzlfmo[.]top
- liihqwkqqvxn[.]top
- yhiroybgtrkk[.]top
- zqqahpegkgyb[.]top
- wenllpismlaz[.]top
- nantylceonqb[.]top
- si3qqt4ur[.]top
- moneylioniqj[.]top
- moneylioneaa[.]top
- moneylionulc[.]top
- moneylionbqg[.]top
- moneylionplq[.]top
- moneylionlim[.]top
- moneylionpxl[.]top
- moneylionhbi[.]top
- moneylionfha[.]top
- moneylionwrq[.]top
- moneylionlpn[.]top
- moneylionjio[.]top
- moneylionixw[.]top
- moneylionlve[.]top
- moneylioncjj[.]top
- moneylionayy[.]top
- moneylionwtt[.]top
- moneylionrpw[.]top
- moneylionolu[.]top
- lockingnf[.]top
- moneylionwvh[.]top
- moneylionpus[.]top
- moneylionmxk[.]top
- lockingnk[.]top
- zd977[.]icu
- recoupwl[.]top
- recouphh[.]top
- xyh79[.]top
- moneylionqlr[.]top
- recoupqy[.]top
- lockingmb[.]top
- yhdgpxvqw[.]top
- xyh78[.]top
- xyk20[.]top
- varomoneyav[.]top
- varomoneyrh[.]top
- varomoneytf[.]top
- unlockdfx[.]top
- unlockfir[.]top
- unlockgun[.]top
- unlocklsr[.]top
- unlockolb[.]top
- unlockpge[.]top
- unlockccf[.]top
- unlockbvq[.]top
- unlockspq[.]top
- unlockfza[.]top
- unlockauh[.]top
- unlockfkm[.]top
- unlockgvw[.]top
- unlockfpq[.]top
- unlockhmj[.]top
- moneylionpuc[.]top
- moneylionrhu[.]top
- moneylionnpw[.]top
- moneylionvfe[.]top
- moneylionyqt[.]top
- moneylionruo[.]top
- moneylionhwc[.]top
- moneylionkug[.]top
- moneyliondpn[.]top
- lockinggs[.]top
- lockingxn[.]top
- lockingaq[.]top
- lockingvb[.]top
- lockingzj[.]top
- lockingvf[.]top
- coercionjl[.]top
- unlockebb[.]top
- varomoneyoz[.]top
- unlockbfw[.]top
- recouptob[.]top
- varomoneytp[.]top
- unlockppa[.]top
- varomoneyei[.]top
- unlockenr[.]top
- unlockork[.]top
- lockinglu[.]top
- lockingcz[.]top
- recoupoe[.]top
- unlockxgn[.]top
- unlocknbp[.]top
- varomoneypo[.]top
- unlockosr[.]top
- moneylionqbg[.]top
- varomoneybw[.]top
- varomoneydo[.]top
- unlockvkj[.]top
- unlockvev[.]top
- recoupjfa[.]top
- o7z1qf8mf[.]top
- of1zgcahn[.]top
- 82fkgjyai[.]top
- bubdhm5fg[.]top
- 793hd9hld[.]top
- th8qpavse[.]top
- 9ynuupnsv[.]top
- rqmzcylp8[.]top
- bwpr9yg7a[.]top
- xwo8z3fyu[.]top
- lzdhtgug3[.]top
- rq6ei353o[.]top
- ppihr8vtg[.]top
- durbjr235[.]top
- df4xsdnsx[.]top
- 55r34huk5[.]top
- 4gv3b5jwq[.]top
- wxp4xeegn[.]top
- xqkst6s5z[.]top
- 464vdervb[.]top
- cy2fjocax[.]top
- v79aoi8f9[.]top
- gfbv5qk7w[.]top
- fsyw8irri[.]top
- 99uebjdpa[.]top
- y14jmv91w[.]top
- v5pa8m6n7[.]top
- w61kxwap7[.]top
- 2l9pdrxvr[.]top
- qk4g5g1cp[.]top
- lockingfn[.]top
- regulation-lfu[.]top
- regulation-snh[.]top
- regulation-ima[.]top
- regulation-rec[.]top
- regulation-ibx[.]top
- lockingtc[.]top
- lockingsj[.]top
- regulation-com[.]top
- regulation-dly[.]top
- recovery-wss[.]top
- regulation-ylh[.]top
- regulation-mqe[.]top
- recovery-gim[.]top
- regulation-llr[.]top
- recovery-bcy[.]top
- recovery-pfi[.]top
- recovery-bbs[.]top
- regulation-hob[.]top
- recovery-jat[.]top
- recovery-ivh[.]top
- regulation-drx[.]top
- regulation-jyk[.]top
- regulation-kfg[.]top
- regulation-nbi[.]top
- regulation-dqs[.]top
- recovery-hxc[.]top
- regulation-ppl[.]top
- recovery-uwu[.]top
- recovery-nmw[.]top
- recovery-vwn[.]top
- source-y5q[.]top
- regulation-dsq[.]top
- regulation-hlf[.]top
- regulation-ihu[.]top
- recovery-xfm[.]top
- recovery-orc[.]top
- recovery-hrx[.]top
- recovery-itq[.]top
- recovery-jz[.]top
- recovery-pe[.]top
- recovery-xu[.]top
- recovery-qe[.]top
- recovery-yx[.]top
- recovery-un[.]top
- recovery-rq[.]top
- recovery-kc[.]top
- recovery-uh[.]top
- recovery-uk[.]top
- recovery-ow[.]top
- recovery-fo[.]top
- recovery-mg[.]top
- recovery-he[.]top
- recovery-ff[.]top
- recovery-ml[.]top
- recovery-dc[.]top
- recovery-ci[.]top
- recovery-ux[.]top
- recovery-qp[.]top
- recovery-dtf[.]top
- recovery-cr[.]top
- recovery-vb[.]top
- recovery-rjr[.]top
- recovery-gzo[.]top
- recovery-dlg[.]top
- recovery-qoa[.]top
- recovery-xhp[.]top
- recovery-drj[.]top
- recovery-yq[.]top
- recovery-mn[.]top
- recovery-wq[.]top
- recovery-pes[.]top
- recovery-mv[.]top
- recovery-kx[.]top
- recovery-ws[.]top
- recovery-wdx[.]top
- recovery-fqc[.]top
- recovery-ehu[.]top
- recovery-vpw[.]top
- recovery-wvo[.]top
- recovery-tu[.]top
- recovery-ecd[.]top
- moneylioncng[.]top
- unlockshg[.]top
- moneylionzwu[.]top
- unlocksov[.]top
- moneylioniyb[.]top
- unlocktsd[.]top
- recoupzwu[.]top
- unlockbyd[.]top
- recouprq[.]top
- recoupdz[.]top
- recoupfp[.]top
- unlockxtp[.]top
- recoupff[.]top
- lockingji[.]top
- xyh83[.]top