A new phishing campaign is targeting Telegram users by turning the platform’s own security features into a weapon. CYFIRMA has uncovered an operation that bypasses traditional credential harvesting in favor of a more insidious approach: tricking users into authorizing the attackers directly through Telegram’s official app.
This “abuse-of-function” attack uses legitimate Telegram API credentials to trigger authentic login prompts on victims’ phones, disguising a full account takeover as a routine security check.
The attack begins when a user visits a malicious phishing site, often disguised as a Telegram resource. They are presented with two login options: scanning a QR code or entering their phone number.
Unlike standard phishing sites that simply steal passwords, these actions trigger a real request to Telegram’s servers, initiated by the attacker’s tools.
- QR Code: Scanning the code instantly links the victim’s account to the attacker’s device.
- Phone Number: Entering a number triggers a legitimate “in-app authorization prompt” on the victim’s phone.
Crucially, the phishing site coaches the victim to approve this prompt. According to the report, “the phishing pages reinforce compliance by presenting misleading system messages,” for example instructing users to tap “This is me” in the notification in order to “authorize this operation”.
By framing the prompt as a security verification, “the attackers shift the decisive action into Telegram’s trusted application interface,” effectively bypassing suspicion.
This is not a small, isolated effort. CYFIRMA’s analysis reveals a “centralized, reusable phishing framework” designed for mass deployment.
The infrastructure is configuration-driven, allowing attackers to rapidly spin up new domains that look and function identically. “This design supports high-volume operations and facilitates rapid domain rotation,” a tactic used to stay one step ahead of blacklists and takedown efforts.
The campaign is also explicitly multilingual: its code contains support for languages such as Simplified Chinese, indicating a “broad international reach rather than localized targeting”.
Perhaps most concerning is the resilience of this campaign. The report describes it as a “campaign restart model,” where attackers simply replace blocked domains while keeping the core logic intact.
“The consistency of behavior across these domains indicates continuity of an established framework rather than isolated or opportunistic phishing attempts,” CYFIRMA concludes.