CRIL analyzed an active phishing campaign leveraging HTML-based Telegram bot credential harvesters designed to mimic multiple prominent brands

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

Cyble Research and Intelligence Labs uncovered a widespread credential harvesting campaign using HTML email attachments that bypass traditional security measures. Attackers impersonate trusted brands like Adobe, Microsoft, FedEx, and DHL through fake login pages embedded in HTML files. The malicious JavaScript captures credentials and exfiltrates them directly to Telegram bots, avoiding external server hosting. The campaign primarily targets Central and Eastern European organizations across 15+ industries using RFQ-themed social engineering. Technical analysis reveals evolving sophistication including AES encryption, anti-forensics measures blocking developer tools, and multi-language support. Multiple active Telegram bot tokens indicate a decentralized operation by various threat actors.

Multi Brand Themed Phishing Campaign Harvests Credentials