Executive Summary

Security researchers at Cyble have identified a widespread and evasive phishing campaign targeting various industries in Central and Eastern Europe, including Germany, Hungary, Slovakia, and the Czech Republic. The attackers are using a technique known as HTML smuggling, embedding a credential harvesting form within an HTML file attached to an email. This method often bypasses traditional email security scanners that are focused on URLs in the email body. In a further act of evasion, the campaign uses the legitimate Telegram Bot API to exfiltrate stolen credentials, eliminating the need for attackers to set up and maintain their own command-and-control (C2) infrastructure. This makes the operation resilient and difficult to disrupt.

Threat Overview

The campaign targets a wide range of sectors, including manufacturing, government, telecommunications, energy, and automotive. The attack begins with a spear-phishing email, often disguised as a business document like a Request for Quotation (RFQ). The email contains an HTML attachment.

When the victim opens the HTML file in their browser, it renders a fake login page for a well-known service like Microsoft or Adobe. The entire phishing page is self-contained within the HTML file. Any credentials entered by the victim are captured by a JavaScript function embedded within the same file. The script then makes a POST request to api.telegram.org, sending the stolen username and password to a private Telegram channel controlled by the attacker.

Technical Analysis

This campaign demonstrates several effective defense evasion and C2 techniques:

1. Initial Access (T1566.001 - Spearphishing Attachment): The use of an HTML attachment is key. Because the malicious content is inside the attachment, email gateways may not flag the email itself as dangerous.
2. Defense Evasion (T1027.006 - HTML Smuggling): The phishing form is 'smuggled' past defenses inside the HTML file. There is no malicious URL to block in the email itself; the threat is activated locally when the file is opened.
3. Command and Control (T1102.001 - Dead Drop Resolver): The use of the Telegram Bot API is a form of C2 over a legitimate, widely used service. It is difficult for organizations to block api.telegram.org outright, as it may be used for legitimate business purposes. This makes the C2 channel highly resilient.
4. Defense Evasion (T1027 - Obfuscated Files or Information): Researchers noted that attackers are iterating on their methods, beginning to use libraries like CryptoJS to encrypt the stolen data before exfiltration, further hiding their activity.

Impact Assessment

The direct impact of this campaign is credential theft. Compromised credentials can be used for a wide range of malicious activities, including:

• Business Email Compromise (BEC) and financial fraud.
• Accessing and stealing sensitive corporate data.
• Gaining a foothold in the network for follow-on attacks, such as ransomware deployment.
• Selling the credentials on dark web markets.

Because the campaign targets multiple industries, including critical sectors like energy and government, the potential for significant economic and national security impact is high.

IOCs

The primary network indicator for this campaign is traffic to the Telegram Bot API endpoint.

Detection & Response

• Egress Traffic Filtering: The most effective detection is to monitor and alert on all outbound network connections to api.telegram.org from corporate workstations. Unless your organization has a specific business need for Telegram, consider blocking this traffic entirely at the firewall or web proxy. Use D3FEND's Outbound Traffic Filtering.
• Email Attachment Analysis: Configure email security gateways to treat HTML and HTM attachments as high-risk. If possible, use a sandbox to open attachments and analyze their behavior, such as whether they make outbound network connections.
• Endpoint Monitoring: Use EDR to monitor for browsers making POST requests to api.telegram.org. This is highly anomalous behavior for a standard user workstation.

Mitigation

1. Block/Control HTML Attachments: Implement email gateway policies to block, quarantine, or strip HTML/HTM attachments from external emails. If blocking is not feasible, use a 'safe attachments' feature that renders them as PDFs or in a secure viewer.
2. User Training (M1017 - User Training): Train users to be suspicious of all email attachments, especially unexpected ones, even if they appear to be simple document types like HTML. Emphasize that login prompts should only be trusted when the user has navigated to the site themselves.
3. Multi-Factor Authentication (MFA) (M1032 - Multi-factor Authentication): Enforcing MFA is the most effective control against the use of stolen credentials. Even if an employee's password is stolen in this attack, MFA will prevent the attacker from using it to log in.
4. Web Filtering: While the initial email does not contain a malicious URL, web filters can still be used to block connections to api.telegram.org as a C2 channel.