Threat actors' methods for breaching user accounts have shifted with the resurgence of a sophisticated Telegram phishing campaign. Instead of conventional credential harvesting, which copies login pages to capture passwords, this method abuses the platform's genuine authentication infrastructure. By integrating directly with Telegram's official login flow, the attackers bypass common security controls and obtain fully authorized user sessions without triggering alerts.
The attack is designed to reduce user suspicion by imitating standard security checks and verification steps. Victims are shown fraudulent login interfaces that allow both manual phone-number entry and QR-code scanning, hosted on short-lived domains that closely mimic authentic Telegram branding.
When a user interacts with these components, no data is sent to an attacker's database; instead, the user unintentionally triggers a legitimate login request initiated from the attacker's device. Cyfirma analysts identified the campaign after noticing its distinctive ability to pass off authorization prompts as security checks. According to the researchers, this approach dramatically increases victim compliance while reducing detectable anomalies.
Once the user approves the request on their mobile device, believing they are confirming their identity, the attackers gain immediate and persistent access to the account. This lets them monitor communications and launch secondary attacks against the victim's contacts, without needing an exploit and without the usual suspicious-login warnings alerting the user.
API Abuse and Dynamic Infrastructure

The campaign's technical sophistication shows in its use of dynamic backend configurations to avoid detection. Rather than hardcoding phishing logic into the frontend HTML, the site uses cross-origin API requests to retrieve runtime instructions from a centralized server. The JSON response supplies attacker-controlled Telegram API credentials, including the api_id and api_hash, along with localized language data used to render the login interface.
Prompt for in-app authorization (Source: Cyfirma)

This configuration-driven design lets the operators switch domains quickly while keeping the same authentication logic for globally dispersed targets. The phishing pages also display false system messages telling users to "verify" their accounts by clicking "Yes" on the in-app notification.
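The configuration-fetch pattern described above gives defenders something concrete to look for in proxy or browser traffic: a page on a Telegram-lookalike hostname that pulls a cross-origin JSON document carrying api_id and api_hash plus localized UI strings. The script below is an added detection example written for this article; it is not Cyfirma's code and not part of any phishing kit. It runs over constructed HTTP transaction records embedded inline, and the allowlist of first-party Telegram domains, the lookalike heuristic (substring match or edit distance of at most 2 from "telegram"), and the set of "localized strings" keys are all assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlist of first-party Telegram domains (example assumption, not from the article).
LEGIT_TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")
# Keys the article says the kit's runtime config carries.
CREDENTIAL_KEYS = ("api_id", "api_hash")
# Keys assumed to hold localized UI strings; an assumption for this example.
LOCALE_KEYS = ("lang", "locale", "translations", "strings")


def registrable_domain(host):
    """Crude eTLD+1: last two labels. Good enough for a cross-origin check here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_first_party(host):
    """True if host is, or is a subdomain of, an allowlisted Telegram domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LEGIT_TELEGRAM_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """Non-Telegram host whose labels imitate the brand name."""
    if is_first_party(host):
        return False
    for label in host.lower().split("."):
        if "telegram" in label or edit_distance(label, "telegram") <= 2:
            return True
    return False


def config_indicators(body):
    """Return which kit-config markers a JSON response body contains."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(data, dict):
        return []
    found = [k for k in CREDENTIAL_KEYS if k in data]
    if any(k in data for k in LOCALE_KEYS):
        found.append("localized_strings")
    return found


def analyze(records):
    """Flag records where a lookalike page fetched cross-origin JSON with both API credentials."""
    findings = []
    for r in records:
        page_host = urlsplit(r["page_url"]).hostname or ""
        api_host = urlsplit(r["request_url"]).hostname or ""
        cross_origin = registrable_domain(page_host) != registrable_domain(api_host)
        indicators = config_indicators(r["response_body"])
        creds = [k for k in indicators if k in CREDENTIAL_KEYS]
        if is_lookalike(page_host) and cross_origin and len(creds) == len(CREDENTIAL_KEYS):
            findings.append({"page_host": page_host, "config_source": api_host, "indicators": indicators})
    return findings


# Constructed sample transactions (page_url = document origin, request_url = fetched resource).
SAMPLE_RECORDS = [
    {   # constructed: lookalike page pulling its runtime config from a separate backend
        "page_url": "https://telegram-security-check.example/login",
        "request_url": "https://cfg.panel-backend.example/api/config?lang=en",
        "response_body": json.dumps({"api_id": 123456, "api_hash": "CONSTRUCTED_PLACEHOLDER_HASH",
                                     "lang": {"title": "Security verification"}}),
    },
    {   # constructed: first-party Telegram web client loading its own locale file
        "page_url": "https://web.telegram.org/k/",
        "request_url": "https://web.telegram.org/k/assets/lang.json",
        "response_body": json.dumps({"lang": {"title": "Telegram Web"}}),
    },
    {   # constructed: unrelated site, JSON without any credential keys
        "page_url": "https://news.example/",
        "request_url": "https://api.news.example/v1/feed",
        "response_body": json.dumps({"items": []}),
    },
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Only the first constructed record is flagged: its page hostname imitates Telegram, the config comes from a different registrable domain, and the body carries both api_id and api_hash. The first-party web client fetching its own locale file is cleared by the allowlist before any heuristic runs, which keeps the rule from alerting on legitimate Telegram traffic.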
By moving the crucial action into the trusted Telegram app interface, the campaign effectively conceals the malicious nature of the session-binding step. To reduce this risk, users must be extremely cautious when responding to in-app authorization prompts: never approve a login request you did not personally initiate, even if the prompt claims to be a security check or an unusual-activity review.
It is equally important to avoid scanning QR codes from unknown websites and to routinely review active sessions in Telegram's "Devices" settings. Finally, Two-Step Verification adds a crucial layer of protection against unauthorized session creation by requiring a secondary password even if a user is tricked into accepting the first prompt.