How Adversary Telegram Bots Help to Reveal Threats: Case Study 

How Adversary Telegram Bots Help to Reveal Threats: Case Study 

/in

While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts. 

Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog

The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign. 

Key outcomes of this analysis include: 

  • Examination and technical analysis of a lesser known phishing campaign 
  • Recommendations for detecting this type of threat 

Let’s dive in. 

Technical Analysis of Attack with Telegram Bot 

Let’s take a closer look at the analysis session: 

View analysis session 

The subject of the analysis is a phishing page hosted on a Notion workspace. The page content is in Italian, which, combined with the subdomain name, suggests this is a targeted campaign aimed at Italian-speaking users or organizations. 

The URL submitted for analysis was: 

hxxps[:]//studiosperandio.notion[.]site/1c37ff25a354805f8dd0eed23673d4e8?pvs=4 

Here’s how the page appeared inside ANY.RUN’s Interactive Sandbox: 

Figure 1 – Phishing page designed to appear as an invitation to view a document 

It’s worth noting that the use of Notion workspaces as easily accessible infrastructure for phishing activity is not new.

This is supported by the number and frequency of related samples uploaded to ANY.RUN sandbox, as seen in the following TI Lookup query

Figure 2 – Search results in TI ANY.RUN 

The targeted user is prompted to view a document that was allegedly shared with them.

Level up your team’s malware analysis and threat intelligence capabilities
See all ANY.RUN’s 9th Birthday offers 



Check out offers


To do so, they are asked to sign in using their Microsoft credentials via the following link: 

hxxps[:]//gleaming-foregoing-quicksand[.]glitch[.]me/noter.html 

Clicking the link opens a hastily crafted phishing page designed to mimic a Microsoft OneNote login prompt. The page presents multiple authentication options, including: 

  • Office365 
  • Outlook 
  • Rackspace 
  • Aruba Mail 
  • PEC 
  • Altra Posta 
Figure 3 – Fake OneNote login page  

After selecting a login method, the user is prompted to enter their credentials: 

Figure 4 – Credential input form 

However, clicking the “Login” button does not grant access to the shared document. Instead, several malicious actions are triggered: 

  1. The phishing page uses the ipify[.]org service to retrieve the victim’s IP address. 
Figure 5 – Code snippet used to capture the victim’s IP address 
  1. The collected login, password, and IP address are then exfiltrated via a Telegram bot, with the bot token and chat ID hardcoded directly into the phishing script. 
Figure 6 – Data exfiltration logic using a Telegram bot 
  1. Finally, the user is redirected to the official Microsoft OneNote login page to reinforce the illusion of legitimacy. 
Figure 7 – Official OneNote login page shown after redirection 

As a result, this is a classic case of phishing aimed at credential harvesting

Figure 8 – Request containing credentials sent to the attacker’s Telegram bot 
Figure 9 – Response from the Telegram API 

From the Telegram API response to the data submission request, we were able to extract details about the Telegram bot used by the attacker:  

  • Name: Sultanna  
  • Username: @Sultannanewbot  
  • Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE  
  • Exfiltration chat ID: 6475928726 

The combination of the Notion → Glitch domain chain appeared suspicious. A search in ANY.RUN’s Threat Intelligence Lookup revealed several additional submissions following the same pattern: 

DomainName:”notion AND domainName:”glitch” 

Figure 10 – Search results for Glitch + Notion domain combination 

In all of these cases, the Notion workspace used is different (as indicated by the subdomain), but the attack vector is entirely the same. Both the phishing design and the page’s functionality are identical to what was described earlier. 

A search based on the hash and fragments of the phishing page content led us to several earlier submissions, the oldest of which dates back to August 26, 2024. Let’s examine a few: 

Sample submission 1: September 19, 2024

View sandbox session

Upon analyzing the HTML content of the page, we can confirm it follows the exact same pattern: 

  • OneNote credential phishing 
  • Exfiltration of IP address and credentials via a Telegram bot 
  • A domain chain consisting of two services, the first of which is a Cloud Service Provider (CSP) 

The differences this time lie in the use of a different token and chatID bots, as well as a different domain in the attack chain, involving Google Docs and Backblaze B2

Figure 11 – Identical phishing login page 

The exact same code is used to retrieve the victim’s IP address and exfiltrate the stolen data to a Telegram bot, as described earlier. 

Figure 12 – Same logic used to capture the victim’s IP address 
Figure 13 – Same logic used for interaction with the Telegram bot 

Information obtained about the Telegram bot used in this case: 

  • Name: remaxx24 
  • Username: @remaxx24bot 
  • Token: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 
  • Chat ID: 5308217415 

Sample submission 2: August 26, 2024

View sandbox session

The attack vector remains the same, with only a slight variation in the phishing theme, this time impersonating an Aruba PEC login page (in Italian: PEC, Posta Elettronica Certificata). 

Figure 14 – Similar phishing login page 

It’s worth noting that over a relatively long period, only a few elements have changed: 

  • The phishing pretext (e.g., impersonating a OneNote login instead of PEC) 
  • Minor visual adjustments to the page layout 

Meanwhile, the malicious JavaScript used to steal credentials has remained identical except for changes to the Telegram bot token and chat ID. 

Telegram bot used in this instance: 

  • Name: Resultant 
  • Username: @Resultantnewbot 
  • Token: 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E 
  • Chat ID: 6475928726 

Based on the analysis above, it can be concluded that this is part of a phishing campaign specifically targeting Italian users and employees of Italian organizations. 

Notable characteristics of the campaign include its low operational tempo (as indicated by the limited number and frequency of submissions) and the overall simplicity of the attacker’s tooling. The threat actor relies on free platforms to host phishing content, such as Notion, Glitch, Google Presentation, and RenderForest, uses no or only rudimentary evasion techniques, and leverages Telegram bots as readily available, off-the-shelf C2 infrastructure. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

Follow along a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


Page Hunting 

Using a search by webpage titles on urlscan.io, we were able to identify a number of sites associated with this phishing campaign. 

Query used: page.title:”One Note | Microsoft” OR page.title:”Aruba | PEC” 

The oldest submission dates back to January 29, 2022: https://urlscan.io/result/b4584a98-d35d-4c08-89e8-7208f903fb2d/#summary 

The visual appearance of the phishing page in this case matches what we’ve seen in previously analyzed samples. 

Figure 15 –Malicious page sample from January 29, 2022 

Distinctive features of the older variant: 

  • Uses obfuscation via URL encoding 
  • Employs a different exfiltration method via a POST request to submit data through a web form (the URL was no longer accessible at the time of research), with the login and password entered into designated form fields. 
Figure 16 – Data exfiltration code using a web form submission 

Samples dating back to February 2, 2022, began using the Telegram bot-based exfiltration method described earlier. Obfuscation was implemented through nested URL encoding (typically 2 to 4 levels deep). 

Starting with the sample from August 23, 2023, functionality was added to identify and exfiltrate the victim’s IP address. 

At some point, the threat actor experimented with using Base64 obfuscation for the phishing page but later abandoned this technique for unknown reasons. 

Figure 17 – Example of Base64 obfuscation in the phishing page payload  

Observation period for Base64 obfuscation:  July 1, 2024December 3, 2024 

Evolution of the Phishing Page Mechanisms 

Sample Date   Sample Link  Changes 
January 29, 2022  https://urlscan.io/result/b4584a98-d35d-4c08-89e8-7208f903fb2d/#summary Oldest known sample. URL encoding used. Data exfiltration via form submission. 
February 2, 2022  https://urlscan.io/result/f8663734-6a7a-430c-9f0c-66ea2cdccd8f/ Telegram bot-based exfiltration. Nested (2–4 levels) URL encoding. 
August 23, 2023  https://urlscan.io/result/48457c87-98eb-4844-8156-ab5e6950367c/ Added functionality to collect and exfiltrate victim’s IP address. 
July 1, 2024 – December 3, 2024  https://urlscan.io/result/ab2ab801-d844-493b-8804-925d01515a8d/#summary

https://urlscan.io/result/65b676fa-d076-4e86-8e60-d0aaa6fff685/#summary

Experimented with Base64 obfuscation. Technique was later abandoned for unknown reasons. 
August 26, 2024  https://app.any.run/tasks/2eb1ee0a-66e1-45fd-82e7-5b12aeda9a0b/ Oldest observed sample on app.any.run. Shift in phishing theme to PEC login (Posta Elettronica Certificata). Infrastructure used: RenderForest + Glitch. 
September 19, 2024  https://app.any.run/tasks/691515d9-3a54-49b3-9ab1-a19635e90bf5/ Infrastructure chain updated to: Google Docs + BackBlazeB2 
April 7, 2025  https://app.any.run/tasks/6e05ff83-09e4-4eaf-9b5f-b6628b3919f1/ Last studied sample on app.any.run at the time of research. Infrastructure chain: Notion + Glitch. 

Key Insights on the Phishing Campaign 

As a result of this analysis, we’ve outlined key insights into the nature and structure of the phishing campaign under investigation. 

We identified the active timeline, clarified the target audience, and examined the technical details of the phishing tools used throughout the campaign. While the operation is relatively low in volume and visibility compared to other campaigns, it remains active to this day with phishing pages and Telegram-based exfiltration infrastructure still operational, indicating a continued potential for harm. 

The primary objective of the campaign is the harvesting of credentials for Microsoft 365 services (including Outlook, OneNote, etc.) and Italy’s PEC (Posta Elettronica Certificata), a national certified email system. These stolen credentials are likely intended for brokered access resale within cybercriminal ecosystems. 

From a technical standpoint, the campaign is neither advanced nor innovative: 

  • Low-effort phishing pages, both in terms of social engineering and evasion techniques 
  • Reliance on easily accessible, off-the-shelf infrastructure (e.g., Notion, Glitch, Google Docs, RenderForest) 

This suggests either a low level of technical expertise on the part of the attacker or a lack of focus on the credential theft process itself, supporting the hypothesis that the campaign’s true value lies in access brokering, not execution. 

Investigating the Attacker’s Profile Through Telegram Bot Exfiltration 

In this section, we’ll attempt to refine the attacker profile by analyzing the structure and contents of the stolen data, based on insights gathered during the technical analysis of the exfiltration infrastructure. 

With access to information about the Telegram bots used by the threat actor, we can attempt to retrieve the chat data where victims’ credentials were sent. To do this, we’ll follow the methodology outlined in ANY.RUN’s previously published guide. 

This section focuses on the practical application of that approach. For a deeper dive into the underlying mechanics, refer to the original source: How to Intercept Data Exfiltrated by Malware via Telegram and Discord 

Telegram Exfil Interception

Let’s start with the bot identified in the following analysis: View analysis session 

  • Name: Sultanna 
  • Username: @Sultannanewbot 
  • Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 
  • Exfiltration Chat ID: 6475928726 

To proceed safely, we’ll create a private Telegram group and enable the anonymous message sending option to protect our identity during the interaction. 

Figure 18 – Newly created private Telegram group 

Next, we’ll check whether the bot in question is using webhooks. If webhooks are enabled, the attacker is likely to detect the interception attempt quickly, since webhook requests also transmit the secret bot token, potentially alerting the operator in real time. 

Figure 19 – Description of the secret_token parameter in the Telegram Bot API webhook documentation 

We’ll now send a request to the /getWebhookInfo endpoint via a browser to check the current webhook status for the bot. The response is in JSON format:

https://api.telegram.org/bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE/getWebhookInfo

Figure 20 – Response to endpoint request ‘/getWebhookInfo’ 

This bot does not have any webhooks configured (no URLs are listed in the API’s JSON response), which reduces the likelihood of the attacker detecting interference with the exfiltration infrastructure. 

After completing the initial checks, we’ll use the script set provided in the following article:  https://github.com/anyrun/blog-scripts/tree/main/Scripts/TelegramAPI 

First, let’s prepare the bot for analysis: 

  1. Run the prepare_bot.py script, passing the bot token as an argument 
  1. Synchronize the bot’s update history 
  1. Add the bot to the previously created private group 
  1. Delete the message that logs the bot’s addition to the group 
  1. Retrieve the group ID, which will be needed in the next stage of analysis 

Prepare_bot.py

python3 prepare_bot.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 
Figure 21 – Output of the prepare_bot.py utility 

Now, let’s run the forward_message.py script to make the bot forward messages from the exfiltration chat (the chat_id specified in the phishing page) to our newly created private group: 

Forward_message.py: 

python3 forward_message.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 6475928726 -1002412181543 
Figure 22 – forward_message.py utility in action 

As a result, we begin to see the messages forwarded by the bot appearing in our group chat: 

Figures 23 – Messages exfiltrated by the attacker’s Telegram bot (combined view) 

To intercept messages in bulk rather than one at a time, we can run the forward_messages.py script using the same arguments as forward_message.py. This approach allows us to quantify the scale of the data leakage caused by the phishing campaign under analysis. 

Figure 24 – Example output from the forward_messages.py utility 

After analyzing the email addresses of users whose data was stolen during the phishing campaign, we can confirm our initial assumption: the campaign is primarily targeting Italian users and businesses. Examples of affected domains include: 

  • aedsrl.it – warehouse logistics and automation 
  • legalmail.it – certification authority and PEC (certified email) solutions for corporate communications 
  • gruppoamag.it – public utilities and environmental services 

This conclusion is further supported by: 

  • The use of Italian language in phishing lures and page content 
  • Subdomain names hosting the phishing content, which include Italian words 

To expand or refine our understanding of the threat landscape, we will now examine the bot found in a sandbox session featuring an English-language phishing page: 

View analysis session 

Bot information: 

  • Name: remaxx24 
  • Username: @remaxx24bot 
  • Token: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 
  • Chat ID: 5308217415 

We repeated the same steps as described earlier, and as a result, retrieved another batch of messages forwarded by the bot, containing freshly stolen credentials. 

Figures 25 – Intercepted messages from the remaxx24 bot (combined view) 

This time, based on the intercepted IP addresses and email data, the victims appear to be located primarily in the United States, with no clear pattern regarding affected companies or industries. 

Finally, let’s examine another bot identified in the task dated August 26, 2024: View analysis session 

Bot details: 

  • Name: Resultant 
  • Username: @Resultantnewbot 
  • Token: 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E 
  • Chat ID: 6475928726 

An interesting detail here is that the bot from the older sandbox analysis session (over six months old) appears to be connected to the bot from a recent sandbox session dated April 7, 2025.

Specifically, both bot configurations share the same chat ID: 

  • Name: Sultanna 
  • Username: @Sultannanewbot 
  • Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 
  • Exfiltration Chat ID: 6475928726 

Once again, we launch the previously mentioned utilities and retrieve: 

Figure 26 – Extracted messages from the Resultant bot 

Both of these bots appear to be linked to a Telegram account named Don, which was responsible for initiating the bots in the exfiltration group/channel via the /start command. Using the Telegram API, we were able to retrieve information about this account: 

https://api.telegram.org/bot6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E/getChatMember?chat_id=6475928726&user_id=6475928726

Figure 27– Fragment of raw message dump referencing the ‘Don’ account 
Figure 28 – Telegram API response for user ‘Don’ 

However, we were unable to investigate the retrieved data any further. A lookup using the sender’s user_id did not yield any additional information. 

Attacker Profile 

By consolidating the clues uncovered during phishing page analysis and Telegram bot interception, we can outline the characteristics of the phishing campaign and enrich its threat context. 

Attack Vector

Phishing pages and email lures impersonating login portals for Microsoft services (OneNote, Outlook) and Italy’s Aruba PEC (Posta Elettronica Certificata). 

Phishing Mechanics

  • Victim credentials are collected through fake login forms (email + password), and the IP address is gathered using the ipify service. 
  • When the victim clicks the “Login” button, the stolen data is exfiltrated via Telegram bots through interactions with the Telegram API. 
  • After submission, the user is redirected to the legitimate Microsoft login page to maintain the illusion of legitimacy. 

Victimology: 

  • Countries: United States, Italy 
  • Industries affected: Natural resources (gas), business/financial consulting, environmental services, energy, logistics, and digital identity providers (e.g., PEC and e-signature services) 

Objectives: 

  • BEC (Business Email Compromise) 
  • Credential Harvesting (MS OneNote, MS Outlook, etc.) 

Attribution & Threat Actor Assessment: 

There is not enough reliable evidence to attribute this campaign to any specific group or APT. Attribution is further complicated by the low number of samples and the slow operational tempo of the malicious activity. 

Distinct characteristics of the threat actor’s profile include: 

  • Lack of obfuscation or only weak techniques (e.g., atob, nested URL encoding) 
  • Poor mimicry of legitimate web content (low-quality phishing page design) 
  • Use of off-the-shelf solutions (Telegram bots) as exfiltration and C2 infrastructure 
  • Rudimentary defensive mechanisms; the only protection observed is a redirect to a legitimate login page after credentials are captured and exfiltrated 

These factors suggest a particular level of the attacker’s skill and motivation. Either the actor lacks technical sophistication, or they simply choose not to invest resources into more advanced phishing payloads, focusing instead on other parts of their operation, such as access brokering (selling harvested credentials to third parties for further exploitation). 

Conclusion and Detection Recommendations 

This case study demonstrated the practical application of the Telegram bot interception technique previously described on the ANY.RUN blog, using it to expand the threat landscape around a lesser-known phishing campaign focused on harvesting Microsoft and PEC credentials. 

Insights gained from the analysis of intercepted data allowed us to broaden the visibility of the campaign, from a single isolated case to a long-running trend that, as evidence suggests, may still be active today. 

The findings also helped refine the attacker profile potentially responsible for this phishing operation. 

Finally, based on the collected technical evidence, we can define practical recommendations for detecting and hunting malicious activity linked to this newly profiled phishing campaign: 

  • Monitor behavioral patterns of suspicious pages, such as domain chains following the pattern: 

“Notion → Glitch → Telegram API” 

  • Implement signature-based detection rules that identify Telegram bot activity in corporate network traffic 
  • Monitor for activity matching the Tactics, Techniques, and Procedures (TTPs) associated with the threat actor described in this report 

TI Lookup Queries

urlscan.io Query

page.title:”One Note | Microsoft” OR page.title:”Aruba | PEC” 

Indicators of Compromise

  • studiosperandio.notion[.]site 
  • gleaming-foregoing-quicksand[.]glitch[.]me 
  • seabbz.notion[.]site 
  • ergonperizie.notion[.]site 
  • f004.backblazeb2[.]com 
  • charming-separated-rhubarb[.]glitch[.]me 
  • 25348255-1243060.renderforestsites[.]com 

Urlscan.io IOCs

  • inshared0-onenote-asx.pages[.]dev 
  • onedriv-shared0-apx.pages[.]dev 
  • onedriv1-switchview-asx.pages[.]dev 
  • view0-onenote-doc3hmlgroup.pages[.]dev 
  • doc91173-onenote-viewapx[.]vercel[.]app 
  • file01173-onenote-view.vercel[.]app 
  • hampshiredownsheepwales[.]com 
  • charming-separated-rhubarb[.]glitch[.]me 
  • lucky-leaf-dogwood.glitch[.]me 
  • kindly-tropical-icicle.glitch[.]me 
  • 1noteindex-view-apx.pages[.]dev 
  • butternut-acidic-bambiraptor.glitch[.]me 
  • onenote-shared-5a03.note46.workers[.]dev 
  • saber-mercurial-tang.glitch[.]me 
  • familiar-pewter-night.glitch[.]me 
  • regular-classic-spade.glitch[.]me 
  • trusting-impossible-koi.glitch[.]me 
  • harmless-utopian-sodalite.glitch[.]me 

Hashes of HTML phishing pages (SHA-256)

  • 2049afb27b7d71b311ef83205ec8c1397ed9b705b4f84517471cc41c8c1f29d1 
  • 8a1cecaf7c6df616fae15dca013cea78d209f0e813b9aa75964de1f813d614e0 
  • 7e5a3bb0cff67b2c1ff50544f956a903a6ff364c006033c0887d17019875040e 
  • B1145accfe9485052186f5db3507a3ebd8796b8246bee3990711dc2381c703b4 
  • 7bfccbc16df79c1b837b764bb19f15400b9be80f0d3d88130dbeba1e1965c5ae 
  • 2969a13ecc2540287fe0f2971bc523c5668781944e5daad34d23e1291a3e67f3 
  • A2346c9d602323359f99007eac73bc3bf4d62d0fed1af2e3e20e9a7d74cbf190 
  • Faefef284cd76c17ecb747ed2c5a443e0b0653af29de972b62cea14f7c54edd2 
  • F31113f3167e1d62f1908bf366892576cd521e0122a76d5f79eefaa9764e5d04 
  • a5ca3ceebe83e4049ed5affc3403ddc2030ba0fad80392895df2f50711ad54ce 

Telegram Exfil Bot Tokens | chatID pairs

  • 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE | 6475928726 
  • 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 
  • 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E | 6475928726 
  • 5305890750:AAHJnWdIMel23kaV_UWs9eha5IgXppE-b58 | 5308217415 
  • 6875925240:AAG5htB1kiH-G8fYV4kzBs-GWOE0Q784oxM | 6978226203 
  • 6913021003:AAFMWDSrZSLOxX34nOVRXmoOA8SUTMXiOgg | 5668726693 
  • 6848015467:AAHTt8TTTYFKRX6B5euTg47sZF8j6q01oxQ | 1270872185 
     

The post How Adversary Telegram Bots Help to Reveal Threats: Case Study  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More