A Telegram Bot Told Iranian Hackers When They Got a Hit

DMCA / Correction Notice
- Advertisement -

when iranian Hacking group APT35 wants to know if any of its digital lures have bitten, all he has to do is check Telegram. Whenever a person visits one of the copycat sites they have set up, a notification appears in a public channel on the messaging service, with details of the potential victim’s IP address, location, device, browser, and more. details occur. This is not a push notification; This is a fish notification.

- Advertisement -

Google’s Threat Analysis Group as outlined The novel technology as part of a broader look at the APT35, also known as Charming Kittens, is a state-sponsored group that has spent the past several years trying to get high-priced funds to click on the wrong links and cough up their credentials. Tried to achieve the target. And while APT35 isn’t the most successful or sophisticated threat on the international stage—it’s the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle. can pay dividends.

The group uses a variety of methods to try to get people to look for their phishing pages for the first time. Google outlined some of the scenarios it’s seen recently: the compromise of a UK university website, a fake VPN app that briefly broke into the Google Play Store, and phishing emails in which hackers pretend to be the organizers of real conferences, And try to trap their traces through malicious PDFs, Dropbox links, websites, and more.


In the case of a university website, hackers direct potential victims to a hacked page, which encourages them to log in with the service provider of their choice to watch webinars—from Gmail to Facebook to AOL. Everything is on offer. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s such an old technology that it’s got a mustache; APT35 has been running it since 2017 to target people in government, education, national security and other areas.

- Advertisement -

Phishing page hosted on a compromised website.

Courtesy of Google Tags

The fake VPN isn’t particularly innovative, and Google says it booted the app from its store before anyone managed to download it. If someone did fall for this trick, though — or installed it on another platform where it’s still available — spyware could steal call logs, texts, location data, and contacts.

Frankly, the APT35s aren’t exactly high achievers. While he reassured officials at the Munich Security Conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “It’s a very prolific group that has a broad goal set, but that broad goal set is not representative of the level of success actors have,” says Ajax Bash, security engineer at Google TAG. “Their success rates are really very high. is less.”

However, there is a mention of this new use of Telegram. APT35 embeds JavaScript in its phishing pages which is designed to notify them every time the page is loaded; It manages those notifications through a bot it creates with the Telegram API sendMessage function. The setup gives attackers instant information not only about whether they successfully got someone to click on the wrong link, but where that person is, what device they’re on, and a wealth of other useful information. “In the context of phishing, they can see if the target user has clicked on the link, or if the page being analyzed Google Safe BrowsingBash says. “

Public Telegram channel used for attacker information.

Google Tags. courtesy of

The charming feline didn’t limit itself to classy conference pages, according to security firm Mandient, which also saw the use of Telegram in July. “The actors created an adult content website and malicious webpage in the form of a free audio/video calling and instant messenger software,” wrote Mandient Associate Analyst Emil Heghebert and Senior Principal Analyst Sarah Jones in an emailed comment. Back to the page and the visitor sent information to a Telegram channel that we suspect threatened actors to be monitored.”

Hackers have abused Telegram in the past; In April, security firm Check Point met That the platform was being used as part of a command and control infrastructure for malware called ToxicEye. And the company has done much to make up for its failure to keep extremists and fraudsters away from its channels. But while Telegram bots’ use of the APT35 as a notification service is less extreme than those abuses, it’s also much harder to detect consistently.

“The content in question is random messages that do not contain visible signs of abuse,” says Telegram spokesman Mike Ravdonikas. “They can be anything, for example some programmers debugging their code.” Telegram says it removed all bots and channels as soon as Google reported them, as well as “similar public channels and bots that we were able to identify thanks to the report,” says Ravdonikas. But unless you can connect to an active phishing campaign with a list of IP addresses and so on, he says, you can’t say with certainty that the bots broadcasting them have malicious intent.

The good news is that the APT35 probably isn’t going to follow you, unless you work in an industry with sensitive information. Its new twist on phishing alerts, however, could give criminal hackers copying it another edge in a fight that is already unfair.

  • The latest on tech, science and more: Receive our newsletter!
  • Rain Boots, Turning Tide, and the Search for a Missing Boy
  • Astronomers prepare to probe Europa’s ocean for life
  • Clearview AI has new tools to identify you in photos
  • Dragon Age And why it sucks to play cult favorites
  • How a Google Geofence Warrant Helped Catch DC Rioters
  • ️ Explore AI like never before with our new database
  • Wired Games: Get the Latest Tips, Reviews, and More
  • Torn among the latest phones? Never fear – check us out iPhone Buying Guide And favorite android phone


- Advertisement -

Stay on top - Get the daily news in your inbox

Recent Articles

Related Stories