Phishing Scam Uses Big-Name Brands to Steal Logins

A recent investigation by Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated phishing campaign exploiting globally recognized and regional brands to steal user credentials, marking an escalation in adversary tradecraft and reach.

Unlike conventional phishing threats, this operation delivers meticulously crafted HTML attachments, often camouflaged as procurement documents or invoices, directly through email, successfully circumventing many standard security controls.

In this campaign, attackers distribute emails with HTML attachments bearing innocuous filenames, such as RFQ_4460-INQUIRY.HTML.

These files mimic routine business communications like requests for quotation (RFQ) or invoices and urge recipients to “sign in to view” the attached document.

When viewed in a browser (or, in some cases, a compatible PDF viewer), the HTML file displays a blurred invoice background and a login prompt, commonly themed after Adobe or other trusted brands.

Adobe Themed login request with blurred image as background.

Unlike typical phishing lures, the attachment contains no suspicious URLs and depends on no external web hosting. The malicious code is embedded directly within the file and runs a JavaScript credential-capture routine as soon as credentials are entered.

Credential Theft and Exfiltration

On submitting their email and password in the fake login modal, victims trigger a JavaScript routine that collects their credentials, device IP address, and user-agent data.

This harvested data is exfiltrated to attacker-controlled Telegram bots using the Telegram Bot API via HTTP POST requests, a method that bypasses traditional Command and Control (C2) infrastructure and complicates detection by security teams.

Telegram Bot Exfiltration Function.

Two representative malware samples provide insight into the campaign’s technical sophistication:

  • Sample 1: Employs CryptoJS AES encryption, collects credentials, IP, and device info, requires users to re-enter credentials (increasing success rates), uses services like api.ipify.org to confirm the victim’s IP, and redirects to a legitimate Adobe website post-capture.
  • Sample 2: Uses the native Fetch API for credential exfiltration, displays “login invalid” errors to prompt repeated input, and implements anti-forensics by blocking keyboard shortcuts, mouse actions, and browser tools used by analysts.

Both variants reveal a core reliance on Telegram bots for credential delivery, effectively decentralizing the infrastructure and shifting detection challenges to API-based communications.
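The indicators described above (a Telegram Bot API endpoint with an embedded bot token, an api.ipify.org lookup, client-side CryptoJS AES, a blurred background behind a login modal, blocked context menus and F12, and the "sign in to view" lure) lend themselves to static triage of HTML attachments before they reach a mailbox. The following Python script is an added example written for this article; it is not part of the Cyble report or of any tooling it describes. Indicator names, weights, the verdict thresholds and the sample attachment are constructed assumptions, and the bot token in the sample is a placeholder that follows the Telegram `<numeric id>:<secret>` format.

```python
"""Static triage of an HTML e-mail attachment for the indicators described in
the article. Added example; indicator weights and thresholds are assumptions."""
import re
from html.parser import HTMLParser

# Telegram Bot API call with an embedded token: api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,40})")

# name -> (pattern, weight, description); weights are assumptions used only for ordering
INDICATORS = {
    "telegram_bot_api": (TELEGRAM_BOT_RE, 5, "Telegram Bot API endpoint with embedded bot token"),
    "ipify_lookup":     (re.compile(r"api\.ipify\.org"), 2, "Victim public-IP lookup via ipify"),
    "cryptojs_aes":     (re.compile(r"CryptoJS\.AES"), 2, "CryptoJS AES used client-side"),
    "password_field":   (re.compile(r"type\s*=\s*[\"']password[\"']", re.I), 2, "Inline password input"),
    "blur_background":  (re.compile(r"filter\s*:\s*blur\(", re.I), 1, "Blurred document behind a modal"),
    "devtools_block":   (re.compile(r"contextmenu|keyCode\s*===?\s*123|\bF12\b", re.I), 2,
                         "Anti-analysis: blocks context menu / F12"),
    "sign_in_lure":     (re.compile(r"sign\s*in\s*to\s*view", re.I), 1, "'Sign in to view' lure text"),
}


class _Collector(HTMLParser):
    """Collects inline <script> bodies and any absolute URLs in action/href/src attributes."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.external = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        for key in ("action", "href", "src"):
            v = a.get(key)
            if v and v.startswith(("http://", "https://")):
                self.external.append(v)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def triage_html_attachment(html: str) -> dict:
    """Score an attachment and return a structured triage record.

    The bot secret is never echoed back; only the numeric bot id, which is
    useful for pivoting across samples, is reported."""
    collector = _Collector()
    collector.feed(html)
    hits, score = {}, 0
    for name, (pattern, weight, desc) in INDICATORS.items():
        if pattern.search(html):
            hits[name] = desc
            score += weight
    bot_ids = sorted({f"{bot_id}:<redacted>" for bot_id, _secret in TELEGRAM_BOT_RE.findall(html)})
    verdict = "suspicious" if score >= 7 else "review" if score >= 3 else "clean"
    return {
        "score": score,
        "verdict": verdict,
        "indicators": hits,
        "telegram_bot_ids": bot_ids,
        "inline_script_bytes": sum(len(s) for s in collector.scripts),
        "external_urls": collector.external,
    }


# Constructed sample attachment: indicator strings only, not a working phishing page.
SAMPLE_ATTACHMENT = """<html><head><style>
body { background: url(invoice.png); filter: blur(6px); }
</style></head><body>
<div class="modal"><h2>Adobe Document Cloud</h2><p>Sign in to view RFQ_4460-INQUIRY</p>
<form id="f"><input name="email"><input name="pw" type="password"></form></div>
<script>
document.addEventListener('contextmenu', e => e.preventDefault());
const endpoint = 'https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage';
fetch('https://api.ipify.org?format=json');
CryptoJS.AES.encrypt('placeholder', 'placeholder');
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT))
```

Because the capture logic in this campaign is entirely inline, `external_urls` stays empty for the sample while `inline_script_bytes` is non-zero; a gateway rule that only inspects links would see nothing, which is why the script matches on the JavaScript body itself.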

Attackers tactically impersonate a spectrum of global and regional brands to maximize the reach and believability of the phishing campaign. High-profile brands such as Adobe, Microsoft, WeTransfer, DocuSign, FedEx, DHL, Telekom Deutschland, and Roundcube have all been impersonated. Templates and branding are customized based on the target region and industry, with frequent use of blurred backgrounds and modals to reinforce authenticity.

Global Technology Themed Brands.

The campaign is particularly active across Central and Eastern Europe, including the Czech Republic, Slovakia, Hungary, and Germany. Targeted industries are broad, spanning agriculture, automotive, construction, media, government, retail, manufacturing, and IT, sectors where procurement-related emails and document workflows are routine.

Modular and Scalable Threat

Analysis of the threat infrastructure exposed multiple Telegram bots, indicating that several distinct threat actors are involved.

The attackers’ modular toolkit enables rapid brand-switching and language localization, further complicating detection. Infrastructure reuse is common, as are recurring bot tokens across themed variants.

Campaign evolution is marked by advancing obfuscation (including AES encryption), enhanced anti-analysis features (blocking forensic tools), polished UI, and expanded language support. Some samples execute exfiltration only if real credentials are entered, allowing the malware to evade detection in sandboxes.

Security teams are urged to block HTML attachments at the email gateway, restrict access to the Telegram API, and retroactively review user activity for signs of compromise.
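Restricting the Telegram API at the egress proxy and reviewing past activity go together: once the block is in place, the proxy log records every attempt, and the sequence the report describes (a workstation looking up its own public IP at api.ipify.org and then POSTing to api.telegram.org/bot...) is a usable hunt pattern. The following Python script is an added example written for this article, not tooling from the report; the log format, host names, timestamps and the 120-second correlation window are constructed assumptions, and the bot tokens in the sample lines are placeholders.

```python
"""Retrospective hunt over web-proxy logs for the exfiltration pattern in the
article: an IP-echo lookup followed by a POST to the Telegram Bot API from the
same host. Added example; log format and correlation window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 time> <source host> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d{3})$")
# Capture the numeric bot id and API method; the secret part of the token is not captured
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
IP_LOOKUP_HOSTS = ("api.ipify.org",)  # assumption: extend with other IP-echo services seen in your estate

# Constructed sample log: one host shows the full pattern, one hits ipify alone,
# one has its Telegram POST blocked (403) by an egress rule.
SAMPLE_PROXY_LOG = """\
2025-06-03T09:14:02Z ws-finance-07 GET https://www.adobe.com/ 200
2025-06-03T09:14:21Z ws-finance-07 GET https://api.ipify.org/?format=json 200
2025-06-03T09:14:23Z ws-finance-07 POST https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 200
2025-06-03T09:14:24Z ws-finance-07 GET https://www.adobe.com/acrobat.html 200
2025-06-03T10:02:10Z ws-dev-03 GET https://api.ipify.org/ 200
2025-06-03T11:30:00Z ws-hr-02 GET https://web.telegram.org/ 200
2025-06-03T11:30:05Z ws-hr-02 POST https://api.telegram.org/bot987654321:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendDocument 403
"""


def parse_log(text: str) -> list:
    """Parse proxy lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url, status = m.groups()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "method": method, "url": url, "status": int(status),
        })
    return records


def hunt_telegram_exfil(records: list, window: timedelta = timedelta(seconds=120)) -> list:
    """Return one finding per Telegram Bot API request, enriched with whether the
    same host performed an IP-echo lookup shortly before and whether egress
    filtering blocked the request."""
    ip_lookups = defaultdict(list)
    for r in records:
        if any(h in r["url"] for h in IP_LOOKUP_HOSTS):
            ip_lookups[r["host"]].append(r["time"])

    findings = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        m = TELEGRAM_BOT_RE.search(r["url"])
        if not m:
            continue
        bot_id, api_method = m.groups()
        preceded = any(0 <= (r["time"] - t).total_seconds() <= window.total_seconds()
                       for t in ip_lookups[r["host"]])
        blocked = r["status"] >= 400
        findings.append({
            "time": r["time"].isoformat(),
            "host": r["host"],
            "bot_id": bot_id,            # safe to share for pivoting; the secret is never logged
            "api_method": api_method,
            "ip_lookup_before": preceded,
            "blocked": blocked,
            "severity": "high" if preceded and not blocked else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_telegram_exfil(parse_log(SAMPLE_PROXY_LOG)):
        print(f)
```

A blocked (403) request is still a finding: the egress rule worked, but the attachment executed on that host and the user most likely typed credentials into it, so the account should be reset and the session reviewed regardless. An ipify lookup on its own (ws-dev-03 in the sample) is not reported, since IP-echo services have legitimate uses; it only raises severity when paired with a Telegram Bot API request from the same host.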

This campaign, leveraging a blend of trusted brand impersonation and novel technical controls, represents a scalable and ongoing threat to organizations worldwide.

Organizations must remain proactive, continuously updating technical defenses and educating employees about these evolving phishing tactics. As adversaries develop more sophisticated strategies, thorough email vetting, user training, and threat intelligence integration become critical pillars for effective mitigation.
