Researchers at Group-IB have uncovered a sophisticated phishing framework that demonstrates how cybercriminals are industrializing credential theft through automation, evasion techniques, and Telegram-based data exfiltration.
The kit explicitly targets Aruba S.p.A., an Italian IT services provider serving over 5.4 million customers, highlighting the significant financial and operational risks posed by modern phishing-as-a-service operations.
The analyzed phishing kit goes beyond traditional cloned web pages; it is a fully automated, multi-stage platform engineered for efficiency and stealth.
What makes this framework particularly concerning is its layered approach to evading security detection while maximizing credential harvesting.
Rather than deploying a single malicious page, the kit operates as a complete application with specialized templates for each attack phase, demonstrating the level of sophistication now common in underground phishing ecosystems.
The kit begins with a CAPTCHA challenge designed to filter out security bots and automated scanners, ensuring that phishing pages are delivered exclusively to human targets.
This anti-bot gateway represents a deliberate strategy to bypass traditional security monitoring, making detection significantly more challenging for defensive teams.
The Four-Stage Attack Process
The attack sequence unfolds systematically across four distinct stages. First, after passing the CAPTCHA gate, victims encounter a high-fidelity replica of the Aruba.it customer login portal, where credentials are harvested.
The kit employs a particularly effective social engineering technique: pre-filling victim email addresses into login URLs, creating a false sense of legitimacy that significantly increases the likelihood of successful credential submission.
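The pre-filled address is a useful detection signal for defenders: a login URL that carries the recipient's own e-mail address but points at a host outside the impersonated brand's domain is a strong phishing indicator. The following check, an added example that is not part of the Group-IB report or the kit, scans URLs for such pre-filled addresses in the query string, fragment or last path segment. The allowlist (aruba.it and its subdomains) and the sample URLs are constructed assumptions for illustration.

```python
"""Flag URLs that carry a pre-filled e-mail address on a host that is not the
brand's legitimate domain.  Added example (not from the Group-IB report);
the allowlist and the sample URLs below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: aruba.it and its subdomains are the only legitimate login hosts.
LEGIT_SUFFIXES = ("aruba.it",)

# Loose e-mail shape: local part, "@", domain with a TLD of 2+ letters.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[a-z]{2,}$", re.I)


def _is_legit_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def prefilled_email(url: str):
    """Return the e-mail address pre-filled in the URL's query, fragment or
    last path segment, or None if there is none."""
    parts = urlsplit(url)
    # Query parameters such as ?email=... or ?user=... (parse_qs already
    # percent-decodes values; unquote is harmless on decoded text).
    for values in parse_qs(parts.query, keep_blank_values=False).values():
        for v in values:
            if EMAIL_RE.match(unquote(v)):
                return unquote(v)
    # Some kits carry the address in the fragment (#user@example.com) or in
    # the final path segment instead of a query parameter.
    for candidate in (parts.fragment, parts.path.rsplit("/", 1)[-1]):
        if candidate and EMAIL_RE.match(unquote(candidate)):
            return unquote(candidate)
    return None


def classify_url(url: str) -> str:
    """'legit' for the brand's own hosts, 'suspicious' when a pre-filled
    address appears on any other host, 'neutral' otherwise."""
    host = urlsplit(url).hostname or ""
    if _is_legit_host(host):
        return "legit"
    return "suspicious" if prefilled_email(url) else "neutral"


def scan(urls):
    """Classify a batch of URLs; returns {url: verdict}."""
    return {u: classify_url(u) for u in urls}


# Constructed sample URLs (not real indicators from the report).
SAMPLE_URLS = [
    "https://login.aruba.it/?email=mario.rossi%40example.com",
    "https://aruba-it-verify.example/login.php?user=mario.rossi%40example.com",
    "https://aruba-it-verify.example/login.php#mario.rossi@example.com",
    "https://cdn.example/static/app.js",
]

if __name__ == "__main__":
    for u, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:10s} {u}")
```

In a mail gateway or URL-rewriting proxy this check would run over every link in an inbound message; the host allowlist is the part to maintain per protected brand, and the pre-fill heuristic needs no kit-specific indicators.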
Following credential capture, victims are presented with a fake payment page requesting a small, plausible fee (approximately €4.37) under the guise of service renewal or validation. This psychological tactic extracts full credit card information, including the cardholder name, card number, expiration date, and CVV code.
The final stage involves a fake 3D Secure or one-time password verification page that captures the OTP sent by the victim’s bank.
This information grants attackers everything necessary to authorize fraudulent transactions in real time, with victims remaining largely unaware of the complete data compromise. The victim is then redirected to a loading screen before landing on the legitimate Aruba.it website, minimizing suspicion.
Telegram as Command and Control
Telegram serves as the operational backbone for this criminal infrastructure, functioning simultaneously as a distribution channel, community forum, and data exfiltration endpoint.
The kit’s architecture includes multiple Telegram bots configured to receive stolen credentials and payment information instantly. This approach proves significantly stealthier than traditional infrastructure, as messaging traffic blends seamlessly with ordinary platform activity.
Group-IB analysts identified dual exfiltration channels hardcoded into the kit, with a backup system ensuring data reaches attackers even if primary channels fail.
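For defenders, a web server that posts to the Telegram Bot API is the observable side of this exfiltration design: the Bot API is reached at https://api.telegram.org/bot<id>:<token>/<method>, so egress logs from hosting infrastructure can be checked for that pattern, and a single host talking to two different bots matches the primary-plus-backup channel layout described above. The detector below is an added example written for this article, not code from Group-IB or from the kit; the egress log format, host names, bot ids and tokens are constructed placeholders.

```python
"""Detect web-server egress to the Telegram Bot API (the exfiltration path
described for this kit).  Added example, not code from Group-IB or the kit;
the log format and the sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>.
# <id> is the numeric bot id; <secret> is the token, which we never report.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that carry data out; getMe/getUpdates are setup or polling calls.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed egress log format: "<timestamp> <source_host> <method> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url}


def telegram_hit(event):
    """Return (bot_id, api_method) if the event is a Bot API call, else None."""
    parts = urlsplit(event["url"])
    if (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()
    return bot_id, api_method


def analyze(lines):
    """Group Bot API calls by source host and report hosts that send data.
    A host posting to two or more distinct bots is flagged as dual_channel,
    consistent with a primary plus backup exfiltration channel."""
    per_src = defaultdict(lambda: {"bots": set(), "exfil_calls": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hit = telegram_hit(ev)
        if hit is None:
            continue
        bot_id, api_method = hit
        rec = per_src[ev["src"]]
        rec["bots"].add(bot_id)
        if api_method in EXFIL_METHODS:
            rec["exfil_calls"] += 1
    findings = []
    for src, rec in per_src.items():
        if rec["exfil_calls"] == 0:
            continue
        findings.append({
            "src": src,
            "bot_ids": sorted(rec["bots"]),
            "exfil_calls": rec["exfil_calls"],
            "dual_channel": len(rec["bots"]) >= 2,
        })
    return findings


# Constructed sample lines; host names, bot ids and tokens are placeholders.
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z web-01 POST https://api.telegram.org/bot1111111111:PLACEHOLDERTOKENAAAA/sendMessage",
    "2025-01-01T10:00:02Z web-01 POST https://api.telegram.org/bot2222222222:PLACEHOLDERTOKENBBBB/sendMessage",
    "2025-01-01T10:00:03Z web-02 GET https://api.telegram.org/bot3333333333:PLACEHOLDERTOKENCCCC/getMe",
    "2025-01-01T10:00:04Z web-03 GET https://cdn.example/static/logo.png",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Hosting providers and blue teams can apply the same logic to proxy or NetFlow-with-URL data; since legitimate web applications rarely need to call the Bot API from a customer-facing web server, any hit is worth triage, and two bot ids from one host is the stronger signal.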
Additionally, the researchers documented Telegram communities dedicated to kit distribution, sales, and technical support functioning as fully operational cybercriminal software-as-a-service ecosystems.
The emergence of phishing-as-a-service represents a critical evolution in cybercriminal operations. These pre-built frameworks drastically reduce technical barriers to entry, enabling less sophisticated actors to launch convincing campaigns at scale.
The automation observed in this particular kit demonstrates how phishing has transformed from isolated scams into a systematized supply chain.
This industrialization demands a fundamental shift in defensive strategies. Organizations can no longer treat phishing as isolated incidents but must recognize them as components of an agile, market-driven ecosystem designed for rapid deployment and continuous innovation. Intelligence-driven, collaborative defense measures are essential for countering this evolving threat landscape.