Over the past few months, I've been tracking a sophisticated Telegram phishing campaign orchestrated by Iran's Islamic Revolutionary Guard Corps. These attacks specifically target human rights activists and journalists, attempting to compromise their Telegram accounts.
What makes this campaign particularly alarming is its technical sophistication. Unlike typical phishing attempts, this operation perfectly replicates Telegram's authentication flow, making it challenging even for security-conscious users to detect.
The attack begins when targets receive what appears to be a legitimate security alert from Telegram. The phishing kit then executes a precise sequence of steps:
Initially, users face a login page that automatically detects and fills in their country code based on their IP address - a clever trick that adds legitimacy to the fake page. After entering their phone number, the core part of the attack begins:
The attackers submit the phone number to Telegram's real authentication system, so victims receive a genuine Telegram login code on their other devices.
This is where it gets dangerous. Since the verification code comes from Telegram itself, even cautious users might fall for this trap. For accounts protected by Two-Step Verification, the attackers have implemented another cunning trick: they display the actual password hint from the victim's account, making their fake password entry screen nearly identical to Telegram's legitimate one.
In the final stage, the phishers employ advanced social engineering tactics. They show users that someone is accessing their account and, using a 30-second countdown timer, force them to make a quick decision. Users are presented with two options: "Yes, it's me" or "No, it's not me." This technique creates stress and urgency, increasing the likelihood of clicking the "Yes" option.
The https://TelegramAware.com website provides comprehensive technical documentation of these phishing attacks, including indicators of compromise (IoCs) such as suspicious domains and addresses. This website offers essential information for both security researchers and regular users. Its purpose is to raise awareness about the complexity of state-sponsored phishing attacks and to help identify and counter them.
What's particularly concerning about this campaign is how it demonstrates the evolution of state-sponsored phishing operations. We're no longer dealing with simple phishing attempts, but rather with attacks that integrate legitimate authentication flows into their deception strategy.
For Iranians abroad and activists inside Iran, the message is clear: even when you receive seemingly legitimate verification codes from Telegram, be extremely careful about where you enter them. Most importantly, never enter your Telegram cloud password on any website.
Stay safe online.