Phishing Campaigns Leveraging Pre-Filled Login Pages and Telegram for Credential Theft
Researchers have identified sophisticated phishing campaigns targeting users of major web hosting and email services, employing advanced techniques to steal credentials and payment information. In one case, customers of Aruba S.p.A., a leading Italian web hosting provider, were targeted with phishing emails that mimicked official notifications about expiring services or failed payments. Victims were directed to fake login and payment pages, where their email addresses were pre-filled to enhance credibility. The phishing kit used in this campaign incorporated CAPTCHA filtering to evade detection and utilized Telegram bots for real-time exfiltration of stolen credentials and credit card details.
A parallel campaign has been observed where users receive fake spam filter alerts, claiming that important emails have been blocked due to a supposed system upgrade. These emails, appearing to originate from the recipient's own domain, prompt users to log in via a link to a spoofed webmail page, again with pre-filled email addresses. The phishing sites employ tactics such as repeated invalid login prompts to harvest passwords and use obfuscated code and websockets for instant credential theft. In both campaigns, Telegram is used as the primary channel for attackers to receive stolen data, highlighting a trend in the use of messaging platforms for cybercriminal coordination and data exfiltration.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Technical details published on Aruba-themed phishing kit
Reporting revealed that the phishing kit used advanced evasion and automation features, including CAPTCHA filtering, pre-filled victim data, and real-time exfiltration through Telegram bots. The kit was also described as being offered as a service to other cybercriminals, with Telegram used for both coordination and data theft.
Group-IB uncovers phishing campaign targeting Aruba customers
Researchers discovered a large-scale phishing operation aimed at customers of Aruba S.p.A., using fake Aruba login and payment pages to steal account credentials and credit card data. The campaign used lures about expiring services or failed payments and had not been attributed to a specific threat actor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Automated Phishing Kit Impersonates Aruba S.p.A. for Credential and Payment Theft
Researchers have identified a sophisticated phishing kit that impersonates the Italian IT and web services provider *Aruba S.p.A.* to steal user credentials and credit card information. The kit is designed to mimic the official Aruba webmail login portal, using spear-phishing emails that create a sense of urgency—such as warnings about expiring services or failed payments—to lure victims into entering their credentials. The phishing infrastructure is fully automated, employing features like CAPTCHA filtering to evade security scans, pre-filled victim data to increase credibility, and Telegram bots for exfiltrating stolen information. This campaign exemplifies the growing trend of phishing-as-a-service, where attackers leverage industrialized, automated platforms to conduct large-scale credential theft with minimal technical skill. The kit's architecture and use of Telegram for data exfiltration highlight how phishing operations are increasingly mirroring legitimate SaaS business models, enabling sustained and efficient attacks against a wide range of targets, particularly those using Aruba's services.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection
Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure. A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts. These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
Mar 21, 2026
Phishing Attacks Leveraging Cloudflare Pages and Modern Phishing Kits
Threat actors are increasingly abusing free web hosting services such as Cloudflare Pages to host phishing portals that impersonate banking, insurance, and healthcare organizations. These phishing sites are designed to harvest sensitive information including credentials, security questions, and multifactor authentication codes. Attackers benefit from the speed, scale, and resilience provided by free hosting, as well as the use of mainstream messaging platforms like Telegram for exfiltration, making detection and takedown efforts more challenging for defenders. Modern phishing kits have evolved into sophisticated platforms that enable even low-skilled threat actors to deploy convincing credential-harvesting sites rapidly. These kits often include features such as admin panels, real-time credential delivery, proxy capabilities for MFA bypass, and antibot systems to evade security researchers. The accessibility and advanced capabilities of these kits, combined with the use of free hosting and messaging services, have significantly lowered the barrier to entry for large-scale phishing campaigns targeting organizations and individuals alike.
Mar 21, 2026