Silent Push uses content similarity scanning to map out Telegram phishing campaign targeting Eastern Europe and Central Asia

Telegram phishing

CyberHUB-AM, an Armenian cyber security organization supporting regional NGO’s and journalists, recently published research about a Telegram phishing campaign conducted throughout 2023 and 2024.

Silent Push Threat Analysts have used this information to identify and monitor phishing infrastructure targeting Armenian and Uzbekistani Telegram users, including live phishing domains and portal spoofing infrastructure.

Delivery Method

The attack chain begins with an Armenian Telegram message asking the user to cast a vote for the sender in a contest they claim to be participating in, and asking them to follow a link.

The link appears to resolve to the non-existent URL daxcearm[.]wve (there is no .wve top-level domain), but actually uses the cutt[.]ly URL shortener to send the user to a final malicious URL – https://dolbaebshesp[.]in/.

The final URL hosts a Telegram phishing page in the Uzbek language. 2023 phishing kits previously reported on by CyberHUB-AM used Armenian.

This recent campaign could indicate a unique threat actor, or an updated campaign using the wrong language on the landing page. Although it is unclear why a message in Armenian would link to an Uzbek phishing page, these kinds of mistakes are fairly commonplace in regional cybercrime.

Tracking the Telegram phishing pages

Threat actors deploy their infrastructure to a set of definable (and searchable) parameters.

Our analysts were able to isolate the phishing infrastructure involved in the campaign using proprietary fingerprinting that maps out malicious domains, using a combination of content similarity checks, and the Silent Push Live Scan feature.

Using these methods, we discovered 26 phishing domains, three of which are still live at the point of investigation: uzgolos[.]shop, uzvvots[.]shop, and vote-uzbekistan48[.]top.

Screenshot of vote-uzbekistan48[.]top using the Silent Push 'Live Scan' screenshot feature.
Screenshot of vote-uzbekistan48[.]top using Silent Push Live Scan

We confirmed the domains were actively phishing for Telegram login codes by accessing the URL in a browser, entering a phone number linked to a Telegram account, after which a code was sent to that account:

Telegram phishing message showing fake login code for user.
Telegram login code message

Though the three live URLs, and other domain names in the campaign, suggest that Uzbekistan is the geographic region that’s being targeted, we also discovered older URLs from August and September 2023 that can be reasonably linked to the same campaign.

These domain names, including tajikistan-vote[.]site, arm-vote[.]space, and ukr-vote[.]site, and the likely related http://uz-golos[.]shop/, suggest active targeting of other countries too.

Here’s a list of the domains involved:

  • amnezisep[.]org
  • animraov[.]cc
  • beriishovoz[.]space
  • berishovoz[.]pw
  • dismashep[.]in
  • dolbaebshesp[.]in
  • dubproduction[.]org
  • hilupfoxs[.]ru
  • ihavdick[.]lol
  • losntinster[.]lol
  • mudkoskonkine[.]in
  • osding-mosting[.]in
  • ovber[.]pro
  • ovoz-berish[.]co
  • ovozberishuz[.]space
  • ovoziberish[.]lol
  • rahmatgolos[.]cc
  • sudoko-inline[.]org
  • tables-mite[.]info
  • uzbek1voits3[.]lol
  • uzbgolos[.]co
  • uzgolos[.]shop
  • uzsimkarta[.]space
  • uzvvots[.]shop
  • vinorozoavos[.]in
  • vote-uzbekistan48[.]top

Telegram phishing mitigation with Silent Push

The domains that are currently live have been added to a threat feed that is available to Silent Push Enterprise users – Phishing – Telegram Phishing Targeting Eastern Europe and Central Asia.

New domains that match the signature will be automatically added to the feed.

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’ that we used to track the phishing campaign in this blog.

Click here to sign-up for a free Community Edition account.