An Overview of Malicious Activities in Q1; Telegram Bots in Spotlight

Key observations 

• The volume of malicious email campaigns abusing Telegram bots observed in the first three months of 2023 exceeded the entire volume of attacks in 2022 by 310%. 
• The volume of credential phishing attacks also increased significantly by 527%, which is an increase of 40% when compared to the same period last year.
• During Q1 2023, threat actors were also observed experimenting with a variety of delivery mechanisms, including OneNote attachments, to disseminate malware to target systems. However, in many cases, the zip file remained a popular attack vector to deliver malware and phishing resources.
• Additionally, YouTube was listed in the top 10 domains being used by threat actors to launch redirect phishing attacks.

What makes Telegram bots a suitable attack vector?

• The utilization of Telegram bots to exfiltrate sensitive information from targets has overall increased by 800%, between 2021 and 2022.
• These bots have become a popular choice for threat actors since they are easy to set up in private group chats and are compatible with a wide range of programming languages.
• They can, furthermore, be integrated into malicious mediums such as malware or credential phishing kits.  

Prevalent malware

• AgentTesla keylogger was used in a significant number(38%) of phishing attacks throughout January, followed by FormBook and Remcos.
• Besides, QakBot was found in 185% more than Emotet in email phishing campaigns between January and March.

Conclusion