Scammers created thousands of fake websites mimicking Telegram

A large phishing campaign targeting Telegram users has been detected.

The threat actors created thousands of websites mimicking Telegram.

At the time of writing, thousands of users are affected.

The impact includes theft of personal data (PII), financial loss and follow-on abuse of the stolen data.

Most of the phishing domains are hosted on CLOUDFLARENET (Cloudflare's network).

Cloudflare offers free features such as a fast DNS resolver, a content delivery network (CDN) and free TLS certificates, which makes the service an attractive choice for threat actors. The phishing pages pose as a Telegram sign-up form: the victim is asked to enter PII as a newly registered user. Once submitted, the data is sent to the attacker-controlled server and stored.

The certificates on the domains were issued either by Google Trust Services (WE1) or by Cloudflare, Inc. (Cloudflare TLS Issuing ECC CA 1), with validity periods falling between 2025-03-20 and 2025-06-18, which suggests the phishing domains may remain active longer than is typical. Note that both issuers hand out short-lived certificates automatically, so a valid certificate and a padlock icon are no indicator that a site is legitimate.

Taking down the domains is the most effective way to protect users.

Some of the phishing domains:

elegeqwt[.]kim

telegmvev[.]lat

telegtrwe[.]kim

telegcmzb[.]hair

telegzmcb[.]lat

telegzcmz[.]hair

telegqtre[.]monster

telegzmbc[.]icu

telegbzmc[.]lat

telegmexv[.]icu

telegwrte[.]monster

telegwret[.]monster

telegrrm[.]fans

telegwrqt[.]monster

telegqtre[.]ren

telegjhgk[.]cam

telegrwtq[.]ren

Recommendations:

The domains should be reported for takedown.

Block the domains if they appear in your environment (DNS, proxy and mail logs).

If a user clicked on any of the domains, reset that user's password.

For those who use Telegram, enable two-step verification (2FA) in Telegram.

Set up and enforce a password policy.

If a user entered financial information such as a bank account number, contact the bank and change the details as soon as possible.

Scan the host to ensure that no malicious payload was downloaded.
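To act on the indicator list above and on the recommendation to block the domains if they show up in your environment, here is an added example (not code from the original post) that matches DNS and proxy log lines against the listed domains, catches subdomains of them, and flags other teleg* lookalikes, with a stronger score when the TLD is one seen in this campaign. The key=value log format, the allowlist of legitimate Telegram domains and the sample log lines are assumptions constructed for the example; the heuristic "lookalike" hits are for analyst review, not automatic blocking.

```python
"""Match DNS / proxy log lines against the Telegram-phishing indicators above.

Added example, not code from the original post. The log format, the
allowlist of legitimate Telegram domains and the sample log lines are
constructed for the example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators as listed in the post (defanged with [.]).
IOC_DOMAINS = [
    "elegeqwt[.]kim", "telegmvev[.]lat", "telegtrwe[.]kim", "telegcmzb[.]hair",
    "telegzmcb[.]lat", "telegzcmz[.]hair", "telegqtre[.]monster", "telegzmbc[.]icu",
    "telegbzmc[.]lat", "telegmexv[.]icu", "telegwrte[.]monster", "telegwret[.]monster",
    "telegrrm[.]fans", "telegwrqt[.]monster", "telegqtre[.]ren", "telegjhgk[.]cam",
    "telegrwtq[.]ren",
]

# Assumed allowlist of domains Telegram itself uses; verify before deployment.
LEGIT_TELEGRAM = frozenset({"telegram.org", "telegram.me", "t.me"})
BRAND_PREFIX = "teleg"  # the campaign's naming pattern: "teleg" + a few random letters


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'teleg[.]lat' back into a real hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


IOC_SET = frozenset(refang(d) for d in IOC_DOMAINS)
# TLDs observed in the campaign; used only as a weak secondary signal.
CAMPAIGN_TLDS = frozenset(d.rsplit(".", 1)[1] for d in IOC_SET)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Sufficient for the single-label TLDs in this
    campaign; use the Public Suffix List if you must handle suffixes like co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(host: str) -> Optional[str]:
    """Return a reason to flag the host, or None if it looks benign."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if host in LEGIT_TELEGRAM or reg in LEGIT_TELEGRAM:
        return None
    # Exact match on the hostname or on its registrable domain (catches subdomains).
    if host in IOC_SET or reg in IOC_SET:
        return "ioc-match"
    # Heuristic for domains not yet on the list: same brand prefix as the campaign.
    label, _, tld = reg.partition(".")
    if label.startswith(BRAND_PREFIX):
        return "lookalike-campaign-tld" if tld in CAMPAIGN_TLDS else "lookalike"
    return None


# Constructed log format: key=value fields; a DNS line carries qname=, a proxy line url=.
FIELD_RE = re.compile(r"\b(?:qname|url)=(\S+)")


def host_from_field(value: str) -> str:
    """Extract the hostname from either a bare qname or a full URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower()


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, host, reason) for every flagged line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = FIELD_RE.search(line)
        if not match:
            continue
        host = host_from_field(match.group(1))
        reason = classify(host)
        if reason:
            findings.append((lineno, host, reason))
    return findings


def hosts_blocklist() -> List[str]:
    """hosts-file style sinkhole entries for the listed indicators."""
    return sorted(f"0.0.0.0 {d}" for d in IOC_SET)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-04-02T10:15:31Z src=10.0.0.5 qname=telegmvev.lat qtype=A",
    "2025-04-02T10:15:33Z src=10.0.0.5 url=https://telegmvev.lat/signup?ref=1 status=200",
    "2025-04-02T10:16:02Z src=10.0.0.7 qname=web.telegram.org qtype=A",
    "2025-04-02T10:17:45Z src=10.0.0.9 qname=telegxxyz.monster qtype=A",
    "2025-04-02T10:18:10Z src=10.0.0.9 qname=elegeqwt.kim qtype=A",
    "2025-04-02T10:18:40Z src=10.0.0.3 qname=login.telegtrwe.kim qtype=A",
    "2025-04-02T10:19:00Z src=10.0.0.2 qname=telegraphcafe.example qtype=A",
    "2025-04-02T10:20:00Z src=10.0.0.2 heartbeat",
]

if __name__ == "__main__":
    for lineno, host, reason in scan_logs(SAMPLE_LOG):
        print(f"line {lineno}: {host} ({reason})")
```

Two points worth noticing in the sample run: elegeqwt[.]kim does not start with "teleg", so only the exact indicator match catches it, which is why the published list still matters alongside the heuristic; and the constructed telegraphcafe.example line is flagged as a plain "lookalike" although it is not part of the campaign, so treat heuristic hits as leads for review and feed confirmed ones back into the indicator list (and into the hosts-style blocklist that hosts_blocklist() produces).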