Phishing attack against Armenian users of Telegram using Post Bot

phishing, Telegram

July 10, 2023

Thousands of Armenian users of the Telegram application were subjected to a phishing attack today. Below are the details of the attack.

The attack starts when one of your contacts sends a message as in the screenshot below:

Armenia -- Screenshot of a phishing attack using Post Bot, Yerevan, 10Jul2023

This usually means that your contact has already been attacked and their account has been compromised. The message isn’t actually from your friend, but from an advertising bot called Post Bot.

Armenia -- Screenshot of Post Bot, used to spread a phishing attack among Armenian users of Telegram, Yerevan, 10Jul2023

The text of the message is simple: “please vote for me” and some link, for example, like this hxxps[://]th[.]link/4U8po, or like this hxxps[://]th[.]link/4U7ZK (links were defanged).

When generating the link, a Russian link shortening service was used:, which is branded with the Russian marketing agency. Although the service does not pose any threat itself, a number of anti-virus vendors mark it as phishing, which may mean that unscrupulous users are abusing it to generate phishing links.

Once opened, these links take the user to phishing addresses on the or domains. Both domains (the number of them may increase) are registered by and have the following notation as the place of registration: “pos.-Belovodsk-Belovodskij-r-on,-Luganskaja-obl.” In addition, both domains use Cloudflare as DNS hosting and automatically redirect to when trying to load the main page, which means that many anti-virus programs, when trying to open the page and find it on Google, consider it a safe. Moreover, even sub-links are considered safe, for example, in our case, hxxps[://]uz-golos[.]shop/number4, which is already clearly phishing.

The actual phishing attack looks like this:

Step 1

Armenia -- Telegram Phishing attack, step 1, Yerevan, 10Jul2023

Step 2

Armenia -- Telegram Phishing attack, step 2, Yerevan, 10Jul2023

Step 3

Armenia -- Telegram Phishing attack, step 3, Yerevan, 10Jul2023

!!! URGENT !!! Under no condition enter the code you recive in this window!!!