A Telegram account-takeover operation by npm publisher shetty123 (shettysaikumar3@gmail.com). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.
Objective
Hijack Telegram accounts at scale via 2FA implantation, IMAP-based confirmation-code harvesting, and forced session eviction; harvest OTP login codes for on-demand account access.
Packages
Indicators
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1539 Steal Web Session Cookieuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1102 Web Serviceuses
- ttp T1556 Modify Authentication Process: implant 2FA on victim Telegram accountuses
- ttp T1098 Account Manipulationuses
- ttp OTP harvesting via Telegram chat 777000uses
