T1556
Modify Authentication Process: implant 2FA on victim Telegram account
Discovered 2026-05-03
Hardcoded 2FA password and recovery email installed on victim accounts via Telegram updateTwoFaSettings, with the operator's IMAP mailbox auto-submitting the confirmation code.