Don't open it to anyone: hackers have started disguising malicious links under Telegram
In December and January, hackers carried out a series of attacks on Russian defense industry enterprises and government agencies, cybersecurity companies told Izvestia. The targets were mass-mailed links, supposedly for downloading working documents, that looked like Telegram file storage. When a potential victim clicked such a link, they downloaded malware and handed the attackers access to their Telegram account. The captured profiles then let the hackers impersonate company employees and obtain confidential information from work chats. How the scheme works is described in this Izvestia article.
How criminals attacked businesses
The hacker group Vortex Werewolf carried out a series of attacks on Russian defense industry enterprises and government agencies in December 2025 - January 2026, BI.ZONE Threat Intelligence told Izvestia.
This group, also known as SkyCloak, has been active since 2024 and has carried out targeted attacks on enterprises of the military-industrial complex of Russia and Belarus, explained Evgeny Pankov, a data analyst at the Coordination Center for TLD .RU/.РФ. Its main interest is confidential and proprietary information.
The latest series of attacks began with phishing: a potential victim was offered "important working documents" to download from a link that looked like Telegram file storage. Clicking such a link allowed the attackers to install malware on the user's Windows device and to hijack the user's account in the messenger.
In some cases the phishing link was sent to the user directly in Telegram, but email could also be used. If the user clicked on it, an account-recovery process for their Telegram account was initiated. The victim was asked to enter a code received on another device and, if the account was protected by two-factor authentication, also the cloud password, ostensibly so that the document could be displayed in full. In this way the attackers gained access to the active Telegram session, all correspondence and the user's contacts.
"The received contacts can be used to send further phishing links, and this can be done from the hijacked account so that the messages look trustworthy and do not arouse suspicion," said Oleg Skulkin, head of BI.ZONE Threat Intelligence.
In addition, according to him, many users keep photos and scans of documents, links to work resources, and even usernames and passwords in Telegram's Saved Messages (Favorites).
But the criminals did not limit themselves to hijacking the account. After the user entered the requested codes and passwords, a ZIP archive was downloaded to the device. Inside was a malicious file disguised as a PDF document, plus a hidden directory holding another archive with many files. By opening the "document", the user ran a malicious script, which eventually gave the attackers remote access to the system.
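The archive layout described above (a file named as a PDF that is not one, a hidden directory, a nested archive) can be checked mechanically before a user ever double-clicks anything. The following triage script is an added example written for this article, not code from Izvestia, BI.ZONE or any of the quoted researchers; the sample archive it builds is constructed in memory to mimic the described layout and is not a real attack artifact, and the list of "executable" extensions is an assumption.

```python
"""Triage a ZIP attachment for the layout described in the article:
a member named .pdf whose bytes are not a PDF, hidden directories,
double extensions, embedded Windows executables and nested archives.
Added example; the sample archive is constructed, not a real artifact."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"       # every real PDF starts with this header
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive
MZ_MAGIC = b"MZ"           # DOS/Windows executable stub
DOS_HIDDEN = 0x02          # MS-DOS "hidden" attribute bit kept in external_attr
# Extensions Windows runs or interprets on double-click (assumed, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".lnk")


@dataclass
class Finding:
    member: str
    reason: str


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """Hidden either by a dot-prefixed path component or by the DOS hidden bit."""
    parts = [p for p in info.filename.split("/") if p]
    return any(p.startswith(".") for p in parts) or bool(info.external_attr & DOS_HIDDEN)


def triage_archive(data: bytes, depth: int = 0, max_depth: int = 2) -> list[Finding]:
    """Return one Finding per suspicious trait; nested archives are descended into."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if info.is_dir():
                if is_hidden(info):
                    findings.append(Finding(name, "hidden directory"))
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # magic bytes are enough to classify the content
            if is_hidden(info):
                findings.append(Finding(name, "hidden path"))
            if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                findings.append(Finding(name, "named .pdf but content is not PDF"))
            if ".pdf." in lower and lower.endswith(EXEC_EXTS):
                findings.append(Finding(name, "double extension (.pdf + executable)"))
            if head.startswith(MZ_MAGIC):
                findings.append(Finding(name, "Windows executable (MZ header)"))
            if head.startswith(ZIP_MAGIC):
                findings.append(Finding(name, "nested archive"))
                if depth < max_depth:
                    for f in triage_archive(zf.read(info), depth + 1, max_depth):
                        findings.append(Finding(f"{name}!{f.member}", f.reason))
    return findings


def build_sample() -> bytes:
    """Constructed archive mimicking the described layout (not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("stage2/notes.txt", "placeholder text\n")
        z.writestr("stage2/loader.exe", MZ_MAGIC + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Genuine.pdf", PDF_MAGIC + b"1.7\n%placeholder\n")
        z.writestr("Contract.pdf", b"placeholder script body, not a PDF\r\n")
        z.writestr("Invoice.pdf.scr", MZ_MAGIC + b"\x00" * 62)
        hidden_dir = zipfile.ZipInfo(".cache/")
        hidden_dir.external_attr = DOS_HIDDEN | 0x10  # hidden + directory bits
        z.writestr(hidden_dir, b"")
        z.writestr(".cache/data.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample()):
        print(f"{f.member}: {f.reason}")
```

Run against a real attachment by passing the file's bytes to `triage_archive`; any finding is a reason to quarantine rather than open. The check deliberately trusts magic bytes over file names, because the disguise in this campaign is purely a naming one.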
Where are the cyber attacks on Russia coming from?
The growth of attacks using malicious software has become one of the main trends of the past year. According to the Domain Patrol project, 10.6 thousand domains distributing malicious software were found on the Runet, which is twice as many as in 2024.
"Malware is increasingly being used as an integral part of phishing attacks," said Evgeny Pankov. "It allows attackers to gain remote access to devices and discreetly collect correspondence, audio and video data, documents, credentials, passwords and other confidential information."
In the first ten months of 2025, 18 hacker clusters and groups were discovered, seven of them new, which is at least twice as many as the year before, said Ivan Syukhin, head of the incident investigation group at the Solar 4RAYS Research Center, Solar Group.
"Among the most active today are GOFFEE, Shedding Zmiy, Lifting Zmiy, Partizan Zmiy, Erudite\Obstinate Mogwai and many others," he noted.
According to the expert, Rare Werewolf (Librarian Ghouls, Rezet) was already active in 2026, directing its attacks at, among others, employees of industrial enterprises and technical universities.
"Those attacks began with phishing emails disguised as official messages from real organizations to their employees," Ivan Syukhin added. "In fact, it ran a malicious script that helps steal credentials and plant cryptocurrency miners."
In total, Russian organizations are attacked by more than 100 hacker groups. These are mainly hacktivists, as well as APT groups (Advanced Persistent Threat, a targeted long-term attack), said Dmitry Galov, head of Kaspersky GReAT in Russia. The main targets for most of them are the public sector and industry.
"Phishing is still one of the main ways to break into a company's infrastructure," he said. "Attackers are increasingly using multi-stage scenarios with real documents and disguising themselves as real organizations, as well as adapting to the industry and the current agenda, in order to infect the victim's computer with malware."
Why do hackers need Telegram?
Telegram as a messenger may be of interest to attackers, for example, to gain access to confidential correspondence between people and files sent, including in work chats, Ivan Syukhin said.
"This allows you to find out the most up-to-date information about the company's status, for example, or confidential data that can be used in a phishing attack," the expert said. "Also, some companies may have two-factor authentication systems set up through it, so gaining access to an account in the messenger may allow you to bypass the requirements of the second factor."
No less dangerous is that the hijacked account lets hackers impersonate an employee or the head of the company, Evgeny Pankov added. In that person's name they can send messages and malicious files, drawing colleagues, partners and customers into the attack. As a result, one hacked account often becomes the starting point of a large-scale chain of attacks and of serious reputational and financial losses.
"Attacks are becoming more complex and invisible, so it's impossible to guarantee 100 percent protection, but you can reduce the risk of a successful attack," he said.
For example, companies can restrict the launch of suspicious files on work computers, regularly update security systems, and monitor abnormal activity on devices.
Translated by the Yandex Translate service