Scam Kit Maker Rebuilding Business After Telegram Channel Shut Down
2024-12-11 04:24:08 Author: securityboulevard.com

A prolific threat group that has been selling phishing scam kits targeting more than 300 brands globally is working to regain its footing after the channel it was using on the controversial messaging service Telegram was shut down late last month, according to researchers with cybersecurity firm Fortra.

The group, SpartanWarriorz, has been selling its services since at least September 2022 and had a subscriber base of more than 5,300 on its Telegram channel, which was managed by two moderators. It was selling more than 300 kits and even gave many away to build its reputation in the phishing community.

Since the channel was shut down on November 21, the group has created another Telegram channel and is pushing to rebuild its subscriber base, according to Alexis Ober, a threat intelligence analyst at Fortra. It’s unclear why the channel was shut down last month, Ober told Security Boulevard.

“Though we can’t say for sure, this ban may have followed a larger pattern of action taken against illicit activity on the platform,” she said. “Telegram has promised to better crack down on criminal channels after the arrest of their CEO in August.”

The founder and CEO, Pavel Durov, was arrested by French authorities in August on a range of charges, accused of letting the messaging app be used by criminals for such crimes as drug trafficking, distribution of child pornography, fraud, and money laundering. In addition, the Russian citizen allegedly refused law enforcement requests for information and documents connected to criminal activity on Telegram.

A month after his arrest, Durov, who founded Telegram in 2013, said the messaging service would start sharing with authorities the phone numbers and IP addresses of users who violate the app’s policies. He also said the company had removed “problematic content” from the site.

Telegram and Cybercrime

Flare, which monitors cybercriminal communities, wrote late last year about what it said was the growing use of Telegram by bad actors to leak stolen credentials, coordinate fraud schemes against businesses, and share consumer banking information. Kaspersky researchers said they saw 22% year-over-year growth in the number of phishing and scam links on Telegram. The U.S. Justice Department, in a 2022 report, noted challenges linked to cybercriminals’ growing use of services such as Telegram for everything from ransomware to money laundering, fraud, and theft.

SpartanWarriorz may have lost its initial channel in the purge of problematic content, but the group isn’t going away, creating the new channel the same day and using the same two moderators.

The bad actors are “doing what they can to repost a lot of the phishing kits they previously offered, though they seem to be taking more precautions regarding who gets invited to what channel,” Ober said. “They have also been seen in other phishing community telegrams advertising their new channel and calling out to any of the old subscribers they lost while looking for new ones.”

A Prolific Operation

Before the first site was shut down, SpartanWarriorz’s scam kits targeted a wide range of industries, including financial institutions in North America and Europe as well as retail, delivery services, and social media platforms, Fortra researchers wrote in a report shared with Security Boulevard.

The group uses Telegram to offer a range of services, including not only the phishing kits and pages but also access to compromised websites, phishing lures, and email spamming.

“SpartanWarriorz advertises mailer tools that allow threat actors to send out phishing campaigns using pre-authored lure emails available from the seller,” the researchers wrote. “The group also offers access to web server shells through their Telegram platform. These shells have been installed on compromised servers and can be used to carry out phishing attacks.”

The kits also allow bad actors to input a Telegram API token and chat ID to exfiltrate stolen credentials, such as one-time password codes. In addition, they include antibot lists that block specific IP addresses and ranges, user agents, and known web crawlers from accessing the phishing pages within the kits.

“This code sends all blocked visitors to Google.com or a fake 404 error page,” they wrote. “Other configuration settings frequently seen include options to require victims to sign in twice or complete a CAPTCHA.”
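As an added, defensive example that is not from the article or Fortra’s report: a Python scan over constructed egress log lines that flags web hosts calling the Telegram Bot API, the channel the kits are described as using to receive stolen credentials. The log line format, the hostnames and the bot-token pattern are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API calls have the shape https://api.telegram.org/bot<id>:<secret>/<method>.
# Pattern written for this example; the secret length is only a lower bound.
BOT_CALL = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")

# Constructed sample egress log lines (not from the article): one web host posting
# to a Telegram bot, plus unrelated traffic. Fields: ts host method url status.
SAMPLE_LOG = """\
2024-12-02T10:15:01Z web01 GET https://cdn.example.net/app.js 200
2024-12-02T10:15:09Z web01 POST https://api.telegram.org/bot123456789:AAHxyzPLACEHOLDERtokenValue0123456/sendMessage?chat_id=-1009876543210 200
2024-12-02T10:15:10Z web02 GET https://www.google.com/ 302
2024-12-02T10:16:44Z web01 GET https://api.telegram.org/bot123456789:AAHxyzPLACEHOLDERtokenValue0123456/sendMessage 200
"""


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id and a short prefix so alerts correlate without storing the secret."""
    return f"{bot_id}:{secret[:4]}..."


def find_telegram_exfil(log_text: str) -> list[dict]:
    """Return one finding per line in which a web host calls the Telegram Bot API.

    A server that only hosts web pages has no reason to talk to api.telegram.org,
    so any such call from a web host is worth an analyst's attention.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at the fields
        ts, host, method, url, status = parts
        m = BOT_CALL.match(url)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        chat_id = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
        findings.append({
            "ts": ts,
            "host": host,
            "http_method": method,
            "api_method": api_method,
            "token_redacted": redact_token(bot_id, secret),
            "chat_id": chat_id,  # None when the kit sends it in the POST body instead
            "status": int(status),
        })
    return findings


if __name__ == "__main__":
    for f in find_telegram_exfil(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} -> bot {f['token_redacted']} chat_id={f['chat_id']}")
```

Pairing the flagged host with its web access log for the same minute usually shows the login form that fired the request.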

Not Flashy, but Persistent

Ober said that what’s made SpartanWarriorz stand out among phishing kit authors is the tenacity of its operation.

“While their kits are not the most sophisticated on the market, the large selection of brands targeted and the persistent marketing done by their team has given them a healthy amount of business,” she said. “The group’s willingness from the beginning to give away kits for sought-after brands has allowed them to successfully continue growing their user base.”

Ober added that the “expansive collection of pages offered range from international government entities to small local banks. They have been keen to target brands that historically may not have experienced much phishing activity.”

Article source: https://securityboulevard.com/2024/12/scam-kit-maker-rebuilding-business-after-telegram-channel-shut-down/