Vortex Werewolf spies impersonate Telegram

In the crosshairs are defense and government organizations
February 6, 2026

In December 2025 to January 2026, BI.ZONE Threat Intelligence observed a series of attacks by the Vortex Werewolf group targeting defense and government institutions. The attacks began with a highly convincing phishing lure: victims were prompted to download "important work documents" via a link that appeared to originate from Telegram's file storage service. In reality, clicking the link allowed the adversaries to install malware on the victim's Windows device and hijack access to their Telegram account.

Several indicators suggest that the attackers sent the phishing link directly to victims via Telegram, though email may have also been used.

When a user clicked the link, a fake Telegram account recovery process was initiated. The victim was prompted to enter a code received on another device and, if two-factor authentication was enabled, a cloud password, ostensibly for the document to load fully. In fact, this granted the attackers full access to the user's active Telegram session, including all chats and contacts.

Telegram account compromise is valuable to attackers for several reasons. Stolen contacts can be used to send further phishing links from a hijacked trusted account. This way, the messages will appear legitimate and won't raise suspicions. Moreover, many users still store sensitive information in their Saved Messages folder: photos and scans of documents, links to internal resources, and even credentials—anything they want readily available. Unfortunately, attackers actively exploit this practice, as such data holds significant value.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

The attackers did not stop at account theft. After the victim entered the required codes and passwords, a ZIP archive was downloaded to their device. Inside was a malicious file disguised as a PDF document, along with a hidden directory containing another archive with multiple files. By opening the "document," the user unknowingly ran a malicious script that ultimately granted the attackers remote access to the system. To maintain covert control, the attackers installed OpenSSH and Tor on the compromised host. While OpenSSH is a legitimate tool for secure remote administration, the adversaries repurposed it to connect to their C2 server. To conceal the connection, they routed all traffic through Tor.
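The combination described above, a legitimate OpenSSH binary plus Tor appearing on an endpoint that has no business running either, is something a detection team can hunt for in process-creation telemetry. The following is an added example, not code from the BI.ZONE report or from the group's tooling: it parses a handful of constructed, Sysmon-style process-creation lines (host, timestamp, image path; not real telemetry) and flags hosts where an SSH client or server starts within a short window of a Tor process, plus any host that launches an SSH server without being on an allowlist. The image-name sets, window size and sample paths are assumptions to be tuned to your own estate.

```python
"""Hunt for the OpenSSH-plus-Tor remote-access pattern in process-creation logs.

Added example; the log lines below are constructed for illustration and the
image-name lists are hypothetical starting points, not indicators from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical image names: on an ordinary workstation these rarely belong together.
SSH_IMAGES = {"ssh.exe", "sshd.exe"}
TOR_IMAGES = {"tor.exe"}

# Constructed sample events in a minimal Sysmon-like key=value layout (not real data).
SAMPLE_EVENTS = [
    "2026-01-14T09:02:11Z host=WS-041 image=C:\\Windows\\System32\\OpenSSH\\ssh.exe",
    "2026-01-14T09:03:40Z host=WS-041 image=C:\\Users\\Public\\tor\\tor.exe",
    "2026-01-14T10:15:02Z host=WS-017 image=C:\\Windows\\System32\\OpenSSH\\ssh.exe",
    "2026-01-14T11:30:00Z host=WS-088 image=C:\\Users\\Public\\svc\\sshd.exe",
    "2026-01-14T17:45:09Z host=WS-088 image=C:\\Users\\Public\\svc\\tor.exe",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+)$")


def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp and lower-cased image name."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    image = m["image"].strip()
    name = image.rsplit("\\", 1)[-1].lower()
    return {"ts": ts, "host": m["host"], "image": image, "name": name}


def find_ssh_tor_pairs(lines, window=timedelta(minutes=60), sshd_hosts_allowed=frozenset()):
    """Return findings for hosts matching either rule, sorted by time.

    Rule 'unexpected-sshd': an SSH *server* started on a host not allowed to run one.
    Rule 'ssh-with-tor': an SSH client/server and a Tor process started within `window`
    of each other on the same host, the shape of an SSH-over-Tor remote-access channel.
    """
    by_host = defaultdict(lambda: {"ssh": [], "tor": []})
    for line in lines:
        ev = parse_event(line)
        if ev["name"] in SSH_IMAGES:
            by_host[ev["host"]]["ssh"].append(ev)
        elif ev["name"] in TOR_IMAGES:
            by_host[ev["host"]]["tor"].append(ev)

    findings = []
    for host, evs in by_host.items():
        for s in evs["ssh"]:
            if s["name"] == "sshd.exe" and host not in sshd_hosts_allowed:
                findings.append({"host": host, "rule": "unexpected-sshd",
                                 "ts": s["ts"], "images": [s["image"]]})
        for s in evs["ssh"]:
            for t in evs["tor"]:
                if abs(s["ts"] - t["ts"]) <= window:
                    findings.append({"host": host, "rule": "ssh-with-tor",
                                     "ts": min(s["ts"], t["ts"]),
                                     "images": [s["image"], t["image"]]})
    findings.sort(key=lambda f: (f["ts"], f["host"], f["rule"]))
    return findings


if __name__ == "__main__":
    for f in find_ssh_tor_pairs(SAMPLE_EVENTS):
        print(f"{f['ts'].isoformat()} {f['host']} {f['rule']}: {', '.join(f['images'])}")
```

Against the constructed sample, WS-041 is flagged for SSH and Tor starting two minutes apart, WS-088 is flagged for an unexpected sshd.exe under a user-writable path, and WS-017 (a lone ssh.exe launch, plausibly an administrator) is left alone. Widening the window is a tuning decision: the Tor process on WS-088 starts six hours after sshd, so it only pairs up when the window is extended.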

Vortex Werewolf is an espionage actor that has been active since at least December 2024. Shortly before this winter campaign against Russian targets, researchers from Cyble and Seqrite identified a similar operation by the same cluster focused on Belarusian defense and government organizations.

Earlier, BI.ZONE Digital Risk Protection recorded a surge in fraudulent domains designed specifically to steal Telegram accounts.

Phishing remains the top attack vector. To protect themselves, organizations should train employees on cyber hygiene and conduct regular awareness exercises. This greatly increases the chances of recognizing malicious activity, even on messengers or social media. For email protection, companies can deploy specialized filtering solutions such as BI.ZONE Mail Security. To build effective defenses and respond swiftly to incidents, they can leverage portals similar to BI.ZONE Threat Intelligence, which deliver insights into emerging threats.