T1556

Modify Authentication Process: implant 2FA on victim Telegram account

Hardcoded 2FA password and recovery email installed on victim accounts via Telegram updateTwoFaSettings, with the operator's IMAP mailbox auto-submitting the confirmation code.

discovered 2026-05-03

View on MITRE ATT&CK ↗

Seen in packages

npmcommon-tg-serviceuses

Campaigns

shetty123 Telegram Hijackattributed-to