We’ve been seeing these types attacks for a couple of months, mostly not from telegram links. The way they work is pretty ingenious, in that is leverages the fact that everyone has gotten used to the various “do this thing to prove you’re human”. In this case the attack works like:

• User is directed to a link controlled by the attacker. The link will claim to be something the user wants.
  • In my experience, this has been movie or software downloads.
• This site presents a page which basically says “prove you are human to get the thing”.
• In the background, the attack site uses javascript to pre-load the user’s clipboard with a malicious PowerShell command.
• The site’s instructions to “prove you are human” looks like:
  1. Press the key combination Win+R
  2. Press the key combination Ctrl+V
  3. Press Enter
• The user being trained to “prove they are human” follows these instructions, resulting in a PowerShell command being run which downloads the malicious payload and executes it.

The payloads we’ve seen have been info stealers (RedLine, Lumma Stealer, etc.). They also drop some type of Remote Access Tool (e.g. AnyDesk) which the attacker could come back to later, move laterally and try to deploy ransomware.