Back to Intelligence

Threat Intel: 'The Com' Phishing & Extortion — Detection and Defense Guide

SA
Security Arsenal Team
May 31, 2026
5 min read

'The Com' (The Communitarianism Party) represents a distinct threat landscape that blurs the line between cybercrime and real-world violence. This neo-Nazi-affiliated group is not merely financially motivated; they utilize cyber proceeds—derived largely from credential harvesting, SIM swapping, and fraud—to fund violent extremism, sexploitation, and the purchase of weapons.

For security practitioners, this threat actor operates primarily through social engineering platforms, notably Telegram and LinkedIn, to deliver phishing lures. The urgency for defenders is twofold: protect organizational credentials and financial assets, and deny infrastructure to a group funding domestic terrorism. This post details the technical TTPs of 'The Com' and provides actionable detection and remediation strategies.

Technical Analysis

Threat Actor: The Com (The Communitarianism Party) Motivation: Financial gain to support ideological violence, rape, and hate crimes. Attack Vector: Social Engineering, Phishing, Credential Harvesting, SIM Swapping.

Technical Breakdown

'The Com' relies on a decentralized operational model leveraging widely available communication tools to evade traditional perimeter defenses.

  • Command and Control (C2) & Coordination: The group utilizes Telegram channels (e.g., @TheComStation) to recruit members, coordinate phishing campaigns, and distribute stolen data. This reliance on a consumer-grade messaging app is a critical distinct identifier for detection in enterprise environments.
  • Attack Chain:
    1. Initial Access: Targets receive unsolicited messages via Telegram or LinkedIn. These often masquerade as job offers or friend requests.
    2. Payload Delivery: The victim is directed to a credential harvesting site. These sites often mimic legitimate login pages (Microsoft 365, banking portals) and are hosted on infrastructure utilizing residential proxies to bypass geo-blocking and reputation-based filtering.
    3. Objective: Once credentials are captured, the group engages in financial theft (banking fraud) or SIM swapping to bypass MFA, effectively draining accounts.
  • Exploitation Status: Active exploitation confirmed. The group is currently operational and actively recruiting new members for cyber operations.

Detection & Response

Detecting 'The Com' requires a shift from focusing solely on malware signatures to detecting behavioral anomalies associated with social engineering tools and unauthorized communication channels.

Sigma Rules

The following rules target the primary delivery vector: the unauthorized use of Telegram Desktop within the corporate environment and common PowerShell patterns used in phishing kit deployment.

YAML
---
title: 'The Com' - Telegram Desktop Execution
id: a1b2c3d4-5678-90ef-gh12-34567890ijkl
status: experimental
description: Detects the execution of Telegram Desktop in a corporate environment. 'The Com' heavily utilizes Telegram for C2 and phishing delivery. This activity is often unauthorized in managed endpoints.
references:
  - https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.command_and_control
  - attack.t1102
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\Telegram.exe'
    ParentImage|endswith:
      - '\explorer.exe'
  condition: selection
falsepositives:
  - Authorized use of Telegram by business development (rare)
level: high
---
title: Potential Phishing Kit Activity via PowerShell
description: Detects PowerShell commands often used to download or interact with phishing kits, specifically targeting user agent spoofing and web requests common in 'The Com' operations.
id: b2c3d4e5-6789-01fg-hi23-45678901jklm
status: experimental
references:
  - https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'System.Net.WebClient'
  selection_indicator:
    CommandLine|contains:
      - 'User-Agent'
      - 'telegram.org'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts
level: medium

KQL (Microsoft Sentinel / Defender)

This KQL query hunts for endpoints establishing network connections to Telegram infrastructure or executing the Telegram binary.

KQL — Microsoft Sentinel / Defender
// Hunt for Telegram process execution and network connections
let TelegramProcesses = 
  DeviceProcessEvents
  | where FileName in~ ("Telegram.exe", "Updater.exe") 
  | project Timestamp, DeviceName, AccountName, FolderPath, InitiatingProcessFileName;
let TelegramNetwork = 
  DeviceNetworkEvents
  | where RemoteUrl has "telegram.org" or RemoteIP in ("149.154.160.0/20", "91.108.4.0/22")
  | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName;
union TelegramProcesses, TelegramNetwork
| summarize count() by DeviceName, bin(Timestamp, 1h)
| order by count_ desc

Velociraptor VQL

This artifact hunts for the presence of the Telegram application on the disk, which may indicate an infected endpoint or insider threat vector associated with 'The Com' recruitment.

VQL — Velociraptor
-- Hunt for 'The Com' associated Telegram binaries
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="C:\Users\*\AppData\Roaming\Telegram Desktop\*.exe")
WHERE Mtime > now() - 30d

Remediation Script (PowerShell)

If Telegram is not authorized for business use, apply the following firewall rule to block executables commonly used by the threat actor. This should be deployed via GPO or Intune.

PowerShell
# Block 'The Com' primary communication vector: Telegram
# Ensure 'Telegram.exe' cannot establish network connections
$RuleName = "Block The Com - Telegram Traffic"
$ExePath = "%AppData%\Telegram Desktop\Telegram.exe"

# Check if rule exists
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                         -Direction Outbound `
                         -Action Block `
                         -Program $ExePath `
                         -Profile Any `
                         -Description "Block traffic for Telegram to mitigate 'The Com' phishing risk"
    Write-Host "Firewall rule '$RuleName' created successfully."
} else {
    Write-Host "Firewall rule '$RuleName' already exists."
}

Remediation

  1. Block Access to Telegram: Implement network-level blocks (DNS Sinkhole or Proxy) for telegram.org and all subdomains. Deploy Application Control (AppLocker/WDAC) policies to block the execution of Telegram.exe on corporate endpoints.
  2. User Awareness Training: Immediately alert your workforce to the specific tactics used by 'The Com'. Emphasize that:
    • Unsolicited job offers via Telegram or LinkedIn should be treated as hostile.
    • Legitimate corporate communications will not direct users to login via Telegram links.
  3. Enhance MFA: Deploy FIDO2/WebAuthn hardware keys. 'The Com' utilizes SIM swapping; SMS-based MFA is vulnerable to their specific TTPs.
  4. Audit Web Proxies: Review logs for connections to residential proxy ranges and anomalies in outbound traffic patterns indicative of C2 beacons or data exfiltration.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionthreat-intelligencethe-comsocial-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action