This incident reveals a troubling evolution in threat actor tactics, where credential harvesting is prioritized alongside traditional resource exploitation. The attack chain demonstrates a calculated approach: initial access via weak SSH credentials, followed by systematic reconnaissance to identify high-value targets like Telegram's tdata folder. The tdata directory's vulnerability lies in its ability to bypass 2FA entirely, granting threat actors persistent access to accounts. This aligns with...