FBI Warns Iranian Hackers Using Telegram to Target Dissidents, Journalists

Iranian government hackers turned Telegram into a covert command post, using the app's own bots to steal files, capture screens, and execute hack-and-leak attacks on dissidents since 2023.

James Thompson · 4 min read
Source: tacsecurity.com

Hackers working on behalf of Iran's Ministry of Intelligence and Security have been using Telegram as live command-and-control infrastructure to push malware at Iranian dissidents, journalists opposed to the regime, and opposition groups around the world, the FBI disclosed in a flash alert that exposed a surveillance operation running since at least late 2023.

The FBI assessed that MOIS cyber actors deployed multiple malware variants since late 2023 to target Windows systems linked to dissidents, journalists, and opposition groups, though any person of interest could be targeted. The bureau escalated its alert now, citing "the elevated geopolitical climate of the Middle East and current conflict."

The attack chain is deliberately mundane. Attackers first pose as known contacts or tech support to deliver malicious files disguised as common applications, including the AI video tool Pictory, the password manager KeePass, and Telegram itself. The Iranian cyber actors convinced victims to accept a file transfer consisting of the masquerading stage 1 malware; when the victim opened the file, the malware infected the device and launched a persistent implant as stage 2. That implant does not reach back to a traditional server. Instead, the persistent implant malware, spawned following the masquerading malware's execution and possible user interaction, configured command-and-control using a Telegram bot, allowing bidirectional communication between the compromised device and api.telegram.org.

The personalization of the initial lure was deliberate. Stage 1 of the malware appeared to be tailored to the victim's pattern of life to increase the likelihood of downloading it, indicating the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim. Once inside a device, the malware could record screens and audio, capture data, compress files, and exfiltrate them via Telegram, giving attackers long-term access and control. Some variants went further: certain samples were designed to record screen and audio during active Zoom sessions, highlighting a focus on capturing sensitive, real-time information.

The malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The July 2025 hack-and-leak operation attributed to "Handala Hack" illustrates the downstream use of that access: the online entity known as Handala Hack claimed responsibility for an operation targeting multiple persons voicing concerns about current events in Iran that conflicted with the government's rhetoric, and the FBI assessed some of the information Handala posted was obtained using malware from this ongoing campaign.

The bureau linked these attacks to the Iranian-linked and pro-Palestinian Handala hacktivist group, also known as Handala Hack Team, Hatef, and Hamsa, as well as the Iranian state-sponsored Homeland Justice threat group tied to Iran's Islamic Revolutionary Guard Corps. MOIS cyber actors consistently leverage state-directed advanced persistent threat groups and proxy organizations to carry out hacktivist-style attacks, including hack-and-leak operations that blend technical compromises with disinformation, typically involving the theft of perceived sensitive data, its manipulation or selective exposure, and public distribution through aligned media channels to maximize reputational or political damage.

AI-generated illustration

Handala's portfolio extends well beyond espionage. These actions follow Handala's cyberattack on U.S. medical giant Stryker, in which the group factory-reset approximately 80,000 devices, including employees' personal computers and mobile devices managed by the company, using the Microsoft Intune wipe command after compromising a Windows domain administrator account. Stryker said in an SEC 8-K filing it is still recovering from the hack, and last week the U.S. Justice Department accused Handala of being a front for Iran's government, specifically the MOIS, and of being behind the Stryker attack.

The FBI also seized four domains connected to the campaign. The warning was published one day after the bureau seized handala-redwanted.to, handala-hack.to, justicehomeland.org, and karmabelow80.org, websites used by Handala, Homeland Justice, and a third actor tracked as Karma Below to leak sensitive documents and data stolen in cyberattacks targeting victims in the United States and around the world.

Telegram pushed back on the framing that its platform is uniquely exploitable. Spokesperson Remi Vaughn told CyberScoop: "moderators routinely remove any accounts found to be involved with malware." Security analysts noted the technique is not novel but is effective precisely because of its camouflage: beaconing to Telegram infrastructure is harder to detect because the same destination is routinely contacted for legitimate use, so malicious traffic blends in with benign traffic from the same network.
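What that camouflage means for a defender, as an added example that is not part of the original article or of the FBI alert: the script below parses constructed endpoint egress log lines (the log format, hostnames, process names and the allow-list of processes expected to talk to Telegram are all assumptions) and flags hosts where a process other than the Telegram client contacts api.telegram.org, scoring how regular the contact interval is. Periodic contact from an unexpected process is the beaconing pattern the analysts describe, and pivoting on the originating process rather than the destination alone is what separates it from the legitimate client traffic that gives it cover.

```python
"""Flag non-Telegram processes that beacon to api.telegram.org.

Constructed example (not from the FBI alert). Expects one egress
record per line in the assumed form:
  <ISO-8601 UTC timestamp> host=<name> proc=<image> dst=<hostname> bytes=<n>
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumption: on this fleet only the official desktop client should talk
# to the Bot API host. Adjust to whatever is legitimately deployed.
ALLOWED_TELEGRAM_PROCS = {"telegram.exe"}
SUSPECT_DST = "api.telegram.org"

# Constructed sample log: one workstation where a process named after the
# lure theme (pictory.exe, hypothetical) beacons every ~60 s and then sends
# a large upload; other hosts show ordinary browser/mail traffic.
SAMPLE_LOG = """\
2025-07-01T09:00:00Z host=ws-17 proc=telegram.exe dst=api.telegram.org bytes=1200
2025-07-01T09:00:05Z host=ws-17 proc=pictory.exe dst=api.telegram.org bytes=540
2025-07-01T09:01:05Z host=ws-17 proc=pictory.exe dst=api.telegram.org bytes=541
2025-07-01T09:02:05Z host=ws-17 proc=pictory.exe dst=api.telegram.org bytes=539
2025-07-01T09:03:06Z host=ws-17 proc=pictory.exe dst=api.telegram.org bytes=88213
2025-07-01T09:00:10Z host=ws-22 proc=chrome.exe dst=web.telegram.org bytes=4100
2025-07-01T09:00:12Z host=ws-22 proc=outlook.exe dst=outlook.office365.com bytes=2300
"""


def parse_line(line):
    """Parse one log record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    return rec


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between contacts.

    0.0 means perfectly periodic; larger values mean irregular, human-like
    activity. Returns None when there are too few contacts to judge.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_suspicious_telegram_c2(log_text, max_cv=0.2):
    """Return one finding per (host, process) that contacts the Bot API host
    from a process outside the allow-list, with a periodicity verdict."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != SUSPECT_DST:
            continue
        if rec["proc"].lower() in ALLOWED_TELEGRAM_PROCS:
            continue
        contacts[(rec["host"], rec["proc"])].append(rec)

    findings = []
    for (host, proc), recs in contacts.items():
        cv = beacon_regularity([r["ts"] for r in recs])
        findings.append({
            "host": host,
            "proc": proc,
            "contacts": len(recs),
            "bytes_out": sum(r["bytes"] for r in recs),
            "largest_upload": max(r["bytes"] for r in recs),
            "periodic": cv is not None and cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_telegram_c2(SAMPLE_LOG):
        print(f)
```

In a real deployment the records would come from EDR or proxy logs that carry the originating process image; the destination alone is deliberately not the alerting key, because blocking or alerting on api.telegram.org outright would fire on every legitimate client on the network.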

The FBI issued two separate cybersecurity advisories on March 20, attributing active campaigns by both Iranian and Russian government-linked actors to the exploitation of commercial encrypted messaging platforms against journalists, dissidents, and current and former U.S. government personnel, a pairing that underscored how thoroughly authoritarian states have colonized the same apps their citizens rely on for private communication.
