What happened
The FBI issued a warning that Iran-linked hackers tied to the country’s Ministry of Intelligence and Security (MOIS) are using Telegram as command-and-control infrastructure in malware campaigns. The activity has been attributed to the Handala hacktivist group and related state-linked actors, who are targeting journalists, dissidents, and opposition groups worldwide. According to the alert, attackers rely on social engineering to infect victims with Windows-based malware, which is then used to exfiltrate files and screenshots from compromised systems. The FBI said the campaigns are part of broader “hack-and-leak” operations aimed at intelligence collection and reputational damage amid heightened geopolitical tensions.
Who is affected
Journalists, political dissidents, and individuals critical of the Iranian government are primarily affected, along with organizations and individuals globally who may be targeted through similar malware delivery tactics.
Why CISOs should care
The campaign shows how attackers increasingly use widely adopted messaging platforms such as Telegram as covert infrastructure for malware operations, combining social engineering for initial access with command-and-control traffic that blends into ordinary application use.
3 practical actions
- Monitor messaging platforms for abuse. Watch for suspicious links, files, or communications originating from Telegram-based channels.
- Harden defenses against social engineering. The attacks rely on tricking users into executing malware rather than exploiting software flaws.
- Detect data exfiltration behavior. Monitor for unusual file transfers or screenshot capture activity on endpoints.
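As an added example (not part of the FBI alert), a minimal detection pass for the third action: it flags endpoint traffic to the Telegram Bot API and rates upload methods highest, since they match the file and screenshot exfiltration the alert describes. The alert does not say which Telegram interface the malware uses, so the Bot API URL shape is an assumption, as are the proxy/EDR log format, hostnames, process names and the bot token, all of which are constructed.

```python
"""Flag endpoint traffic to the Telegram Bot API as a possible C2/exfil channel.
Added example with constructed data; assumes proxy or EDR telemetry that records
the requesting process and (with TLS inspection) the HTTPS request path.
"""
import re

# Public Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# Methods that push content from the host to the operator's chat; these fit the
# file and screenshot exfiltration the alert describes.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed log lines: "<ts> <host> <process> <dst_host> <path>"
SAMPLE_LOGS = [
    "2025-01-10T10:00:01Z WS01 chrome.exe web.telegram.org /",
    "2025-01-10T10:05:12Z WS02 svchost.exe api.telegram.org /bot1234567:CONSTRUCTED_token/getUpdates",
    "2025-01-10T10:05:40Z WS02 svchost.exe api.telegram.org /bot1234567:CONSTRUCTED_token/sendDocument",
    "2025-01-10T10:06:03Z WS03 updater.exe api.telegram.org /bot1234567:CONSTRUCTED_token/sendPhoto",
    "2025-01-10T10:07:30Z WS04 python.exe api.telegram.org /",
]


def analyze(lines):
    """Return (host, process, severity, reason) per Telegram Bot API contact.

    high = upload method (likely exfil); medium = other Bot API call
    (polling/tasking); low = api.telegram.org contact with no visible path.
    """
    findings = []
    for line in lines:
        _ts, host, process, dst, path = line.split(" ", 4)
        if dst.lower() != "api.telegram.org":
            continue  # ordinary Telegram web/client use is out of scope here
        m = BOT_API_RE.match(path)
        if m is None:
            findings.append((host, process, "low", "contact with api.telegram.org"))
        elif m.group(2) in UPLOAD_METHODS:
            findings.append((host, process, "high", f"Bot API {m.group(2)} upload, bot id {m.group(1)}"))
        else:
            findings.append((host, process, "medium", f"Bot API {m.group(2)} call, bot id {m.group(1)}"))
    return findings


def hosts_with_uploads(findings):
    """Hosts that both polled and uploaded: the strongest C2-plus-exfil signal."""
    high = {h for h, _p, sev, _r in findings if sev == "high"}
    med = {h for h, _p, sev, _r in findings if sev == "medium"}
    return sorted(high & med)
```

Without TLS inspection only the destination hostname is visible, so DNS or SNI telemetry alone can produce no more than the "low" tier; the process name then becomes the main discriminator.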
