The Federal Bureau of Investigation (FBI) has warned that Iranian government–linked hackers are abusing Telegram to remotely control malware and extract sensitive data from dissidents, opposition groups, and journalists worldwide. The alert describes a social engineering campaign that delivers booby-trapped apps, then pivots to Telegram-based command and control to stay hidden in plain sight.
Investigators say the operation aligns with Iran’s Ministry of Intelligence and Security, underscoring how state-backed actors are blending consumer platforms with espionage tradecraft to evade defenses and advance geopolitical goals.
According to the FBI, victims are first contacted by impostors posing as trusted acquaintances or tech support. The targets are steered to install malware disguised as familiar communications tools, including lookalike versions of Telegram or WhatsApp installers.
Once on a device, a second stage initiates a covert link to Telegram bots that handle attacker commands. Through this channel, operators can browse and exfiltrate files, capture screenshots, log keystrokes, and even record conferencing sessions such as Zoom—capabilities designed to siphon both documents and context from sensitive communications.
By tunneling instructions and stolen data through Telegram’s API and encrypted traffic, the malware blends with routine network activity. This makes it harder for endpoint tools and intrusion detection systems to distinguish the malicious stream from legitimate messaging use.
Why Telegram Appeals to Attackers as a Command-and-Control Channel
Security researchers have tracked a steady rise in “living off the land” command-and-control techniques that co-opt popular cloud and chat apps. Telegram’s bot framework is simple for operators to script, its traffic is commonly allowed on corporate networks, and its infrastructure provides reliability across regions where other services may be filtered.
Past investigations by firms such as Check Point and ESET have detailed families like ToxicEye, TeleRAT, and Masad Stealer using Telegram for exfiltration and tasking. The pattern mirrors broader trends in which adversaries piggyback on Slack, Discord, Dropbox, and Google Drive to hide activity behind reputable domains and TLS encryption.
The upshot for defenders: blocking one-off IPs and domains is less effective when malware routes through sanctioned platforms. Network monitoring needs to focus on anomalous client behavior—who is using Telegram, from what endpoints, and in what volumes—rather than the destination alone.
Attribution and the Handala Link to Iran’s MOIS
The FBI’s alert attributes the activity to operators working for Iran’s Ministry of Intelligence and Security. It also references Handala, a pro-Iran and pro-Palestinian hacktivist brand that U.S. officials have described as a front for MOIS-run operations.
Handala recently claimed responsibility for a disruptive intrusion at medical technology company Stryker that led to the wiping of tens of thousands of employee devices. In a regulatory filing, Stryker said it continues to recover from the incident, illustrating how politically motivated personas can inflict real-world operational damage.
U.S. authorities have also tied another influence-hacking brand, Homeland Justice, to MOIS and moved to seize infrastructure linked to both groups. The FBI’s assessment is that these clusters are coordinated, with hack-and-leak theatrics masking state direction.
Who Is Being Targeted by the Telegram-Enabled Campaign
The campaign focuses on individuals and organizations critical of the Iranian regime, including diaspora activists, human rights groups, journalists, and academic or policy circles. These are classic espionage targets where inboxes, cloud drives, and meeting recordings can provide strategic insight into networks, plans, and sources.
While the focus is on civil society, enterprises with links to healthcare, technology, and media are at risk as collateral or opportunistic targets, particularly when employees overlap with advocacy communities or public-facing roles.
Defense Playbook for High-Risk Users and NGOs
Validate all software from official app stores or vendor sites; avoid sideloaded installers sent via email or messaging. Use application allowlisting to prevent unauthorized binaries, and deploy endpoint detection capable of flagging Telegram-controlled malware behaviors.
Harden egress: if your mission does not require Telegram, block it at the network edge, or tightly scope access to managed devices only. Monitor for unusual Telegram API connections, large outbound file transfers, and long-lived sessions from atypical hosts.
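As an added illustration (not from the FBI alert or this article), the following Python sketch applies the monitoring rules above to constructed proxy-log lines: it flags Telegram API traffic from hosts outside a managed allowlist, single connections that upload more than a set volume, and long-lived sessions, and tallies per-host outbound volume. The domain list, the allowed-host set, the log layout and the thresholds are assumed policy values, not figures from the page.

```python
"""Flag anomalous Telegram API egress in proxy logs (added example, not from the page)."""
from collections import defaultdict

# Constructed sample proxy log: ts,src_host,user,dst_domain,bytes_out,duration_s
SAMPLE_LOG = """\
2024-05-01T09:00:01,laptop-comms-01,press.desk,api.telegram.org,2048,12
2024-05-01T09:05:10,laptop-comms-01,press.desk,api.telegram.org,4096,20
2024-05-01T09:07:44,ws-finance-07,j.doe,api.telegram.org,1024,15
2024-05-01T09:08:01,ws-finance-07,j.doe,api.telegram.org,52428800,4100
2024-05-01T09:09:30,ws-hr-02,a.smith,www.example.org,8192,3
"""

# Hypothetical policy values: hosts permitted to reach Telegram, and what
# counts as a large single upload or a long-lived session.
TELEGRAM_DOMAINS = {"api.telegram.org"}
ALLOWED_TELEGRAM_HOSTS = {"laptop-comms-01"}
LARGE_UPLOAD_BYTES = 10 * 1024 * 1024   # 10 MiB in one connection
LONG_SESSION_SECONDS = 3600             # one hour

def parse_log(text):
    """Parse the CSV-style lines into dicts with typed numeric fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dst, bytes_out, dur = line.split(",")
        records.append({"ts": ts, "host": host, "user": user, "dst": dst,
                        "bytes_out": int(bytes_out), "duration": int(dur)})
    return records

def find_telegram_anomalies(records):
    """Return (sorted unique (host, reason) findings, per-host Telegram bytes out)."""
    findings = []
    per_host_bytes = defaultdict(int)
    for r in records:
        if r["dst"] not in TELEGRAM_DOMAINS:
            continue                      # only Telegram API traffic is scored
        per_host_bytes[r["host"]] += r["bytes_out"]
        if r["host"] not in ALLOWED_TELEGRAM_HOSTS:
            findings.append((r["host"], "telegram_from_unmanaged_host"))
        if r["bytes_out"] >= LARGE_UPLOAD_BYTES:
            findings.append((r["host"], "large_outbound_transfer"))
        if r["duration"] >= LONG_SESSION_SECONDS:
            findings.append((r["host"], "long_lived_session"))
    return sorted(set(findings)), dict(per_host_bytes)

if __name__ == "__main__":
    hits, volumes = find_telegram_anomalies(parse_log(SAMPLE_LOG))
    for host, reason in hits:
        print(f"{host}: {reason} (total Telegram bytes out: {volumes[host]})")
```

The managed host generates no findings because its sessions are small and short; the unmanaged workstation trips all three rules on one connection.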
For at-risk communities, adopt phishing-resistant multifactor authentication (such as security keys), enforce out-of-band verification for unexpected tech-support messages, and limit meeting recording privileges. CISA and FBI guidance emphasizes continuous security awareness training tailored to journalists and NGOs.