
The Federal Bureau of Investigation has warned that Iranian government-linked hackers are using Telegram-based tools to infiltrate and control the devices of dissidents, journalists, and opposition groups worldwide.
In an alert published Friday, the FBI said the attacks involve a multi-stage process designed to gain access to victims’ systems and extract sensitive data while avoiding detection.
Multi-Stage Attack Using Malware And Telegram Bots
According to the FBI, attackers first contact targets by impersonating trusted individuals or technical support. Victims are then persuaded to download malicious files disguised as legitimate applications, including Telegram or WhatsApp.
Once installed, the malware connects the compromised device to Telegram bots. These bots enable attackers to remotely control the system, allowing them to access files, capture screenshots, and record Zoom calls.
Using Telegram as the command-and-control channel lets the malware's traffic blend in with legitimate connections to Telegram's servers, which makes it harder for security tools to single out.
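One way a defender can hunt for this pattern in web-proxy logs, as an added example that is not from the FBI alert: the Bot API URL shape and the method names are Telegram's public API, but the log format and the sample lines are constructed for illustration, and the detection thresholds are assumptions.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# The token shape (numeric bot id, colon, secret) is the public format; the sample
# log lines below are constructed for this example, not real traffic.
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# A bot-controlled implant must poll for operator commands and push collected
# files or screenshots back; these are the real Bot API methods for that.
POLL_METHODS = {"getUpdates"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}

# Constructed proxy log: timestamp client verb url bytes_sent "user-agent"
SAMPLE_PROXY_LOG = """\
2024-05-03T10:00:01Z 10.1.4.22 GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates - "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-03T10:00:03Z 10.1.4.22 GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates - "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-03T10:00:05Z 10.1.4.22 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 48211 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-03T10:00:09Z 10.1.4.22 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendPhoto 91002 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-03T10:01:00Z 10.1.4.37 GET https://web.telegram.org/a/ - "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-03T10:01:02Z 10.1.4.37 GET https://web.telegram.org/a/main.js - "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def find_bot_api_hosts(log_text, min_polls=2):
    """Return {client: summary} for hosts that repeatedly poll one bot token with
    getUpdates and also upload via the same token. Normal Telegram use (the apps,
    web.telegram.org) never requests a /bot<token>/ path, so it is not flagged."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "polls": 0, "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _verb, url, size, _ua = m.groups()
        api = BOT_API_RE.match(url)
        if not api:
            continue  # not a Bot API call: ordinary browsing or app traffic
        bot_id, api_method = api.groups()
        rec = per_host[client]
        rec["bot_ids"].add(bot_id)
        if api_method in POLL_METHODS:
            rec["polls"] += 1
        elif api_method in UPLOAD_METHODS:
            rec["uploads"] += 1
            rec["bytes_out"] += int(size) if size.isdigit() else 0
    return {h: r for h, r in per_host.items()
            if r["polls"] >= min_polls and r["uploads"] >= 1}
```

Only the host that both polls and uploads through a bot token is returned; the second host, which merely uses Telegram's web client, stays clean, which is the distinction the blending-in tactic relies on defenders missing.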
Links To Iranian Intelligence Operations
The FBI attributed the campaign to hackers allegedly working for Iran’s Ministry of Intelligence and Security. The agency said the activity reflects efforts to advance the government’s geopolitical objectives.
The alert also referenced the hacktivist persona Handala, though it did not confirm whether the group directly carried out the attacks described.
Connection To Recent Cyberattacks
Handala has recently been linked to other incidents. The group claimed responsibility for a cyberattack on Stryker earlier this month, which resulted in the wiping of tens of thousands of employee devices. In a filing with the US Securities and Exchange Commission, Stryker said it is still recovering from the incident.
The U.S. Department of Justice has also accused Handala of acting as a front for Iran’s intelligence services. Authorities previously seized websites linked to Handala and another group, “Homeland Justice,” which the FBI said are connected and operated by the same entity.
Platform Response And Ongoing Monitoring
A spokesperson for Telegram, Remi Vaughn, said the company removes accounts associated with malware as part of its moderation efforts.
