According to the alert, cyber actors tied to Iran’s Ministry of Intelligence and Security (MOIS) are leveraging Telegram as a command-and-control (C2) platform to manage infections and steal sensitive data from compromised systems.
The campaign has been linked to the Handala hacking group, also known as Handala Hack Team, which has previously been associated with destructive cyberattacks and data-leak operations.
How the attacks work
The FBI says attackers are using social engineering techniques to trick victims into downloading malicious files disguised as legitimate applications.
Once installed, the malware allows hackers to:
Gain remote access to infected systems
Capture screenshots and monitor activity
Steal files and sensitive data
Exfiltrate information for later leaks or extortion
After infection, the malware connects back to Telegram-based control servers, enabling attackers to issue commands and retrieve stolen data in real time.
Because Telegram is widely used and encrypted, it provides attackers with a relatively resilient infrastructure that is harder to disrupt compared to traditional command-and-control systems.
The campaign has primarily targeted journalists, activists, and individuals critical of the Iranian government, as well as other opposition figures globally.
The FBI said the attacks are part of broader “hack-and-leak” operations, where stolen data is selectively released to damage reputations, spread disinformation, or intimidate targets.
Such tactics combine technical cyberattacks with psychological operations, amplifying the impact beyond the initial breach.
The warning comes amid heightened geopolitical tensions and follows a series of cyber incidents linked to the same group.
Handala has been tied to phishing campaigns, data theft, extortion, and destructive malware attacks, including operations targeting organizations in the United States and other countries.
In some cases, the group has also used websites and Telegram channels to publish stolen data and claim responsibility for attacks, blending cyber intrusion with public messaging campaigns.
Security experts say the use of platforms like Telegram highlights a broader trend in cybercrime.
Messaging apps are increasingly being used not just for communication, but also as infrastructure for coordinating attacks, distributing malware, and managing compromised systems.
Telegram’s flexibility including support for bots, channels, and encrypted messaging makes it particularly attractive for threat actors looking to build scalable and resilient attack systems.
FBI urges vigilance
The FBI is urging organizations and individuals to remain vigilant against phishing attempts and suspicious downloads, particularly those delivered through messaging platforms or email.
Recommended precautions include:
Avoiding unsolicited file downloads
Verifying sources before opening attachments
Using multi-factor authentication
Keeping systems updated with the latest security patches
The agency said it released the alert to raise awareness and help organizations reduce the risk of compromise as cyber threats continue to evolve.
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
