FBI Warns of Handala Hackers Using Telegram for Malware

The U.S. Federal Bureau of Investigation (FBI) has issued a warning about a growing cyber threat involving Iran-linked hackers using Telegram to launch malware attacks against targets worldwide.

According to the alert, cyber actors tied to Iran’s Ministry of Intelligence and Security (MOIS) are leveraging Telegram as a command-and-control (C2) platform to manage infections and steal sensitive data from compromised systems. 

The campaign has been linked to the Handala hacking group, also known as Handala Hack Team, which has previously been associated with destructive cyberattacks and data-leak operations.

How the attacks work

The FBI says attackers are using social engineering techniques to trick victims into downloading malicious files disguised as legitimate applications.

Once installed, the malware allows hackers to:

• Gain remote access to infected systems
• Capture screenshots and monitor activity
• Steal files and sensitive data
• Exfiltrate information for later leaks or extortion

After infection, the malware connects back to Telegram-based control servers, enabling attackers to issue commands and retrieve stolen data in real time. 

Because Telegram is widely used and encrypted, it provides attackers with a relatively resilient infrastructure that is harder to disrupt compared to traditional command-and-control systems.

The campaign has primarily targeted journalists, activists, and individuals critical of the Iranian government, as well as other opposition figures globally. 

The FBI said the attacks are part of broader “hack-and-leak” operations, where stolen data is selectively released to damage reputations, spread disinformation, or intimidate targets.

Such tactics combine technical cyberattacks with psychological operations, amplifying the impact beyond the initial breach.

The warning comes amid heightened geopolitical tensions and follows a series of cyber incidents linked to the same group.

Handala has been tied to phishing campaigns, data theft, extortion, and destructive malware attacks, including operations targeting organizations in the United States and other countries.

In some cases, the group has also used websites and Telegram channels to publish stolen data and claim responsibility for attacks, blending cyber intrusion with public messaging campaigns.

Security experts say the use of platforms like Telegram highlights a broader trend in cybercrime.

Messaging apps are increasingly being used not just for communication, but also as infrastructure for coordinating attacks, distributing malware, and managing compromised systems.

Telegram’s flexibility including support for bots, channels, and encrypted messaging makes it particularly attractive for threat actors looking to build scalable and resilient attack systems.

FBI urges vigilance

The FBI is urging organizations and individuals to remain vigilant against phishing attempts and suspicious downloads, particularly those delivered through messaging platforms or email.

Recommended precautions include:

• Avoiding unsolicited file downloads
• Verifying sources before opening attachments
• Using multi-factor authentication
• Keeping systems updated with the latest security patches

The agency said it released the alert to raise awareness and help organizations reduce the risk of compromise as cyber threats continue to evolve.