The FBI has warned of Iran-linked Handala hackers using Telegram in malware attacks:
The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate information on malicious cyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security (MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.
Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity. The FBI assessed MOIS cyber actors are responsible for using Telegram as a C2 infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other oppositional groups around the world. This FLASH warns network defenders and the public of continued malicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures (TTPs) used in this malware campaign.
Commenting on this news is Ensar Seker, CISO at SOCRadar:
“The use of Telegram as command-and-control infrastructure is not surprising, it reflects a broader shift where threat actors deliberately blend malicious traffic into trusted, encrypted platforms. By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default.
What makes this particularly concerning is the targeting profile. These operations are not opportunistic; they are highly intentional, focusing on journalists, dissidents, and opposition voices. This aligns with state-sponsored objectives, where cyber operations are used as an extension of intelligence gathering and influence campaigns rather than purely financial gain.
From a defensive standpoint, this highlights a critical gap: many organizations still rely too heavily on traditional indicators like IP blocking or domain reputation. When attackers operate inside legitimate platforms, defenders must shift toward behavioral detection, monitoring anomalies in application usage, data flows, and endpoint activity rather than trusting the platform itself.
The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.
Ultimately, this is not about Telegram specifically, it’s about the normalization of “living off trusted services.” Organizations that fail to adapt to this model will continue to miss early-stage intrusions, especially those tied to advanced persistent threat actors with geopolitical motivations.”
This highlights the fact that warfare is different now because the battlefield has expanded to the cyber world. Thus you need to keep that in mind in order to keep your organization safe from this new generation of threats.
Like this:
Like Loading...
Related
This entry was posted on March 23, 2026 at 1:47 pm and is filed under Commentary with tags FBI, Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
FBI Warns Of Iran-Linked Threat Actors Using Telegram For Attacks
The FBI has warned of Iran-linked Handala hackers using Telegram in malware attacks:
The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate information on malicious cyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security (MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.
Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity. The FBI assessed MOIS cyber actors are responsible for using Telegram as a C2 infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other oppositional groups around the world. This FLASH warns network defenders and the public of continued malicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures (TTPs) used in this malware campaign.
Commenting on this news is Ensar Seker, CISO at SOCRadar:
“The use of Telegram as command-and-control infrastructure is not surprising, it reflects a broader shift where threat actors deliberately blend malicious traffic into trusted, encrypted platforms. By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default.
What makes this particularly concerning is the targeting profile. These operations are not opportunistic; they are highly intentional, focusing on journalists, dissidents, and opposition voices. This aligns with state-sponsored objectives, where cyber operations are used as an extension of intelligence gathering and influence campaigns rather than purely financial gain.
From a defensive standpoint, this highlights a critical gap: many organizations still rely too heavily on traditional indicators like IP blocking or domain reputation. When attackers operate inside legitimate platforms, defenders must shift toward behavioral detection, monitoring anomalies in application usage, data flows, and endpoint activity rather than trusting the platform itself.
The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.
Ultimately, this is not about Telegram specifically, it’s about the normalization of “living off trusted services.” Organizations that fail to adapt to this model will continue to miss early-stage intrusions, especially those tied to advanced persistent threat actors with geopolitical motivations.”
This highlights the fact that warfare is different now because the battlefield has expanded to the cyber world. Thus you need to keep that in mind in order to keep your organization safe from this new generation of threats.
Share this:
Like this:
Related
This entry was posted on March 23, 2026 at 1:47 pm and is filed under Commentary with tags FBI, Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.