
FBI Warns Iranian Hackers Use Telegram to Steal Data
Key Takeaways
- Iranian government-linked hackers use Telegram as command-and-control infrastructure for malware.
- Targets include dissidents and journalists worldwide; two-stage campaign uses phishing and Telegram C2.
- Alert escalated due to ongoing conflict; campaign active since 2023.
FBI Iran Cyber Warning
The FBI has issued a comprehensive warning about a sophisticated cyber campaign orchestrated by Iranian government hackers.
These hackers are leveraging Telegram as a command-and-control platform to steal sensitive data from targets worldwide.

According to multiple sources, these attacks are being conducted by hackers tied to Iran's Ministry of Intelligence and Security (MOIS).
The campaign specifically targets individuals and organizations critical of the Iranian regime.
The operation represents a significant escalation in Iran's cyber capabilities.
The campaign has also been linked to Homeland Justice, another influence-hacking brand.
The FBI assessment indicates that these clusters are coordinated, with hack-and-leak theatrics masking state direction.
The attacks highlight Iran's increasing use of cyber operations to advance its geopolitical agenda and suppress dissent both domestically and internationally.
Attack Methodology
The campaign employs a sophisticated two-stage attack methodology that begins with social engineering tactics and progresses to remote malware deployment.
In the initial phase, hackers masquerade as trusted contacts or tech support personnel.

They trick victims into accepting file transfers that appear to be legitimate applications such as Telegram, WhatsApp, Pictory, and KeePass.
This reconnaissance-based approach is tailored to individual victims' patterns of life to increase the likelihood of successful malware installation.
Once the malicious file is downloaded and executed, the second stage connects the compromised system to Telegram-based control servers through specially configured bots.
This infrastructure enables attackers to issue commands in real-time and retrieve stolen data while leveraging Telegram's encrypted communication to hide malicious activity.
This makes detection significantly more challenging for cybersecurity defenders and anti-malware products.
Surveillance Capabilities
The Iranian hackers' capabilities extend beyond simple data theft, enabling comprehensive surveillance and control of compromised systems.
“The FBI has warned that Iranian government–linked hackers are abusing Telegram to remotely control malware and extract sensitive data from dissidents, opposition groups, and journalists worldwide”
Once the malware is established, attackers can gain remote access to infected devices.
They can capture screenshots, monitor user activity, steal files and sensitive data, and record Zoom calls and other communications.
This level of access provides strategic insight into networks, plans, and sources of targeted individuals and organizations.
The stolen information is then selectively released through 'hack-and-leak' operations.
These operations are designed to damage reputations, spread disinformation, or intimidate targets.
The campaign is reportedly part of broader Iranian government efforts to push the regime's geopolitical agenda.
The Handala hacking group (also known as Handala Hack Team) is specifically implicated in these operations alongside other influence-hacking brands.
Defense Recommendations
In response to this emerging threat, cybersecurity authorities and experts have issued comprehensive defense recommendations to protect against these sophisticated attacks.
The FBI and CISA guidance emphasizes continuous security awareness training tailored specifically to journalists and NGOs.

The guidance also calls for phishing-resistant multifactor authentication, such as hardware security keys.
Technical recommendations include validating all software from official app stores or vendor sites.
Organizations should avoid sideloaded installers sent via email or messaging.
They should deploy application allowlisting to prevent unauthorized binaries.
Organizations are urged to harden their network infrastructure by blocking Telegram at the network edge if not required.
Monitoring protocols should focus on unusual Telegram API connections, large outbound file transfers, and long-lived sessions from atypical hosts.
For at-risk communities, additional measures include enforcing out-of-band verification for unexpected tech-support messages and limiting meeting recording privileges.
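One way to operationalize the monitoring recommendation above, as an added example that is not from the FBI/CISA guidance or this article: it scans proxy-style egress logs for Telegram Bot API traffic from hosts not expected to use Telegram, for large outbound transfers, and for long-lived sessions. The log format, host names, and thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy-style egress log lines (not real traffic). Fields:
# timestamp  src_host  dest_host  bytes_out  duration_seconds
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ws-editor-12 api.telegram.org 1820 4
2024-05-01T09:05:13Z ws-editor-12 api.telegram.org 3100 3
2024-05-01T10:12:40Z ws-finance-03 api.telegram.org 52428800 1900
2024-05-01T10:30:02Z ws-finance-03 cdn.example.net 900 2
2024-05-01T11:00:09Z ws-comms-01 api.telegram.org 2200 5
2024-05-01T11:45:55Z ws-editor-12 api.telegram.org 40960000 3600
"""

# api.telegram.org is the Telegram Bot API endpoint that bot-based C2 talks to.
TELEGRAM_HOSTS = {"api.telegram.org"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_log(text):
    """Yield (ts, src, dst, bytes_out, seconds) per well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, b, s = m.groups()
            yield ts, src, dst, int(b), int(s)


def find_suspicious(text, allowed_hosts, max_bytes=10_000_000, max_seconds=900):
    """Return (src_host, reason, timestamp) for Telegram API traffic that breaks policy.

    allowed_hosts: hosts (e.g. comms staff workstations) expected to use Telegram.
    max_bytes / max_seconds: assumed thresholds for 'large transfer' / 'long session'.
    """
    findings = []
    for ts, src, dst, bytes_out, seconds in parse_log(text):
        if dst not in TELEGRAM_HOSTS:
            continue
        if src not in allowed_hosts:
            findings.append((src, "telegram_api_from_atypical_host", ts))
        if bytes_out > max_bytes:
            findings.append((src, "large_outbound_transfer", ts))
        if seconds > max_seconds:
            findings.append((src, "long_lived_session", ts))
    return findings


def outbound_totals(text):
    """Aggregate bytes sent to Telegram hosts per source, to catch slow exfil."""
    totals = defaultdict(int)
    for _, src, dst, bytes_out, _ in parse_log(text):
        if dst in TELEGRAM_HOSTS:
            totals[src] += bytes_out
    return dict(totals)
```

Per-event rules miss a host that trickles data out in many small sessions, which is why the per-host aggregate is kept alongside them.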
Broader Implications
The use of Telegram by Iranian hackers represents a broader trend in modern espionage where everyday communication platforms are weaponized to extend surveillance capabilities beyond national borders.
“The FBI has warned that Iran is using Telegram as a tool to spy on dissidents, journalists, and opposition groups across the globe”
This campaign highlights the complex paradox faced by digital security: the same tools that enable secure communication for activists can be co-opted to compromise them.

Telegram's flexibility, including support for bots, channels, and encrypted messaging, makes it particularly attractive for threat actors.
Threat actors use it to build scalable and resilient attack systems that blend in with legitimate network traffic.
The FBI's warning signals a sustained pressure campaign against civil society by Iran-linked operators.
This reflects the evolving nature of cyber warfare where technical attacks are increasingly combined with psychological operations.
As more command-and-control traffic rides on common apps, defenders must pivot from blunt blocking to behavior analytics and strict software provenance, making targeted defense and verified trust more critical than ever.