Up Headlines

FBI warns of Telegram-linked malware spying campaign

The Federal Bureau of Investigation (FBI) has raised fresh concerns about a cyber-espionage campaign tied to Iranian state-backed hackers. According to a newly released alert, these attackers are using the popular messaging app Telegram as a tool to quietly steal sensitive data from targets around the world.

The campaign appears to focus on dissidents, journalists, and opposition groups critical of Iran’s government. The attackers reportedly begin by reaching out directly to victims, posing as trusted contacts or even tech support personnel. Their goal is simple: convince the target to download what looks like a legitimate app—often disguised as WhatsApp or Telegram itself.

But once installed, the software reveals its true purpose.

Behind the scenes, the malicious app connects the victim’s device to Telegram-based bots controlled by the hackers. This gives attackers remote access to the system, allowing them to monitor activity, steal files, capture screenshots, and even record private meetings, including calls on platforms like Zoom.

Using Telegram in this way isn’t new, but it’s effective. Because the app is widely used and generates legitimate traffic, it helps attackers blend in and avoid raising red flags with cybersecurity tools. This makes it harder for defenders to detect unusual activity.
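One way defenders can still separate this traffic from ordinary Telegram use, shown as an added example that is not part of the article: the malware described above talks to Telegram *bots*, which means calls to the Bot API (`api.telegram.org/bot<token>/<method>`), while the official client and web client do not use that endpoint at all. The rule below parses constructed proxy-style log lines (a hypothetical `host=/proc=/url=` format, not a real product's schema) and flags any process polling a bot for commands or pushing files through it.

```python
import re
from collections import defaultdict

# Constructed sample log lines, NOT from the article. Tokens are placeholders.
SAMPLE_LOGS = """\
2024-06-01T10:00:01Z host=ws-17 proc=Telegram.exe url=https://telegram.org/
2024-06-01T10:00:05Z host=ws-17 proc=WhatsApp_Setup.exe url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/getUpdates
2024-06-01T10:00:09Z host=ws-17 proc=WhatsApp_Setup.exe url=https://api.telegram.org/bot123456:CONSTRUCTED-TOKEN/sendDocument
2024-06-01T10:01:00Z host=ws-22 proc=chrome.exe url=https://web.telegram.org/k/
2024-06-01T10:02:00Z host=ws-22 proc=svchost.exe url=https://api.telegram.org/bot999:ANOTHER-TOKEN/sendPhoto
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")
# Real Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")

# getUpdates = the implant polling the bot for operator commands;
# send* = the implant shipping screenshots/files out through the bot.
COMMAND_POLL = {"getUpdates"}
EXFIL = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_bot_api_c2(log_text):
    """Return one alert per (host, process) that calls the Telegram Bot API.

    Ordinary client traffic (Telegram.exe, web.telegram.org) never hits the
    Bot API, so only bot-driven processes are collected. Severity is 'high'
    when the same process both polls for commands and uploads data (a full
    remote-access loop), 'medium' when it does only one of the two.
    """
    seen = defaultdict(lambda: {"methods": set(), "bot_ids": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        b = BOT_API_RE.match(rec["url"])
        if not b:
            continue
        entry = seen[(rec["host"], rec["proc"])]
        entry["methods"].add(b.group("method"))
        entry["bot_ids"].add(b.group("token").split(":")[0])  # numeric id only, never the secret

    alerts = []
    for (host, proc), e in sorted(seen.items()):
        polls, exfil = bool(e["methods"] & COMMAND_POLL), bool(e["methods"] & EXFIL)
        severity = "high" if (polls and exfil) else ("medium" if (polls or exfil) else "low")
        alerts.append({"host": host, "process": proc, "bot_ids": sorted(e["bot_ids"]),
                       "methods": sorted(e["methods"]), "severity": severity})
    return alerts
```

The bot id recorded in each alert (the part before the colon) identifies the attacker's bot for blocking or takedown requests without logging the secret half of the token.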

The FBI believes the operation is linked to Iran’s Ministry of Intelligence and Security (MOIS), suggesting the attacks are part of a broader effort to advance the country’s geopolitical interests.

The alert also mentions a group known as Handala, which has previously claimed responsibility for cyberattacks aligned with pro-Iran and pro-Palestinian narratives. While it’s unclear if Handala directly carried out these specific attacks, the group has been active in recent high-profile incidents.

Earlier this month, Handala took credit for a cyberattack on Stryker, a major medical technology firm. The breach reportedly led to the wiping of tens of thousands of employee devices. In a filing with the U.S. Securities and Exchange Commission, Stryker confirmed it is still working to recover from the incident.

Meanwhile, the U.S. Department of Justice has accused Handala of acting as a front for Iran’s intelligence services. Authorities say the group is closely tied to MOIS and may have played a role in the Stryker breach.

Law enforcement has already taken action. The FBI recently seized two websites linked to Handala, along with additional sites connected to another Iranian-linked group, Homeland Justice. According to officials, both groups are believed to be operating under MOIS control.

The FBI has not shared further details about the campaign, and Telegram has yet to comment on the findings.
