
FBI warns of Handala hackers utilizing Telegram in malware assaults

The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country’s Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks.

In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists critical of the Iranian government, Iranian dissidents, and various other opposition groups worldwide.

The bureau attributed these attacks to the Iran-linked, pro-Palestinian Handala hacktivist group (also known as Handala Hack Team, Hatef, Hamsa) and the Iranian state-sponsored Homeland Justice threat group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC).

In these attacks, the Iranian hackers use social engineering to infect targets’ devices with Windows malware that lets them exfiltrate screenshots or data from compromised computers.

“Due to the heightened geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity,” the bureau said.

“This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.”

Iranian malware attacks abusing Telegram (FBI)

This warning was published one day after the FBI seized four domains (handala-redwanted[.]to, handala-hack[.]to, justicehomeland[.]org, and karmabelow80[.]org).

The websites reachable via the seized clearnet domains were used by the Handala and Homeland Justice threat groups, and by a third threat actor tracked as Karma Below, during their attacks and to leak sensitive documents and data stolen in cyberattacks targeting victims in the United States and around the world.

These actions follow Handala’s cyberattack on U.S. medical giant Stryker, in which the group factory reset roughly 80,000 devices (including employees’ personal computers and mobile devices managed by the company) using the Microsoft Intune wipe command after compromising a Windows domain administrator account and creating a new Global Administrator account.

Last week, the FBI also warned that Russian intelligence-linked threat actors are targeting Signal and WhatsApp users in phishing campaigns that have already compromised thousands of accounts.

“The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists,” the FBI said in a public service announcement issued after Dutch and French cybersecurity authorities described similar account-hijacking operations.
