Iranian Hackers Exploit Telegram for Global Cyberattacks

U.S. intelligence agencies have warned that Iranian government hackers are actively using the Telegram messaging app to infiltrate and steal data from dissidents, journalists, and opposition groups worldwide. The FBI issued a public alert on Friday detailing how these actors leverage Telegram to deploy malware, gain remote access to victims’ devices, and exfiltrate sensitive information.

How the Attacks Work

The operation unfolds in two key stages. First, hackers pose as trusted contacts or technical support to trick targets into downloading malicious files disguised as legitimate applications (like Telegram or WhatsApp itself). Once installed, this malware connects the victim’s computer to Telegram-based bots, allowing the attackers to remotely control the device.

This gives hackers access to steal files, capture screenshots, and even record private communications like Zoom calls.

The attackers exploit Telegram’s infrastructure because it obscures malicious activity within regular network traffic, making detection by cybersecurity tools more difficult. This tactic highlights a growing trend of cyber actors embedding operations within commonly used platforms to evade scrutiny.
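The detection difficulty described above comes from the fact that a bot-driven implant talks only to Telegram's own API, so the destination looks like ordinary messaging traffic. What still separates a remote-control bot from a harmless notification bot is the set of Bot API methods it calls: an implant must poll for operator commands and must upload files or screenshots, while a chat-notification script only posts text. The following Python triage script is an added example, not code from the article or from any agency or vendor it mentions. It assumes a simple proxy log format (timestamp, source host, HTTP verb, full URL, user agent) with constructed sample lines and a fake bot token; the Bot API URL shape `https://api.telegram.org/bot<id>:<token>/<method>` is Telegram's documented one, and the method names used for scoring are assumptions about which calls a remote-control implant needs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Telegram's Bot API is reached at https://api.telegram.org/bot<id>:<token>/<method>.
BOT_API_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Assumed scoring: getUpdates is how a bot polls for operator commands; the
# upload methods are how files or screenshots leave the host.
COMMAND_POLL = {"getUpdates"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed proxy log lines (not from the article). The bot token is fake.
SAMPLE_LOG = """\
2024-05-03T10:12:01Z ws-042 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-03T10:12:07Z ws-042 POST https://api.telegram.org/bot7311234567:AAHfakeTOKENvalueXYZ/getUpdates python-requests/2.31
2024-05-03T10:12:09Z ws-042 POST https://api.telegram.org/bot7311234567:AAHfakeTOKENvalueXYZ/sendDocument python-requests/2.31
2024-05-03T10:13:00Z ws-017 GET https://api.whatsapp.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-03T10:14:30Z build-01 POST https://api.telegram.org/bot7311234567:AAHfakeTOKENvalueXYZ/sendMessage curl/8.4.0
"""


@dataclass
class Finding:
    host: str
    bot_id: str
    methods: Set[str] = field(default_factory=set)
    user_agents: Set[str] = field(default_factory=set)

    @property
    def severity(self) -> str:
        polls = bool(self.methods & COMMAND_POLL)
        uploads = bool(self.methods & UPLOAD_METHODS)
        if polls and uploads:
            return "high"    # receives commands and ships data out: remote-control pattern
        if polls or uploads:
            return "medium"  # one half of the pattern; worth a look at the process
        return "low"         # e.g. a notification bot that only calls sendMessage

    def report(self) -> str:
        # The token is a credential; it is deliberately never echoed into the report.
        return (f"{self.severity.upper():6} host={self.host} bot_id={self.bot_id} "
                f"methods={sorted(self.methods)} agents={sorted(self.user_agents)}")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (host, bot_id, method, user_agent) for a Bot API request, else None."""
    parts = line.split(maxsplit=4)  # user agent may itself contain spaces
    if len(parts) < 5:
        return None
    _ts, host, _verb, url, ua = parts
    m = BOT_API_RE.search(url)
    if not m:
        return None
    return host, m.group("bot_id"), m.group("method"), ua


def triage(log_text: str) -> List[Finding]:
    """Group Bot API calls per (host, bot) and rank by how implant-like the call set is."""
    findings: Dict[Tuple[str, str], Finding] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, bot_id, method, ua = parsed
        f = findings.setdefault((host, bot_id), Finding(host=host, bot_id=bot_id))
        f.methods.add(method)
        f.user_agents.add(ua)
    return sorted(findings.values(), key=lambda f: (SEVERITY_RANK[f.severity], f.host))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.report())
```

Two caveats for using this in practice. The full URL path, and therefore the method name, is only visible where the proxy performs TLS inspection; without it, the only signal is a connection to api.telegram.org, which on its own is too common to alert on. And a "low" result is not a clean bill of health: the script is a prioritisation aid for the analyst, who should still confirm which process on the host made the request.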

State-Sponsored Activity

The FBI attributes these attacks to Iran’s Ministry of Intelligence and Security (MOIS), framing them as part of a broader effort to advance the regime’s geopolitical interests. A linked pro-Iranian hacktivist group, “Handala,” has claimed responsibility for recent high-profile attacks, including a disruptive breach against medical technology firm Stryker.

Stryker confirmed in an SEC filing that it is still recovering from the hack, which involved wiping tens of thousands of employee devices. The U.S. Justice Department has accused Handala of operating as a front for the MOIS, leading to the seizure of websites linked to Handala and another Iranian group, “Homeland Justice.” The FBI maintains that both are controlled by the same state actors.

Telegram’s Response

Telegram’s spokesperson Remi Vaughn stated that the platform actively removes accounts involved with malware distribution. However, the continued use of the service by these actors demonstrates the challenges of policing such activity on a large scale.

The incident underscores the evolving nature of state-sponsored cyber warfare, where seemingly innocuous platforms like Telegram are weaponized to facilitate espionage and disruption. The FBI’s warning serves as a reminder that users must remain vigilant against social engineering tactics and unauthorized software downloads.