Iranian government hackers are using Telegram as a means to steal data from hacked dissidents and journalists opposed to the regime around the world, according to an FBI warning released Friday.
In the first stage of the attack, the hacker contacts the target, pretending to be a known contact or technical support, and tricks the target into accepting a link to a malicious file disguised as a legitimate app such as Telegram or WhatsApp. Once the target installs the malware, the second stage of the attack connects the infected device to a Telegram bot, allowing the hacker to remotely command and control the victim’s computer. According to the FBI, this allows hackers to remotely control victims’ devices to steal files, take screenshots, and record Zoom calls.
Using Telegram as a way to remotely control a victim’s device is a common technique used by hackers to hide malicious activity within legitimate network traffic, making it difficult for cybersecurity defenders and anti-malware products to identify.
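The warning and this article describe the technique only in outline. The following is an added example (not code from the FBI alert, TechCrunch, or any of the groups named here) showing one way a defender can surface this pattern in outbound proxy or EDR logs despite the traffic going to a legitimate service. It relies on the public shape of Telegram Bot API URLs (`api.telegram.org/bot<id>:<secret>/<method>`) and flags a host whose process both polls `getUpdates` (pulling operator commands) and uploads files through methods such as `sendDocument` (pushing stolen content). The log format, hostnames, process names, and bot token in it are constructed for the demonstration; the heuristic itself is an assumption of this example, not something the article states the FBI uses.

```python
"""Added example: spot Telegram Bot API command-and-control in outbound logs.

Not from the article or the FBI alert. The log layout below is constructed
(timestamp host process destination path); real proxy/EDR exports differ.
"""
import re
from collections import defaultdict

# Telegram Bot API requests look like /bot<bot_id>:<secret>/<method>.
# Only the numeric bot_id is reported; the secret is never emitted.
BOT_API_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# An implant polls for operator commands and uploads files/screenshots.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}

# Constructed sample log lines (not real hosts, processes, or tokens).
SAMPLE_LOGS = [
    "2026-05-01T10:00:01Z ws-07 WhatsApp-Setup.exe api.telegram.org /bot123456:ABCdefGHIjkl_mno/getUpdates",
    "2026-05-01T10:00:31Z ws-07 WhatsApp-Setup.exe api.telegram.org /bot123456:ABCdefGHIjkl_mno/getUpdates",
    "2026-05-01T10:01:04Z ws-07 WhatsApp-Setup.exe api.telegram.org /bot123456:ABCdefGHIjkl_mno/sendDocument",
    "2026-05-01T10:01:05Z ws-07 WhatsApp-Setup.exe api.telegram.org /bot123456:ABCdefGHIjkl_mno/sendPhoto",
    "2026-05-01T10:02:00Z ws-12 chrome.exe web.telegram.org /a/",
    "2026-05-01T10:02:10Z ws-12 chrome.exe api.telegram.org /bot777:zzz/getMe",
    "2026-05-01T10:03:00Z ws-03 Telegram.exe 149.154.167.51 /",
]


def parse_line(line):
    """Split one constructed log line into fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, process, dest, path = parts
    return {"ts": ts, "host": host, "process": process, "dest": dest, "path": path}


def classify_bot_call(dest, path):
    """Return (bot_id, 'poll'|'exfil'|'other') for Bot API calls, else None."""
    if dest != "api.telegram.org":
        return None
    m = BOT_API_RE.match(path)
    if not m:
        return None
    method = m.group("method")
    if method in POLL_METHODS:
        kind = "poll"
    elif method in EXFIL_METHODS:
        kind = "exfil"
    else:
        kind = "other"
    return m.group("bot_id"), kind


def find_bot_c2(lines):
    """Aggregate Bot API use per (host, process) and flag pairs that both
    poll for commands and upload files: the C2-plus-exfiltration pattern."""
    stats = defaultdict(lambda: {"bot_ids": set(), "poll": 0, "exfil": 0, "other": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify_bot_call(ev["dest"], ev["path"])
        if hit is None:
            continue
        bot_id, kind = hit
        key = (ev["host"], ev["process"])
        stats[key]["bot_ids"].add(bot_id)
        stats[key][kind] += 1

    findings = []
    for (host, process), s in sorted(stats.items()):
        if s["poll"] and s["exfil"]:
            findings.append({
                "host": host,
                "process": process,
                "bot_ids": sorted(s["bot_ids"]),
                "poll": s["poll"],
                "exfil": s["exfil"],
            })
    return findings


if __name__ == "__main__":
    for f in find_bot_c2(SAMPLE_LOGS):
        print(f"{f['host']}: {f['process']} polled {f['poll']}x and uploaded "
              f"{f['exfil']}x via bot id(s) {f['bot_ids']}")
```

Requiring both polling and uploads from the same process keeps ordinary notification bots (which only send) and one-off `getMe` checks out of the alert; a legitimate Telegram desktop client speaks MTProto to Telegram's own addresses rather than the Bot API, so it produces no hits at all. The lookalike installer name in the sample is there only to mirror the lure the article describes; the process name is not what the rule keys on.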
According to the FBI, the hackers who carried out these attacks are said to be working for Iran’s Ministry of Intelligence and Security (MOIS). The FBI said these attacks were an example of attempts by Iranian government hackers to further the regime’s “geopolitical agenda.”
The FBI mentioned the pro-Iranian and pro-Palestinian pseudo-hacktivist group Handara in the warning, but it is unclear whether the attack mentioned in the warning was carried out by this group.
Earlier this month, Handara claimed responsibility for an attack on medical technology giant Stryker that resulted in tens of thousands of employees’ devices being wiped.
Stryker Inc. said in an 8-K filing with the U.S. Securities and Exchange Commission on Monday that it is still recovering from the hack.
Last week, the US Department of Justice accused Handara of being a front for the Iranian government, specifically MOIS, and of being behind the Stryker hack. At the same time, the FBI took down and seized two websites associated with Handara and two others associated with another Iranian hacktivist group called “Homeland Justice.” The FBI said in a recent alert that the two groups are coordinated and controlled by MOIS.
An FBI spokesperson said in an email that the FBI has “nothing further to add.”
Telegram did not respond to a request for comment.
Updated to include FBI response.
