FBI warns Iranian hackers are using Telegram to carry out data-stealing malware attacks

FBI warns Iranian hackers are using Telegram to distribute malware and steal sensitive data, raising cybersecurity concerns worldwide.

Mar 23, 2026 - 23:38

Iranian government-linked hackers are using Telegram as a tool to steal data from dissidents, opposition groups, and journalists worldwide, according to an alert issued by the FBI on Friday.

The attack unfolds in multiple stages. Initially, hackers reach out to their targets while impersonating a trusted contact or posing as technical support. Victims are then persuaded to click on a link that delivers a malicious file disguised as legitimate software, such as Telegram or WhatsApp. Once the file is installed, the second phase begins, in which the infected system connects to Telegram bots. These bots allow attackers to control the compromised device remotely.

Through this access, hackers can carry out a range of activities, including stealing files, capturing screenshots, and even recording Zoom calls, the FBI said.

Using Telegram in this way helps attackers conceal their operations within normal internet traffic. This makes it more difficult for cybersecurity tools and defenders to detect malicious behaviour, as the activity appears similar to standard platform usage.
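The two stages described above (a messenger-lookalike installer, then a Telegram bot acting as the remote control channel) leave a footprint that proxy logs can expose: ordinary Telegram clients do not call the HTTPS Bot API, so `api.telegram.org/bot<id>:<secret>/<method>` traffic from a workstation is worth reviewing. The script below is an added example written for this article, not code from the FBI alert or from any named group; it assumes a hypothetical proxy log format (`timestamp host process-path http-method url`), an assumed allowlist of hosts that legitimately run bot automation, and constructed sample log lines.

```python
"""Detection sketch: Telegram Bot API use from unexpected hosts and processes.

Hypothetical proxy log format (constructed for this example):
    <timestamp> <host> <process-path> <http-method> <url>
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Assumption: hosts that legitimately run bot automation (alerting, CI). Anything else
# talking to the Bot API is reviewed; end-user Telegram clients do not use this API.
ALLOWED_BOT_HOSTS = {"ci-notify-01"}

# Bot API methods grouped by what they mean on a compromised host.
POLLING_METHODS = {"getUpdates"}                                            # fetching operator commands
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendMessage"}  # data leaving the host

# Heuristic for a lookalike installer: messenger-like name launched from a user-writable path.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "/tmp/", "/downloads/")
MESSENGER_NAMES = ("telegram", "whatsapp")

# Constructed sample lines; tokens are placeholders, not real bot credentials.
SAMPLE_LOGS = [
    "2026-03-20T10:01:02Z ws-142 C:\\Users\\a\\AppData\\Local\\Temp\\Telegram.exe POST "
    "https://api.telegram.org/bot123456789:AAEXAMPLEtoken_for_demo_only/getUpdates",
    "2026-03-20T10:02:10Z ws-142 C:\\Users\\a\\AppData\\Local\\Temp\\Telegram.exe POST "
    "https://api.telegram.org/bot123456789:AAEXAMPLEtoken_for_demo_only/sendDocument",
    "2026-03-20T10:03:00Z ci-notify-01 /usr/bin/python3 POST "
    "https://api.telegram.org/bot987654321:BBdemo_token_abc/sendMessage",
    "2026-03-20T10:04:00Z ws-077 C:\\Users\\b\\Downloads\\WhatsApp-Setup.exe GET "
    "https://api.telegram.org/bot555:CCdemo_token/getMe",
    "2026-03-20T10:05:00Z ws-142 chrome.exe GET https://web.telegram.org/a/",
    "malformed entry",
]


@dataclass
class Finding:
    timestamp: str
    host: str
    process: str
    bot_id: str
    method: str
    category: str   # "c2-polling", "possible-upload" or "other"
    impostor: bool  # process named like a messenger, launched from a user-writable path


def redact_token(url: str) -> str:
    """Keep the numeric bot id (useful for pivoting across hosts) but never store the secret."""
    return BOT_API_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m.group('bot_id')}:***/{m.group('method')}", url
    )


def looks_like_impostor(process: str) -> bool:
    p = process.lower()
    base = p.replace("\\", "/").rsplit("/", 1)[-1]
    return any(base.startswith(n) for n in MESSENGER_NAMES) and any(h in p for h in USER_WRITABLE_HINTS)


def classify(method: str) -> str:
    if method in POLLING_METHODS:
        return "c2-polling"
    if method in UPLOAD_METHODS:
        return "possible-upload"
    return "other"


def analyse(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a real pipeline would count these separately
        ts, host, process, _http_method, url = parts
        m = BOT_API_RE.match(url)
        if not m or host in ALLOWED_BOT_HOSTS:
            continue
        findings.append(Finding(ts, host, process, m["bot_id"], m["method"],
                                classify(m["method"]), looks_like_impostor(process)))
    return findings


def bots_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Which bot ids each host talked to; one host with several bots is a stronger signal."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.bot_id)
    return {h: sorted(ids) for h, ids in out.items()}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        flag = " [messenger lookalike from user-writable path]" if f.impostor else ""
        print(f"{f.timestamp} {f.host} {f.category:15} bot={f.bot_id} {f.method}{flag}")
    print(bots_by_host(analyse(SAMPLE_LOGS)))
```

The classification is deliberately coarse: `getUpdates` polling is how a bot receives instructions, while `sendDocument` and similar methods are the shape of files or screenshots leaving the host. Blocking `api.telegram.org` outright is a policy choice each organisation has to make; at minimum, the allowlist should be short and explicit, and the bot secret should be redacted before the finding is stored, since the id alone is enough to correlate hosts.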

The FBI stated that the individuals behind these campaigns are believed to be working on behalf of Iran’s Ministry of Intelligence and Security. The agency described the attacks as part of broader efforts by Iranian state-backed hackers to advance the country’s geopolitical objectives.

In its alert, the FBI also referenced Handala, a pro-Iranian and pro-Palestinian group that presents itself as a hacktivist organisation. However, it remains unclear whether this group directly carried out the specific attacks outlined in the alert.

Earlier this month, Handala claimed responsibility for a cyberattack on medical technology company Stryker, which led to the wiping of tens of thousands of employee devices. In a filing with the U.S. Securities and Exchange Commission, Stryker confirmed that it is still working to recover from the incident.

Last week, the U.S. Justice Department alleged that Handala is not an independent hacktivist group but instead operates as a front for Iran’s government, specifically the Ministry of Intelligence and Security. Authorities also said the group was behind the Stryker attack.

At the same time, the FBI seized two websites linked to Handala, along with two additional domains associated with another Iranian-linked group, Homeland Justice. According to the FBI, both groups are connected and controlled by the same intelligence apparatus.

An FBI spokesperson said the bureau had no additional comments beyond the information included in the alert.

Telegram spokesperson Remi Vaughn responded that the platform actively removes accounts engaged in malicious activity, noting that moderators routinely take action against users distributing malware.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.