
FBI warns Iran-linked cyber campaign uses Telegram bots to control compromised systems, scale attacks


The U.S. Federal Bureau of Investigation (FBI) published a FLASH advisory warning that Iranian state-linked cyber actors are expanding their operational playbook around messaging platforms: social messaging applications are used to deliver malware to targeted victims, and Telegram bots then serve as the command-and-control (C2) channel for the implant. The activity reflects a shift toward blending social engineering with covert delivery mechanisms, enabling attackers to communicate directly with compromised systems while evading traditional detection methods. The campaign highlights how adversaries increasingly exploit widely used applications to bypass security controls and maintain persistent access within victim environments.

Released by the FBI Internet Crime Complaint Center, the advisory underscores that these operations are part of a broader pattern of state-backed cyber activity focused on intelligence gathering, surveillance, and potential disruption. By using legitimate platforms and targeted delivery techniques, threat actors can scale operations while reducing visibility, complicating both detection and response. The findings reinforce the need for organizations to strengthen monitoring of trusted communication channels, implement strict access controls, and prioritize user awareness, as attackers continue to refine tactics that blend into normal digital behavior. 

“The FBI assesses Iran MOIS cyber actors deployed multiple versions of the malware to infect machines running Windows operating systems, dating back to the fall of 2023,” according to the advisory. “The observed victim profile included Iranian dissidents, journalists opposed to Iran, members of organizations with beliefs counter to Government of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government. However, the malware could be used to target any individual of interest to Iran. The malware used as part of this cyber activity included a multi-stage payload enabling remote user access to the infected devices. Threat actors used social engineering to customize the first stage of the malware to masquerade as commonly used programs or services on Windows machines.” 

The second stage connected the infected machine to Telegram command and control bots that enabled remote user access to exfiltrate screen captures or files from the victim devices. In July 2025, the online entity known as ‘Handala Hack’ claimed responsibility for a hack-and-leak operation targeting multiple persons voicing concerns about current events in Iran that conflicted with the Government of Iran’s rhetoric. 

The FBI assesses some of the information Handala Hack claimed to have acquired and posted online was obtained using malware as part of the group’s ongoing campaign to target dissidents. Handala Hack is known for phishing, data theft, extortion, and destructive attacks involving custom wiper malware. Additionally, the FBI assesses Handala Hack is linked to the online entity ‘Homeland Justice,’ also operated by Iran MOIS cyber actors. 

The advisory identified that Iran MOIS cyber actors consistently leverage state-directed advanced persistent threat (APT) and proxy groups to carry out hacktivist-style attacks, including hack-and-leak operations that blend technical compromise with disinformation. The campaigns typically involve the theft of perceived sensitive data, its manipulation or selective exposure, and public distribution through aligned media channels to maximize reputational or political damage. MOIS' use of Telegram as the C2 channel for malware deployed against Iranian dissidents is one example of these actors advancing Iran's geopolitical agenda.

“Threat actors relied upon social engineering to deliver malware and infect victim devices. The Iranian cyber actors engaged with a targeted victim via social messaging applications and masqueraded as a known individual or technical support from the social messaging platform,” according to the FBI FLASH advisory. “The Iranian cyber actors then convinced the victim to accept a file transfer consisting of the masquerading stage 1 malware. When the victim opened the file, the malware infected the victim’s device and launched the persistent implant stage 2 malware. Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim.”

Malware analysis identified numerous samples tied to the campaign. Once initial access was established on the victim system, the stage 1 malware downloaded follow-on payloads. The stage 1, or masquerading, samples were named Telegram_authenticator[dot]exe, WhatssApp[dot]exe (spelled with a doubled 's' in the indicator list), KeePass[dot]exe, and Pictory_premium_ver9.0.4[dot]exe, names chosen to imitate applications the target was likely to trust, consistent with the tailored lures described above.

The advisory observed that the malware performed defense evasion by adding directory exclusions, presumably to keep its working directories out of antivirus scans, and by configuring PowerShell so that its payloads would execute without warning prompts. It also wrote a reference to the stage 2 malware into the Windows registry so that stage 2 would autorun; the stage 2 samples served as persistent implants. Each of those actions leaves a loggable trace, so new antivirus exclusions, PowerShell execution-policy changes, and new autorun registry values are all worth monitoring.

The campaign used multiple malware samples to exfiltrate data, including MicDriver[dot]exe/MicDriver[dot]dll, Winappx[dot]exe, MsCache[dot]exe, RuntimeSSH[dot]exe, and smqdservice[dot]exe. Their functionality included screen and audio recording, cache captures, password-protected file compression, file deletion, and staging of the compressed archives for upload to api.telegram[.]org, the public Telegram Bot API endpoint. Because that host serves legitimate bot traffic over HTTPS, the exfiltration blends into ordinary encrypted web traffic; connections to that domain from endpoint processes other than an organization's sanctioned integrations are therefore a useful hunting signal.
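The behaviours summarised in the two paragraphs above (stage 1 lure execution, antivirus exclusions and PowerShell policy changes, registry autorun of stage 2, and Telegram Bot API contact and upload) can be turned into hunting logic. The following Python script is an added example, not code from the FBI advisory or from this article: it runs that logic over a handful of constructed Sysmon-style events. The event field names, the specific PowerShell commands it matches (Add-MpPreference exclusions and ExecutionPolicy Bypass/Unrestricted), the trusted-directory suppression for lookalike names, and the Bot API token shape are assumptions about how the described tradecraft is typically implemented; the advisory text quoted here does not name the exact commands.

```python
"""Hunt for the summarised tradecraft in constructed Sysmon-style events (added example).

The event schema, the PowerShell commands matched and the Bot API token shape are
assumptions, not details taken from the FBI FLASH.
"""
import re
from urllib.parse import urlparse

# Stage 1 lure and stage 2 implant filenames from the advisory summary ("[dot]" restored).
STAGE1_LURES = {
    "telegram_authenticator.exe", "whatssapp.exe",
    "keepass.exe", "pictory_premium_ver9.0.4.exe",
}
STAGE2_IMPLANTS = {
    "micdriver.exe", "micdriver.dll", "winappx.exe",
    "mscache.exe", "runtimessh.exe", "smqdservice.exe",
}
TELEGRAM_API_HOST = "api.telegram.org"  # the Telegram Bot API endpoint

# A lure called KeePass.exe is only interesting outside the places a real install lives;
# path-based suppression is crude (assumption) but removes the obvious noise.
TRUSTED_DIR_PREFIXES = ("c:\\program files", "c:\\windows")

# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>
# (public Bot API format; requiring 30+ secret characters is an assumption).
BOT_API_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
EXFIL_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio", "sendvoice"}

# Typical implementations of "exclude directories" and "PowerShell without warning";
# the advisory summary does not name the exact commands, so these are assumptions.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s.*-ExclusionPath", re.I)
EXEC_POLICY_RE = re.compile(
    r"(?:-(?:ExecutionPolicy|ep)\s+|Set-ExecutionPolicy\s+)(?:Bypass|Unrestricted)", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of forward slashes and quotes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def evaluate(event):
    """Return a list of (rule, detail) findings for one event; empty if nothing fires."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        path = event.get("image", "").replace("/", "\\").lower()
        image = basename(path)
        cmd = event.get("command_line", "")
        if image in STAGE1_LURES and not path.startswith(TRUSTED_DIR_PREFIXES):
            hits.append(("stage1_lure_executed", path))
        if image in STAGE2_IMPLANTS:
            hits.append(("stage2_implant_executed", path))
        if EXCLUSION_RE.search(cmd):
            hits.append(("av_exclusion_added", cmd))
        if EXEC_POLICY_RE.search(cmd):
            hits.append(("powershell_policy_bypass", cmd))
    elif kind == "registry_set":
        key, data = event.get("key", ""), event.get("data", "")
        if RUN_KEY_RE.search(key) and any(n in data.lower() for n in STAGE1_LURES | STAGE2_IMPLANTS):
            hits.append(("run_key_persistence", f"{key} -> {data}"))
    elif kind == "network_connect":
        if event.get("dest_host", "").lower() == TELEGRAM_API_HOST:
            hits.append(("bot_api_contact", basename(event.get("image", ""))))
    elif kind == "http_request":
        url = urlparse(event.get("url", ""))
        m = BOT_API_PATH_RE.match(url.path)
        if url.hostname == TELEGRAM_API_HOST and m:
            rule = "bot_api_exfil" if m["method"].lower() in EXFIL_METHODS else "bot_api_c2"
            hits.append((rule, f"bot_id={m['bot_id']} method={m['method']}"))
    return hits


def hunt(events):
    """Run every event through evaluate(); returns (host, rule, detail) triples in order."""
    return [(e.get("host", "?"), rule, detail) for e in events for rule, detail in evaluate(e)]


# Constructed telemetry for the walkthrough; hostnames, paths and the token are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Users\dana\Downloads\Telegram_authenticator.exe", "command_line": ""},
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\ProgramData\svc"'},
    {"host": "WS01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinAppx",
     "data": r"C:\ProgramData\svc\Winappx.exe"},
    {"host": "WS01", "type": "process_create",
     "image": r"C:\ProgramData\svc\Winappx.exe", "command_line": ""},
    {"host": "WS01", "type": "network_connect",
     "image": r"C:\ProgramData\svc\Winappx.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "WS01", "type": "http_request",
     "url": "https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeTokenFakeTo/sendDocument"},
    # Benign noise: a real KeePass install and a browser session on Telegram's web client.
    {"host": "WS02", "type": "process_create",
     "image": r"C:\Program Files\KeePass Password Safe 2\KeePass.exe", "command_line": ""},
    {"host": "WS02", "type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "web.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}  {rule:26} {detail}")
```

Run as-is, the script reports seven findings on WS01 in the order the intrusion unfolds (lure execution, exclusion and policy change, Run-key persistence, implant start, Bot API contact, sendDocument upload) and nothing on WS02, where the KeePass binary sits under Program Files and the browser talks to web.telegram.org rather than the Bot API host. Filename matching alone is weak evidence, which is why the stage 1 rule keys on path as well; in production, replace the trusted-directory prefix check with signer or hash verification and feed the rules real Sysmon, EDR or proxy logs rather than the constructed list.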

The FBI recommends exercising caution when receiving emails or online communications from unknown individuals, as well as messages that appear unusual or out of character, even if they come from known contacts. Devices should be kept up to date with the latest operating system and software updates installed regularly to reduce exposure to known vulnerabilities.

Software should only be downloaded from trusted sources, such as official app stores or verified vendor websites, to avoid inadvertently installing malicious applications. Systems should also have antivirus or anti-malware protection enabled and routinely updated and scanned to detect and remove threats.

Strong, unique passwords should be used across accounts, with multi-factor authentication enabled wherever possible for an additional security layer. Suspicious emails or messages should be reported through the appropriate email client tools, and any suspected cybercrime activity should be reported to the nearest FBI field office.


