**Iran-Linked Actors Use Telegram as C2 in Malware Attacks on Dissidents and Journalists**
The FBI has released an alert warning that Iran-linked actors are using Telegram as command-and-control (C2) infrastructure to spread malware targeting dissidents, journalists, and opposition groups worldwide. The tactic reflects ongoing Iranian cyber activity amid rising geopolitical tensions in the Middle East.
According to the FBI's flash alert, Iran's Ministry of Intelligence and Security (MOIS) has been running cyber campaigns using Telegram as a C2 infrastructure to deliver malware. The malware enables surveillance, data theft, and reputational damage against victims. Threat actors rely on social engineering to disguise malware as legitimate software, then deploy multi-stage payloads that connect infected devices to Telegram-based command-and-control.
**Iran's MOIS Links Malware Campaigns to Dissidents and Journalists**
The FBI warns that Iran's MOIS has used multiple malware variants since late 2023 to target Windows systems linked to dissidents, journalists, and opposition groups. Any person of interest could be targeted by these actors. The group "Handala Hack" claimed hack-and-leak operations against critics of Iran in 2025, likely using this malware.
**Malware Infection Chain: Disguising Malware as Legitimate Apps**
The FBI analyzed malware used in Iranian-linked campaigns and identified a multi-stage infection chain. Stage 1 malware disguises itself as legitimate apps like Telegram, KeePass, or WhatsApp and delivers the next payload. Once executed, it installs a persistent implant (stage 2) that connects to a Telegram-based command-and-control system, enabling two-way communication with infected devices.
**How Attackers Use Social Engineering to Deploy Malware**
Attackers use social engineering, posing as trusted contacts or support staff, to convince victims to download these files. They often tailor the malware to the victim's behavior, suggesting prior reconnaissance. In one example, attackers convinced a victim to accept a file transfer that contained the stage 1 malware masquerading as a legitimate app. When the victim opened the file, the malware infected the device and launched the persistent stage 2 implant.
**After Initial Access: Tools Deployed for Persistence and Evasion**
Additional tools are deployed after initial access to maintain persistence and avoid detection. These include registry changes and PowerShell abuse. The malware can record screens and audio, capture data, compress files, and exfiltrate them via Telegram, giving attackers long-term access and control over compromised systems.
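As an added detection example (not from the FBI alert or this article), the following Python flags Telegram Bot API beaconing and upload calls in web-proxy logs, which is where Telegram-based C2 and exfiltration of the kind described above would surface. The log format, host and process names, and bot ids are constructed, and seeing the request path assumes TLS inspection at the proxy.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of web-proxy log lines (hypothetical format; path visible only with TLS inspection): timestamp host process dest method path bytes_out
SAMPLE_LOG = """\
2025-03-01T10:00:01Z ws07 updater.exe api.telegram.org GET /bot1234567890:PLACEHOLDER_TOKEN/getUpdates 180
2025-03-01T10:00:31Z ws07 updater.exe api.telegram.org GET /bot1234567890:PLACEHOLDER_TOKEN/getUpdates 180
2025-03-01T10:01:01Z ws07 updater.exe api.telegram.org GET /bot1234567890:PLACEHOLDER_TOKEN/getUpdates 180
2025-03-01T10:01:30Z ws07 updater.exe api.telegram.org POST /bot1234567890:PLACEHOLDER_TOKEN/sendDocument 2450000
2025-03-01T10:02:00Z ws12 chrome.exe api.telegram.org GET /bot9876543210:PLACEHOLDER_TOKEN/getMe 120
2025-03-01T10:02:05Z ws12 chrome.exe example.org GET /favicon.ico 90
"""

BOT_API_PATH = re.compile(r"^/bot(\d+):[^/]+/(\w+)")  # Bot API URLs look like /bot<id>:<token>/<method>
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
BEACON_THRESHOLD = 3  # getUpdates polls from one host/process/bot within the sampled window

def parse_line(line):
    """Return a dict for a Telegram Bot API request, or None for any other line."""
    parts = line.split()
    if len(parts) != 7 or parts[3] != "api.telegram.org":
        return None
    _ts, host, proc, _dest, _method, path, nbytes = parts
    m = BOT_API_PATH.match(path)
    if not m:
        return None
    return {"host": host, "proc": proc, "bot_id": m.group(1), "api": m.group(2), "bytes": int(nbytes)}

def bot_events(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def analyze(log_text):
    """Return (kind, host, process, bot_id, value) tuples: repeated getUpdates polling (beaconing) and upload methods (possible exfiltration)."""
    events = bot_events(log_text)
    findings = []
    polls = Counter((e["host"], e["proc"], e["bot_id"]) for e in events if e["api"] == "getUpdates")
    for (host, proc, bot_id), n in polls.items():
        if n >= BEACON_THRESHOLD:
            findings.append(("beacon", host, proc, bot_id, n))
    for e in events:
        if e["api"] in UPLOAD_METHODS:
            findings.append(("upload", e["host"], e["proc"], e["bot_id"], e["bytes"]))
    return findings

def hosts_per_bot(log_text):
    """Pivot: hosts sharing one bot id are likely on the same C2 channel."""
    seen = defaultdict(set)
    for e in bot_events(log_text):
        seen[e["bot_id"]].add(e["host"])
    return {bot: sorted(hosts) for bot, hosts in seen.items()}
```

The official Telegram desktop client talks MTProto to Telegram's data centres rather than the HTTPS Bot API, so Bot API calls from any endpoint process are worth triage even below the beacon threshold.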
**FBI Urges Caution and Mitigation Measures**
The FBI urges caution with unexpected or unusual messages, even from known contacts. To mitigate the risk of compromise, organizations and individuals are advised to:
* Keep devices updated
* Download software only from trusted sources
* Use antivirus tools
* Enable strong passwords with MFA (Multi-Factor Authentication)
* Report suspicious activity to providers or authorities
The use of Telegram as a C2 infrastructure by Iranian actors highlights the importance of cybersecurity awareness in today's digital landscape. By understanding these tactics, defenders can better protect themselves and their organizations from these types of attacks.
**Stay Informed: Follow Cybersecurity News and Updates**
To stay informed about the latest cybersecurity threats and trends, follow reputable sources like Security Affairs on Twitter (@securityaffairs) and Facebook. Stay vigilant and keep your devices secure to avoid falling victim to these malicious campaigns.