**Iran-Linked Actors Use Telegram as C2 in Malware Attacks on Dissidents**
In a disturbing trend, Iranian-linked threat actors have been using the popular messaging app Telegram as command-and-control (C2) infrastructure for malware targeting dissidents, journalists, and opposition groups worldwide. The FBI has issued an alert warning that Iran's Ministry of Intelligence and Security (MOIS) is using this tactic in its cyber campaigns.
According to the FBI, these actors have been using multiple malware variants since late 2023 to target Windows systems linked to dissidents, journalists, and opposition groups. The malware enables surveillance, data theft, and reputational damage against victims, reflecting ongoing Iranian cyber operations amid rising geopolitical tensions in the Middle East.
**The Malware Campaign: A Multi-Stage Infection Chain**
The FBI analyzed the malware used in the Iran-linked campaigns and identified a multi-stage infection chain. The stage 1 malware masquerades as legitimate software, such as Telegram, KeePass, or WhatsApp, and its job is to deliver the next payload. Once the victim runs it (and, in some cases, interacts with the fake application), it drops a persistent implant (stage 2).
The stage 2 implant is where the Telegram dependency comes in: the MOIS actors configured the C2 channel as a Telegram bot, so the implant polls the bot for operator commands and sends results back through the same bot. On the wire, this is bidirectional HTTPS traffic between the compromised device and api.telegram[.]org.
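The detail that matters for defenders is that the implant talks to the Bot API (api.telegram.org/bot&lt;token&gt;/&lt;method&gt;), which is an interface for bots, not for the Telegram client itself; the genuine desktop client speaks MTProto to Telegram's data centres, so an endpoint process named telegram.exe (or keepass.exe, or powershell.exe) calling the Bot API is something to look at. The script below is an added example, not code from the FBI alert or from the malware; it runs over a few constructed, tab-separated proxy log lines (timestamp, host, process, URL) with made-up bot tokens, flags Bot API calls, strips the secret half of the token before it lands in an alert, and pairs polling (getUpdates) with sending methods to surface the two-way channel described above.

```python
"""Flag Telegram Bot API traffic in endpoint/proxy logs (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
# Only the numeric id is kept for pivoting; the secret is never written to an alert.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>[A-Za-z]+)"
)

# Methods an implant needs: one to poll for operator commands, the rest to push data out.
C2_METHODS = {
    "getUpdates": "polls for operator commands",
    "sendMessage": "returns command output / beacon",
    "sendDocument": "uploads files (exfiltration)",
    "sendPhoto": "uploads screenshots (exfiltration)",
}
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
LURE_PROCESSES = {"telegram.exe", "keepass.exe", "whatsapp.exe"}   # lures named in the FBI description
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    host: str
    process: str
    bot_id: str
    method: str
    reason: str


def redact_token(url: str) -> str:
    """Keep the numeric bot id but replace the secret part of the token."""
    return BOT_API_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m['bot_id']}:<redacted>/{m['method']}", url
    )


def classify(process: str) -> str:
    name = process.lower()
    if name in LURE_PROCESSES:
        return "Bot API call from a process named after a lure app; the real client uses MTProto, not the Bot API"
    if name in SCRIPT_HOSTS:
        return "Bot API call from a scripting host"
    return "Bot API call from an endpoint process"


def scan_log(text: str) -> List[Alert]:
    """Parse lines of the form <timestamp>\t<host>\t<process>\t<url> (assumed, constructed format)."""
    alerts: List[Alert] = []
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 4:
            continue  # malformed or blank line: skip it rather than abort the scan
        _ts, host, process, url = parts
        m = BOT_API_RE.search(url)
        if not m:
            continue
        method = m["method"]
        reason = classify(process)
        if method in C2_METHODS:
            reason += f" ({C2_METHODS[method]})"
        alerts.append(Alert(host, process, m["bot_id"], method, reason))
    return alerts


def bidirectional_bots(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """Bot ids seen both polling (getUpdates) and sending: the two-way channel the FBI describes."""
    seen: Dict[str, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a.bot_id, set()).add(a.method)
    return {b: ms for b, ms in seen.items() if "getUpdates" in ms and ms & SEND_METHODS}


# Constructed sample log lines (not real telemetry); the tokens are made up.
SAMPLE_LOG = "\n".join([
    "2024-01-12T10:03:11Z\tWS-017\tkeepass.exe\thttps://api.telegram.org/bot7012345678:AAHx1example_secret_part_of_token_a/getUpdates?offset=12",
    "2024-01-12T10:03:40Z\tWS-017\tkeepass.exe\thttps://api.telegram.org/bot7012345678:AAHx1example_secret_part_of_token_a/sendDocument",
    "2024-01-12T10:04:02Z\tWS-003\tchrome.exe\thttps://core.telegram.org/bots/api",
    "2024-01-12T10:05:19Z\tWS-022\tpowershell.exe\thttps://api.telegram.org/bot9987654321:BBHx2example_secret_part_of_token_b/sendMessage",
])

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.host} {a.process} bot={a.bot_id} {a.method}: {a.reason}")
    print("two-way C2 bots:", bidirectional_bots(found))
```

The browser line that merely visits the Bot API documentation is not flagged, because the match is on the api.telegram.org host and the bot&lt;id&gt;:&lt;secret&gt; path, not on the word "bot". If your proxy strips URL paths, the same logic can be applied to TLS SNI plus process name, at the cost of losing the method-level distinction between polling and exfiltration.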
**Social Engineering and Targeted Attacks**
The delivery relies on social engineering rather than an exploit. The actors pose as trusted contacts or support staff and persuade the victim to accept a file transfer containing the masquerading stage 1 malware; when the victim opens the file, the device is infected and the stage 2 implant is launched.
Based on multiple observations, the FBI assesses that stage 1 was tailored to the victim's pattern of life to increase the likelihood that the file would be downloaded and opened, which indicates the actors likely performed reconnaissance on the target before making contact.
**Additional Tools and Persistence**
After initial access, additional tools are deployed to maintain persistence and evade detection, including registry changes and PowerShell abuse. The malware can record the screen and audio, capture data, compress files, and exfiltrate them via Telegram, giving the attackers long-term access to and control over compromised systems. Because both the C2 channel and the exfiltration ride over HTTPS to a widely used, legitimate service, the traffic blends in with normal activity and domain-reputation blocking alone will not catch it.
**Mitigation Measures**
The FBI urges caution with unexpected or unusual messages, even from known contacts. To reduce the risk of compromise, organizations and individuals should:
* Keep devices updated
* Download software only from trusted sources
* Use antivirus tools
* Enable strong passwords with MFA (Multi-Factor Authentication)
* Report suspicious activity to providers or authorities
By understanding these tactics, defenders can better protect themselves against these types of attacks.
**Stay Vigilant: Protecting Yourself Against Cyber Threats**
In today's digital age, cybersecurity is more important than ever. By staying informed and taking proactive measures, you can reduce the risk of falling victim to these types of attacks. Remember, even trusted contacts can be compromised. Stay vigilant, and always err on the side of caution.