Iranian government hackers are using Telegram to steal data from dissidents, opposition groups, and journalists around the world, according to a recent FBI alert. The attacks begin when hackers contact their targets, pretending to be a known contact or tech support. They trick the victim into accepting a link to a malicious file disguised as a legitimate app like Telegram or WhatsApp.
Once the malware is installed, the attack enters a second stage. It connects the infected device to Telegram bots, which allow the hackers to remotely command and control the victim’s computer. This remote access enables the hackers to steal files, capture screenshots, and record Zoom calls.
Using Telegram to remotely control a device is a common technique for hiding malicious activity within legitimate network traffic. This makes it more difficult for cybersecurity defenders and anti-malware products to detect the threat.
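To illustrate the detection problem the previous paragraph describes, here is an added example that is not part of the FBI alert or this article: a small Python script that scans constructed web-proxy log lines for calls to the public Telegram Bot API (URLs of the shape `https://api.telegram.org/bot<token>/<method>`, which is how a bot-based controller would be reached) and groups them per host and process, so that an analyst sees whether a single process is both polling for commands and pushing files or screenshots back. The log format, host and process names, and the mapping of Bot API methods to roles are assumptions made for the example; the method names themselves are from Telegram's public Bot API documentation.

```python
import re
from collections import defaultdict

# Shape of a Telegram Bot API URL (public API: https://api.telegram.org/bot<token>/<method>).
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# How each Bot API method is typically used when a bot is abused as a control channel
# (constructed mapping for this example; the method names are real Bot API methods).
METHOD_ROLE = {
    "getUpdates": "command polling",      # implant pulls operator messages
    "sendMessage": "beacon/response",     # implant reports status back
    "sendDocument": "file exfiltration",
    "sendPhoto": "screenshot exfiltration",
}

# Constructed proxy log lines. Assumed format: "<timestamp> <host> <process> <url>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-17 chrome.exe https://web.telegram.org/
2024-05-01T10:00:09Z ws-23 svchost.exe https://api.telegram.org/bot98765:ZYXWVU_abc/getUpdates?offset=1
2024-05-01T10:00:12Z ws-23 svchost.exe https://api.telegram.org/bot98765:ZYXWVU_abc/sendDocument
2024-05-01T10:01:00Z ws-42 updater.exe https://api.telegram.org/bot55555:QQQQQQQQ/sendPhoto
2024-05-01T10:01:30Z ws-42 updater.exe https://api.telegram.org/bot55555:QQQQQQQQ/sendPhoto
"""


def mask_token(token: str) -> str:
    """Keep only the numeric bot id so the full bot token never lands in alert output."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:***"


def parse_line(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, proc, url = parts
    return {"ts": ts, "host": host, "proc": proc, "url": url}


def find_bot_api_calls(log_text: str):
    """Yield one record per log line whose URL matches the Bot API shape."""
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        yield {
            "ts": rec["ts"],
            "host": rec["host"],
            "proc": rec["proc"],
            "bot": mask_token(m.group("token")),
            "method": m.group("method"),
            "role": METHOD_ROLE.get(m.group("method"), "other"),
        }


def summarize(log_text: str):
    """Group Bot API calls per (host, process) so the analyst sees the whole pattern
    rather than isolated hits. Returns {(host, proc): {"bots", "methods", "roles", "count"}}."""
    out = defaultdict(lambda: {"bots": set(), "methods": set(), "roles": set(), "count": 0})
    for call in find_bot_api_calls(log_text):
        entry = out[(call["host"], call["proc"])]
        entry["bots"].add(call["bot"])
        entry["methods"].add(call["method"])
        entry["roles"].add(call["role"])
        entry["count"] += 1
    return dict(out)


def triage(summary):
    """Return the (host, process) keys showing a full control loop: commands pulled
    AND data pushed back, which is stronger evidence than either half on its own."""
    push_roles = {"file exfiltration", "screenshot exfiltration", "beacon/response"}
    return [
        key for key, entry in summary.items()
        if "command polling" in entry["roles"] and entry["roles"] & push_roles
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, entry in s.items():
        print(key, sorted(entry["methods"]), sorted(entry["bots"]), entry["count"])
    print("full control loop:", triage(s))
```

On the sample input, the browser visit to `web.telegram.org` from `ws-17` is ignored because it is not a Bot API URL, `ws-42` is listed for repeated `sendPhoto` calls, and only `ws-23` is returned by `triage`, since its `svchost.exe` both polls `getUpdates` and uploads via `sendDocument`. In a real deployment the same grouping would be run over proxy or DNS telemetry, with the Telegram desktop client's own traffic (which does not use the Bot API endpoint) left out by construction.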
The FBI states that the hackers responsible are allegedly working for Iran’s Ministry of Intelligence and Security. These attacks represent an example of Iranian government hackers attempting to advance the regime’s geopolitical agenda.
In its alert, the FBI mentioned the pro-Iranian and pro-Palestine fake hacktivist group known as Handala, though it is not clear if this group carried out the specific Telegram-based attacks. Earlier this month, Handala claimed responsibility for an attack on medical technology giant Stryker, which resulted in the wiping of tens of thousands of employee devices. In a recent filing, Stryker confirmed it is still recovering from that hack.
Last week, the U.S. Justice Department accused Handala of being a front for Iran’s government, specifically the Ministry of Intelligence and Security, and held it responsible for the Stryker hack. Simultaneously, the FBI seized two websites linked to Handala and two other sites linked to another Iranian group called Homeland Justice. The recent FBI alert states these two groups are linked and controlled by the Iranian ministry.
The FBI did not respond to a request for additional information. Telegram also did not respond to a request for comment.