Iran-Linked Hackers Exploit Telegram to Launch Global Malware Campaign Targeting Dissidents and Journalists

The Federal Bureau of Investigation (FBI) has issued a FLASH alert regarding a sophisticated cyber campaign linked to threat actors operating on behalf of Iran’s Ministry of Intelligence and Security (MOIS). These actors have been leveraging Telegram as a command-and-control (C2) platform to distribute malware and maintain access to compromised systems.

The campaign primarily targets Iranian dissidents, journalists critical of the Iranian government, and individuals or groups whose views oppose state narratives. However, the tactics observed suggest that the malware framework is flexible enough to be used against a broader set of targets globally.

The attack chain involves carefully crafted social engineering techniques, multi-stage malware deployment, and data exfiltration capabilities designed to collect sensitive information, leak it publicly, and damage reputations. This activity reflects a broader pattern of Iranian state-aligned cyber operations combining espionage, psychological influence, and disinformation.


Background and Context

Based on FBI analysis, these cyber operations have been active since at least late 2023. The attackers deployed multiple malware variants specifically designed for Windows systems. The victims were not randomly selected; instead, they were chosen based on their political views, affiliations, or perceived opposition to the Iranian government.

The malware campaign aligns with Iran’s broader cyber strategy, which often blends traditional espionage with influence operations. The goal is not only to collect intelligence but also to manipulate narratives and create public pressure through data leaks.

In mid-2025, a group calling itself “Handala Hack” publicly claimed responsibility for several hack-and-leak incidents targeting individuals critical of Iran. According to FBI assessments, some of the leaked data was obtained through this malware campaign. The same group has been associated with activities such as phishing, extortion, and destructive cyberattacks using custom-built wiper malware.

Further analysis indicates a connection between Handala Hack and another entity known as “Homeland Justice,” both believed to be linked to MOIS operations. These groups often operate under the guise of hacktivism, but their activities are strategically aligned with state objectives.


Technical Breakdown of the Malware Campaign

Malware Architecture Overview

The malware used in this campaign follows a structured, multi-stage design:

  • Stage 1 (Masquerading Malware): Disguised as legitimate applications.
  • Stage 2 (Persistent Implant): Maintains long-term access and connects to C2 infrastructure.
  • Auxiliary Payloads: Additional tools used for surveillance and data theft.

The initial stage is designed to look like trusted software such as KeePass, Telegram, or multimedia tools. Once executed, it deploys the second-stage payload, which establishes persistent access and communicates with Telegram bots.


Command-and-Control via Telegram

One of the most notable aspects of this campaign is the use of Telegram as a C2 channel. Instead of relying on traditional infrastructure, attackers use Telegram bots to:

  • Send commands to infected systems
  • Receive stolen data
  • Maintain encrypted communication channels

This approach helps them blend malicious traffic with legitimate user activity, making detection significantly more difficult.


Attack Lifecycle

Initial Access

The attackers rely heavily on social engineering. They initiate conversations with targets through messaging platforms, often impersonating:

  • Known contacts
  • Technical support staff
  • Trusted service providers

Victims are then persuaded to download and open malicious files. These files are customized to match the victim’s interests or behavior patterns, indicating prior reconnaissance.


Execution

Once the victim opens the malicious file, execution begins. Observed file names include:

  • Telegram_authenticator.exe
  • WhatssApp.exe
  • KeePass.exe
  • Pictory_premium_ver9.0.4.exe

These files act as loaders for the next stage of the attack.


Persistence Mechanisms

After execution, the malware establishes persistence through several techniques:

  • Modifying Windows registry keys for autorun
  • Using PowerShell to execute scripts silently
  • Excluding certain directories to evade detection

This ensures the malware remains active even after system reboots.
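The three persistence behaviours listed above (autorun registry keys, silently executed PowerShell, and directory exclusions) can each be expressed as a detection rule over endpoint telemetry. The following is an added example, not code from the FBI alert, that evaluates constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process creation); it assumes the "excluded directories" are Microsoft Defender path exclusions, and the implant name `updater.exe` and the SID are made up, while `KeePass.exe` is one of the masquerading file names from the alert.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not from the FBI alert); field names follow Sysmon's schema.
# "updater.exe" and the SID are made up; KeePass.exe is a masquerading name from the alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\a\AppData\Local\Temp\KeePass.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\a\AppData\Roaming\Updater\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\a\AppData\Local\Temp\KeePass.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    r"-Command Add-MpPreference -ExclusionPath 'C:\Users\a\AppData\Roaming\Updater'"},
    {"EventID": 13, "Image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\a\AppData\Roaming\Updater",
     "Details": "DWORD (0x00000000)"},
    # Benign control: an installer registering its tray app from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
HIDDEN_PS = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(enc|encodedcommand)\b", re.I)

def evaluate(event):
    """Return the names of the detection rules this single event triggers."""
    hits, eid = [], event.get("EventID")
    target, cmd = event.get("TargetObject", ""), event.get("CommandLine", "")
    if eid == 13 and RUN_KEY.search(target) and USER_WRITABLE.search(event.get("Details", "")):
        hits.append("autorun_from_user_writable_path")  # Run key pointing into AppData/Temp etc.
    if eid == 13 and DEFENDER_EXCL.search(target):
        hits.append("defender_exclusion_added")  # registry write done by the Defender service
    if eid == 1 and event.get("Image", "").lower().endswith("powershell.exe"):
        if HIDDEN_PS.search(cmd):
            hits.append("hidden_powershell")
        if "add-mppreference" in cmd.lower() and "-exclusion" in cmd.lower():
            hits.append("powershell_defender_exclusion")
    return hits

def triage(events):
    """Group event indexes by rule so an analyst can pivot on Image/ParentImage."""
    by_rule = defaultdict(list)
    for i, ev in enumerate(events):
        for rule in evaluate(ev):
            by_rule[rule].append(i)
    return dict(by_rule)
```

The benign installer event fires nothing because its autorun target lives under Program Files, which is the distinction that keeps the Run-key rule from drowning in legitimate noise.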


Data Collection and Exfiltration

The attackers deploy additional tools to gather sensitive information. These tools are capable of:

  • Recording screen activity and audio
  • Capturing cached data
  • Compressing files with password protection
  • Deleting traces after exfiltration

Collected data is then transmitted to Telegram servers via API endpoints.
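Both the Telegram C2 channel described earlier and the exfiltration to Telegram API endpoints above leave the same network footprint: HTTPS requests to `api.telegram.org/bot<token>/<method>`, where a bot token is a numeric bot id, a colon, and a 35-character secret. The following is an added example, not code from the FBI alert, that runs over constructed proxy log lines (timestamp, host, process, URL) to surface Bot API use, classify each call as tasking (`getUpdates`) or outbound data (`sendDocument` and similar), and flag hosts where one bot token is used for both; the hostnames, token and log format are assumptions, and `Telegram_authenticator.exe` is a masquerading file name from the alert.

```python
import re
from collections import defaultdict

# Telegram Bot API URLs look like https://api.telegram.org/bot<TOKEN>/<method>,
# where TOKEN is "<numeric bot id>:<35-char secret>".
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# Methods an implant would use to fetch operator tasking vs. to push collected data out.
TASKING = {"getUpdates"}
EXFIL = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log lines (not from the FBI alert): timestamp host process url.
SAMPLE_LOG = """\
2025-07-01T09:12:03Z ws-017 chrome.exe https://web.telegram.org/k/
2025-07-01T09:12:41Z ws-017 Telegram_authenticator.exe https://api.telegram.org/bot7123456789:AAHrX9kQ2mZ1aB3cD4eF5gH6iJ7kL8mN9oP/getUpdates
2025-07-01T09:13:02Z ws-017 Telegram_authenticator.exe https://api.telegram.org/bot7123456789:AAHrX9kQ2mZ1aB3cD4eF5gH6iJ7kL8mN9oP/sendDocument
2025-07-01T09:15:10Z ws-042 Telegram.exe https://149.154.167.99/api
"""

def parse_line(line):
    ts, host, proc, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "process": proc, "url": url}

def redact(token):
    """Keep the bot id (useful for correlation) but never log the secret half of the token."""
    bot_id, _secret = token.split(":", 1)
    return f"{bot_id}:<redacted>"

def find_bot_api_activity(log_text):
    """One finding per log line that calls the Bot API, with the token redacted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue  # web client, MTProto IPs and everything else are left alone
        method = m.group("method")
        kind = "tasking" if method in TASKING else "exfil" if method in EXFIL else "other"
        findings.append({"ts": rec["ts"], "host": rec["host"], "process": rec["process"],
                         "bot": redact(m.group("token")), "method": method, "kind": kind})
    return findings

def hosts_with_c2_pattern(findings):
    """(host, process, bot) triples where the same bot both delivers tasking and receives data."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f["host"], f["process"], f["bot"])].add(f["kind"])
    return sorted(key for key, kinds in seen.items() if {"tasking", "exfil"} <= kinds)
```

Bot API traffic from a non-browser process is the signal to hunt for; ordinary Telegram Desktop use does not touch the `/bot<token>/` path at all.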

[Figure: Attack chain. Source: FBI]

Indicators of Compromise (IOCs)

Below are the identified malware samples and their corresponding MD5 hashes:


These indicators should be analyzed within the broader context of system activity, as some may not independently confirm a compromise.


Recommended Mitigation Strategies

To reduce the risk of infection, organizations and individuals should adopt the following security practices:

Maintain updated operating systems and apply patches regularly. Many attacks exploit outdated software vulnerabilities.

Download applications only from verified sources such as official vendor websites or trusted app stores. Avoid files received through unsolicited messages.

Use reputable antivirus and endpoint detection tools, ensuring they are updated and actively scanning for threats.

Implement strong password policies and enable multi-factor authentication wherever possible to prevent unauthorized access.

Exercise caution when interacting with unexpected messages, even if they appear to come from known contacts.

Report suspicious activities to relevant authorities or cybersecurity teams promptly.


Our Analysis and Opinion

This campaign highlights a significant shift in how state-sponsored cyber actors are operating in today’s threat landscape. Instead of relying solely on traditional infrastructure like dedicated servers or hidden networks, the use of widely adopted platforms such as Telegram represents a more adaptive and resilient approach. By embedding their command-and-control operations within a legitimate service, attackers gain both anonymity and operational efficiency.

What stands out in this case is the level of personalization involved in the attack. The tailoring of malware to match the victim’s behavior suggests that these actors are investing time in reconnaissance before launching their operations. This is not opportunistic hacking; it is targeted, calculated, and aligned with broader geopolitical goals.

Another important observation is the blending of cyber espionage with psychological operations. The hack-and-leak model used by groups like Handala Hack is not just about stealing information. It is about controlling narratives, influencing public perception, and creating fear or mistrust among specific communities. This dual-purpose strategy makes such campaigns more impactful than traditional cyberattacks.

From a defensive standpoint, this case reinforces the importance of user awareness. Even the most advanced security systems can be bypassed if a user is convinced to execute a malicious file. Social engineering continues to be one of the most effective attack vectors, and organizations must prioritize training alongside technical defenses.

It also raises concerns about the misuse of legitimate platforms. As attackers increasingly exploit trusted services for malicious purposes, detection becomes more complex. Security teams need to focus on behavioral analysis and anomaly detection rather than relying solely on signature-based methods.

In our view, this campaign is a clear example of how cyber operations are evolving into multi-dimensional tools of statecraft. It is no longer just about gaining access to systems; it is about shaping information, controlling narratives, and achieving strategic influence. Organizations must adapt to this reality by adopting a more holistic approach to cybersecurity that includes threat intelligence, user education, and advanced monitoring capabilities.


Conclusion

The FBI’s findings underline the growing sophistication of state-sponsored cyber threats. The use of Telegram as a C2 channel, combined with multi-stage malware and targeted social engineering, demonstrates how modern cyber campaigns are evolving.

Organizations must remain vigilant, continuously update their defenses, and educate users to recognize and respond to such threats effectively.