The FBI has issued a critical alert warning that Iranian government hackers are weaponizing Telegram as a command and control (C2) channel to steal data from dissidents, opposition groups, and journalists who oppose the regime around the world.
According to the FBI alert published Friday, hackers working for Iran’s Ministry of Intelligence and Security (MOIS) are conducting sophisticated social engineering campaigns as part of the regime’s “geopolitical agenda.”
Attack Chain Details
Stage 1 – Social Engineering: The hackers initiate contact with targets by impersonating known contacts or tech support personnel. Victims are tricked into accepting links to malicious files disguised as legitimate applications like Telegram and WhatsApp.
Stage 2 – C2 via Telegram: Once installed, the malware connects to Telegram bots through which the hackers remotely command and control the victim’s computer. Because Telegram traffic is legitimate and common, the malicious communications blend in with normal network activity and evade detection.
Capabilities
The malware enables attackers to:
- Gain remote control of victim devices
- Steal files from compromised systems
- Take screenshots
- Record Zoom calls
Connection to Handala Hacktivist Group
The FBI alert references the pro-Iranian and pro-Palestinian fake hacktivist group Handala, which the U.S. Justice Department recently accused of being a front for Iran’s MOIS. Handala claimed responsibility for the devastating attack on medical tech giant Stryker earlier this month, which resulted in wiping tens of thousands of employee devices.
According to an SEC filing, Stryker is still recovering from the hack. Last week, the FBI seized websites linked to both Handala and another Iranian hacktivist group called “Homeland Justice,” with the bureau confirming both groups are controlled by the MOIS.
Why Telegram as C2?
Using Telegram as a C2 channel is a common technique employed by threat actors to hide malicious activity among legitimate network traffic. This approach makes it significantly harder for cybersecurity defenders and anti-malware products to identify malicious communications, as Telegram traffic is widely considered benign in most enterprise environments.
Recommendations
Organizations and individuals, particularly those in opposition movements, journalism, or human rights advocacy, should:
- Verify the identity of contacts requesting software installation
- Never install applications from untrusted sources
- Monitor for unusual Telegram traffic patterns in enterprise environments
- Implement application whitelisting where possible
- Train staff on social engineering tactics used by state-sponsored actors
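As an added defensive example (not from the FBI alert or the TechCrunch article), this Python script applies the "monitor for unusual Telegram traffic" recommendation to constructed proxy/EDR-style log lines: it flags hosts whose processes call Telegram's HTTPS Bot API directly, reports evenly spaced getUpdates polling that resembles a C2 beacon, and lists file-upload methods that could carry stolen files. The log format, host names and process names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real data): "<timestamp> <host> <process> <url>".
# Bot tokens are placeholders in the documented "<digits>:<string>" shape.
SAMPLE_LOGS = """\
2024-06-03T10:00:00Z WS-017 svchost.exe https://api.telegram.org/bot123456789:AAH-placeholder-token/getUpdates
2024-06-03T10:00:30Z WS-017 svchost.exe https://api.telegram.org/bot123456789:AAH-placeholder-token/getUpdates
2024-06-03T10:01:00Z WS-017 svchost.exe https://api.telegram.org/bot123456789:AAH-placeholder-token/getUpdates
2024-06-03T10:01:30Z WS-017 svchost.exe https://api.telegram.org/bot123456789:AAH-placeholder-token/sendDocument
2024-06-03T10:00:12Z WS-042 chrome.exe https://web.telegram.org/a/
2024-06-03T10:05:44Z WS-042 chrome.exe https://web.telegram.org/a/
2024-06-03T10:02:10Z WS-099 python.exe https://api.telegram.org/bot987654321:BBH-placeholder-token/sendMessage
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Telegram's HTTPS Bot API form, https://api.telegram.org/bot<token>/<method>, is used by
# bots, not by the regular chat clients, so endpoint processes calling it deserve a look.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/(\w+)", re.I)
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # file uploads

def parse_logs(text):
    """Yield (timestamp, host, process, url) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, host, proc, url = m.groups()
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, proc, url

def find_bot_api_c2(text, min_polls=3, max_cv=0.2):
    """Per-host findings for endpoints that call the Bot API directly."""
    by_host = defaultdict(list)
    for ts, host, proc, url in parse_logs(text):
        m = BOT_API_RE.match(url)
        if m:
            by_host[host].append((ts, proc, m.group(1)))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        polls = [ts for ts, _, method in events if method == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        # Evenly spaced getUpdates calls (low coefficient of variation) look like a beacon.
        regular = (len(polls) >= min_polls and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_cv)
        findings[host] = {"processes": sorted({p for _, p, _ in events}), "calls": len(events),
                          "regular_polling": regular,
                          "upload_methods": sorted({meth for _, _, meth in events if meth in UPLOAD_METHODS})}
    return findings
```

A real deployment would read the same fields from web-proxy or EDR network telemetry and treat a hit as a lead for triage, since legitimate bot integrations also use this API.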
Source: TechCrunch
