Full Report
The campaign goes back to 2023 but is the subject of an alert amid conflict in the Middle East.
Source: "FBI: Iranian hackers targeting opponents with Telegram malware", which appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Iranian Ministry of Intelligence and Security (MOIS)
## Attribution & Identity
* **Identification:** Attributed to the Iranian government, specifically the **Ministry of Intelligence and Security (MOIS)**.
* **Associated Groups:** **Handala** (an Iranian pro-Palestinian group assessed by the FBI to be using information gathered by these MOIS-linked actors).
* **Associated Individuals:** While not directly tied to this Telegram campaign in the text, the article mentions a $10M reward for **Mohammad Bagher Shirinkar** and **Fatemeh Sedighian Kashi** (associated with the IRGC-linked Shahid Shushtari group).
## Activity Summary
The FBI issued an alert in March 2026 regarding a campaign active since at least 2023. The actors use the Telegram messaging app to distribute malware. The FBI escalated the matter to a public alert because of heightened tensions in the Middle East and a 2025 "hack-and-leak" campaign that used data exfiltrated from dissidents.
## Tactics, Techniques & Procedures
* **Target Reconnaissance:** Actors perform detailed reconnaissance of a victim's "pattern of life" to tailor invitations and increase the likelihood of a successful infection.
* **Social Engineering/Masquerading:**
  * Posing as acquaintances or technical support for social media platforms.
  * Masquerading as legitimate applications (Pictory, KeePass, and Telegram).
* **Initial Access:** Trick victims into accepting file transfers via Telegram.
* **Command and Control (C2):** Use of specialized **Telegram bots** for managing the malware and communicating with infected hosts.
* **Hack-and-Leak:** Exfiltrating sensitive data and publicly leaking it to cause reputational harm and intimidate opponents.
## Targeting
* **Sectors:** Media, Non-Governmental Organizations (NGOs), Healthcare (e.g., Stryker), and Technology.
* **Geography:** Global (targeting opponents of Tehran "around the world").
* **Victims:**
  * Iranian dissidents.
  * Journalists opposed to the Iranian government.
  * Members of organizations countering Government of Iran narratives.
  * Medical device maker **Stryker** (targeted by Handala).
## Tools & Infrastructure
* **Malware Families:**
  * Stage 1 tailored malware (unnamed in the text).
  * Malicious versions of **KeePass**, **Pictory**, and **Telegram**.
* **Infrastructure:**
  * Telegram messaging platform.
  * Custom Telegram bots for Command and Control.
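As an added defender-side example (not from the CyberScoop article or the FBI alert), the script below scans constructed web-proxy log lines for Telegram Bot API traffic, the channel a custom C2 bot has to use. It relies on one public fact about Telegram: bot calls go to `https://api.telegram.org/bot<token>/<method>`, where the token is `<numeric bot id>:<secret>`. The log format, IPs, user names, process names, bot ids and tokens are all constructed, and the priority ranking of Bot API methods is my own assumption, not something the alert specifies.

```python
"""Flag Telegram Bot API requests in web-proxy logs (added example, constructed data)."""
import re
from collections import defaultdict

# Telegram's public Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>.
# The secret is roughly 35 characters; a length range keeps the match from being brittle
# (assumption: real secrets fall inside this range).
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)"
)

# Bot API methods that move files or poll the bot for new messages. Seeing them from an
# endpoint deserves a higher triage priority than, say, getMe (assumption, tune to taste).
HIGH_PRIORITY_METHODS = {"getUpdates", "getFile", "sendDocument", "sendPhoto"}

# Constructed proxy log: <timestamp> <src_ip> <user> <process> <url> <status> <bytes>
LOG_LINES = """\
2026-03-10T09:14:02Z 10.0.8.21 jdoe chrome.exe https://www.example.org/ 200 53211
2026-03-10T09:14:40Z 10.0.8.21 jdoe KeePass.exe https://api.telegram.org/bot7201234567:AAF3kz9Qx1LmNoPqRsTuVwXyZ0123456789/sendDocument 200 88120
2026-03-10T09:15:01Z 10.0.8.21 jdoe KeePass.exe https://api.telegram.org/bot7201234567:AAF3kz9Qx1LmNoPqRsTuVwXyZ0123456789/getUpdates 200 412
2026-03-10T09:16:11Z 10.0.8.33 asmith Telegram.exe https://web.telegram.org/ 200 9981
2026-03-10T09:17:30Z 10.0.8.33 asmith python.exe https://api.telegram.org/bot8009876543:BBG4hy8Rw2KnMoLpQrStUvWxYz9876543210/getMe 200 120
""".splitlines()


def parse_line(line):
    """Split one proxy log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src_ip, user, process, url, status, nbytes = parts
    return {"ts": ts, "src_ip": src_ip, "user": user, "process": process,
            "url": url, "status": int(status), "bytes": int(nbytes)}


def scan_proxy_log(lines):
    """Return one finding per Bot API request found in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        method = m.group("method")
        findings.append({
            "ts": rec["ts"],
            "src_ip": rec["src_ip"],
            "user": rec["user"],
            "process": rec["process"],
            "bot_id": m.group("bot_id"),
            # Keep only a short fingerprint of the secret so the full token never lands
            # in tickets or dashboards; the bot id is enough to correlate requests.
            "token_fp": m.group("secret")[:4] + "...",
            "method": method,
            "bytes": rec["bytes"],
            "priority": "high" if method in HIGH_PRIORITY_METHODS else "medium",
        })
    return findings


def summarize_by_bot(findings):
    """Group findings by bot id: which hosts and processes talk to each bot, and how much."""
    summary = defaultdict(lambda: {"hosts": set(), "processes": set(), "methods": set(), "bytes": 0})
    for f in findings:
        s = summary[f["bot_id"]]
        s["hosts"].add(f["src_ip"])
        s["processes"].add(f["process"])
        s["methods"].add(f["method"])
        s["bytes"] += f["bytes"]
    return dict(summary)


if __name__ == "__main__":
    hits = scan_proxy_log(LOG_LINES)
    for h in hits:
        print(f'{h["ts"]} {h["priority"]:6} {h["src_ip"]} {h["process"]} bot={h["bot_id"]} {h["method"]}')
    for bot_id, s in summarize_by_bot(hits).items():
        print(f"bot {bot_id}: hosts={sorted(s['hosts'])} processes={sorted(s['processes'])} bytes={s['bytes']}")
```

Run as a script it prints each hit and a per-bot summary. The useful signal is the pairing of process and endpoint: user-facing Telegram clients speak MTProto rather than the Bot API, so a Bot API call from a workstation, and especially from a process claiming to be a password manager, is rare outside bot development and worth a look.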
## Implications
This campaign demonstrates Iran’s continued focus on "soft" targets—dissidents and journalists—to suppress opposition and control domestic narratives. The use of hack-and-leak operations by associated groups like Handala indicates a strategic shift toward utilizing cyber espionage for psychological operations and public reputational damage. The FBI's alert suggests that while focused on dissidents, the tooling is flexible enough to target any individual or entity of interest to the Iranian state.
## Mitigations
* **Social Engineering Awareness:** Educate high-risk individuals on the dangers of accepting file transfers from suspected tech support or unsolicited contacts on messaging apps.
* **App Verification:** Ensure applications like KeePass and Telegram are downloaded only from official, verified sources.
* **Messaging Security:** Be wary of Telegram bots or automated accounts requesting interaction or file execution.
* **Operational Security:** High-risk targets (journalists/dissidents) should minimize the sharing of personal "pattern of life" details on public social media to hinder attacker reconnaissance.