Full Report
The U.S. Federal Bureau of Investigation (FBI) published a FLASH advisory warning that Iranian state-linked cyber actors are... The post FBI warns Iran-linked cyber campaign uses Telegram bots to control compromised systems, scale attacks appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Iran MOIS (Ministry of Intelligence and Security)
## Attribution & Identity
* **Actor Identification:** Iranian state-linked cyber actors operating under the Ministry of Intelligence and Security (MOIS).
* **Known Aliases:** MOIS Cyber Actors.
* **Associated Groups/Proxies:**
  * **Handala Hack:** An online entity used for hack-and-leak operations and destructive attacks.
  * **Homeland Justice:** An online persona/entity linked to the same MOIS infrastructure and actors.
## Activity Summary
Since at least the fall of 2023, MOIS actors have conducted a campaign utilizing social engineering and messaging platforms to deploy multi-stage malware. A significant escalation was noted in July 2025, where the "Handala Hack" persona claimed responsibility for targeting individuals critical of the Iranian government. The campaign focuses on using Telegram as a primary Command-and-Control (C2) channel to exfiltrate data and maintain persistence, blending technical exploitation with disinformation and "hack-and-leak" tactics.
## Tactics, Techniques & Procedures
* **Social Engineering:** Posing as known individuals or technical support representatives on messaging applications to build trust.
* **Masquerading:** Customizing first-stage payloads to appear as legitimate Windows programs or services.
* **Telegram C2:** Leveraging Telegram bots as a C2 channel to bypass traditional network security controls and blend in with legitimate traffic.
* **Multi-Stage Payloads:** Use of a first-stage dropper followed by a second-stage malware that enables remote access.
* **Data Exfiltration:** Capturing screenshots and stealing files from infected devices.
* **Hack-and-Leak:** Stealing sensitive data and selectively leaking or manipulating it via aligned media channels to cause reputational damage.
* **Destructive Actions:** Use of custom wiper malware (associated with the Handala Hack persona).
**MITRE ATT&CK IDs (Inferred from context):**
* T1566 (Phishing)
* T1036 (Masquerading)
* T1102.002 (Web Service: Bidirectional Communication/Telegram)
* T1113 (Screen Capture)
* T1567 (Exfiltration Over Web Service)
* T1485 (Data Destruction/Wiper)
## Targeting
* **Sectors:** Dissident organizations, media/journalism, and groups opposing Iranian government narratives.
* **Geography:** Global, focused on the Iranian diaspora and political opponents; U.S. interest is reflected in the FBI advisory itself.
* **Victims:** Iranian dissidents, journalists, and any individuals perceived as a threat to the Iranian government.
## Tools & Infrastructure
* **Malware Families:**
  * Unspecified multi-stage remote access malware (Windows-based).
  * Custom wiper malware (Handala Hack).
* **Infrastructure:**
  * **Telegram Bots:** Used for C2 communication and command delivery.
  * **Social Messaging Platforms:** Used for initial delivery.
  * **C2:** telegram\[.\]org (utilized via the bot API).
## Implications
This campaign represents a strategic shift toward "asymmetric" cyber operations where state-backed actors use legitimate consumer applications (Telegram) to scale attacks and evade enterprise-grade detection. By utilizing "hack-and-leak" personas like Handala Hack, the MOIS can distance itself from direct attribution while effectively silencing or intimidating political opposition and achieving geopolitical objectives through disinformation.
## Mitigations
* **Communication Monitoring:** Strengthen monitoring and inspection of traffic to messaging platforms like Telegram within corporate or high-risk environments.
* **Access Controls:** Implement strict application whitelisting and access controls to prevent the execution of unauthorized programs.
* **User Awareness:** Conduct specific training on social engineering tactics used on messaging apps, emphasizing that attackers may spoof "technical support" or known associates.
* **Endpoint Detection:** Deploy EDR (Endpoint Detection and Response) tools to identify suspicious multi-stage payload execution and unauthorized screen capture activity.
* **Network Filtering:** Restrict or alert on the use of Telegram bot API traffic from sensitive administrative systems.
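As an added illustration of the last mitigation (example code, not from the FBI advisory or Industrial Cyber), the following Python scans constructed proxy log lines for Telegram Bot API requests and flags hosts that both poll a bot for tasking (`getUpdates`) and push data to it (`sendPhoto`, `sendDocument`, ...), the bidirectional pattern consistent with the screenshot and file exfiltration described above. The log format, source hosts and bot token are assumed; the Bot API path layout (`/bot<id>:<secret>/<method>`) is Telegram's public format.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the advisory): "<ts> <src_ip> <method> <url> <status>"
SAMPLE_LOGS = """\
2025-07-02T09:14:03Z 10.0.5.23 GET https://api.telegram.org/bot123456789:AAEXAMPLEtokenXYZ/getUpdates?offset=41 200
2025-07-02T09:14:31Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenXYZ/sendPhoto 200
2025-07-02T09:15:02Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenXYZ/sendDocument 200
2025-07-02T09:16:10Z 10.0.7.88 GET https://web.telegram.org/a/ 200
2025-07-02T09:17:45Z 10.0.9.14 GET https://example.com/index.html 200
""".splitlines()

# Bot API requests carry the bot token in the path: /bot<numeric id>:<secret>/<method>.
# Only the numeric id is kept for reporting so alerts do not re-expose the secret.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
# Methods that push data out of the host (screenshots, files) vs. methods that pull tasking.
EXFIL_METHODS = {"sendPhoto", "sendDocument", "sendMessage", "sendVideo"}
TASKING_METHODS = {"getUpdates"}

def parse_line(line):
    """Return (src_ip, bot_id, method) for a Bot API request, else None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    m = BOT_API_RE.search(parts[3])
    return (parts[1], m.group(1), m.group(2)) if m else None

def summarize(lines):
    """Count tasking and exfil calls per (source host, bot id)."""
    activity = defaultdict(lambda: {"tasking": 0, "exfil": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, bot_id, method = parsed
        if method in TASKING_METHODS:
            activity[(src, bot_id)]["tasking"] += 1
        elif method in EXFIL_METHODS:
            activity[(src, bot_id)]["exfil"] += 1
    return dict(activity)

def alerts(lines):
    """Flag hosts that both poll a bot for commands and push data to it: bidirectional C2."""
    return sorted(
        f"{src} bot_id={bot_id}: tasking={c['tasking']} exfil={c['exfil']}"
        for (src, bot_id), c in summarize(lines).items()
        if c["tasking"] and c["exfil"]
    )
```

Requiring both directions keeps a legitimate notification bot (send-only) out of the alert list, while plain web.telegram.org browsing never matches the Bot API pattern at all; on an administrative system any match, one-directional or not, is worth review.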