Iranian government hackers are using Telegram as a way to steal data from hacked dissidents, opposition groups and anti-regime journalists around the world, according to an FBI alert published on Friday.
In the first stage of the attack, the hackers contact their targets while posing as a known contact or as tech support, and trick them into opening a link to a malicious file disguised as a legitimate app such as Telegram or WhatsApp. Once the target installs the malware, the second stage connects the infected machine to Telegram bots through which the hackers issue commands. This gives them remote control of victims’ devices to steal files, take screenshots and record Zoom calls, according to the FBI.
Using Telegram to remotely control a victim’s device is a common technique hackers use to hide malicious activity among legitimate network traffic to a widely used service, making it harder for cybersecurity defenders and anti-malware products to detect.
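As an added, defender-side illustration (this is not from the FBI alert or from the article above), the following script shows what blending into Telegram traffic does and does not conceal. Telegram's Bot API is reached over HTTPS at api.telegram.org with the bot token in the URL path, so an endpoint security product or TLS-inspecting proxy that records destination URLs can still distinguish a bot polling for commands from ordinary messenger use. The event records, hostnames, image paths and bot token below are all constructed for the example; the server allowlist and the severity rule are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict

# Telegram Bot API requests have the form
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The bot id is numeric and the secret is a URL-safe string.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)"
)

# Bot API methods of interest to a defender: getUpdates is how a bot polls for
# new messages (i.e. receives instructions); the send* methods push content
# (files, screenshots, text) out of the host.
INBOUND = {"getUpdates"}
OUTBOUND = {"sendDocument", "sendPhoto", "sendVideo", "sendMessage"}

# Constructed sample telemetry (not real data): one network event per line,
# as an EDR or TLS-inspecting proxy might record it.
SAMPLE_EVENTS = [
    # A user workstation whose "WhatsApp" binary lives in an odd directory
    # polls a bot three times and then uploads a document.
    {"host": "wk-07", "image": r"C:\Users\j\AppData\Roaming\WhatsApp Update\whatsapp.exe",
     "url": "https://api.telegram.org/bot123456789:AAHsecretXYZ_abc-123/getUpdates?offset=5"},
    {"host": "wk-07", "image": r"C:\Users\j\AppData\Roaming\WhatsApp Update\whatsapp.exe",
     "url": "https://api.telegram.org/bot123456789:AAHsecretXYZ_abc-123/getUpdates?offset=6"},
    {"host": "wk-07", "image": r"C:\Users\j\AppData\Roaming\WhatsApp Update\whatsapp.exe",
     "url": "https://api.telegram.org/bot123456789:AAHsecretXYZ_abc-123/getUpdates?offset=7"},
    {"host": "wk-07", "image": r"C:\Users\j\AppData\Roaming\WhatsApp Update\whatsapp.exe",
     "url": "https://api.telegram.org/bot123456789:AAHsecretXYZ_abc-123/sendDocument"},
    # Ordinary browser use of Telegram's web client: not a Bot API call.
    {"host": "wk-02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://web.telegram.org/a/"},
    # An approved ops server that legitimately runs an alerting bot.
    {"host": "ops-bot-01", "image": "/usr/bin/python3",
     "url": "https://api.telegram.org/bot987654321:BBGotherSecret_456/getUpdates"},
]


def parse_bot_call(url):
    """Return (bot_id, method) if the URL is a Telegram Bot API call, else None."""
    m = BOT_API_RE.search(url)
    if not m:
        return None
    return m.group(1), m.group(3)


def redact_token(url):
    """Mask the bot secret so an alert can be shared without leaking the token."""
    return BOT_API_RE.sub(r"https://api.telegram.org/bot\1:<redacted>/\3", url)


def triage(events, server_allowlist=frozenset()):
    """Group Bot API activity per host and flag hosts not approved to run bots.

    A host that both polls for updates and sends content is rated high, since
    that pairing matches a command-and-control loop rather than a one-off call.
    """
    per_host = defaultdict(lambda: {"bot_ids": set(), "methods": defaultdict(int), "images": set()})
    for ev in events:
        parsed = parse_bot_call(ev["url"])
        if parsed is None:
            continue
        bot_id, method = parsed
        rec = per_host[ev["host"]]
        rec["bot_ids"].add(bot_id)
        rec["methods"][method] += 1
        rec["images"].add(ev["image"])

    findings = []
    for host, rec in sorted(per_host.items()):
        if host in server_allowlist:
            continue
        polls = sum(n for m, n in rec["methods"].items() if m in INBOUND)
        sends = sum(n for m, n in rec["methods"].items() if m in OUTBOUND)
        findings.append({
            "host": host,
            "severity": "high" if polls and sends else "medium",
            "bot_ids": sorted(rec["bot_ids"]),
            "polls": polls,
            "sends": sends,
            "images": sorted(rec["images"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, server_allowlist={"ops-bot-01"}):
        print(f"[{f['severity']}] {f['host']}: bots={f['bot_ids']} "
              f"polls={f['polls']} sends={f['sends']} images={f['images']}")
```

The point of the example is that "legitimate traffic" is not a single thing: a Telegram desktop client, the web client and a Bot API consumer look different in URL telemetry, and a workstation that should never host a bot talking to api.telegram.org is a narrow, low-noise signal. Blocking api.telegram.org outright for user subnets is the matching preventive control where no business process depends on it.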
According to the FBI, the hackers responsible for these attacks allegedly work for Iran’s Ministry of Intelligence and Security (MOIS). The FBI said these attacks exemplified efforts by Iranian government hackers to advance the regime’s “geopolitical agenda.”
In the alert, the FBI cited the pro-Iranian and pro-Palestinian fake hacktivist group Handala, although it is unclear whether the attacks cited in the alert were carried out by that group.
Earlier this month, Handala claimed responsibility for an attack on medical technology giant Stryker that wiped out tens of thousands of employee devices.
In an 8-K filing with the US Securities and Exchange Commission on Monday, Stryker said it is still recovering from the hack.
Last week, the US Department of Justice accused Handala of being a front for the Iranian government, specifically MOIS, and of being behind the Stryker hack. At the same time, the FBI took down and seized two websites linked to Handala and two other websites linked to another Iranian hacktivist group called “Homeland Justice”. In the FBI’s recent warning, the bureau said the two groups are connected to and controlled by MOIS.
An FBI spokesman said in an email that the bureau “has nothing further to add.”
Telegram did not respond to a request for comment.
Updated to include FBI response.
