Iran-linked actors use Telegram as C2 in malware attacks on dissidents
2026-3-23 09:35:49 Author: securityaffairs.com

Iran-linked actors use Telegram as C2 to spread malware targeting dissidents and journalists, enabling surveillance and data theft.

The FBI warns that Iran’s Ministry of Intelligence and Security (MOIS) runs cyber campaigns using Telegram as a command-and-control infrastructure to deliver malware. Threat actors target Iranian dissidents, journalists, and opposition groups worldwide.

Once deployed, the malware enables surveillance, data theft, and reputational damage against victims. The activity reflects ongoing Iranian cyber operations amid rising geopolitical tensions in the Middle East.

The FBI released this alert to raise awareness and help defenders understand the tactics used in these campaigns, urging organizations and individuals to adopt mitigation measures to reduce the risk of compromise.

The FBI says Iran’s MOIS has used multiple malware variants since late 2023 to target Windows systems linked to dissidents, journalists, and opposition groups, though any person of interest could be targeted. Attackers rely on social engineering to disguise malware as legitimate software, then deploy multi-stage payloads that connect infected devices to Telegram-based command-and-control, enabling remote access, screen capture, and data theft.

In 2025, the group “Handala Hack” claimed hack-and-leak operations against critics of Iran, likely using this malware. The FBI links it to MOIS and to “Homeland Justice.” These actors combine APT tactics with disinformation, stealing and selectively leaking data to cause reputational and political damage, supporting Iran’s broader geopolitical goals.

The FBI analyzed malware used in Iran-linked campaigns and identified a multi-stage infection chain. Stage 1 malware disguises itself as legitimate apps like Telegram, KeePass, or WhatsApp and delivers the next payload. Once executed, it installs a persistent implant (stage 2) that connects to a Telegram-based command-and-control system, enabling two-way communication with infected devices.

“The persistent implant malware spawned following the masquerading malware’s execution and possible user interaction with the malicious application. At this stage, the Iran MOIS cyber actors configured a command and control (C2) using a Telegram bot, allowing bidirectional communication between the compromised device and api.telegram[.]org.” reads the Flash alert published by the FBI. “FBI considered the masquerading malware and persistent implant to be core functionality for the malware campaign.”

Attackers use social engineering, posing as trusted contacts or support staff, to convince victims to download these files. They often tailor the malware to the victim’s behavior, suggesting prior reconnaissance.

“The Iranian cyber actors then convinced the victim to accept a file transfer consisting of the masquerading stage 1 malware. When the victim opened the file, the malware infected the victim’s device and launched the persistent implant stage 2 malware.” continues the report. “Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim.”

After initial access, additional tools are deployed to maintain persistence and avoid detection, including registry changes and PowerShell abuse.

The malware can record screens and audio, capture data, compress files, and exfiltrate them via Telegram, giving attackers long-term access and control over compromised systems.

“The malware campaign used multiple malware samples to exfiltrate data.” concludes the report. “These included the following samples:

  • MicDriver.exe/MicDriver.dll
  • Winappx.exe
  • MsCache.exe
  • RuntimeSSH.exe
  • smqdservice.exe

Functionality of the above-mentioned malware samples included: Screen recordings and audio, cache captures, perform file compression with a password, perform file deletion, and stage compressed files to be sent to api.telegram[.]org.”
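The two traits the alert describes that a defender can actually observe on an endpoint are a process other than a real Telegram client talking to api.telegram.org (the stage 2 implant's bot-based C2) and process images carrying the file names listed above. The following triage script, added here as an illustration and not code from the FBI alert or from Security Affairs, runs both checks over a few constructed Sysmon-style telemetry lines. The log format, the field names, the host names and the allow-list of expected Telegram clients are assumptions for this example; only the sample file names and the C2 host come from the article.

```python
"""Triage constructed endpoint telemetry for the Telegram-C2 traits the FBI
alert describes. Added example; the log format and allow-list are assumed."""
import re
from collections import namedtuple

# File names quoted from the FBI Flash alert, lower-cased for matching.
# Names are a weak indicator (trivial for an operator to change), so they are
# reported separately from the network-behaviour check below.
KNOWN_SAMPLE_NAMES = {
    "micdriver.exe", "micdriver.dll", "winappx.exe", "mscache.exe",
    "runtimessh.exe", "smqdservice.exe",
}

# Processes normally expected to reach the Telegram API on a workstation.
# Assumed allow-list for this example; tune it to your own fleet.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}

TELEGRAM_API_HOST = "api.telegram.org"  # C2 endpoint named in the alert

Finding = namedtuple("Finding", "host reason image destination")

# Constructed sample telemetry in an assumed key=value line format:
#   event=net  : outbound connection (image path, destination host)
#   event=proc : process start (image path only)
SAMPLE_LOG = """\
host=WS01 event=net  image=C:\\Program Files\\Telegram Desktop\\Telegram.exe dst=api.telegram.org
host=WS01 event=net  image=C:\\Users\\ali\\AppData\\Roaming\\MicDriver.exe dst=api.telegram.org
host=WS02 event=proc image=C:\\Users\\sara\\Downloads\\KeePass.exe
host=WS02 event=net  image=C:\\Windows\\Temp\\smqdservice.exe dst=api.telegram.org
host=WS03 event=proc image=C:\\ProgramData\\Winappx.exe
host=WS03 event=net  image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=example.org
"""

# Image paths may contain spaces, so the image field is matched lazily and the
# optional dst field anchors the end of the line.
LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+event=(?P<event>\w+)\s+image=(?P<image>.+?)"
    r"(?:\s+dst=(?P<dst>\S+))?$"
)


def parse_line(line):
    """Return the fields of one telemetry line as a dict (dst may be None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable telemetry line: {line!r}")
    return m.groupdict()


def basename(image):
    """Last component of a Windows path, case-folded for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        name = basename(rec["image"])
        if name in KNOWN_SAMPLE_NAMES:
            findings.append(Finding(rec["host"], "known-sample-name", name, rec["dst"]))
        is_telegram_api = (rec["event"] == "net" and rec["dst"] is not None
                           and rec["dst"].lower() == TELEGRAM_API_HOST)
        if is_telegram_api and name not in EXPECTED_TELEGRAM_CLIENTS:
            findings.append(Finding(rec["host"], "unexpected-telegram-api-client",
                                    name, rec["dst"]))
    return findings


def hosts_to_triage(findings):
    """Sorted list of distinct hosts with at least one finding."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}: {f.reason} image={f.image} dst={f.destination}")
    print("hosts to triage:", ", ".join(hosts_to_triage(results)))
```

The behavioural check is the one worth keeping: a legitimate Telegram desktop client on WS01 passes, while a binary launched from a user profile or a temp directory that reaches the same API is flagged regardless of its name. A KeePass download by itself is not flagged, since the article's point is that stage 1 masquerades as such software, so the tell is what the file does after execution, not the name it arrives under.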

The FBI urges caution with unexpected or unusual messages, even from known contacts. Keep devices updated, download software only from trusted sources, use antivirus tools, and enable strong passwords with MFA. Report suspicious activity to providers or authorities.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)




Source: https://securityaffairs.com/189820/malware/iran-linked-actors-use-telegram-as-c2-in-malware-attacks-on-dissidents.html