The Federal Bureau of Investigation has warned that threat actors linked to Iran are using the messaging platform Telegram as part of malware campaigns targeting individuals and organisations. The alert identifies activity associated with groups, including Handala, a pro-Palestine hacktivist group, and Homeland Justice, which US authorities have previously linked to Iran’s Islamic Revolutionary Guard Corps.
According to the FBI, the attackers are using Telegram as part of their command and control infrastructure. This allows them to communicate with compromised systems, issue instructions, and retrieve stolen data without relying on traditional servers. Investigators said this approach can make detection more difficult because it uses a widely available messaging service rather than dedicated malicious infrastructure.
The campaigns rely on social engineering techniques to deliver malware. Targets receive files or links that appear to be legitimate software or documents. Once opened, these files install malicious programs on Windows devices. The malware is designed to collect information from infected systems, including files, screenshots, and system data, which can then be transmitted back to the attackers.
The FBI said the malware operates in multiple stages. Initial payloads establish access to the system, while subsequent components connect to Telegram-based channels or bots to enable ongoing communication. This setup allows attackers to maintain persistence and continue interacting with the compromised device over time.
Authorities said the activity has targeted a range of individuals, including journalists, government officials, political figures, and others. In some cases, the campaigns have been linked to efforts to gather intelligence or obtain information that may later be disclosed publicly.
The warning follows recent law enforcement actions against infrastructure linked to the same groups, including the seizure of websites used to distribute stolen data. The FBI said the advisory is intended to provide technical details that organisations can use to identify and mitigate similar threats.
Officials recommended that organisations monitor network traffic for unusual connections to messaging platforms and ensure that systems are updated and protected against known vulnerabilities. The investigation into the activity is ongoing.
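As an added example, not part of the FBI advisory or this article, the following Python sketch shows one way to act on that recommendation: it scans constructed web-proxy log lines for Telegram Bot API traffic from hosts with no sanctioned Telegram use and summarises the API methods called and the polling cadence. The log format, host names and allowlist are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the advisory).
# Assumed format: timestamp  source-host  destination-host  HTTP-verb  path
SAMPLE_PROXY_LOG = """\
2024-01-10T09:12:01Z WS-FIN-07 api.telegram.org POST /bot<redacted>/getUpdates
2024-01-10T09:12:31Z WS-FIN-07 api.telegram.org POST /bot<redacted>/getUpdates
2024-01-10T09:13:01Z WS-FIN-07 api.telegram.org POST /bot<redacted>/sendDocument
2024-01-10T09:14:10Z WS-COMMS-02 web.telegram.org GET /
2024-01-10T09:15:00Z WS-FIN-07 updates.vendor.example GET /check
"""

# api.telegram.org is the Bot API host; desktop/mobile clients do not use it.
TELEGRAM_DOMAINS = {"api.telegram.org", "web.telegram.org", "telegram.org", "t.me"}
ALLOWLIST = {"WS-COMMS-02"}  # hosts with a sanctioned reason to use Telegram (assumption)
BOT_API_PATH = re.compile(r"^/bot[^/]+/(\w+)")  # /bot<token>/<method>; capture the method


def parse_line(line):
    ts, host, dest, _verb, path = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "dest": dest, "path": path}


def find_suspicious_telegram_use(log_text, allowlist=ALLOWLIST):
    """One finding per non-allowlisted host that contacted a Telegram endpoint."""
    per_host = defaultdict(lambda: {"methods": Counter(), "times": []})
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev["dest"] not in TELEGRAM_DOMAINS or ev["host"] in allowlist:
            continue
        m = BOT_API_PATH.match(ev["path"])
        per_host[ev["host"]]["methods"][m.group(1) if m else "non-bot-api"] += 1
        per_host[ev["host"]]["times"].append(ev["ts"])

    findings = []
    for host, e in per_host.items():
        times = sorted(e["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "host": host,
            "methods": dict(e["methods"]),
            # Steady getUpdates polling resembles C2 tasking; sendDocument is
            # the channel by which collected files would be returned.
            "uses_bot_api": any(k != "non-bot-api" for k in e["methods"]),
            "avg_interval_s": sum(gaps) / len(gaps) if gaps else None,
        })
    return findings
```

A host that polls getUpdates on a fixed interval and then calls sendDocument, with no business reason to use Telegram, is the pattern the advisory describes and is worth escalating for host review.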