According to the FBI, Iran’s Ministry of Intelligence and Security (MOIS) runs cyber campaigns that use Telegram as command-and-control infrastructure to deliver malware, targeting Iranian dissidents, journalists and opposition groups worldwide. The operation uses a multi-stage infection chain: stage 1 masquerades as a legitimate app such as Telegram, KeePass or WhatsApp, then delivers a persistent stage 2 implant that connects to a Telegram-based C2, enabling two-way communication with infected devices.
The malware enables surveillance, data theft, screen and audio capture, and exfiltration via Telegram, with the FBI noting that the persistent implant was deployed after initial access to maintain long-term control. Social engineering tailored to the victim’s behaviour is used to coax downloads, and the operators often pose as trusted contacts or support staff to draw victims in.
In 2025, the group Handala Hack claimed hack-and-leak operations against Iran critics, likely using this malware, a pattern the FBI ties to MOIS and to Homeland Justice. The FBI alert also highlights that MOIS has used multiple malware variants since late 2023 to target dissidents and journalists worldwide.
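The two behaviours the alert describes, a look-alike stage 1 binary and a stage 2 implant talking to Telegram, both leave traces in ordinary endpoint telemetry. The detector below is an added example written for this article, not FBI tooling or anything recovered from the campaign. It assumes a constructed pipe-delimited event format (process name, image path, destination host, URL path) and a constructed list of directories where a look-alike binary is unexpected; the one real detail it relies on is the public Telegram Bot HTTP API layout, `api.telegram.org/bot<token>/<method>`, which the official desktop client does not use (it speaks MTProto to Telegram datacenters instead).

```python
"""Flag Telegram Bot API traffic and look-alike processes in endpoint telemetry.

Added example for this article. Constructed/assumed:
- event line format "<process>|<image path>|<dest host>|<url path>" (constructed)
- SUSPICIOUS_DIRS and the sample events (constructed; tune per environment)
"""
import re
from dataclasses import dataclass
from typing import Optional

# Public Telegram Bot HTTP API: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
# Polling for updates is how an implant receives tasking; send* uploads data out.
TASKING_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}

# Apps the alert says stage 1 masquerades as, and directories where a
# genuine install of them would not normally run from (assumption).
LOOKALIKE_NAMES = {"telegram.exe", "keepass.exe", "whatsapp.exe"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\", "\\public\\")

# Constructed telemetry: one benign client, one implant polling for tasks from a
# hollowed system process, one look-alike in Temp exfiltrating, one browser.
SAMPLE_TELEMETRY = [
    "Telegram.exe|C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe|mtproto.telegram.example|/",
    "svchost.exe|C:\\Windows\\System32\\svchost.exe|api.telegram.org|/bot123456789:AAExampleTokenConstructedForTestingOnly/getUpdates?offset=5",
    "Telegram.exe|C:\\Users\\u\\AppData\\Local\\Temp\\Telegram.exe|api.telegram.org|/bot123456789:AAExampleTokenConstructedForTestingOnly/sendDocument",
    "chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|web.telegram.org|/a/",
]


@dataclass
class Event:
    process: str
    image_path: str
    dest_host: str
    url_path: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed telemetry line; return None for malformed input."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4 or not all(parts[:3]):
        return None
    return Event(*parts)


def analyze(ev: Event) -> list[dict]:
    """Return zero or more alerts for a single event."""
    alerts: list[dict] = []

    # Rule 1: any process using the Bot API. The bot id is kept for pivoting;
    # the secret half of the token is deliberately not copied into the alert.
    if ev.dest_host.lower() == BOT_API_HOST:
        m = BOT_PATH_RE.match(ev.url_path)
        if m:
            method = m.group("method")
            if method in EXFIL_METHODS:
                stage = "exfiltration"
            elif method in TASKING_METHODS:
                stage = "tasking"
            else:
                stage = "other"
            alerts.append({
                "rule": "telegram_bot_api",
                "process": ev.process,
                "bot_id": m.group("bot_id"),
                "method": method,
                "stage": stage,
            })

    # Rule 2: a binary named like a trusted app running from a staging directory.
    path_lower = ev.image_path.lower()
    if ev.process.lower() in LOOKALIKE_NAMES and any(d in path_lower for d in SUSPICIOUS_DIRS):
        alerts.append({
            "rule": "lookalike_process_path",
            "process": ev.process,
            "image_path": ev.image_path,
        })
    return alerts


def detect(lines) -> list[dict]:
    """Run both rules over raw telemetry lines, skipping unparseable ones."""
    alerts: list[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            alerts.extend(analyze(ev))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert)
```

Rule 1 is the higher-signal one: the Bot API is meant for automation, so on a workstation fleet any hit deserves review, and the `getUpdates` versus `send*` split tells the analyst whether they are looking at tasking or data leaving. Legitimate internal bots do exist, so allowlist those by bot id rather than suppressing the rule. Rule 2 is a weak heuristic on its own and is meant to be corroborated by code-signing and parent-process checks in the EDR.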