An Iranian government hacking collective known as the Handala group has been targeting dissidents, journalists and opposition groups in a campaign dating back to autumn 2023, according to the FBI. The group, which claimed responsibility for a recent wiper attack on US medtech firm Stryker, is said to be linked to Tehran’s Ministry of Intelligence and Security (MOIS).
The FBI report describes a multi-stage malware approach: stage one is tailored to the victim’s pattern of life to increase the chance the file is downloaded, and stage two connects the infected machine to Telegram command-and-control bots to enable remote access and exfiltration of screen captures or files. Investigators found samples disguising the malware as software from Pictory, KeePass, WhatsApp and Telegram, executing via PowerShell and evading defences by excluding directories from scanning.
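The two behaviours the report calls out, PowerShell adding scan exclusions and a scripting host talking to Telegram bot C2, are both visible in endpoint telemetry. The following is an added detection example, not code from the FBI report or from any vendor; it assumes the exclusions are Windows Defender exclusions set with Add-MpPreference (the report only says directories were excluded) and runs over constructed script-block and network-connection events.

```python
import re

# Constructed sample telemetry in the shape of PowerShell script-block and
# process network-connection events. Invented for illustration; not samples
# from the FBI report. Host names, paths and the bot token are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "type": "scriptblock",
     "text": r"Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictory'"},
    {"id": 2, "host": "ws01", "type": "scriptblock",
     "text": r"Get-ChildItem C:\Temp"},
    {"id": 3, "host": "ws01", "type": "netconn", "process": "powershell.exe",
     "dest": "api.telegram.org",
     "url": "https://api.telegram.org/bot000000:PLACEHOLDER/sendDocument"},
    {"id": 4, "host": "ws02", "type": "netconn", "process": "Telegram.exe",
     "dest": "api.telegram.org", "url": ""},
    {"id": 5, "host": "ws02", "type": "scriptblock",
     "text": "Add-MpPreference -ExclusionProcess 'updater.exe'"},
]

# Defender exclusion added from PowerShell (assumed mechanism). PowerShell
# cmdlet and parameter names are case-insensitive, so match accordingly.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# Telegram Bot API requests carry the bot token in the path as /bot<token>/.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot[^/]+/", re.I)
# The legitimate Telegram desktop client is not a scripting host; traffic to
# the bot API from these processes is what the detection keys on.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def match_rules(event):
    """Return the names of the rules a single event triggers."""
    hits = []
    if event["type"] == "scriptblock" and EXCLUSION_RE.search(event["text"]):
        hits.append("defender_exclusion_added")
    elif event["type"] == "netconn" and event["dest"].lower() == "api.telegram.org":
        if event["process"].lower() in SCRIPT_HOSTS or BOT_API_RE.search(event["url"]):
            hits.append("telegram_bot_api_from_script_host")
    return hits

def triage(events):
    """Group rule hits per host; both behaviours on one host rate 'high'."""
    per_host = {}
    for ev in events:
        for rule in match_rules(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    result = {}
    for host, rules in per_host.items():
        both = {"defender_exclusion_added", "telegram_bot_api_from_script_host"} <= rules
        result[host] = ("high" if both else "medium", sorted(rules))
    return result
```

A user running the real Telegram client (event 4) produces no hit, which is the false positive this rule set is shaped to avoid.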
Social engineering was used to persuade victims to accept a file transfer containing the malware, including a case where actors masqueraded as tech support from a social messaging platform.