The Federal Bureau of Investigation (FBI) has released a FLASH to disseminate information on malicious cyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security (MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.
Given the heightened geopolitical tensions and ongoing conflict in the Middle East, the FBI is highlighting this MOIS cyber activity. The FBI assesses that MOIS cyber actors are responsible for using Telegram as C2 infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world. This FLASH warns network defenders and the public of continued malicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures (TTPs) used in this malware campaign.
Background Information
The FBI assesses that Iran MOIS cyber actors deployed multiple versions of the malware to infect machines running Windows operating systems, dating back to the fall of 2023. The observed victim profile included Iranian dissidents, journalists opposed to Iran, members of organizations whose beliefs run counter to Government of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government. However, the malware could be used to target any individual of interest to Iran. The malware is a multi-stage payload that gives the operator remote access to the infected device. The threat actors used social engineering and customized the first stage to masquerade as commonly used programs or services on Windows machines. The second stage connected the infected machine to Telegram command-and-control bots, through which the operator could exfiltrate screen captures or files from the victim device.
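The defender-side view of the C2 pattern described above is Telegram Bot API traffic from an endpoint: a process polling a bot for tasks with getUpdates and pushing screenshots or files out with sendPhoto or sendDocument. The following Python script is an added example for this summary, not code from the FBI FLASH and not a signature for the specific malware; it scans web-proxy records for that pattern and rates each (host, bot) pair. The pipe-delimited log format, the host and process names, and the bot tokens are all constructed here, and the token shape the regex expects (numeric bot id, colon, URL-safe secret) is an assumption of the example.

```python
"""Flag Telegram Bot API usage in proxy logs (added example; not FBI code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# A Bot API request path looks like /bot<token>/<method>[?query].
# Token shape is an assumption for this example: numeric bot id, a colon, then
# a URL-safe secret of at least 30 characters. Only the numeric id is retained.
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

POLLING_METHODS = {"getUpdates"}                                   # fetch tasks from the bot
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # send attachments out

# Constructed sample records: ts|host|process|dest|path|bytes_out
SAMPLE_LOG = """\
2025-07-01T09:00:01Z|WS-0412|svchost.exe|api.telegram.org|/bot7012345678:AAF1ab2CD3ef4GH5ij6KL7mn8OP9qr0ST1u/getUpdates?offset=12|0
2025-07-01T09:00:31Z|WS-0412|svchost.exe|api.telegram.org|/bot7012345678:AAF1ab2CD3ef4GH5ij6KL7mn8OP9qr0ST1u/sendPhoto|184320
2025-07-01T09:01:02Z|WS-0412|svchost.exe|api.telegram.org|/bot7012345678:AAF1ab2CD3ef4GH5ij6KL7mn8OP9qr0ST1u/sendDocument|2097152
2025-07-01T09:02:00Z|WS-0099|chrome.exe|web.telegram.org|/k/|0
2025-07-01T09:03:00Z|WS-0201|python.exe|api.telegram.org|/bot5555555555:BBB1ab2CD3ef4GH5ij6KL7mn8OP9qr0ST2v/sendMessage|512
"""


@dataclass
class Finding:
    host: str
    process: str
    bot_id: str      # numeric id only; the secret is never written to output
    method: str
    category: str    # "polling", "exfiltration" or "other"
    bytes_out: int


def categorize(method: str) -> str:
    if method in POLLING_METHODS:
        return "polling"
    if method in EXFIL_METHODS:
        return "exfiltration"
    return "other"   # e.g. sendMessage beacons or command acknowledgements


def parse_line(line: str):
    """Parse one constructed record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, host, process, dest, path, bytes_out = parts
    try:
        size = int(bytes_out)
    except ValueError:
        return None
    return {"ts": ts, "host": host, "process": process,
            "dest": dest, "path": path, "bytes_out": size}


def scan(lines, allowlist=frozenset()):
    """Return a Finding for every Bot API call not made by an allow-listed process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dest"].lower() != "api.telegram.org":
            continue
        m = BOT_PATH.match(rec["path"])
        if m is None or rec["process"].lower() in allowlist:
            continue
        method = m.group("method")
        findings.append(Finding(rec["host"], rec["process"], m.group("bot_id"),
                                method, categorize(method), rec["bytes_out"]))
    return findings


def summarize(findings):
    """Group by (host, bot id); polling plus exfiltration via one bot is the C2 pattern."""
    groups = defaultdict(lambda: {"processes": set(), "categories": set(), "bytes_out": 0})
    for f in findings:
        g = groups[(f.host, f.bot_id)]
        g["processes"].add(f.process)
        g["categories"].add(f.category)
        g["bytes_out"] += f.bytes_out
    for g in groups.values():
        if {"polling", "exfiltration"} <= g["categories"]:
            g["severity"] = "high"
        elif "exfiltration" in g["categories"]:
            g["severity"] = "medium"
        else:
            g["severity"] = "low"
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(key, g["severity"], sorted(g["processes"]), g["bytes_out"])
```

Two caveats apply. The request path is only visible where the proxy performs TLS inspection; without it, the coarser signal is any non-browser, non-automation process opening connections to api.telegram.org, which is still worth alerting on because the Telegram desktop client does not use the Bot API. Legitimate bot automation exists, so maintain an allowlist (the `allowlist` parameter) rather than treating every Bot API call as malicious.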
In July 2025, the online entity known as “Handala Hack” claimed responsibility for a hack-and-leak operation targeting multiple individuals who had publicly expressed views on current events in Iran that conflicted with the Government of Iran’s rhetoric. The FBI assesses that some of the information Handala Hack claimed to have acquired and posted online was obtained using this malware as part of the group’s ongoing campaign against dissidents. Handala Hack is known for phishing, data theft, extortion, and destructive attacks involving custom wiper malware. Additionally, the FBI assesses that Handala Hack is linked to the online entity “Homeland Justice,” which is also operated by Iran MOIS cyber actors.
Iran MOIS cyber actors consistently leverage state-directed advanced persistent threat (APT) groups and proxy groups to carry out hacktivist-style attacks, including hack-and-leak operations that blend technical compromise with disinformation. These campaigns typically involve the theft of data perceived as sensitive, its manipulation or selective exposure, and its public distribution through aligned media channels to maximize reputational or political damage. MOIS’s use of Telegram as C2 infrastructure for malware targeting Iranian dissidents is one example of how Iran MOIS cyber actors work to advance Iran’s geopolitical agenda.
Read the full FLASH here.