Current Cyber Threats

FBI Warns of Handala Hackers Using Telegram in Malware Attacks

Summary:
The FBI's FLASH-20260320-001 advisory details a sophisticated and ongoing campaign by the Iranian Ministry of Intelligence and Security (MOIS) that leverages the Telegram messaging platform as a primary command-and-control (C2) infrastructure. Operating since at least the Fall of 2023, these state-sponsored actors have targeted Iranian dissidents, journalists, and opposition groups globally using a multi-stage malware delivery process. The attack chain begins with highly tailored social engineering, where actors perform reconnaissance on a target's "pattern of life" before masquerading as known individuals or technical support to deliver a "Stage 1" payload. This initial malware typically masquerades as legitimate applications such as KeePass.exe, Telegram_authenticator.exe, WhatsApp.exe, or premium software versions to blend into the victim's environment. Once executed, the malware establishes persistence by adding entries to the Windows registry and manipulating antivirus exclusions to allow the silent execution of PowerShell scripts.

The "Stage 2" persistent implant then establishes a bidirectional communication channel with api.telegram.org via dedicated bots, enabling the remote exfiltration of sensitive data. This campaign is formally linked to the online persona "Handala Hack" and the entity "Homeland Justice," both of which have claimed responsibility for "hack-and-leak" operations intended to cause reputational and political damage. Technical analysis reveals that the MOIS uses specialized modules for different collection tasks: MicDriver.exe is designed to record audio and video specifically during active Zoom sessions, while other components like MsCache.exe, winappx.exe, and RuntimeSSH.exe handle screen captures, file compression, and deletion of traces after data has been staged for exfiltration to Telegram.
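The masquerading, registry persistence, antivirus-exclusion and Telegram C2 behaviours described above, expressed as a small detection routine run over constructed sample endpoint events (an added example, not code from the FBI advisory or from the campaign). It assumes a simplified Sysmon-like event shape, that the antivirus manipulation takes the form of a Windows Defender `Add-MpPreference` exclusion, and that only the official Telegram client installed under Program Files should legitimately reach api.telegram.org.

```python
import os
import re

# Constructed sample events in a simplified Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\Downloads\KeePass.exe", "cmd": "KeePass.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "image": r"C:\Users\alice\AppData\Roaming\MsCache.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\MsCache.exe",
     "dest": "api.telegram.org", "port": 443},
    # Benign: the real Telegram Desktop client reaching api.telegram.org from Program Files.
    {"type": "network", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest": "api.telegram.org", "port": 443},
    # Benign: KeePass installed under Program Files, not a user-writable directory.
    {"type": "process", "image": r"C:\Program Files\KeePass\KeePass.exe", "cmd": "KeePass.exe"},
]

# File names the advisory says the Stage 1 payload masquerades as.
MASQUERADE_NAMES = {"keepass.exe", "telegram_authenticator.exe", "whatsapp.exe"}
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumed mechanism for "manipulating antivirus exclusions" on Defender hosts.
AV_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)
TELEGRAM_API = "api.telegram.org"


def detect(events):
    """Return (rule, image) pairs for events matching the campaign's TTPs."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        name = os.path.basename(image.replace("\\", "/")).lower()
        in_user_dir = bool(USER_WRITABLE.match(image))
        if ev["type"] == "process":
            if name in MASQUERADE_NAMES and in_user_dir:
                hits.append(("masquerading_app_from_user_path", image))
            if AV_EXCLUSION.search(ev.get("cmd", "")):
                hits.append(("av_exclusion_added", image))
        elif ev["type"] == "registry" and RUN_KEY.search(ev.get("key", "")):
            hits.append(("run_key_persistence", image))
        elif ev["type"] == "network" and ev.get("dest", "").lower() == TELEGRAM_API:
            # Bot API traffic from a user-writable path is the implant pattern, not the client.
            if in_user_dir:
                hits.append(("telegram_api_from_user_path", image))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The two Program Files events are deliberately left unflagged to show the path-based distinction between the legitimate applications and the implant that imitates them.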


Security Officer Comments:
The primary concern is the MOIS's effective use of "living-off-trusted-services" (LOTS) by weaponizing Telegram and legitimate productivity tools to bypass traditional security perimeters. While the current victims are political dissidents, the TTPs, particularly the use of encrypted messaging APIs for C2, are highly adaptable for corporate espionage or supply chain targeting within the IT sector. Furthermore, the involvement of "Handala Hack" introduces a dual threat: this group often pairs data theft with destructive wiper malware and extortion, posing a significant risk of both permanent data loss and prolonged operational downtime for any compromised organization.


Suggested Corrections:
The FBI recommends caution with regard to receiving emails or other online communications from unknown individuals, or communications of an unfamiliar nature from known individuals.
  1. Ensure your devices are updated with the latest operating system and install software updates regularly.
  2. Only download software from trusted sources, such as official app stores or vendor websites.
  3. Enable antivirus or anti-malware software on your device and run antivirus software regularly.
  4. Use strong, unique passwords and enable multi-factor authentication.
  5. Report suspicious emails or messages to the email client. If you suspect a crime, please report to your local FBI field office.

Link(s):
https://www.bleepingcomputer.com/ne...la-hackers-using-telegram-in-malware-attacks/