FBI: Iranian hackers targeting opponents with Telegram malware

Iranian government-connected groups are deploying malware via the Telegram messaging app, taking aim at dissidents and other opponents of Tehran around the world, the FBI said in an alert Friday.

The FBI said attackers linked to the Ministry of Intelligence and Security are behind the campaign, which stretches back to 2023. The bureau states that it is escalating the alert now, though, because of the conflict between Iran and a U.S.-Israel alliance.

“The observed victim profile included Iranian dissidents, journalists opposed to Iran, members of organizations with beliefs counter to Government of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government. However, the malware could be used to target any individual of interest to Iran,” the alert reads. “This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties.”

Handala — an Iranian pro-Palestinian group that claimed credit for the hack on medical device maker Stryker this month — used information it gathered from hacking dissidents to carry out a hack-and-leak campaign in 2025, the FBI assesses. (Stryker sent a notice to the Securities and Exchange Commission Monday that provides an update on the incident.)

While U.S. officials say they haven’t seen any major increase in cyberattacks out of Iran since the conflict began, experts have noted it could be weeks before patterns emerge.

Telegram is a popular communications channel in Iran. Iranian hackers frequent Telegram to discuss planned attacks. On the other hand, the Islamic Revolutionary Guard Corps has also issued warnings to its populace that they could face prosecution if they’re members of Telegram-based opposition channels, IranWire reported last week.

The FBI said that, in the malware samples it examined, the scheme begins with hackers masquerading as apps like Pictory, KeePass and Telegram. The hackers configure command and control using a Telegram bot.

To gain initial access, the hackers seek to manipulate victims by posing as someone they know or as tech support for a social media platform. They then trick the victims into accepting a file transfer, which launches the malware.

“Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim,” the FBI said.

The FBI alert is the latest in a series of government warnings about attackers using messaging apps to carry out their objectives.

Telegram did not immediately respond to a request for comment on the FBI alert.

 
