
FBI flags Telegram in Iran-linked cyber attacks

U.S. agency warns Iranian hackers use Telegram-based malware to spy on dissidents, expanding covert surveillance tactics globally.

The FBI has warned that Iranian state-linked hackers are exploiting Telegram to conduct sophisticated cyber espionage campaigns targeting dissidents, journalists, and opposition groups worldwide.

The alert, issued on March 21, said attackers are using social engineering and malware disguised as legitimate apps to gain persistent access to victims’ devices.

According to the FBI advisory, the attacks begin with hackers impersonating trusted contacts or technical support staff.


Targets are persuaded to download malicious files presented as secure versions of messaging platforms such as Telegram and WhatsApp. Once installed, the malware enables remote access through Telegram bots, allowing attackers to extract sensitive data and monitor user activity.

The agency said the malware allows operators to steal files, capture screenshots, and record online meetings, including Zoom calls.

These capabilities indicate a high level of operational sophistication and sustained surveillance intent. Cybersecurity analysts note that using Telegram infrastructure helps attackers blend malicious traffic with legitimate encrypted communications, complicating detection efforts.

The FBI attributed the campaign to actors linked with Iran’s Ministry of Intelligence and Security. Officials said the operations reflect broader attempts by Tehran to expand its geopolitical influence through cyber capabilities. Iran has increasingly relied on cyber tools to monitor critics abroad and disrupt perceived adversaries.

Cybersecurity data supports the growing scale of such threats.

According to a 2025 report by cybersecurity firm Mandiant, Iran-linked groups accounted for nearly 10% of state-sponsored cyber operations globally. These groups have shifted from disruptive attacks to intelligence gathering and long-term surveillance campaigns.

The report noted increased targeting of diaspora communities and foreign-based journalists critical of Iranian policies.

Telegram’s role in these operations highlights ongoing challenges in moderating encrypted platforms. The messaging app, which has over 800 million active users globally according to 2025 company disclosures, offers bot integration and cloud-based messaging features that can be exploited for command-and-control functions.

Security experts say such platforms are increasingly used by threat actors due to their resilience and widespread adoption.

The FBI alert also referenced the pro-Iranian hacktivist group Handala, although it did not confirm direct involvement in the specific campaign.

Earlier this month, Handala claimed responsibility for a cyberattack on U.S.-based medical technology firm Stryker. The attack reportedly wiped tens of thousands of employee devices, causing operational disruption.

Stryker disclosed in a regulatory filing with the U.S. Securities and Exchange Commission that recovery efforts were ongoing following the breach.

The incident underscores the growing risk to corporate infrastructure from politically motivated cyber groups. Analysts say healthcare and critical infrastructure sectors remain particularly vulnerable due to legacy systems and high-value data.

The U.S. Justice Department recently accused Handala of acting as a front for Iranian intelligence operations. Authorities said the group was linked to the same ministry identified in the FBI alert. Law enforcement agencies also seized multiple websites associated with Handala and another group, Homeland Justice, describing both as coordinated elements of a broader cyber strategy.

Global cyber activity linked to Iran has intensified in recent years.

Data from the Center for Strategic and International Studies shows that Iran was responsible for at least 20 publicly reported cyber incidents in 2024 alone. These ranged from espionage campaigns to disruptive attacks on infrastructure and private companies.

The use of malware disguised as common applications reflects a wider trend in cybercrime.

According to Kaspersky’s 2025 threat landscape report, more than 30% of malware infections globally originate from social engineering tactics involving fake software updates or messaging apps. This method remains effective due to user trust in widely used platforms.

Security experts advise users to verify software sources and avoid downloading applications from unsolicited links. Organizations are also urged to implement multi-factor authentication and network monitoring tools to detect unusual activity. Governments worldwide have increased coordination to counter state-sponsored cyber threats, but enforcement remains complex due to jurisdictional challenges.
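The network-monitoring advice above can be made concrete. Malware that uses Telegram bots for remote access talks to the Telegram Bot API (`https://api.telegram.org/bot<token>/<method>`), which an ordinary workstation has little reason to contact: the official Telegram clients speak Telegram's own MTProto protocol rather than the Bot API. The following script, an added example that is not part of the FBI alert or of this article, scans constructed web-proxy log lines for Bot API calls from hosts not on an allowlist of known bot servers, and totals bytes sent through file-upload methods. The log format, the host and process names, and the `KNOWN_BOT_HOSTS` allowlist are assumptions for illustration; the bot tokens are placeholders.

```python
"""Flag Telegram Bot API use in web-proxy logs (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample proxy log, one request per line:
# timestamp|client_host|process|url|bytes_out   (assumed format, not a real product's)
SAMPLE_LOG = """\
2025-03-21T09:00:01Z|WS-ANALYST-01|svchost_update.exe|https://api.telegram.org/bot000001:PLACEHOLDER/getUpdates|210
2025-03-21T09:00:06Z|WS-ANALYST-01|svchost_update.exe|https://api.telegram.org/bot000001:PLACEHOLDER/getUpdates|210
2025-03-21T09:00:11Z|WS-ANALYST-01|svchost_update.exe|https://api.telegram.org/bot000001:PLACEHOLDER/sendDocument|1843200
2025-03-21T09:01:00Z|WS-ANALYST-01|chrome.exe|https://web.telegram.org/a/|4312
2025-03-21T09:02:00Z|BOT-HOST-01|alertbot.py|https://api.telegram.org/bot000002:PLACEHOLDER/sendMessage|380
2025-03-21T09:03:00Z|WS-HR-07|msedge.exe|https://example.com/|900
"""

# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
# Only the numeric bot id is captured so the secret part of the token never lands in a finding.
BOT_API = re.compile(r"^https://api\.telegram\.org/bot(\d+):[^/]+/(\w+)")

# Assumption: hosts that are expected to run Telegram bots (monitoring, chat-ops, etc.).
KNOWN_BOT_HOSTS = {"BOT-HOST-01"}

# Bot API methods that carry file content away from the host.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}


def parse_log(text):
    """Split pipe-delimited log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, url, nbytes = line.split("|")
        rows.append({"ts": ts, "host": host, "proc": proc, "url": url, "bytes": int(nbytes)})
    return rows


def detect_bot_api_use(rows, known_bot_hosts=KNOWN_BOT_HOSTS):
    """Return one finding per unexpected host that called the Telegram Bot API.

    A finding records the calling processes, number of API calls, distinct bot ids,
    and the total bytes pushed through upload methods (a rough exfiltration signal).
    """
    per_host = defaultdict(lambda: {"procs": set(), "calls": 0, "bot_ids": set(), "upload_bytes": 0})
    for r in rows:
        m = BOT_API.match(r["url"])
        if not m or r["host"] in known_bot_hosts:
            continue  # not a Bot API call, or a host that is allowed to run bots
        bot_id, method = m.groups()
        s = per_host[r["host"]]
        s["procs"].add(r["proc"])
        s["calls"] += 1
        s["bot_ids"].add(bot_id)
        if method in UPLOAD_METHODS:
            s["upload_bytes"] += r["bytes"]
    return [
        {
            "host": host,
            "procs": sorted(s["procs"]),
            "calls": s["calls"],
            "bot_ids": sorted(s["bot_ids"]),
            "upload_bytes": s["upload_bytes"],
        }
        for host, s in sorted(per_host.items())
    ]


if __name__ == "__main__":
    for f in detect_bot_api_use(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}: {f['calls']} Bot API calls from {f['procs']}, "
              f"bot ids {f['bot_ids']}, {f['upload_bytes']} bytes uploaded")
```

On the constructed log this reports only `WS-ANALYST-01`: three Bot API calls from an unfamiliar process, with 1.8 MB sent via `sendDocument`. The browser session to `web.telegram.org` is ordinary user traffic and is not a Bot API call, and the allowlisted bot host is ignored. Because the traffic is HTTPS, the rule depends on a proxy or DNS log that records the destination host or full URL; if only DNS is available, the same logic can key on `api.telegram.org` lookups per host, at the cost of losing the method and byte counts.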

The FBI said it continues to monitor Iran-linked cyber activity and is working with international partners to mitigate risks. The agency urged potential targets, particularly activists and journalists, to remain vigilant against impersonation attempts and suspicious communications.

The alert reflects broader concerns about the weaponization of commercial digital platforms for intelligence operations.

As encrypted messaging services expand globally, regulators and cybersecurity firms face increasing pressure to balance privacy protections with security oversight.

The evolving threat landscape suggests that such campaigns will persist as geopolitical tensions remain elevated. Analysts expect continued use of platforms like Telegram in covert operations due to their accessibility and technical flexibility.

The FBI warning signals a growing need for coordinated policy and cybersecurity responses to counter Iran-linked digital surveillance efforts involving Telegram.
