Skip to content
Tech News
← Back to articles

FBI warns of Handala hackers using Telegram in malware attacks

2026-03-23 | original
read original get Cybersecurity USB Flash Drive → more articles
Why This Matters

The FBI's warning highlights the growing use of Telegram by Iranian state-linked hackers for malware attacks targeting journalists, dissidents, and opposition groups worldwide. This underscores the evolving tactics in cyber espionage and the importance of heightened cybersecurity awareness, especially amid geopolitical tensions. Recognizing these threats is crucial for organizations and individuals to implement effective mitigation strategies and protect sensitive information.

Key Takeaways

The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks.

In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists criticizing the Iranian government, Iranian dissidents, and various other oppositional groups worldwide.

The bureau linked these attacks to the Iranian-linked and pro-Palestinian Handala hacktivist group (also known as Handala Hack Team, Hatef, Hamsa) and the Iranian state-sponsored Homeland Justice threat group tied to Iran's Islamic Revolutionary Guard Corps (IRGC).

In these attacks, the Iranian hackers are using social engineering to infect targets' devices with Windows malware that enables them to exfiltrate screenshots or files from compromised computers.

"Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity," the bureau said.

"This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties. The FBI is releasing this information to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise."

Iranian malware attacks abusing Telegram (FBI)

This warning was published one day after the FBI seized four domains (handala-redwanted[.]to, handala-hack[.]to, justicehomeland[.]org, and karmabelow80[.]org).

The websites available via the seized clearnet domains were used by the Handala and Homeland Justice threat groups, and a third threat actor tracked as Karma Below, during their attacks and to leak sensitive documents and data stolen in cyberattacks targeting victims in the United States and around the world.

These actions follow Handala's cyberattack on U.S. medical giant Stryker, in which they factory reset approximately 80,000 devices (including employees' personal computers and mobile devices managed by the company) using the Microsoft Intune wipe command after compromising a Windows domain administrator account and creating a new Global Administrator account.

... continue reading

Explore topics: fbi handala hack team telegram mois irgc
Related:
The Head of the FBI Just Admitted Something Moderately Horrifying
A Top Democrat Is Urging Colleagues to Support Trump’s Spy Machine
FBI links Signal phishing attacks to Russian intelligence services
US accuses Iran’s government of operating hacktivist group that hacked Stryker
Anthropic just shipped an OpenClaw killer called Claude Code Channels, letting you message it over Telegram and Discord

© 2026 GoKawiil

About | Editorial Policy | Contact