GoKawiilIranian government hackers are using Telegram as a way to steal data from hacked dissidents, opposition groups, and journalists who oppose the regime around the world, according to an FBI alert published on Friday.
In the first stage of the attack, the hackers contact their targets and pretend to be a known contact or tech support, and are tricked into accepting a link to a malicious file masquerading as legitimate apps, such as Telegram and WhatsApp. Once the target installs the malware, the second stage of the attack connects the infected victim with Telegram bots that allow the hackers to remotely command and control the victim’s computer. This allows the hackers to gain remote control of the victims’ devices to steal files, take screenshots, and record Zoom calls, according to the FBI.
Using Telegram as a way to remotely control a victim’s device is a common technique by hackers to hide malicious activity among legitimate network traffic, which makes it harder for cybersecurity defenders and anti-malware products to identify.
According to the FBI, the hackers responsible for these attacks are allegedly working for Iran’s Ministry of Intelligence and Security (MOIS). The FBI said these attacks are an example of Iranian government hackers’ attempts to push the regime’s “geopolitical agenda.”
Contact Us Do you have more information about Handala, or other Iran-linked hacking operations? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or . Do you have more information about Handala, or other Iran-linked hacking operations? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email
In the alert, the FBI mentioned the pro-Iranian and pro-Palestine fake hacktivist group Handala, although it’s not clear if the attacks referenced in the alert were carried out by this group.
Earlier this month, Handala claimed responsibility for an attack on medical tech giant Stryker, which resulted in the wiping tens of thousands of employee devices.
In an 8-K filing with the U.S. Securities and Exchange Commission on Monday, Stryker said it is still recovering from the hack.
Techcrunch event Disrupt 2026: The tech ecosystem, all in one room Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400. Save up to $300 or 30% to TechCrunch Founder Summit 1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
... continue reading