Iranian Hackers Weaponize Telegram for Cyber Espionage
United States federal investigators have issued a formal alert notifying network defenders about a coordinated cyber campaign in which Iranian state-affiliated hackers are abusing the Telegram messaging platform (a legitimate service, not a flaw in it) to command malware deployed against perceived adversaries of the Iranian government.
The hackers operate under the banner of the Handala hacktivist group (also referred to as Handala Hack Team, Hatef, and Hamsa) alongside the state-sponsored Homeland Justice threat group, which is linked to Iran's Islamic Revolutionary Guard Corps (IRGC). Both use Telegram as command-and-control (C2) infrastructure to manage Windows-based malware on compromised systems, so the C2 traffic rides on a service many victims already use.
Targets and Tactics
The campaign specifically targets journalists who have been critical of the Iranian government, Iranian dissidents living abroad, and a range of opposition organizations active globally. Once the malware is successfully installed on a victim's device, the attackers are able to capture screenshots and exfiltrate sensitive files from the compromised machine.
Social engineering techniques are being employed to trick targets into installing the malicious software. The attackers have refined their approach to appear credible, often posing as trusted contacts or organizations to gain victims' confidence before delivering the malicious payloads.
Associated Threat Groups and Domain Seizures
In a coordinated action, law enforcement authorities seized four internet domains previously operated by the Handala and Homeland Justice groups, as well as a third threat actor known as Karma Below. These domains were used as platforms to publish data and documents stolen during cyberattacks against victims across the United States and internationally.
The same threat actors were also connected to a destructive cyberattack against a major US medical technology corporation, in which they leveraged access to a Windows domain administrator account and executed a mass device wipe affecting approximately 80,000 endpoints, including employee computers and mobile devices managed by the company.
Broader Iranian Cyber Threat Landscape
Authorities linked both the Handala and Homeland Justice groups to Iran's Ministry of Intelligence and Security (MOIS), identifying this campaign as part of a broader pattern of Iranian cyber operations designed to silence dissent, collect intelligence, and inflict reputational damage on targeted individuals and organizations.
The alert describes the dual intent of these operations: gathering actionable intelligence while simultaneously weaponizing stolen data to damage the credibility and reputation of victims. Authorities have emphasized that the elevated geopolitical tensions in the Middle East have directly contributed to an increase in this type of malicious activity.
Mitigation Recommendations
In addition to raising awareness, federal authorities have released a set of recommended mitigation strategies to help organizations and individuals reduce their exposure to these threats. These include monitoring network traffic for Telegram-related communications that are unusual for the environment, robust endpoint detection and response capabilities, and user awareness training focused on the social engineering tactics commonly used in targeted phishing and malware delivery campaigns. Because the C2 channel terminates at Telegram's own servers over TLS, destination-based blocking alone cannot separate the malware's traffic from legitimate use of the app; defenders need context such as which process on which host is generating the connections, and how regularly.
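One way to turn the "monitor for unusual Telegram-related communications" recommendation into a concrete triage check, written for this article as an added example (it is not code from the federal alert or from the article). It assumes, since the alert as summarized here does not say, that the malware reaches Telegram through the Bot API host api.telegram.org, and that the defender has a proxy or EDR log recording source host, originating process and destination. The log format, the sample lines, the allowlist of expected processes and the beacon thresholds are all constructed for the example.

```python
"""Flag Telegram traffic that looks like malware C2 rather than normal client use.

Added example, not code from the alert or the article. Assumptions (not stated
on the page): the malware uses the Telegram Bot API at api.telegram.org, and the
defender has a proxy/EDR log that records source host, originating process and
destination. The log format and every sample line below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Telegram's API and client endpoints (real hostnames).
TELEGRAM_HOSTS = ("api.telegram.org", "telegram.org", "t.me")

# Processes in which Telegram traffic is expected (assumed allowlist). Desktop
# clients do not use the Bot API, so any other process talking to
# api.telegram.org on a journalist's laptop deserves a look.
EXPECTED_PROCESSES = {"telegram.exe"}

# Constructed sample log: "<ISO time> <host> <process> <dest host> <port>".
SAMPLE_LOG = """\
2025-01-10T09:00:00 WS-ANALYST01 telegram.exe api.telegram.org 443
2025-01-10T09:00:00 WS-EDITOR07 updater.exe api.telegram.org 443
2025-01-10T09:01:00 WS-EDITOR07 updater.exe api.telegram.org 443
2025-01-10T09:02:00 WS-EDITOR07 updater.exe api.telegram.org 443
2025-01-10T09:03:00 WS-EDITOR07 updater.exe api.telegram.org 443
2025-01-10T09:04:00 WS-EDITOR07 updater.exe api.telegram.org 443
2025-01-10T09:00:30 WS-ANALYST01 chrome.exe web.telegram.org 443
2025-01-10T09:05:12 WS-ANALYST01 telegram.exe api.telegram.org 443
2025-01-10T09:07:45 WS-ANALYST01 telegram.exe api.telegram.org 443
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, port = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "process": proc.lower(),
            "dest": dest.lower(),
            "port": int(port),
        })
    return events


def is_telegram_dest(dest):
    """True for a Telegram hostname or any subdomain of one."""
    return any(dest == h or dest.endswith("." + h) for h in TELEGRAM_HOSTS)


def unexpected_bot_api_use(events):
    """Rule 1: Bot API traffic from a process that is not a known Telegram client."""
    hits = set()
    for e in events:
        if e["dest"] == "api.telegram.org" and e["process"] not in EXPECTED_PROCESSES:
            hits.add((e["host"], e["process"]))
    return sorted(hits)


def beacon_like(events, min_events=4, max_cv=0.1):
    """Rule 2: near-constant inter-arrival times to Telegram from one host/process.

    Malware check-ins usually run on a fixed timer; human chat does not. CV is
    stdev/mean of the gaps between connections; a small CV means regular timing.
    Legitimate clients can long-poll on a timer too, so treat this as a triage
    signal to combine with Rule 1, not as proof on its own.
    """
    series = defaultdict(list)
    for e in events:
        if is_telegram_dest(e["dest"]):
            series[(e["host"], e["process"])].append(e["ts"])
    flagged = []
    for (host, proc), stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged.append((host, proc, round(m)))  # mean gap in seconds
    return sorted(flagged)


def triage(text):
    """Run both rules over a log and return the hits per rule."""
    events = parse_log(text)
    return {
        "unexpected_process": unexpected_bot_api_use(events),
        "beacon_like": beacon_like(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

On the constructed log, both rules converge on WS-EDITOR07, where an unexpected binary hits the Bot API exactly once a minute, while the analyst's real Telegram client and a browser session on web.telegram.org pass clean. In practice the hostnames come from TLS SNI or proxy logs and the process attribution from EDR telemetry; the point of the example is that neither source alone separates C2 from ordinary Telegram use, but the join of the two does.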