Geopolitics

FBI: Iranian hackers targeting opponents with Telegram malware

The campaign goes back to 2023 but is the subject of an alert amid conflict in the Middle East.

March 23, 2026

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

This picture taken on October 5, 2020 shows the logo of mobile messaging and call service telegram on a tablet screen in Toulouse, southwestern France. (Photo by LIONEL BONAVENTURE/AFP via Getty Images)

Iranian government-connected groups are deploying malware via the Telegram messaging app, taking aim at dissidents and other opponents of Tehran around the world, the FBI said in an alert Friday.

The FBI said attackers linked to the Ministry of Intelligence and Security are behind the campaign, which stretches back to 2023. The bureau is escalating the alert now, though, because of the conflict between Iran and a U.S.-Israel alliance, it states.

“The observed victim profile included Iranian dissidents, journalists opposed to Iran, members of organizations with beliefs counter to Government of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government, However, the malware could be used to target any individual of interest to Iran.” the alert reads. “This malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties.”

Handala — an Iranian pro-Palestinian group that claimed credit for the hack on medical device maker Stryker this month — used information it gathered from hacking dissidents to carry out a hack-and-leak campaign in 2025, the FBI assesses. (Stryker sent a notice to the Securities and Exchange Commission Monday that provides an update on the incident.)

While U.S. officials say they haven’t seen any major increase in cyberattacks out of Iran since the conflict began, experts have noted it could be weeks before patterns emerge.

Telegram is a popular communications channel in Iran. Iranian hackers frequent Telegram to discuss planned attacks. On the other hand, the Islamic Revolutionary Guard Corps has also issued warnings to its populace that they could face prosecution if they’re members of Telegram-based opposition channels, IranWire reported last week.

The FBI said from the malware samples it examined, the scheme begins with hackers masquerading as apps like Pictory, KeePass and Telegram. The hackers configure command and control using a Telegram bot.

To gain initial access, the hackers seek to manipulate victims by posing as someone they know or as tech support for a social media platform. They then trick the victims into accepting a file transfer, which then launches the malware.

“Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim,” the FBI said.

The FBI alert is the latest in a series of government warnings about attackers using messaging apps to carry out their objectives.

Telegram spokesperson Remi Vaughn said in an emailed response: “Bad actors can and do use any available channel to control malware, including other messengers, email or even direct web connections. While there is nothing unique about the use of Telegram to control software, moderators routinely remove any accounts found to be involved with malware.”