The Federal Bureau of Investigation (FBI) has issued a warning about Iran’s state-sponsored cyber operations group, which is using Telegram to carry out its cyberattacks. According to the FBI alert, these hackers are carrying out cyberattacks and stealing sensitive information from government dissidents, opposition groups, and journalists. The report claims that these hackers are working for Iran’s Ministry of Intelligence and Security (MOIS) during the ongoing war between Iran and Israel.
The FBI report states that these hackers are primarily targeting people who speak against the Iranian government. Many experts are therefore calling it an effort by the Iranian regime to monitor and control its opponents online.
How are hackers using Telegram to spread malware?
The attack usually starts with a fake message. Hackers pretend to be someone the victim trusts, like a friend or a tech support person. They send links or files that look safe but actually contain harmful software.
When the victim downloads the file, malware gets installed on their device. This malware then connects to Telegram bots controlled by the hackers. Once connected, hackers can access personal data, read messages, take screenshots, and even record calls without the user knowing.
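The Bot API traffic described above has a recognisable shape: every call goes to api.telegram.org with a path of the form /bot<token>/<method>. As an added example (not from the FBI alert or the article), the following Python flags such requests in constructed proxy log lines; the timestamps, client IPs, token and user agents are made up, and the bot token itself is never retained in the output.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not real traffic): timestamp, client, HTTP method, URL, user agent.
SAMPLE_LOGS = [
    '2026-03-12T09:14:02Z 10.0.0.21 POST https://api.telegram.org/bot123456789:AAHfakeTokenValue/sendDocument "python-requests/2.31"',
    '2026-03-12T09:14:05Z 10.0.0.21 GET https://api.telegram.org/bot123456789:AAHfakeTokenValue/getUpdates?offset=42 "python-requests/2.31"',
    '2026-03-12T09:15:11Z 10.0.0.33 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0) Chrome/122"',
    '2026-03-12T09:16:40Z 10.0.0.45 GET https://example.org/index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/124"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Bot API calls look like https://api.telegram.org/bot<bot id>:<secret>/<method>
BOT_API_RE = re.compile(r'^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)')


@dataclass
class BotApiHit:
    timestamp: str
    client: str
    bot_id: str      # numeric part only; the secret half of the token is dropped
    api_method: str  # e.g. sendDocument (upload) or getUpdates (poll for tasking)
    user_agent: str


def find_telegram_bot_c2(lines):
    """Return one BotApiHit per log line that calls the Telegram Bot API."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash
        ts, client, _http_method, url, ua = m.groups()
        api = BOT_API_RE.match(url)
        if not api:
            continue  # ordinary Telegram web/app traffic is not a Bot API call
        bot_id, _secret, api_method = api.groups()
        hits.append(BotApiHit(ts, client, bot_id, api_method, ua))
    return hits


def summarize(hits):
    """Per client, the set of Bot API methods seen; a host that both polls and uploads is the strongest signal."""
    summary = {}
    for h in hits:
        summary.setdefault(h.client, set()).add(h.api_method)
    return summary
```

Legitimate Telegram clients use web.telegram.org or the MTProto protocol, not the Bot API, so any workstation calling api.telegram.org/bot... is worth a look; the user agent and the poll-plus-upload pattern help separate an implant from a developer testing a bot.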
Who are these hackers?
In the alert, the FBI mentioned the pro-Iranian and pro-Palestinian fake hacktivist group Handala, although it’s not clear if the attacks referenced in the alert were carried out by this group.
Earlier this month, Handala claimed responsibility for an attack on medical tech giant Stryker, which resulted in wiping tens of thousands of employees’ devices.
Handala (also known as the Handala Hack Team) is a sophisticated “faketivist” persona allegedly operated by the Iranian Ministry of Intelligence and Security (MOIS), specifically by a unit tracked as Void Manticore. Unlike traditional hacktivists, Handala specialises in “disruptive-leak” operations, using custom wiper malware (such as the BiBi Wiper) to permanently destroy data rather than holding it for ransom. Their tactics often involve psychological warfare, such as using countdown timers and doxxing to humiliate victims.
In recent high-profile attacks, the group targeted the medical tech giant Stryker Corp in March 2026, allegedly wiping out over 200,000 devices across 79 countries. It also previously claimed a massive data breach at Israel’s Soreq Nuclear Research Center.
Despite aggressive law enforcement actions by the US, the group has demonstrated resilience in maintaining its online presence. When the FBI and international partners seized their primary domains, Handala was able to restore its websites within 24 hours by utilising. They quickly migrated to new top-level domains (TLDs) and leveraged their highly active Telegram channels to redirect followers to the new mirrors.
Why is Handala using Telegram for its attack?
Experts say hackers use Telegram as a platform to spread malware because it is popular and its traffic is hard to detect. Since many people use the app daily, malicious activity can easily blend in with normal communication.
Telegram also offers end-to-end encrypted messaging, which makes it more difficult for security systems to track these attacks. This makes it an attractive tool for cybercriminals.
The FBI believes these attacks are connected to Iran’s intelligence agencies. Some hacker groups supporting Iran have also been linked to similar cyberattacks in the past. These groups often carry out operations to spy on people or disrupt systems.
While there has been no official statement from Iran on these allegations, Telegram’s spokesperson Remi Vaughn said that the platform’s “moderators routinely remove any accounts found to be involved with malware.”
