Threats Feed | Homeland Justice | Last Updated: 26/03/2026 | Author: Certfa Radar | Publish Date: 20/03/2026

Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists

  • Actor Motivations: Disinformation, Espionage, Exfiltration, Extortion
  • Attack Vectors: Downloader, RAT, Spyware, Trojan, Wiper, Pretexting, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

Cyber actors of Iran's Ministry of Intelligence and Security (MOIS) are executing a global malware campaign targeting Iranian dissidents, journalists, and opposition groups. Using social engineering via messaging platforms, the attackers deliver first-stage malware disguised as legitimate software, such as Telegram or KeePass. Upon execution, a persistent second-stage implant establishes a command-and-control channel via Telegram bots. This allows the attackers to harvest and exfiltrate sensitive data, including screen and audio captures from active Zoom sessions. Linked to proxy groups such as "Handala Hack," these operations fuel hack-and-leak campaigns and deploy custom wiper malware. The attacks ultimately aim to collect intelligence and inflict reputational damage on individuals who threaten the Government of Iran's narratives.

Detected Targets

Type      Description    Confidence
Sector    Dissident      Verified
Sector    Journalists    Verified

Extracted IOCs


Tip: 12 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 12 file hash) to this threat have been found.

FAQs

Iranian MOIS Telegram Malware Campaign

State-sponsored cyber actors have been executing a targeted malware campaign using fake versions of popular software to infect computers. Once installed, the malware allows the attackers to secretly record screens, capture audio, and steal files by communicating through the Telegram messaging network.

The attacks are directed by the Government of Iran's Ministry of Intelligence and Security (MOIS). They also use proxy hacktivist groups, such as "Handala Hack" (which is linked to another group called "Homeland Justice"), to carry out attacks and publicly leak the stolen information.

The primary goals are intelligence gathering and intimidation through "hack-and-leak" operations. The attackers steal sensitive data, manipulate it, and selectively release it to aligned media channels to cause political and reputational damage to their targets.

While the attacks can theoretically be deployed against anyone of interest to Iran, the campaign is highly specific rather than globally widespread. It is carefully aimed at individuals and groups whose beliefs conflict with the Iranian government's narratives.

Yes, the primary targets are Iranian dissidents, journalists who oppose the Iranian regime, and members of various opposition groups around the world. The attackers are specifically hunting individuals they perceive as political or ideological threats.

Attackers first study a target's habits, then reach out via social messaging apps pretending to be a friend or tech support. They trick the victim into downloading a file that looks like a normal app (like WhatsApp or KeePass); when opened, it secretly connects the computer to the attackers via a Telegram bot, giving them remote access to steal data.

These individuals are targeted because their voices, reporting, or activism counter the official rhetoric of the Iranian government. By stealing and leaking their private information, the attackers hope to silence them, discredit their work, and disrupt opposition movements.

Individuals should be extremely cautious of unsolicited messages and file transfers on social media, even from people they think they know. Organizations should monitor their networks for unusual connections to Telegram and ensure security systems are configured to block unverified programs from automatically running on their computers.
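One way to turn the monitoring advice above into a concrete check, as an added example that is not part of the Certfa Radar feed: it scans proxy/EDR-style network log lines for Telegram Bot API calls (api.telegram.org with a /bot<id>:<secret>/<method> path) made by ordinary workstation processes, which normal end-user use of Telegram does not require. The log format, hostnames, process names, bot tokens and the allowlist of legitimate bot processes are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry lines (proxy / EDR style). Hostnames, process
# names and the bot tokens are made up for this example; the "KeePass.exe"
# entries mimic an implant disguised as legitimate software.
SAMPLE_LOG = """\
2026-03-20T10:01:02Z host=ws-17 proc=Telegram.exe sni=- path=-
2026-03-20T10:01:09Z host=ws-17 proc=KeePass.exe sni=api.telegram.org path=/bot123456789:AAEXAMPLE-TOKEN_000000000000000000/getUpdates
2026-03-20T10:01:15Z host=ws-17 proc=KeePass.exe sni=api.telegram.org path=/bot123456789:AAEXAMPLE-TOKEN_000000000000000000/sendDocument
2026-03-20T10:02:00Z host=ws-22 proc=chrome.exe sni=web.telegram.org path=/k/
2026-03-20T10:03:00Z host=ws-09 proc=ops-alert-bot.exe sni=api.telegram.org path=/bot987654321:AAOTHER-EXAMPLE_00000000000000000/sendMessage
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>\S+) sni=(?P<sni>\S+) path=(?P<path>\S+)")
# Bot API URL shape: /bot<numeric id>:<secret>/<method>; the secret is never stored in alerts.
BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>[A-Za-z]+)")

# Bot API methods that carry files off the host vs. the method a bot polls for new commands.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendAudio", "sendVideo", "sendVoice", "sendAnimation"}
TASKING_METHODS = {"getUpdates"}


def classify(method):
    if method in EXFIL_METHODS:
        return "exfil"
    if method in TASKING_METHODS:
        return "tasking"
    return "beacon"


def detect(log_text, allowed_procs=frozenset()):
    """Return one alert per Bot API request from a process not on the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["sni"] != "api.telegram.org":
            continue
        b = BOT_RE.match(m["path"])
        if not b or m["proc"] in allowed_procs:
            continue
        # Keep the numeric bot id for correlation across hosts; redact the secret.
        alerts.append({"host": m["host"], "proc": m["proc"], "bot_id": b["bot_id"],
                       "method": b["method"], "category": classify(b["method"])})
    return alerts


def summarize(alerts):
    """Group alerts per (host, process, bot id) so one infected host yields one case."""
    cases = defaultdict(set)
    for a in alerts:
        cases[(a["host"], a["proc"], a["bot_id"])].add(a["category"])
    return {k: sorted(v) for k, v in cases.items()}
```

A host that shows both "tasking" and "exfil" against the same bot id is the pattern the feed describes (commands polled via the bot, captured data uploaded back through it) and warrants immediate triage.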

This is a highly targeted issue. The attackers perform specific reconnaissance on their victims beforehand, tailoring the initial trap to fit the individual target's daily life and increasing the chances of a successful infection.