The FBI is warning that cyber actors tied to Iran's intelligence network are using the messaging platform Telegram to deploy malware targeting dissidents, journalists, and opposition figures worldwide.
In a FLASH alert Friday, the bureau said hackers linked to Iran's Ministry of Intelligence and Security are using Telegram as a command-and-control channel for malware that infects targets' Windows computers, enabling surveillance, data theft, and reputational attacks.
The alert comes amid heightened tensions over U.S.-Israeli military operations targeting Iran's political leadership and military infrastructure, with U.S. officials increasingly warning that state-backed cyber operations are being used alongside traditional geopolitical tactics.
The campaign, which dates to at least the fall of 2023, has focused primarily on Iranian dissidents and critics of the regime, though officials warned the tools could be used against "any individual of interest to Iran."
According to the FBI, the operation relies heavily on social engineering, with attackers impersonating trusted contacts or technical support personnel on messaging platforms to trick people into downloading malicious files.
Once such a file has been opened, the malware installs a multistage payload that gives remote access to infected devices and allows hackers to capture screens, steal files, and monitor activity.
The second stage of the malware connects to Telegram-based bots, allowing communication between the compromised system and Iranian operators. Because that traffic is encrypted and goes to Telegram's own infrastructure, it blends in with ordinary use of the popular messaging service, effectively turning it into a covert control channel.
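The alert does not publish indicators, but the technique it describes has a generic detection: Telegram's public Bot API is reached at `https://api.telegram.org/bot<token>/<method>`, and an implant that polls `getUpdates` for tasking or posts results with `sendMessage`/`sendDocument` leaves that path in any proxy or endpoint log that records URLs. The following is an added example, not code from the FBI alert or the article; it scans constructed proxy-style log lines for Bot API calls made by processes that are neither a browser nor a Telegram client. The log format, host and process names, and the allowlist of expected processes are assumptions for the example; the bot tokens in the sample are made up.

```python
"""Heuristic detection of Telegram Bot API traffic used as a C2 channel.

Added example, not from the FBI alert or the article. Flags HTTP(S)
requests to api.telegram.org whose path carries a bot token
("/bot<id>:<secret>/<method>") when the requesting process is not one
that would normally talk to the Bot API. Log format, process names and
the allowlist are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Telegram's documented Bot API shape: https://api.telegram.org/bot<token>/<method>
# where <token> is "<numeric bot id>:<secret>". The secret is captured so the
# regex only fires on real-looking tokens, but it is never stored or printed.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)"
)

# Methods an implant would use: getUpdates to receive tasking, the send*
# methods to return output or files. Legitimate bots use them too, so the
# process context below carries most of the weight.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto"}

# Processes for which Bot API traffic is unsurprising (assumption; tune per site).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed log line format: "<ts> host=<name> proc=<image path> url=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str      # image name only, lower-cased
    bot_id: str    # numeric id identifies the operators' bot across hosts
    method: str


def parse_line(line):
    """Return the log fields as a dict, or None for lines not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a Finding if the entry looks like Bot API C2 from an unexpected process."""
    m = BOT_API_RE.match(entry["url"])
    if not m:
        return None                                    # not a Bot API call at all
    proc = entry["proc"].rsplit("\\", 1)[-1].lower()   # image name from the Windows path
    if proc in EXPECTED_PROCESSES:
        return None                                    # browser or client: expected
    if m.group("method") not in C2_METHODS:
        return None                                    # e.g. getMe from a dev tool
    return Finding(entry["ts"], entry["host"], proc, m.group("bot_id"), m.group("method"))


def scan(lines):
    """Run classify() over raw log lines, skipping unparseable ones."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            f = classify(entry)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample log (hosts, paths and tokens are invented for the example).
SAMPLE_LOG = [
    # a binary posing as a password manager polls a bot for tasking
    r"2025-09-12T08:14:03Z host=WS-17 proc=C:\Users\nz\AppData\Roaming\KeePass\KeePass.exe "
    r"url=https://api.telegram.org/bot123456789:AAHdq3Vb0Qvsh9zV2bF6kVqKpqMn8mTnVxU/getUpdates?offset=41",
    # a browser reaching the Bot API (a developer testing a bot) is allowlisted
    r"2025-09-12T08:14:09Z host=WS-02 proc=C:\Users\dev\AppData\Local\Google\Chrome\Application\chrome.exe "
    r"url=https://api.telegram.org/bot555000111:CCGabcdefghijklmnopqrstuvwxyz012345/getMe",
    # ordinary browsing to telegram.org: no bot token in the path
    r"2025-09-12T08:15:00Z host=WS-17 proc=C:\Users\nz\AppData\Local\Google\Chrome\Application\chrome.exe "
    r"url=https://telegram.org/",
    # an "updater" uploading a file to the operators' bot
    r"2025-09-12T08:16:27Z host=WS-17 proc=C:\ProgramData\Updater\updater.exe "
    r"url=https://api.telegram.org/bot987654321:BBGabcdefghijklmnopqrstuvwxyz012345/sendDocument",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.proc} -> bot {f.bot_id} {f.method}")
```

Two of the five constructed lines are flagged: the fake password manager polling `getUpdates` and the `updater.exe` upload via `sendDocument`, both on WS-17 but talking to different bot ids. The finding deliberately records only the numeric bot id, not the secret, so alerts can be shared and correlated across hosts without leaking a credential into the SIEM. In environments where nobody builds Telegram bots, any endpoint traffic to `api.telegram.org` is worth a look on its own, since the ordinary desktop client does not use the Bot API.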
The bureau also linked the activity to "hack-and-leak" operations, in which stolen data is selectively released or manipulated to damage targets politically or reputationally.
One group, known as Handala Hack, has claimed responsibility for operations targeting individuals critical of Iran, with the FBI assessing that some of the leaked material was obtained through this malware campaign.
The alert stated that the cyber actors often disguise malicious programs as legitimate software, including password managers and messaging tools, and tailor attacks based on a target's behavior, suggesting prior surveillance and reconnaissance.
The FBI urged individuals and organizations to avoid downloading files from unknown or suspicious sources, keep systems updated, and enable multifactor authentication to reduce the risk of compromise.
Iran has long been accused by U.S. intelligence agencies of conducting cyber espionage and influence campaigns through proxy groups and advanced persistent threat networks. The FBI said such operations frequently blend technical intrusions with disinformation efforts to amplify their impact.
Earlier this month, an Iranian-linked group said it was behind a cyberattack that crippled operations at the medical technology giant Stryker, knocking systems offline across the company's global network.
The disruption reportedly left thousands of employees unable to access internal systems, with some workers told not to log into company computers or use Stryker mobile apps.
Michael Katz
Michael Katz is a Newsmax reporter with more than 30 years of experience reporting and editing on news, culture, and politics.
© 2026 Newsmax. All rights reserved.