The FBI warned that Iranian-linked hackers tied to the Ministry of Intelligence and Security (MOIS) and the IRGC are using Telegram as command-and-control infrastructure to deliver Windows malware against journalists, dissidents, and other opponents. The alert links campaigns to the Handala hacktivist group, state-aligned Homeland Justice, and actors like Karma Below, noting seizure of leak domains and citing the Handala attack on Stryker that used Microsoft Intune to wipe devices. #Handala #HomelandJustice #KarmaBelow #MOIS #IRGC #Stryker #Telegram #MicrosoftIntune #Signal #WhatsApp
Key points
- The FBI issued a flash alert that Iranian-linked actors are abusing Telegram as C2 for malware campaigns.
- Attribution points to Handala (Handala Hack Team) and state-associated Homeland Justice, with involvement from Karma Below.
- Attackers use social engineering to deploy Windows malware that exfiltrates screenshots and files from victims.
- Authorities seized four domains used by the groups to host leaks and coordinate attacks.
- Handala's notable Stryker attack involved compromising admin accounts and using Microsoft Intune to factory-reset roughly 80,000 devices.