{"id":8457,"date":"2026-03-23T13:35:10","date_gmt":"2026-03-23T18:35:10","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88356"},"modified":"2026-03-23T13:35:10","modified_gmt":"2026-03-23T18:35:10","slug":"fbi-iranian-hackers-targeting-opponents-with-telegram-malware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/23\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/","title":{"rendered":"FBI: Iranian hackers targeting opponents with Telegram malware"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>FBI: Iranian hackers targeting opponents with Telegram malware | CyberScoop<\/title> <meta name=\"description\" content=\"Iranian government-connected groups are deploying malware via the Telegram messaging app, taking aim at dissidents and other opponents of Tehran around the world, the FBI said in an alert Friday.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"FBI: Iranian hackers targeting opponents with Telegram malware\"> <meta property=\"og:description\" content=\"Iranian government-connected groups are deploying malware via the Telegram messaging app, taking aim at dissidents and other opponents of Tehran around the world, the FBI said in an alert Friday.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta 
property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-23T18:35:10+00:00\"> <meta property=\"article:modified_time\" content=\"2026-03-23T18:39:41+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"681\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1773246214g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1772477397g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1773271249g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88356\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88356\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffbi-iranian-hackers-targeting-opponents-with-telegram-malware%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffbi-iranian-hackers-targeting-opponents-with-telegram-malware%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88356 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" 
role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.017985611511\">\n<div class=\"single-article__header-content\" readability=\"32.917847025496\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> The campaign goes back to 2023 but is the subject of an alert amid conflict in the Middle East. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88356\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=507,337 507w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-2.jpg?resize=1015,675 1015w\" sizes=\"(max-width: 1015px) 100vw, 1015px\"><figcaption> This picture taken on October 5, 2020 shows the logo of mobile messaging and call service telegram on a tablet screen in Toulouse, southwestern France. 
(Photo by LIONEL BONAVENTURE\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.155474452555\"><body readability=\"70.293635170604\"><\/p>\n<p>Iranian government-connected groups are deploying malware via the Telegram messaging app, taking aim at dissidents and other opponents of Tehran around the world, the FBI said in an alert Friday.<\/p>\n<p>The FBI said attackers linked to the Ministry of Intelligence and Security are behind the campaign, which stretches back to 2023. The bureau is escalating the alert now, though, because of the conflict between Iran and a U.S.-Israel alliance, it states.<\/p>\n<p>\u201cThe observed victim profile included Iranian dissidents, journalists opposed to Iran, members of organizations with beliefs counter to Government of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government. However, the malware could be used to target any individual of interest to Iran,\u201d <a href=\"https:\/\/www.ic3.gov\/CSA\/2026\/260320.pdf\">the alert reads<\/a>. \u201cThis malware resulted in intelligence collection, data leaks, and reputational harm against the targeted parties.\u201d&nbsp;<\/p>\n<p>Handala \u2014 an Iranian pro-Palestinian group that claimed credit for the hack on medical device maker Stryker this month \u2014 used information it gathered from hacking dissidents to carry out a hack-and-leak campaign in 2025, the FBI assesses. (Stryker <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/310764\/000119312526118634\/d94012d8k.htm\">sent a notice<\/a> to the Securities and Exchange Commission Monday that provides an update on the incident.)<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While U.S. 
officials say they haven\u2019t seen <a href=\"https:\/\/cyberscoop.com\/feds-keep-eyes-peeled-for-iran-cyberattacks-respond-to-stryker-breach\/\">any major increase<\/a> in cyberattacks out of Iran since the conflict began, <a href=\"https:\/\/cyberscoop.com\/stryker-cyberattack-iranian-hackers-handala\/\">experts have noted<\/a> it could be weeks before patterns emerge.<\/p>\n<p>Telegram is a popular communications channel in Iran. Iranian hackers frequent Telegram to discuss planned attacks. On the other hand, the Islamic Revolutionary Guard Corps has also issued warnings to its populace that they could face prosecution if they\u2019re members of Telegram-based opposition channels, IranWire <a href=\"https:\/\/iranwire.com\/en\/news\/150668-irgc-warns-citizens-your-instagram-and-telegram-activity-is-being-watched\/\">reported last week<\/a>.<\/p>\n<p>The FBI said that, in the malware samples it examined, the scheme begins with the hackers disguising their malware as apps like Pictory, KeePass and Telegram. The hackers configure command and control using a Telegram bot.<\/p>\n<p>To gain initial access, the hackers seek to manipulate victims by posing as someone they know or as tech support for a social media platform. 
They then trick the victims into accepting a file transfer, which then launches the malware.<\/p>\n<p>\u201cBased on multiple observations, stage 1 of the malware appeared to be tailored to the victim\u2019s pattern of life to increase likelihood of victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim,\u201d the FBI said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The FBI alert is the latest in <a href=\"https:\/\/cyberscoop.com\/fbi-cisa-issue-psa-on-russian-intelligence-campaign-to-target-messaging-apps\/\">a series of government warnings<\/a> about attackers using messaging apps to carry out their objectives.<\/p>\n<p>Telegram spokesperson Remi Vaughn said in an emailed response: \u201cBad actors can and do use any available channel to control malware, including other messengers, email or even direct web connections. While there is nothing unique about the use of Telegram to control software, moderators routinely remove any accounts found to be involved with malware.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware-1.jpg?w=640&#038;ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. 
native, he&#8217;s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> 
<button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/fbi-iranian-hackers-targeting-opponents-with-telegram-malware\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FBI: Iranian hackers targeting opponents with Telegram malware | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[669,302,6192,513,168,1656,6194,310,3176,288],"tags":[671,306,6199,517,169,1657,6201,311,3178,294],"class_list":["post-8457","post","type-post","status-publish","format-standard","hentry","category-federal-bureau-of-investigation-fbi","category-geopolitics","category-handala","category-iran","category-malware","category-social-media","category-stryker","category-technology","category-telegram","category-threats","tag-federal-bureau-of-investigation-fbi","tag-geopolitics","tag-handala","tag-iran","tag-malware","tag-social-media","tag-stryker","tag-technology","tag-telegram","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/handala\/\" rel=\"category tag\">Handala<\/a> 
<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/iran\/\" rel=\"category tag\">Iran<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/social-media\/\" rel=\"category tag\">social media<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/stryker\/\" rel=\"category tag\">Stryker<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/telegram\/\" rel=\"category tag\">telegram<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8457"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8457\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}