FBI warns of Handala hackers using Telegram in malware attacks
Recorded: March 23, 2026, 10 a.m.
| Original | Summarized |
FBI warns of Handala hackers using Telegram in malware attacks
By Sergiu Gatlan, March 23, 2026
The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks.
[Image: Iranian malware attacks abusing Telegram (FBI)] |
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert detailing a significant escalation in cyber activity attributed to Iranian actors, specifically the Handala hacktivist group and the Homeland Justice threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC). The warning centers on the groups' use of Telegram as command-and-control (C2) infrastructure for deploying malware against journalists, Iranian dissidents, and other opposition groups worldwide. The FBI issued the alert against the backdrop of a heightened geopolitical environment and ongoing conflict in the Middle East, seeking to raise awareness of malicious Iranian cyber activity and to provide mitigations that reduce the risk of compromise. The operation relies on social engineering to infect devices with Windows malware that captures screenshots or files from compromised computers; once a device is infected, the malware exfiltrates the sensitive data it collects. The FBI's alert follows the seizure of four domains – handala-redwanted[.]to, handala-hack[.]to, justicehomeland[.]org, and karmabelow80[.]org – used by the Handala and Homeland Justice threat groups and by a third actor identified as Karma Below. These domains served as platforms for leaking documents and data obtained from cyberattacks on individuals and organizations in the United States and internationally. Notably, this activity follows Handala's previously publicized cyberattack on Stryker, a U.S. medical giant, in which approximately 80,000 devices – including employee personal computers and mobile devices – were factory reset using the Microsoft Intune wipe command after a Windows domain administrator account was compromised. The FBI's alert underscores a broader trend of state-sponsored actors leveraging communication platforms for malicious purposes.
It mirrors earlier warnings about Russian intelligence-linked threats targeting Signal and WhatsApp accounts, aimed at compromising users of high intelligence value, including government officials, military personnel, and journalists. This coordinated campaign highlights the evolving sophistication of cyberattacks and the need for robust security measures across digital ecosystems. The Handala group's tactics, demonstrated most notably in the Stryker attack, represent a calculated approach that leverages vulnerabilities to inflict significant reputational and operational damage. Ultimately, the FBI's action reinforces the importance of vigilance and proactive defense against state-sponsored cyberattacks globally. |
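The article names two things a network defender can look for: the four seized domains, and Telegram being used as malware C2. The following triage script is an added example written for this page; it is not code from the FBI alert or from BleepingComputer. It refangs the defanged domains as printed above and scans proxy-style log lines for lookups of those domains (or their subdomains) and for Telegram Bot API traffic from processes that are not a browser or the Telegram client. The log format, the sample lines, the process names and the list of processes expected to reach Telegram are all constructed assumptions for the example. Note the caveat from the article itself: the seized domains were leak sites, so a hit there shows that a host visited a leak site, not that it is infected, whereas api.telegram.org traffic from an unexpected executable is the signal worth pulling the host for.

```python
"""
Added example (not from the FBI alert or the article): triage proxy/DNS log
lines for (1) the four seized domains named in the article and (2) Telegram
Bot API traffic from processes that should not be talking to Telegram.
Log format, sample lines and process lists are constructed for this example.
"""
import re
from dataclasses import dataclass

# Domains exactly as the article prints them (defanged); refanged at runtime.
SEIZED_DOMAINS_DEFANGED = [
    "handala-redwanted[.]to",
    "handala-hack[.]to",
    "justicehomeland[.]org",
    "karmabelow80[.]org",
]

# Telegram's Bot API endpoint, the host a Telegram-C2 implant must reach.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Processes expected to reach Telegram legitimately (assumption; tune per environment).
EXPECTED_TELEGRAM_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' or 'hxxp://' back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


SEIZED_DOMAINS = {refang(d).lower() for d in SEIZED_DOMAINS_DEFANGED}

# Constructed log format: "<timestamp> host=<hostname> proc=<image name> dst=<fqdn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    proc: str
    dst: str
    reason: str


def matches_seized_domain(fqdn: str) -> bool:
    """True if fqdn is one of the seized domains or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in SEIZED_DOMAINS)


def triage(lines):
    """Return a Finding for every log line that hits one of the two detections."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than abort the whole scan
        ts, host, proc, dst = m.group("ts", "host", "proc", "dst")
        dst_l = dst.lower().rstrip(".")
        if matches_seized_domain(dst_l):
            findings.append(Finding(ts, host, proc, dst, "seized-domain"))
        elif dst_l in TELEGRAM_API_HOSTS and proc.lower() not in EXPECTED_TELEGRAM_PROCESSES:
            findings.append(Finding(ts, host, proc, dst, "telegram-api-from-unexpected-process"))
    return findings


# Constructed sample log: one browser visit to Telegram, one Telegram API
# call from an unexpected executable, one benign line, one leak-site visit,
# and one legitimate Telegram client session.
SAMPLE_LOG = [
    "2026-03-23T10:01:02Z host=ws-17 proc=chrome.exe dst=api.telegram.org",
    "2026-03-23T10:01:05Z host=ws-17 proc=svchost_update.exe dst=api.telegram.org",
    "2026-03-23T10:02:10Z host=ws-09 proc=outlook.exe dst=mail.example.com",
    "2026-03-23T10:03:44Z host=ws-09 proc=msedge.exe dst=www.handala-hack.to",
    "2026-03-23T10:04:00Z host=ws-22 proc=telegram.exe dst=api.telegram.org",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.proc} -> {f.dst}: {f.reason}")
```

Run on the constructed log it reports two findings: the api.telegram.org call from `svchost_update.exe` on ws-17 and the visit to `www.handala-hack.to` from ws-09. In an environment where Telegram is not sanctioned at all, drop the browser entries from `EXPECTED_TELEGRAM_PROCESSES` so that any Bot API traffic surfaces; the match on the seized domains is a suffix match so that subdomains and trailing-dot FQDNs are not missed.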