An ongoing malware campaign conducted by Iran’s Ministry of Intelligence and Security (MOIS), active since Fall 2023, uses Telegram as command-and-control infrastructure to deliver multi-stage malware targeting Iranian dissidents, journalists, and opposition groups worldwide. The Iranian MOIS cyber actors use social engineering to deliver malware disguised as legitimate applications, which then establishes persistent access for screen and audio recording, data theft, and exfiltration. This MOIS Telegram C2 activity is attributed to the MOIS-linked entities Handala Hack (aka HomeLand Justice, Karma, Storm-0842, Banished Kitten, Void Manticore) and MuddyWater (aka Earth Vetala, Mango Sandstorm, MUDDYCOAST, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, ATK 51, T-APT-14, ITG17, BoggySerpens, Yellow Nix), as well as Prince of Persia (aka Infy, Operation Mermaid, APT-C-07); these groups are known for hack-and-leak operations, phishing, extortion, and destructive wiper attacks. The MOIS Telegram campaign blends technical compromise with information operations, leveraging stolen data for public exposure to inflict reputational and political damage in support of Iran’s geopolitical objectives. Targeted sectors include government, NGOs, human rights organizations, media and journalism, energy, marine services, telecommunications, and critical infrastructure.
In this ongoing malware campaign linked to Iran’s Ministry of Intelligence and Security (MOIS), the attackers use Telegram as a command-and-control platform to target Iranian dissidents, journalists, opposition groups, and others seen as threats to the Iranian government. The MOIS Telegram C2 campaign has been active since at least Fall 2023 and is used to collect intelligence, steal data, and sometimes leak that data publicly to damage victims. The FBI has connected this Iranian MOIS activity to a group called Handala Hack, known for phishing, data theft, extortion, and destructive attacks, which claimed responsibility for a July 2025 hack-and-leak operation targeting individuals voicing concerns about current events in Iran.
The Iranian MOIS Telegram attack uses multiple stages and mainly targets Windows systems. The MOIS campaign starts with social engineering, where attackers pretend to be trusted contacts or support staff on messaging apps. Iranian cyber actors trick victims into downloading malware disguised as legitimate software, such as Telegram or WhatsApp-related files, KeePass, or other tools. These malicious files are often customized for each victim, which shows the Iranian MOIS attackers study their targets in advance. Once the victim runs the file, it installs another hidden malware component that connects to attacker-controlled Telegram bots for command and control infrastructure.
After infection, the Iranian MOIS malware tries to stay hidden and avoid detection. The Telegram C2 malware changes system settings to bypass security tools and uses Windows registry entries to stay active even after reboot. Additional tools such as MicDriver.exe/dll, Winappx.exe, MsCache.exe, RuntimeSSH.exe, and smqdservice.exe are used to collect and send data, including recording the screen and audio, capturing cache data, and compressing stolen files with password protection before exfiltrating them via Telegram. One tool, MicDriver, is designed to record screen and audio specifically during Zoom meetings, showing that Iranian MOIS attackers are interested in capturing private virtual conversations.
This Iranian MOIS campaign also shows how attackers combine hacking with information operations. Stolen data can be manipulated or selectively exposed and leaked online through aligned media channels to embarrass or pressure victims. Using Telegram helps Iranian MOIS attackers hide their activity because it is a trusted and widely used platform, making it harder for defenders to detect or block Telegram-based command and control infrastructure.
Notably, the abuse of Telegram as C2 is not limited to this campaign alone; it reflects a broader tactical shift among multiple Iranian state-sponsored actors. MuddyWater, another MOIS-linked APT group, adopted Telegram bot-based C2 in its Operation Olalampo campaign (first observed January 2026), deploying a Rust-based backdoor called CHAR controlled via a Telegram bot to target organizations across the MENA region.
The Prince of Persia (Infy) APT group, active since 2007, also shifted from its legacy FTP-based C2 to Telegram with its updated Tonnerre v50 malware, detected in September 2025, to conduct long-term surveillance of dissidents and academics. Additionally, a newly identified campaign dubbed RedKitten, first observed in early January 2026, uses Telegram for C2 alongside GitHub and Google Drive to target Iranian NGOs and human rights documenters. This convergence of multiple Iranian threat actors on Telegram as C2 infrastructure underscores a deliberate strategic trend of exploiting trusted commercial platforms to blend malicious traffic with legitimate usage, complicating detection and attribution for defenders.
Overall, this is a sophisticated and long-term Iranian MOIS campaign focused on espionage, intelligence gathering, and inflicting reputational damage, while also maintaining the capability for destructive attacks through custom wiper malware. It highlights how advanced Iranian threat actors are improving their methods and abusing trusted platforms to evade detection, making strong security practices and user awareness more important than ever.
Download software only from official app stores or verified vendor websites, as this Iranian MOIS campaign relies on victims downloading malware disguised as trusted applications like Telegram, WhatsApp, KeePass, and Pictory. Exercise heightened caution with communications on messaging platforms, especially from unknown individuals or contacts making unusual requests, and verify identities through a separate trusted channel before downloading any files to prevent Iranian social engineering attacks.
Monitor network traffic for connections to api.telegram[.]org from endpoints where Telegram is not an approved application. Unexpected outbound traffic to Telegram’s API infrastructure may indicate C2 activity associated with this Iranian MOIS campaign. Implementing network monitoring can help detect Telegram-based command and control communications from Iranian threat actors.
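One way to implement the network monitoring described above, written as an added example that is not part of the original advisory: a small detector run over constructed proxy log lines that flags connections to api.telegram.org from hosts where Telegram is not approved, from processes other than the expected client, or from processes carrying the tool names listed earlier on this page. The log format, host names and the allowlists are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the organisation keeps an allowlist of hosts where the Telegram
# desktop client is an approved application (constructed host name).
APPROVED_TELEGRAM_HOSTS = {"comms-laptop-07"}
# Assumption: only the Telegram client itself is expected to reach the API.
EXPECTED_CLIENTS = {"telegram.exe"}
# Tool names the advisory associates with this campaign (from the page).
SUSPECT_PROCESSES = {"micdriver.exe", "winappx.exe", "mscache.exe",
                     "runtimessh.exe", "smqdservice.exe"}
TELEGRAM_API = "api.telegram.org"

# Constructed proxy log format: "<ts> <src_host> <process> <dest_host>:<port> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\d+)$")

@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    reason: str

def analyse_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious Telegram API connection, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; skipped rather than silently trusted
    ts, host, proc, dest, _port, _status = m.groups()
    if dest.lower() != TELEGRAM_API:
        return None  # only Telegram API traffic is of interest here
    proc_l = proc.lower()
    if proc_l in SUSPECT_PROCESSES:
        return Alert(ts, host, proc, "known campaign tool name contacting Telegram API")
    if host not in APPROVED_TELEGRAM_HOSTS:
        return Alert(ts, host, proc, "Telegram API contacted from host where Telegram is not approved")
    if proc_l not in EXPECTED_CLIENTS:
        return Alert(ts, host, proc, "non-client process contacting Telegram API on approved host")
    return None

def analyse(lines: List[str]) -> List[Alert]:
    return [a for a in (analyse_line(l) for l in lines) if a is not None]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-11-03T09:12:01Z comms-laptop-07 telegram.exe api.telegram.org:443 200",
    "2025-11-03T09:13:44Z finance-pc-22 powershell.exe api.telegram.org:443 200",
    "2025-11-03T09:14:10Z comms-laptop-07 MicDriver.exe api.telegram.org:443 200",
    "2025-11-03T09:15:02Z finance-pc-22 chrome.exe www.example.com:443 200",
    "2025-11-03T09:16:30Z comms-laptop-07 smqdservice.exe api.telegram.org:443 200",
]
```

Running `analyse(SAMPLE_LOG)` yields three alerts: the unapproved finance host, and the two campaign tool names on the approved host, while the legitimate client and the unrelated web request pass silently.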
Enable and regularly run antivirus or anti-malware solutions across all endpoints. Configure security tools to monitor PowerShell activity and flag unauthorized registry modifications, as this Iranian MOIS campaign uses both techniques for evasion and persistence. Keep all devices updated with the latest operating system patches to defend against Iranian malware.
Enforce strong, unique passwords across all accounts and implement multi-factor authentication (MFA) wherever possible. This adds an additional layer of defense even if credentials are compromised during data exfiltration by Iranian MOIS attackers.
Educate employees and at-risk individuals about social engineering tactics, particularly the impersonation methods used in this Iranian MOIS campaign. Training should cover how Iranian attackers pose as known contacts or platform support staff to build trust before delivering malicious files, and how to recognize and report such attempts.
Reconnaissance:
Resource Development:
Initial Access:
Execution:
Persistence:
Defense Evasion:
Collection:
Exfiltration:
Command and Control: