{
	"id": "871b4eed-6c8a-49db-b35c-0156e25de67f",
	"created_at": "2026-04-29T02:20:43.70503Z",
	"updated_at": "2026-04-29T08:21:49.624673Z",
	"deleted_at": null,
	"sha1_hash": "1ece5414b21495039c276b44deb296abbfb9fd0f",
	"title": "Government of Iran Cyber Actors Deploy Telegram C2 to Push Malware to Identified Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-03-20T15:41:54Z",
	"file_modification_date": "2026-03-20T15:41:54Z",
	"file_size": 762349,
	"plain_text": "TLP:CLEAR\r\n \r\nTLP:CLEAR\r\n20 March 2026\r\nFLASH Number\r\nFLASH-20260320-001\r\nGovernment of Iran Cyber Actors Deploy Telegram C2 to\r\nPush Malware to Identified Targets\r\n \r\nSummary\r\nThe Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate information on malicious\r\ncyber activity conducted by actors on behalf of the Government of Iran Ministry of Intelligence and Security\r\n(MOIS). Specifically, MOIS cyber actors are responsible for using Telegram as a command-and-control\r\n(C2) infrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other\r\nopposition groups around the world. This malware resulted in intelligence collection, data leaks, and\r\nreputational harm against the targeted parties. The FBI is releasing this information to maximize awareness\r\nof malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise.\r\nDue to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this\r\nMOIS cyber activity. The FBI assessed MOIS cyber actors are responsible for using Telegram as a C2\r\ninfrastructure to push malware targeting Iranian dissidents, journalists opposed to Iran, and other\r\noppositional groups around the world. This FLASH warns network defenders and the public of continued\r\nmalicious cyber activity by Iran MOIS cyber actors and outlines the tactics, techniques, and procedures\r\n(TTPs) used in this malware campaign.\r\n \r\nBackground Information\r\nThe FBI assesses Iran MOIS cyber actors deployed multiple versions of the malware to infect machines\r\nrunning Windows operating systems, dating back to the Fall of 2023. 
The observed victim profile included\r\nIranian dissidents, journalists opposed to Iran, members of organizations with beliefs counter to\r\nGovernment of Iran narratives, and other individuals Iran perceives as a threat to the Iranian government.\r\nHowever, the malware could be used to target any individual of interest to Iran. The malware used as part\r\nof this cyber activity included a multi-stage payload enabling remote user access to the infected devices.\r\nThreat actors used social engineering to customize the first stage of the malware to masquerade as\r\ncommonly used programs or services on Windows machines. The second stage connected the infected\r\nmachine to Telegram command and control bots that enabled remote user access to exfiltrate screen\r\ncaptures or files from the victim devices.\r\nIn July 2025, the online entity known as “Handala Hack” claimed responsibility for a hack-and-leak\r\noperation targeting multiple persons voicing concerns about current events in Iran that conflicted with the\r\nGovernment of Iran’s rhetoric. The FBI assesses some of the information Handala Hack claimed to have\r\nacquired and posted online was obtained using malware as part of the group’s ongoing campaign to target\r\ndissidents. Handala Hack is known for phishing, data theft, extortion, and destructive attacks involving\r\ncustom wiper malware. Additionally, the FBI assesses Handala Hack is linked to the online entity\r\n“Homeland Justice,” also operated by Iran MOIS cyber actors.\r\nIran MOIS cyber actors consistently leverage state-directed Advanced Persistent Threats (APT) and proxy\r\ngroups to carry out hacktivist-style attacks, including hack-and-leak operations, which blend technical\r\ncompromises with disinformation. 
The campaigns typically involve the theft of perceived sensitive data, its\r\nmanipulation or selective exposure, and public distribution through aligned media channels to maximize\r\nreputational or political damage. MOIS’ use of Telegram as the C2 to push malware to carry out a\r\ncampaign targeting Iranian dissidents is an example of Iran MOIS cyber actors’ efforts to advance Iran’s\r\ngeopolitical agenda.\r\n \r\nTechnical Details\r\nMalware Overview\r\nFBI obtained malware samples through investigations. The samples were categorized as masquerading\r\nmalware (stage 1), persistent implant (stage 2), and related stage 2 malware that contained additional or\r\nunique functions (Figure 1 shows the observed behavioral cluster of the malware). Stage 1 usually\r\nmasqueraded as commonly used applications like Pictory, KeePass, and Telegram and contained the\r\nbinaries for the next stage of malware. The persistent implant malware spawned following the\r\nmasquerading malware’s execution and possible user interaction with the malicious application. At this\r\nstage, the Iran MOIS cyber actors configured C2 using a Telegram bot, allowing\r\nbidirectional communication between the compromised device and api.telegram[.]org. FBI considered the\r\nmasquerading malware and persistent implant to be core functionality for the malware campaign. Related\r\nmalware was usually found on compromised devices in addition to the core functionality. For example,\r\nmalware found in MicDriver.zip contained logic to record screen and audio while a Zoom session was\r\nactive.\r\n \r\nFigure 1. Observed Behavioral Cluster – While all malware samples function differently, each serves a\r\nspecific purpose and can be placed in one of the above “executable” portions.\r\nInitial Access\r\nThreat actors relied upon social engineering to deliver malware and infect victim devices. 
The Iranian cyber\r\nactors engaged with a targeted victim via social messaging applications and masqueraded as a known\r\nindividual or technical support from the social messaging platform. The Iranian cyber actors then\r\nconvinced the victim to accept a file transfer consisting of the masquerading stage 1 malware. When the\r\nvictim opened the file, the malware infected the victim’s device and launched the persistent implant stage\r\n2 malware. Based on multiple observations, stage 1 of the malware appeared to be tailored to the victim’s\r\npattern of life to increase the likelihood of the victim downloading the malware, which indicates the Iranian cyber\r\nactors likely performed target reconnaissance prior to engaging with the victim.\r\nExecution\r\nMalware analysis flagged the execution of numerous malware samples as part of the malware campaign.\r\nOnce initial access to the victim system was established, the malware downloaded follow-on malware.\r\nThe stage 1 or masquerading malware included the following:\r\n• Telegram_authenticator.exe\r\n• WhatssApp.exe\r\n• KeePass.exe\r\n• Pictory_premium_ver9.0.4.exe\r\nPersistence\r\nMalware performed defense evasion, which excluded directories and allowed PowerShell to execute\r\nmalware without warning. Furthermore, a reference to the malware was added to the Windows registry to\r\nautorun the stage 2 malware. Stage 2 malware samples served as persistent implants.\r\nCollection and Exfiltration\r\nThe malware campaign used multiple malware samples to exfiltrate data. 
These included the following\r\nsamples:\r\n• MicDriver.exe/MicDriver.dll\r\n• Winappx.exe\r\n• MsCache.exe\r\n• RuntimeSSH.exe\r\n• smqdservice.exe\r\nFunctionality of the above-mentioned malware samples included screen and audio recording, cache\r\ncaptures, password-protected file compression, file deletion, and staging of compressed files to\r\nbe sent to api.telegram[.]org.\r\n \r\nIndicators\r\nMalware Variations\r\n \r\n \r\nRecommended Mitigations:\r\nThe FBI recommends caution with regard to receiving emails or other online communications from\r\nunknown individuals, or communications of an unfamiliar nature from known individuals.\r\n1. Ensure your devices are updated with the latest operating system and install software updates\r\nregularly.\r\n2. Only download software from trusted sources, such as official app stores or vendor websites.\r\n3. Enable antivirus or anti-malware software on your device and run antivirus software regularly.\r\n4. Use strong, unique passwords and enable multi-factor authentication.\r\n5. Report suspicious emails or messages to the email client. 
If you suspect a crime, please report to\r\nyour local FBI field office.\r\n \r\nReporting Notice\r\nIf you identify suspicious activity within your enterprise or have information related to the contents of this\r\ndocument, please contact your local FBI Cyber Squad immediately at www.fbi.gov/contact-us/field-offices. The FBI also encourages you to report suspicious or criminal activity to the FBI Internet Crime\r\nComplaint Center at www.ic3.gov. When available, each report should include the date, time, location,\r\ntype of activity, number of people, and type of equipment used for the activity, the name of the submitting\r\ncompany or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s\r\nNational Press Office at npo@fbi.gov or (202) 324-3691.\r\nIndividual indicators included in this document should always be evaluated in light of your complete\r\ninformation security situation. Some indicators, particularly those of a nondeterministic or ephemeral\r\nnature (such as filenames or IP addresses), may not be indicative of a compromise.\r\nYour organization has no obligation to provide information in response to this product. If, after reviewing\r\nthe information provided, your organization decides to provide information to the FBI, it must do so\r\nconsistent with applicable state and federal law.\r\n \r\nAdministrative Note\r\nThe information in this document is being provided by the FBI, with no guarantees or warranties, for\r\npotential use at the sole discretion of recipients to protect against cyber threats. This data is provided to\r\nhelp cybersecurity professionals and system administrators guard against the persistent malicious actions\r\nof cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including\r\nany entities, products, or services linked within this document. 
Any reference to specific commercial\r\nentities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply endorsement, recommendation, or favoring by the FBI.\r\nThis product is marked TLP:CLEAR. The information in this product may be shared without restriction.\r\nInformation is subject to standard copyright rules.\r\n \r\n \r\n \r\nYour feedback regarding this product is critical.\r\nPlease take a moment to complete the survey at the link below. Input can be submitted\r\nanonymously and should be specific to your experience with our written products.\r\n \r\n \r\nThis survey is for feedback on contact and value only. Reporting of technical information\r\nregarding FLASH reports must be submitted through your local FBI field office.\r\n \r\nhttps://www.ic3.gov/PIFSurvey",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://www.ic3.gov/CSA/2026/260320.pdf"
	],
	"report_names": [
		"260320.pdf"
	],
	"threat_actors": [
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T06:58:56.933227Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T06:58:57.779286Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-29T06:58:56.744414Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T06:58:57.946937Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T06:58:57.629299Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429243,
	"ts_updated_at": 1777450909,
	"ts_creation_date": 1774021314,
	"ts_modification_date": 1774021314,
	"files": {
		"pdf": "https://archive.orkl.eu/1ece5414b21495039c276b44deb296abbfb9fd0f.pdf",
		"text": "https://archive.orkl.eu/1ece5414b21495039c276b44deb296abbfb9fd0f.txt",
		"img": "https://archive.orkl.eu/1ece5414b21495039c276b44deb296abbfb9fd0f.jpg"
	}
}