FBI Warns: Iranian State Hackers Leveraging Telegram in Targeted Malware Campaign

Overview

The Federal Bureau of Investigation (FBI) has issued an alert warning that hackers operating on behalf of the Iranian government are incorporating Telegram into sophisticated malware campaigns. These operations are specifically designed to target dissidents, opposition groups, and journalists who are critical of the Iranian regime.

Key Findings

  • Iranian state-affiliated threat actors are leveraging the Telegram messaging platform as an operational tool within their malware attack chains.
  • Primary targets include individuals and organizations that oppose or report critically on the Iranian government, including dissidents living abroad, opposition groups, and members of the press.
  • The campaign involves the use of malware to exfiltrate sensitive data from compromised systems and devices.
  • The use of a widely used platform whose traffic is encrypted in transit, such as Telegram, is likely intended to evade detection: outbound connections to Telegram infrastructure rarely stand out on their own, so malicious command-and-control and exfiltration traffic can blend into legitimate use of the service.

Threat Context

Iranian state-linked actors have a well-documented history of conducting cyber operations against political opponents, journalists, and human rights activists, both domestically and internationally. Using consumer platforms such as Telegram for command-and-control or data exfiltration reflects an evolving tactic: the attacker gains trusted infrastructure, ready-made encryption, and a reduced operational footprint, because no dedicated C2 domain or server has to be registered, hosted, and hidden.

This type of campaign poses significant risks to at-risk individuals who may not be equipped with enterprise-grade security tools, making awareness and basic operational security hygiene critical lines of defense.

Recommendations

  • High-risk individuals — including journalists, activists, and dissidents — should exercise heightened caution with unsolicited messages on Telegram and other messaging platforms.
  • Organizations supporting at-risk communities should implement endpoint detection and response (EDR) solutions and conduct regular security awareness training.
  • Review and restrict unnecessary application permissions, particularly for messaging apps with access to files and contacts.
  • Monitor for indicators of compromise (IOCs) associated with Iranian threat actor groups such as APT35 (Charming Kitten) and related clusters.
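A concrete way to act on the last recommendation, as an added example that is not part of the original alert or the TechCrunch coverage: most malware that uses Telegram for tasking and exfiltration talks to the public Bot API at api.telegram.org, with the bot token embedded in the URL path. The page does not say which Telegram feature this campaign uses, so the Bot API pattern is an assumption here. The script below scans proxy log lines for that pattern, classifies each hit as exfiltration or command polling, drops hosts that are known to run legitimate bot-based automation, and pivots on the bot ID to find other hosts that share the same token. The log format, hostnames, process names and tokens are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real telemetry). Assumed format:
# <timestamp> <src_host> <process> <method> <url> <status> <bytes_out>
SAMPLE_LOG = """\
2024-06-01T09:14:02Z ws-journalist-07 updater.exe POST https://api.telegram.org/bot7123456789:AAF3k9dH2xQwErTyUiOpAsDfGhJkLzXcVbN/sendDocument 200 1843200
2024-06-01T09:14:09Z ws-journalist-07 updater.exe GET https://api.telegram.org/bot7123456789:AAF3k9dH2xQwErTyUiOpAsDfGhJkLzXcVbN/getUpdates?offset=41 200 312
2024-06-01T09:15:00Z alerts-relay01 python3 POST https://api.telegram.org/bot5550001111:BBzz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0PpOo/sendMessage 200 220
2024-06-01T09:15:31Z ws-journalist-07 Telegram.exe POST https://149.154.167.51/api 200 5120
2024-06-01T09:16:45Z ws-editor-02 chrome.exe GET https://web.telegram.org/a/ 200 0
2024-06-01T09:17:10Z ws-editor-02 svchost.exe POST https://api.telegram.org/bot7123456789:AAF3k9dH2xQwErTyUiOpAsDfGhJkLzXcVbN/sendDocument 200 922000
"""

# Bot API URLs embed the token as /bot<bot_id>:<secret>/<method>. The official
# desktop and web clients do not use this endpoint, so a hit from an endpoint
# workstation is a strong signal on its own.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Methods that move file content off the host versus methods that fetch tasking.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
POLL_METHODS = {"getUpdates"}


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, process, http_method, url, status, bytes_out = parts
    return {
        "ts": ts, "host": host, "process": process, "http_method": http_method,
        "url": url, "status": int(status), "bytes_out": int(bytes_out),
    }


def classify(method):
    if method in EXFIL_METHODS:
        return "exfiltration"
    if method in POLL_METHODS:
        return "c2_polling"
    return "messaging"


def detect(log_text, allowed_hosts=frozenset()):
    """Return one finding per Bot API request from a host that is not allowlisted.

    The token secret is redacted in the finding so the output can be shared
    without leaking a credential that is itself an indicator of compromise.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] in allowed_hosts:
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "process": rec["process"],
            "bot_id": m.group("bot_id"),
            "token": m.group("bot_id") + ":" + m.group("secret")[:3] + "***",
            "method": m.group("method"),
            "category": classify(m.group("method")),
            "bytes_out": rec["bytes_out"],
        })
    return findings


def summarize(findings):
    """Per-host totals: bytes sent to the Bot API, bot IDs seen, activity categories."""
    summary = defaultdict(lambda: {"bytes_out": 0, "bot_ids": set(), "categories": set()})
    for f in findings:
        s = summary[f["host"]]
        s["bytes_out"] += f["bytes_out"]
        s["bot_ids"].add(f["bot_id"])
        s["categories"].add(f["category"])
    return dict(summary)


def shared_tokens(findings):
    """Pivot: bot IDs mapped to the sorted list of hosts using them. A bot ID seen on
    more than one host usually means one operator controlling several victims."""
    hosts_by_bot = defaultdict(set)
    for f in findings:
        hosts_by_bot[f["bot_id"]].add(f["host"])
    return {bot: sorted(hosts) for bot, hosts in hosts_by_bot.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG, allowed_hosts={"alerts-relay01"})
    for f in hits:
        print(f"{f['ts']} {f['host']} {f['process']} {f['category']} {f['method']} "
              f"bot={f['token']} bytes_out={f['bytes_out']}")
    for bot, hosts in shared_tokens(hits).items():
        if len(hosts) > 1:
            print(f"bot {bot} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

The allowlist matters: monitoring and alerting pipelines legitimately post to the Bot API, so the rule should key on process and host rather than on the domain alone. Note also that the Telegram desktop client in the sample (Telegram.exe to a datacenter IP) and browser use of web.telegram.org produce no findings; the detection is deliberately narrow to Bot API calls, which is where the exfiltration and tasking traffic would appear under the stated assumption.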

Source

This report is based on coverage by TechCrunch — FBI says Iranian hackers are using Telegram to steal data in malware attacks.