
Iran-backed Handala uses Telegram for C2 to push malware, FBI says


The FBI on March 20 warned that the Iran-backed Handala threat group used Telegram as a command-and-control (C2) infrastructure to push malware that targets Iranian dissidents, journalists, and other opposition groups worldwide.

Security pros said while it may appear that these attacks have no bearing on day-to-day security operations, experts warn that enterprises must stay aware of commercial tools like Telegram that are used to launch malware attacks.

“This FBI advisory highlights a growing reality in modern cyber operations: threat actors are increasingly abusing trusted, widely used platforms like Telegram to blend malicious activity into normal traffic,” said Heath Renfrow, co-founder and CISO at Fenix24. “The risk isn’t the platform itself, it’s the combination of social engineering, impersonation, and malware delivery that lets attackers establish persistence and quietly exfiltrate data.”

Renfrow said that for everyday security teams the takeaway is clear: we have to assume that legitimate services are weaponized. That means focusing less on blocking specific tools and more on controlling execution, monitoring abnormal outbound communications, and reducing attacker dwell time.

“Strong identity controls, application allow-listing, and visibility into endpoint behavior are no longer optional — they’re foundational,” said Renfrow. “While this campaign targets journalists and dissidents, the tradecraft is highly transferable. Once proven, these techniques can be rapidly adapted to target enterprises, partners, and individuals with access to sensitive systems. Organizations should treat this as an early signal, not an isolated case.”

Kevin Surace, chair at TokenCore, added that security teams should read this as a reminder that nation-state attacks are no longer limited to spies, diplomats, or major newsrooms. Surace said if an organization shapes public opinion, supports dissidents, works in defense, healthcare, critical infrastructure, or simply holds sensitive data that could embarrass or pressure a target, they may now fall inside the blast radius.

“The bigger lesson is that Iran-linked operators are pairing very human deception with lightweight malware delivery, which means many ordinary enterprise users can suddenly become strategic targets,” said Surace.

Surace said Telegram has become attractive because it lets attackers hide malicious traffic inside a mainstream, globally-used service instead of standing up obvious attacker-owned infrastructure that defenders can more easily block or seize. In this campaign, the FBI said the malware used a Telegram bot for bidirectional communication with infected devices through api.telegram.org, which Surace said gives threat actors a cheap, familiar, and resilient control channel.

“That’s different from traditional malware infrastructure, where defenders can often spot strange domains or IPs more quickly,” said Surace. “Here, the attacker blends into normal encrypted app traffic and outsources part of their infrastructure problem to a legitimate platform.”

Megan Biederman, security analyst at Blackpoint Cyber, said defenders should focus on the technique at play here: using chat apps such as Telegram as C2 infrastructure is neither new nor niche, nor is it specific to Handala, but it is effective at bypassing basic security measures.

Biederman said defenders should take note of the attempts to exploit trusted relationships to bypass detection. Beaconing to Telegram infrastructure is harder to flag as malicious because the same destinations also see legitimate use.
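The Bot API channel Surace describes and the beaconing Biederman points to both leave a trace in outbound proxy logs. The following is an added example, not code from the article or the FBI advisory: it assumes a constructed log format (timestamp, host, process, destination, path) and flags any workstation process polling the api.telegram.org Bot API at a near-constant interval, which is how a bot picks up commands.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the advisory): timestamp, host,
# process, destination, path. api.telegram.org is the Bot API endpoint the FBI named.
SAMPLE_LOG = """\
2026-03-20T10:00:00Z ws-17 Telegram.exe web.telegram.org /
2026-03-20T10:00:05Z ws-42 update.exe api.telegram.org /bot<token>/getUpdates
2026-03-20T10:00:35Z ws-42 update.exe api.telegram.org /bot<token>/getUpdates
2026-03-20T10:01:05Z ws-42 update.exe api.telegram.org /bot<token>/getUpdates
2026-03-20T10:01:35Z ws-42 update.exe api.telegram.org /bot<token>/sendDocument
2026-03-20T10:02:00Z ws-17 chrome.exe api.telegram.org /bot<token>/getMe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Bot API paths look like /bot<token>/<method>; the method name is what matters.
BOT_RE = re.compile(r"^/bot[^/]+/(\w+)")

def parse_bot_api_calls(log_text):
    """Group Bot API requests by (host, process) -> list of (timestamp, method)."""
    calls = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, dest, path = m.groups()
        bot = BOT_RE.match(path)
        if dest != "api.telegram.org" or not bot:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        calls.setdefault((host, proc), []).append((when, bot.group(1)))
    return calls

def find_beacons(log_text, min_calls=3, max_jitter=0.2):
    """Flag (host, process) pairs polling the Bot API at near-constant intervals;
    getUpdates is the command side, sendDocument/sendMessage the likely exfil side."""
    findings = []
    for (host, proc), events in parse_bot_api_calls(log_text).items():
        if len(events) < min_calls:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if jitter <= max_jitter:
            findings.append({"host": host, "process": proc, "calls": len(events),
                             "period_s": round(mean(gaps), 1),
                             "methods": sorted({m for _, m in events})})
    return findings
```

Pair the finding with an allow-list of processes expected to talk to Telegram at all, since the Bot API is meant for servers, not end-user clients.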

“Application whitelisting is a great place to start,” said Biederman. “This ensures the only applications that can run in an environment are known and vetted. Implementing methods of detecting and/or blocking anomalous network activity, such as an IDS or IPS, would also help detect attacks that may have slipped by traditional security solutions.”
