Source: Firewall Daily – The Cyber Express. By Samiksha Jain.
Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists

24 March 2026, 02:35


The Iran Telegram malware campaign has once again put the spotlight on how state-backed cyber actors are adapting their tactics by blending into widely used digital platforms. In a recent alert, the Federal Bureau of Investigation (FBI) revealed that cyber actors linked to Iran’s Ministry of Intelligence and Security (MOIS) are using Telegram as a command-and-control (C2) infrastructure to deploy malware. The campaign specifically targets Iranian dissidents, journalists, and individuals or groups perceived as opposing the Iranian government. According to the FBI, these operations have led to intelligence collection, data leaks, and reputational damage, indicating that the intent goes beyond simple access and leans toward sustained monitoring and impact.

Iran Telegram Malware Reflects Targeted Surveillance Strategy

The Iran Telegram malware activity dates back to at least Fall 2023, with multiple malware variants identified targeting Windows systems. The victim profile is not random. It is clearly defined, focused on individuals whose views or affiliations are seen as a threat by the Iranian government. However, the FBI also notes that the malware can be used against any individual of interest, suggesting the capability is broader than the currently observed targets. What stands out is the level of preparation. The malware is not just deployed; it is tailored. Attackers appear to study their targets in advance, customizing lures to increase the chances of success. This points to a deliberate, intelligence-driven approach rather than opportunistic attacks.

How the Iran Telegram Malware Operates

The FBI outlines a structured, multi-stage malware framework that combines deception with persistence.
Social Engineering Drives Initial Access
Attackers reach out through messaging platforms, impersonating trusted contacts or even technical support. Victims are persuaded to download files disguised as legitimate applications. These files often appear as commonly used software, including messaging tools or utilities, making them harder to question.
Multi-Stage Malware Deployment
  • Stage 1: Masquerades as legitimate applications such as Telegram-related tools, KeePass, or other software
  • Stage 2: Installs a persistent implant after user interaction
Once executed, the second stage connects the infected device to a Telegram bot, establishing a C2 channel via Telegram’s infrastructure.
Persistent Access and Control
At this stage, attackers gain remote access to the compromised system. The use of Telegram allows bidirectional communication, enabling continuous control without raising immediate suspicion.

Data Collection and Exfiltration via Telegram

The primary objective of the Iran Telegram malware campaign is data collection. The malware is capable of:
  • Recording screen activity and audio
  • Capturing cached data and files
  • Compressing and staging data for exfiltration
  • Deleting files after extraction
Some variants were even designed to record screen and audio during active Zoom sessions, highlighting a focus on capturing sensitive, real-time information. All collected data is routed through Telegram infrastructure, reinforcing its role as a central component of the attack chain.

Links to Handala Hack and Proxy Operations

The FBI also connects this campaign to the online entity “Handala Hack,” which claimed responsibility for a 2025 hack-and-leak operation targeting individuals critical of Iran. The agency assesses that some of the leaked data was obtained using malware associated with this campaign. Handala Hack is known for phishing, data theft, extortion, and destructive cyber activities, including the use of wiper malware. Additionally, the group is linked to “Homeland Justice,” another entity assessed to be operated by MOIS cyber actors. This reflects a broader pattern where technical intrusions are followed by public data exposure. The goal is not just access, but also reputational and political damage through controlled information release.

Execution Techniques and Persistence Mechanisms

The malware used in the Iran Telegram malware campaign employs several techniques to maintain access and avoid detection:
  • Use of PowerShell execution without warnings
  • Registry modifications to ensure persistence
  • Deployment of multiple malware files for different functions
Observed file names include variants mimicking legitimate tools, such as Telegram_authenticator.exe and WhatssApp.exe, further reinforcing the deception strategy.
[Image: Iran Telegram malware campaign. Source: FBI]
Once inside a system, additional malware components are downloaded to expand capabilities and maintain long-term access.
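The behaviours listed in this section and the two before it (lookalike binaries, PowerShell run without prompts, Run-key persistence, and a C2 channel to Telegram) are all visible in ordinary endpoint telemetry. The following is an added triage example, not code from the FBI alert or from The Cyber Express: it walks constructed Sysmon-style process, registry and network records and flags each of those behaviours. The event records, paths, the allowlist of binaries permitted to reach the Telegram Bot API host (api.telegram.org, which the article itself never names) and the reading of "execution without warnings" as the execution-policy-bypass and hidden-window switches are all assumptions made for the example.

```python
"""Triage of constructed endpoint telemetry for the tradecraft described
above: lookalike binaries run from user-writable paths, PowerShell launched
with prompt-suppressing switches, Run-key autostart entries, and a process
other than an approved client talking to the Telegram Bot API host.
Event records, hostnames, paths and the allowlist are all constructed for
this example; none of them come from the FBI alert."""
import re
from difflib import SequenceMatcher

# Product names the lures are described as imitating, plus a few more the
# same approach covers (assumed list; extend it for your environment).
LEGIT_NAMES = ("telegram", "whatsapp", "keepass", "signal", "zoom")
# Directories a real product install would not normally execute from.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")
# Host the Telegram Bot API is served from, used here as the C2 indicator.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumption: the only binaries allowed to reach the Bot API in this fleet.
ALLOWED_TELEGRAM_CLIENTS = {"ops-alerts-bot.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumption: "execution without warnings" read as the usual switches that
# skip the execution-policy prompt, hide the window or pass encoded code.
PS_FLAGS = re.compile(
    r"-(?:executionpolicy\s+bypass|ep\s+bypass|windowstyle\s+hidden|w\s+hidden"
    r"|noninteractive|encodedcommand|enc|e)\b", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def impersonates(image):
    """Return the product name an executable seems to borrow, but only when it
    runs from a user-writable directory; official installs are left alone."""
    if not any(d in image.lower() for d in USER_WRITABLE):
        return None
    stem = basename(image).removesuffix(".exe")
    for legit in LEGIT_NAMES:
        # Either the brand is embedded (Telegram_authenticator) or the
        # spelling is one edit away (WhatssApp).
        if legit in stem or SequenceMatcher(None, stem, legit).ratio() >= 0.8:
            return legit
    return None


def quiet_powershell(cmdline):
    return "powershell" in cmdline.lower() and PS_FLAGS.search(cmdline) is not None


def run_key_persistence(key):
    return any(k in key.lower() for k in RUN_KEYS)


def unexpected_telegram_api(event):
    return (event["dest_host"] in TELEGRAM_API_HOSTS
            and basename(event["image"]) not in ALLOWED_TELEGRAM_CLIENTS)


def triage(events):
    """Return one finding per event that trips at least one check."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        image = ev.get("image") or ev.get("value", "")
        brand = impersonates(image)
        if brand:
            reasons.append(f"{basename(image)} borrows the {brand} name but runs from a user-writable path")
        if ev["type"] == "process" and quiet_powershell(ev["cmdline"]):
            reasons.append("PowerShell launched with prompt-suppressing switches")
        if ev["type"] == "registry" and run_key_persistence(ev["key"]):
            reasons.append("autostart entry written under a Run key")
        if ev["type"] == "network" and unexpected_telegram_api(ev):
            reasons.append(f"non-allowlisted process contacted {ev['dest_host']} (possible bot C2)")
        if reasons:
            findings.append({"index": i, "type": ev["type"], "reasons": reasons})
    return findings


# Constructed events, loosely shaped like Sysmon process/registry/network records.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\Downloads\Telegram_authenticator.exe",
     "cmdline": "Telegram_authenticator.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\u\AppData\Roaming\stage2.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WhatssApp",
     "value": r"C:\Users\u\AppData\Roaming\WhatssApp.exe"},
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\WhatssApp.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Tools\ops-alerts-bot.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "image": r"C:\Program Files\KeePass\KeePass.exe", "cmdline": "KeePass.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['index']} ({f['type']}): " + "; ".join(f["reasons"]))
```

The lookalike check deliberately ignores binaries under Program Files: the point of the lure names is that they look like software the victim already trusts, so the signal is the name combined with an install location no real installer uses. The Telegram check is an allowlist rather than a block, since a blanket block on api.telegram.org will break any legitimate bot integration and simply push the operator to another channel.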

Why This Campaign Stands Out

What makes the Iran Telegram malware campaign particularly concerning is its simplicity combined with precision.
  • It relies heavily on human interaction rather than technical exploits
  • It uses trusted platforms instead of suspicious infrastructure
  • It focuses on specific individuals rather than mass attacks
This combination makes detection harder and increases the likelihood of success.

Mitigation: Simple Steps, Critical Impact

Despite the sophistication of the campaign, the FBI’s recommendations remain grounded in basic cybersecurity practices:
  • Be cautious of unexpected messages, even from known contacts
  • Avoid downloading files from unverified sources
  • Keep systems updated with the latest software patches
  • Use strong passwords and enable multi-factor authentication
  • Regularly run antivirus or anti-malware tools
The advisory makes one thing clear: even advanced campaigns often succeed because of small lapses in user awareness.

A Clear Signal for Cyber Defenders

The Iran Telegram malware campaign is a reminder that cyber threats are no longer confined to obscure or easily identifiable channels. By embedding malicious activity within widely used platforms like Telegram, attackers are reducing friction and increasing stealth. For defenders, this raises an important challenge: security strategies must account not just for malicious code, but for how and where that code is delivered. In this case, the platform is familiar. The method is simple. And that is exactly what makes it effective.
Source: Krebs on Security. By Brian Krebs.

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker

11 March 2026, 13:20

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.

A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.

“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.

The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.

Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”

A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”

“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”

Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.

Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
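If the wipe really was issued through Intune, the attacker's actions are not in any endpoint log that survives the wipe; they are in the tenant's own MDM audit trail. What a defender would want from this paragraph is an alert on the shape of that abuse: one principal issuing far more wipe commands, far faster, than any legitimate helpdesk workflow. The following is an added example, not code from Krebs on Security or from Microsoft. Its records are constructed and only modelled on the field shape of Microsoft Graph's deviceManagement/auditEvents resource (activityType, actor.userPrincipalName, activityDateTime, resources); the activityType strings, the actor names and the burst threshold are assumptions.

```python
"""Burst detection over Intune audit events for the remote-wipe abuse the
article describes. The records below are constructed and only modelled on
the shape of Microsoft Graph's deviceManagement/auditEvents resource
(activityType, actor.userPrincipalName, activityDateTime, resources); the
activityType values, actor names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity names for device wipe/retire actions.
WIPE_ACTIVITIES = {"wipeManagedDevice", "retireManagedDevice"}
# Assumed policy: no single principal should wipe this many devices this fast.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def make_event(ts, actor, activity, device):
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


def wipe_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Map each actor who issued >= threshold wipe/retire actions inside any
    sliding window to (count, first_ts, last_ts) of the largest such burst."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["activityType"] in WIPE_ACTIVITIES:
            per_actor[ev["actor"]["userPrincipalName"]].append(parse_ts(ev["activityDateTime"]))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            n = end - start + 1
            if n >= threshold and n > bursts.get(actor, (0,))[0]:
                bursts[actor] = (n, times[start], t)
    return bursts


def affected_devices(events, actor, first, last):
    """Devices named in the actor's wipe/retire events inside [first, last]:
    the list to hand to incident response for recovery."""
    names = []
    for ev in events:
        if (ev["actor"]["userPrincipalName"] == actor and ev["activityType"] in WIPE_ACTIVITIES
                and first <= parse_ts(ev["activityDateTime"]) <= last):
            names.extend(r["displayName"] for r in ev["resources"])
    return sorted(names)


# Constructed audit trail: routine helpdesk actions plus a service principal
# that wipes eight devices in 35 seconds.
SAMPLE_EVENTS = (
    [make_event("2026-03-11T06:02:10Z", "helpdesk@example.com", "wipeManagedDevice", "LAPTOP-0001")]
    + [make_event(f"2026-03-11T07:30:{5 * i:02d}Z", "svc-mdm-sync@example.com",
                  "wipeManagedDevice", f"DEV-{i:04d}") for i in range(8)]
    + [make_event("2026-03-11T09:15:00Z", "helpdesk@example.com", "retireManagedDevice", "LAPTOP-0002"),
       make_event("2026-03-11T09:16:00Z", "helpdesk@example.com", "createDeviceConfiguration", "Baseline")]
)

if __name__ == "__main__":
    for actor, (n, first, last) in wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {n} wipe/retire actions between {first} and {last}")
        print("  devices:", ", ".join(affected_devices(SAMPLE_EVENTS, actor, first, last)))
```

In a live tenant the records would be pulled from the Graph audit-event endpoint on a short schedule rather than constructed; the detection itself is the same sliding-window count per actor. The more important control is upstream of the alert: the wipe right should sit in a narrowly scoped Intune role held by a handful of MFA-protected accounts, so that a single compromised administrator or service principal cannot reach every enrolled device at once.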

Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.

“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.

The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.

Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.

“This is a real-world supply chain attack,” said the expert, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”

John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.

“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”

According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.

“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”

This is a developing story. Updates will be noted with a timestamp.

Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.

Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
