The Federal Bureau of Investigation has issued a stark warning that Iranian state‑linked hackers are exploiting the popular messaging platform Telegram to deliver malware in targeted cyber campaigns against dissidents, journalists, activists and opposition groups, highlighting an increasingly sophisticated threat landscape where nation‑state actors are using everyday tools to carry out covert operations. According to an advisory shared by the FBI, these cyber threats have been tied to individuals working on behalf of the Islamic Republic of Iran who are using Telegram both to distribute malicious software and to communicate with compromised systems, potentially giving Tehran unprecedented access to private communications, documents and sensitive data belonging to targeted individuals and organisations.
Telegram, a widely used encrypted messaging service with hundreds of millions of users worldwide, has become attractive to threat actors precisely because its end‑to‑end encryption and distributed architecture can mask malicious behaviour and make detection more difficult. While Telegram is used legitimately by activists and everyday users seeking privacy, the FBI’s alert underscores how dual‑use technologies can be repurposed by sophisticated operators to conceal command and control channels and malware payloads. The bureau noted that the malicious actors are sending links, files and enticing content over Telegram to lure targets into installing harmful software that can monitor activity, exfiltrate files, and provide remote access to attackers.
The FBI report indicates that these Iranian hackers are focusing on individuals who are critical of the Iranian government, including journalists reporting on political repression, diaspora activists, human rights defenders and members of opposition groups. By using Telegram as an initial contact vector — often posing as collaborators, sources, or sympathetic contacts — the hackers attempt to build trust before delivering malware attachments disguised as documents, multimedia files or legitimate tools. Once executed, the malware can embed itself deeply in a victim’s device, harvest files, record keystrokes and communicate back to command servers controlled through Telegram channels or bots.

While the full technical details of the malware families used in these operations were not disclosed in the FBI’s public summary, experts familiar with Iranian cyber‑espionage campaigns say that Tehran has a history of blending open platforms with custom malware to achieve plausible deniability. Previous incident investigations by cybersecurity firms and government agencies have documented how Iranian threat groups have used social engineering, spearphishing, malicious macros embedded in documents, and command infrastructure hidden within legitimate services. Telegram’s global reach and strong encryption have made it attractive for concealment, especially against defenders who may be less likely to scrutinise traffic that appears to be encrypted messaging.
The FBI warning stresses that victims may have little indication of compromise until significant damage is done. Because Telegram traffic may look like normal encrypted messaging, traditional perimeter defences and network monitoring tools may not raise alarms when malicious communications are exchanged. Once malware is planted, it can slowly siphon data or maintain persistence, making remediation difficult without forensic analysis.
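The reason network perimeter tools stay quiet is that Telegram-based command and control rides on TLS to Telegram's own infrastructure, so the useful signal is not the destination alone but which process on the endpoint is talking to it. The script below is an added example, not from the FBI advisory or the article: it reads endpoint connection telemetry in a constructed one-JSON-object-per-line format (fields ts, host, process, pid, dest_host, dest_port, which is an assumed schema, not any vendor's), flags processes other than an allowlisted Telegram client that contact api.telegram.org (Telegram's Bot API host), and checks whether those connections recur at a regular interval, the beaconing pattern an implant polling a bot for commands tends to produce. The allowlist and the sample log lines are constructed for illustration.

```python
"""Flag non-Telegram processes that poll Telegram's Bot API (api.telegram.org).

Added example for endpoint/SIEM triage. Input format is an assumed schema:
one JSON object per line with ts (epoch seconds), host, process, pid,
dest_host and dest_port. Tune ALLOWED_PROCESSES to the environment.
"""
import json
from collections import defaultdict

# Host the Telegram Bot API is served from; bot-driven C2 must reach it.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Processes expected to talk to Telegram in this (assumed) environment.
# Build this from an observed baseline rather than guessing.
ALLOWED_PROCESSES = {"telegram.exe", "telegram-desktop", "telegram"}

# Constructed sample telemetry: one legitimate client, one browser visit to the
# web client, one unknown double-extension binary polling the API every 60 s.
SAMPLE_LOG = """\
{"ts": 1700000000, "host": "WS-17", "process": "telegram.exe", "pid": 4120, "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": 1700000005, "host": "WS-17", "process": "chrome.exe", "pid": 2210, "dest_host": "web.telegram.org", "dest_port": 443}
{"ts": 1700000010, "host": "WS-17", "process": "report_final.pdf.exe", "pid": 5588, "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": 1700000070, "host": "WS-17", "process": "report_final.pdf.exe", "pid": 5588, "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": 1700000130, "host": "WS-17", "process": "report_final.pdf.exe", "pid": 5588, "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": 1700000190, "host": "WS-17", "process": "report_final.pdf.exe", "pid": 5588, "dest_host": "api.telegram.org", "dest_port": 443}
{"ts": 1700000200, "host": "WS-17", "process": "outlook.exe", "pid": 3001, "dest_host": "outlook.office365.com", "dest_port": 443}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated telemetry instead of aborting triage
    return events


def find_suspicious(events, min_beacons=3, jitter_tolerance=0.25):
    """Return findings for unexpected processes contacting the Telegram Bot API.

    Connections are grouped per (host, process, pid). A group with at least
    min_beacons connections whose inter-arrival gaps vary by no more than
    jitter_tolerance of the mean gap is marked beacon_like.
    """
    groups = defaultdict(list)
    for ev in events:
        dest = str(ev.get("dest_host", "")).lower().rstrip(".")
        if dest not in TELEGRAM_API_HOSTS:
            continue
        proc = str(ev.get("process", "")).lower()
        if proc in ALLOWED_PROCESSES:
            continue
        groups[(ev.get("host"), proc, ev.get("pid"))].append(ev["ts"])

    findings = []
    for (host, proc, pid), stamps in groups.items():
        stamps.sort()
        finding = {
            "host": host,
            "process": proc,
            "pid": pid,
            "connections": len(stamps),
            "beacon_like": False,
        }
        if len(stamps) >= min_beacons:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mean = sum(gaps) / len(gaps)
            spread = max(gaps) - min(gaps)
            finding["beacon_like"] = mean > 0 and spread / mean <= jitter_tolerance
            finding["interval_s"] = round(mean, 1)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

On the constructed sample this yields a single finding for the unknown binary: four connections, 60 s apart, beacon_like true, while the real client and the browser visit to web.telegram.org are ignored. In production the allowlist should come from a baseline of which processes legitimately use the Bot API (internal automation and notification bots are common), and a single hit from an unlisted process, beaconing or not, is still worth a look given how rarely an Office document or double-extension executable has a reason to reach that host.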
In addition to urging caution among specific targeted communities, the FBI’s advisory also includes broader guidance for organisations and individuals concerned about cyber threats. This includes updating software and systems regularly, enabling multi‑factor authentication on accounts, using reputable antivirus and endpoint detection tools, exercising extreme caution when opening files or clicking links from unsolicited sources, and reporting suspicious communications to cybersecurity authorities. For high‑risk individuals, additional protections such as device isolation, secure operating environments, and regular security audits may be recommended.
Telegram itself has responded to past warnings about misuse by emphasising its commitment to privacy and noting that encrypted services are often misunderstood by defenders and adversaries alike. The company has implemented reporting tools and bot‑blocking features to help users mitigate spam and suspicious content, but experts note that these measures are only a partial defence when threat actors are deliberate and target specific individuals with tailored social engineering tactics.
The use of encrypted mainstream platforms by state‑linked threat actors reflects a broader trend in cyber conflict. Governments — including those in China, Russia, Iran and North Korea — are increasingly blending traditional espionage with digital tools to expand their reach well beyond national borders. These operations often target geopolitical rivals, diaspora communities, dissidents, and strategic industries, seeking intelligence or attempting to disrupt activities critical of their regimes.
Iran has been active in cyberspace for years, developing cyber capabilities that support both defensive and offensive operations. In past incidents, Iranian hackers have been linked to attacks on critical infrastructure, academic institutions, foreign embassies and private sector organisations. The integration of malware distribution into accessible platforms like Telegram represents an evolution in tactics, enabling operators to conceal their activity within the noise of legitimate traffic.

For activists and journalists who already face personal risk due to their work, the FBI’s warning serves as a reminder that digital security is just as vital as physical security. Cyber threat groups do not respect national boundaries, and the ease of deploying malware via encrypted messaging makes unauthorised access a tangible risk for vulnerable individuals and organisations. Advocacy groups and digital rights organisations that specialise in security for at‑risk communities often recommend adopting secure communication practices, avoiding untrusted links, regularly backing up data and seeking expert help when a device or account shows unusual behaviour.
Beyond technical recommendations, the advisory highlights the geopolitical dimension of cyber operations. As international tensions remain high, particularly in the Middle East and between Western nations and Tehran, cyber tools offer governments a covert means of influence, intelligence gathering, and pressure without triggering overt military confrontation. This digital battleground adds a layer of complexity for defenders who must balance civil liberties, encryption rights and the need to identify and stop hostile activities.
The FBI’s alert underscores the importance of public‑private cooperation in tackling cyber threats. Law enforcement, technology providers, and cybersecurity researchers must share information and improve detection methods to protect users from increasingly sophisticated attacks that exploit legitimate platforms. For now, individuals and organisations should take seriously the warning about Iranian hackers using Telegram as a malware conduit, adopting recommended security practices and remaining vigilant in an environment where digital threats intersect with global politics and human rights concerns.