FBI Issues Flash Warning Identifying Iranian State Actors Using Encrypted Messaging Apps To Distribute Windows Malware

The FBI identifies Iranian state-backed hackers using Telegram and Signal to push malware to Windows machines, targeting global opposition groups and journalists.

By: AXL Media

Published: Mar 31, 2026, 4:04 AM EDT

Source: Information for this report was sourced from JD Supra


State-Sponsored Cyber Activity Targets Dissidents

A recent FLASH warning from the Federal Bureau of Investigation has alerted the international community to elevated malicious activity originating from Iranian-backed cyber actors. Operating under the direction of the Ministry of Intelligence and Security, these threat actors have been identified as targeting specific individuals of interest, primarily journalists and political dissidents opposed to the current Iranian administration. The FBI suggests that the current geopolitical climate in the Middle East has served as a catalyst for this intensified digital surveillance and harassment campaign, which aims to suppress opposition groups worldwide.

Manipulation of Legitimate Messaging Infrastructure

The core of this malware campaign involves the abuse of widely used messaging platforms, specifically Telegram and Signal. According to the FBI, the hackers are not exploiting vulnerabilities in the apps themselves; they are using the platforms as command and control (C2) infrastructure. By setting up automated bots within these applications, the threat actors can remotely manage infected machines. Because the malware talks to the platforms' legitimate endpoints over their normal encrypted channels, its traffic looks like ordinary messaging data and bypasses traditional network defenses that key on communication with known malicious domains.

Tactics of Social Engineering and Machine Infection

The infection process typically begins with social engineering, in which the payload is disguised as a commonly used Windows program or an essential system service. Once a user is deceived into executing the payload, the malware establishes a persistent connection to the Telegram C2 bot. This unauthorized access grants the hackers the ability to take real-time screen captures, exfiltrate private files, and monitor the user's digital behavior. The FBI warns that while the current focus is on dissidents, the modular nature of the malware means it could be deployed against any target deemed a priority by the Iranian state.
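The C2 pattern described in the previous section and the disguised-payload tactic described here point to a simple host-side detection: Bot API traffic from a process that has no business sending it. The following is an added example written for this article, not code from the FBI FLASH or from the malware, and only the Telegram side is modelled. It scans constructed proxy-style log lines for calls to api.telegram.org with the Bot API path shape (/bot<token>/<method>) from unapproved processes, and escalates when the process carries a system-binary name outside System32, uses an upload method that could carry files or screenshots, or polls getUpdates repeatedly. The log format, the approved-client list and every sample path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint/proxy log, one "<timestamp> <image> <host> <path>" per line
# (the format itself is an assumption for this example, not a vendor schema).
SAMPLE_LOG = """\
2026-03-31T08:00:00 C:\\Users\\ana\\AppData\\Roaming\\svchost.exe api.telegram.org /bot123456:EXAMPLE_TOKEN/getUpdates
2026-03-31T08:00:05 C:\\Users\\ana\\AppData\\Roaming\\svchost.exe api.telegram.org /bot123456:EXAMPLE_TOKEN/getUpdates
2026-03-31T08:00:10 C:\\Users\\ana\\AppData\\Roaming\\svchost.exe api.telegram.org /bot123456:EXAMPLE_TOKEN/sendDocument
2026-03-31T08:00:12 C:\\Windows\\System32\\svchost.exe updates.example.com /health
2026-03-31T08:01:00 C:\\Tools\\alerts\\notify.exe api.telegram.org /bot999:EXAMPLE_TOKEN/sendMessage
"""

BOT_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot\d+:[\w-]+/(\w+)")  # /bot<id>:<secret>/<method>
APPROVED_BOT_CLIENTS = {r"c:\tools\alerts\notify.exe"}  # assumption: an internal alerting tool
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe"}  # belong in System32
SYSTEM_DIR = "c:\\windows\\system32\\"
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}  # file/screenshot exfil channels
POLL_THRESHOLD = 2  # getUpdates calls from one image within the log window


def detect(log_text):
    """Map each suspicious process image to the sorted list of reasons it was flagged."""
    findings = defaultdict(set)
    polls = defaultdict(int)
    for line in log_text.strip().splitlines():
        _ts, image, host, path = line.split(" ", 3)
        low = image.lower()
        # Only Bot API traffic from images not approved to use it is of interest.
        if host != BOT_API_HOST or low in APPROVED_BOT_CLIENTS:
            continue
        match = BOT_PATH.match(path)
        if not match:
            continue
        method = match.group(1)
        findings[image].add(f"unapproved Telegram Bot API call: {method}")
        # Masquerading: a system-binary name running from outside System32.
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIR):
            findings[image].add("system binary name running outside System32")
        if method in UPLOAD_METHODS:
            findings[image].add(f"possible file exfiltration via {method}")
        if method == "getUpdates":
            polls[image] += 1
    for image, count in polls.items():
        if count >= POLL_THRESHOLD:
            findings[image].add(f"C2 polling: getUpdates x{count}")
    return {image: sorted(reasons) for image, reasons in findings.items()}
```

On the constructed sample the System32 svchost.exe and the approved notify.exe produce nothing, while the svchost.exe under the user's Roaming directory is flagged on all four counts.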
