Iranian Handala Hacktivist Group Leveraging Telegram for Malware C2 Targeting Journalists, Dissidents and High‑Value Individuals
What Happened – The FBI disclosed that the Iran‑linked Handala hacktivist team is using Telegram as a command‑and‑control (C2) channel for Windows‑based malware. The malware is delivered via social‑engineering lures and is designed to capture screenshots, steal files, and, in some cases, issue remote wipe commands through compromised Microsoft Intune accounts (as seen in the Stryker incident).
Why It Matters for TPRM (Third‑Party Risk Management) –
- Telegram‑based C2 is difficult to detect with traditional network proxies, increasing the risk of silent data exfiltration.
- The threat actors target journalists, NGOs, and government‑affiliated individuals, exposing third‑party vendors that support these entities to reputational and intelligence‑leak risks.
- Use of legitimate cloud services (Telegram, Microsoft Intune) blurs the line between benign and malicious traffic, demanding tighter third‑party monitoring.
Who Is Affected – Media & journalism firms, human‑rights NGOs, government agencies, healthcare providers (e.g., Stryker), and any organization that relies on Microsoft Intune or similar endpoint‑management solutions.
Recommended Actions –
- Block or closely monitor Telegram traffic from corporate endpoints and enforce strict egress filtering.
- Deploy endpoint detection and response (EDR) rules that flag suspicious PowerShell or credential‑dumping activity linked to known Handala IOCs.
- Verify that privileged accounts (especially Global Administrators in Azure AD/Intune) have MFA and least‑privilege access.
- Review contracts with third‑party communications and endpoint‑management providers for security‑by‑design clauses.
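The first two recommended actions (monitoring Telegram egress and flagging scripted activity) can be turned into a simple detection over proxy logs. The script below is an added example written for this summary, not code from the FBI advisory or the BleepingComputer article; the log format, the source allowlist, and the t.me/telegram.org entries are assumptions (api.telegram.org is the real Telegram Bot API host). It flags Telegram traffic from hosts not on the allowlist and rates Bot API calls made with a non‑browser, non‑client user agent higher, because a scripted Bot API call from a workstation is the pattern worth triaging first.

```python
"""Flag outbound connections to Telegram endpoints in proxy logs.

Added example for this summary: the log format, the allowlist, and the
hostnames other than api.telegram.org are constructed assumptions.
"""
import re
from collections import defaultdict

# api.telegram.org is the Telegram Bot API endpoint; the other two entries
# are assumed client/link domains included for illustration.
TELEGRAM_DOMAINS = ("api.telegram.org", "telegram.org", "t.me")

# Hosts approved to use Telegram (e.g. a communications team). Assumed allowlist.
ALLOWED_SOURCES = {"10.0.5.21"}

# Constructed proxy log lines: timestamp, source IP, destination host, user agent.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.5.21 api.telegram.org TelegramDesktop/4.8
2024-05-01T09:13:44Z 10.0.7.112 api.telegram.org python-requests/2.31
2024-05-01T09:14:10Z 10.0.7.112 login.microsoftonline.com Mozilla/5.0
2024-05-01T09:15:01Z 10.0.9.40 t.me Mozilla/5.0
2024-05-01T09:16:22Z 10.0.7.112 api.telegram.org python-requests/2.31
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# User agents that are expected to talk to Telegram; anything else hitting the
# Bot API from an endpoint is treated as scripted use.
EXPECTED_UA_PREFIXES = ("Mozilla/", "TelegramDesktop/")


def is_telegram_host(host):
    """True if host is a Telegram domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, ua = m.groups()
    return {"ts": ts, "src": src, "host": host, "ua": ua}


def find_telegram_egress(log_text):
    """Return alert records for Telegram traffic from non-allowlisted sources.

    Severity is 'high' when the Bot API is reached with an unexpected user
    agent, 'medium' for any other Telegram destination.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_telegram_host(rec["host"]):
            continue
        if rec["src"] in ALLOWED_SOURCES:
            continue
        severity = "medium"
        if rec["host"].lower() == "api.telegram.org" and not rec["ua"].startswith(EXPECTED_UA_PREFIXES):
            severity = "high"
        alerts.append({**rec, "severity": severity})
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source IP so repeat offenders surface first."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_telegram_egress(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity'].upper():6} {a['ts']} {a['src']} -> {a['host']} ({a['ua']})")
    print(summarize_by_source(found))
```

In practice the same logic runs over SNI or DNS logs when the proxy does not terminate TLS; the host field is the only thing the check needs, which is why egress logging that records destination names is the prerequisite for the first recommended action.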
Technical Notes – Attack vector: phishing/social engineering → Windows malware → Telegram C2. The group has also leveraged compromised Azure AD/Intune credentials to issue remote wipe commands, demonstrating a hybrid credential‑compromise and malware strategy. Source: BleepingComputer