Iran‑linked MOIS Actors Leverage Telegram C2 to Deploy Malware Against Dissidents and Journalists
What Happened — Iranian Ministry of Intelligence and Security (MOIS) cyber units are using Telegram bots as a command‑and‑control (C2) channel for multi‑stage malware campaigns. The payloads masquerade as legitimate applications (e.g., Telegram, KeePass, WhatsApp) and, once executed on Windows systems, install a persistent implant that communicates with the Telegram‑based C2 to enable remote access, screen capture and data exfiltration.
Why It Matters for TPRM —
- State‑sponsored actors target individuals and organizations worldwide, increasing the risk of supply‑chain compromise for vendors handling activist or media data.
- Use of a mainstream platform (Telegram) for C2 evades many traditional network‑based detections, challenging existing third‑party security controls.
- The campaign blends espionage with disinformation, meaning a breach could lead to reputational damage for partners and downstream customers.
Who Is Affected — Media outlets, NGOs, human‑rights organizations, journalism platforms, and any third‑party service that processes communications for dissidents or political activists.
Recommended Actions —
- Review contracts with vendors that provide communication, collaboration, or endpoint services to high‑risk user groups.
- Verify that partners enforce strict application whitelisting, sandboxing of executables, and network filtering for known Telegram API endpoints.
- Incorporate threat‑intel feeds on Iranian APT activity into continuous monitoring and incident‑response playbooks.
Technical Notes — The attack chain relies on social engineering (phishing) to deliver a masquerading installer, followed by a persistent implant that uses Telegram’s Bot API for bidirectional C2. No specific CVE is cited; the technique exploits trust in popular consumer apps rather than a software vulnerability. Data types exfiltrated include screenshots, file listings, and credential caches. Source: Security Affairs
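As an added illustration of the detection point above (example code, not from the advisory or from Security Affairs), the script below scans constructed proxy log lines for workstation processes calling Telegram's Bot API and scores them for beaconing and file uploads. The log format, host names, process names and bot tokens are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Telegram's own clients speak MTProto to datacenter IPs; the HTTPS Bot API
# (api.telegram.org/bot<token>/<method>) is used only by bots, so a workstation process calling it is anomalous.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed proxy log lines (not from the advisory): "<ts> <host> <process> <url>".
SAMPLE_LOG = """\
2024-05-01T09:00:00Z WS-017 Telegram.exe https://149.154.167.51/api
2024-05-01T09:00:05Z WS-017 KeePass.exe https://api.telegram.org/bot123456789:AAconstructedTOKEN/getUpdates
2024-05-01T09:00:35Z WS-017 KeePass.exe https://api.telegram.org/bot123456789:AAconstructedTOKEN/getUpdates
2024-05-01T09:01:05Z WS-017 KeePass.exe https://api.telegram.org/bot123456789:AAconstructedTOKEN/getUpdates
2024-05-01T09:01:07Z WS-017 KeePass.exe https://api.telegram.org/bot123456789:AAconstructedTOKEN/sendDocument
2024-05-01T09:02:00Z WS-022 chrome.exe https://web.telegram.org/k/
2024-05-01T09:03:00Z WS-022 svchost.exe https://api.telegram.org/bot987654321:AAconstructedTOKEN2/getUpdates
"""

def parse(log_text):
    """Yield (ts, host, process, token, method) for each Bot API request in the log."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        m = BOT_API_RE.search(parts[3])
        if m:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, parts[1], parts[2], m["token"], m["method"]

def analyze(log_text, min_beacons=3, jitter_tolerance=0.2):
    """Group Bot API calls per (host, process, token) and score each group."""
    groups = defaultdict(list)
    for ts, host, proc, token, method in parse(log_text):
        groups[(host, proc, token)].append((ts, method))
    findings = []
    for (host, proc, token), events in groups.items():
        events.sort()
        methods = {m for _, m in events}
        polls = [t for t, m in events if m == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        # Evenly spaced getUpdates polling is the implant waiting for operator commands.
        beaconing = (len(polls) >= min_beacons
                     and max(gaps) - min(gaps) <= jitter_tolerance * sum(gaps) / len(gaps))
        findings.append({"host": host, "process": proc, "bot_id": token.split(":")[0],
                         "calls": len(events), "beaconing": beaconing,
                         "uploads": sorted(methods & UPLOAD_METHODS),  # exfil via file upload
                         "severity": "high" if methods & UPLOAD_METHODS else "medium"})
    return findings
```

Only the numeric bot id is kept in the finding so the token itself is not copied into tickets; the id is enough to pivot on across hosts.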