
Iranian MOIS Telegram malware campaign targeting opposition groups

Campaign
H score 34
2 unique sources, 2 articles

Summary


The FBI warned that Iranian MOIS-linked hackers are using Telegram C2 and social engineering to deliver Windows malware against journalists, dissidents, and other oppositional groups worldwide. The activity matters because the malware can exfiltrate screenshots and files, supporting intelligence collection and data leaks across multiple victims. The operation is linked to Handala and Homeland Justice and appears to be actively targeting politically sensitive groups.

Related Happenings

KNPA deepfake detection tool deployment for election investigations

Security Tool/Service
First: 18.05.2026 04:00 Last: 18.05.2026 04:00 Sources 1

About this happening: South Korea's **National Police Agency (KNPA)** deployed a **deepfake detection tool** in **2024**, strengthening investigative support for **election deepfakes**. The capability...

Mongolian governmental institution hit by network compromise

Incident
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: A **Mongolian governmental institution** was found to have **about 12 systems** infected by **GopherWhisper** backdoors, exposing a live government compromise and the potential fo...

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure

Campaign
First: 20.04.2026 23:02 Last: 20.04.2026 23:02 Sources 1

About this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
First: 16.04.2026 14:02 Last: 16.04.2026 14:02 Sources 1

About this happening: The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...

Timeline

  1. 23.03.2026 11:45 1 article · 2mo ago

    FBI seizes domains used by Handala, Homeland Justice, and Karma Below

    Legal Policy Action Update

    The FBI seized handala-redwanted[.]to, handala-hack[.]to, justicehomeland[.]org, and karmabelow80[.]org after linking the sites to Handala, Homeland Justice, and Karma Below for leaking sensitive documents and data stolen in cyberattacks targeting victims in the United States and around the world.

  2. 23.03.2026 11:45 2 articles · 2mo ago

    FBI warns of Telegram C2 malware against opposition groups

    Initial Disclosure

    The FBI warned network defenders that Iranian hackers linked to MOIS are using Telegram as command-and-control (C2) infrastructure for Windows malware delivered through social engineering. The targets are journalists criticizing the Iranian government, Iranian dissidents, and other oppositional groups worldwide. The malware can exfiltrate screenshots or files and is tied to Handala and Homeland Justice.
