
Handala multi-stage malware with Telegram C2 and exfiltration

Malware Activity
First reported
Last updated
Happening score: 16
1 unique source, 1 article

Summary


The Handala malware package uses a multi-stage payload to give operators remote access to infected Windows devices, raising the risk of stealthy data theft. The second stage connects to Telegram C2 bots, through which the tooling exfiltrates files and screen captures from victim devices. Delivery relies on social engineering, with the first stage disguised as familiar software or services so that the target runs it. The result is a capable collection tool for targeted espionage-style operations.

Related Happenings

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

KNPA deepfake detection tool deployment for election investigations

Security Tool/Service
First: 18.05.2026 04:00 Last: 18.05.2026 04:00 Sources 1

About this happening: South Korea's **National Police Agency (KNPA)** deployed a **deepfake detection tool** in **2024**, strengthening investigative support for **election deepfakes**. The capability...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Iranian MOIS Telegram malware campaign targeting opposition groups

Campaign
First: 23.03.2026 11:45 Last: 23.03.2026 11:45 Sources 1

How related: An Iranian government hacking collective has been targeting dissidents, journalists and opposition groups in a campaign dating back to autumn 2023, the FBI has revealed.

About this happening: The **FBI** warned that **Iranian MOIS-linked hackers** are using **Telegram C2** and **social engineering** to deliver **Windows malware** against journalists, dissidents, and ot...

UNC1069 GhostCall cryptocurrency social-engineering campaign

Campaign
First: 11.02.2026 08:50 Last: 11.02.2026 08:50 Sources 1

About this happening: **UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...

Timeline

  1. 24.03.2026 11:30 2 articles · 2mo ago

    Handala malware uses multi-stage payload and Telegram C2 on Windows

    Technical Analysis Update

    Handala uses a multi-stage payload on Windows devices, disguising the first stage as common software or services and relying on social engineering and file transfers to get it executed. The second stage connects infected machines to Telegram command-and-control bots for remote access and for exfiltration of screen captures or files; additional samples show PowerShell execution, directory exclusions, screen and audio recording, cache capture, file compression, and file deletion.

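Two of the behaviours in the technical analysis above leave host-level traces a defender can hunt for: a non-chat process talking to the Telegram Bot API, and PowerShell carving directories out of scanning. The detection logic below is an added example written for this page, not code from the Handala analysis or from any vendor; the Sysmon/proxy-style JSON event records are constructed, their field names (`event_type`, `image`, `command_line`, `dest_host`, `url`) are assumptions, and treating "directory exclusions" as Windows Defender `Add-MpPreference` exclusions is an assumption the write-up does not confirm.

```python
"""Hunt for Telegram Bot API C2 and PowerShell Defender exclusions in
host telemetry.  Added example for this page; event format and the
assumption that the exclusions are Defender exclusions are ours."""
import json
import re
from dataclasses import dataclass

TELEGRAM_API_HOST = "api.telegram.org"

# Processes for which traffic to api.telegram.org is plausible on a
# workstation.  Anything else calling the Bot API deserves a look.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Bot API requests look like https://api.telegram.org/bot<id>:<token>/<method>;
# a bot token in the path is the tell, whoever the process is.
BOT_API_PATH = re.compile(r"/bot\d{6,}:[A-Za-z0-9_-]{30,}/(\w+)", re.IGNORECASE)

# Assumed form of the "directory exclusions" seen in samples.
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_events(jsonl: str):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def process_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_telegram_c2(event):
    if event.get("event_type") != "network":
        return None
    if event.get("dest_host", "").lower() != TELEGRAM_API_HOST:
        return None
    name = process_name(event.get("image", ""))
    m = BOT_API_PATH.search(event.get("url", ""))
    if name in EXPECTED_TELEGRAM_CLIENTS and not m:
        return None  # chat client or browser, and no bot token in the URL
    method = m.group(1) if m else "unknown"
    return Finding("telegram_bot_api_c2", event["image"], f"Bot API method {method}")


def detect_defender_exclusion(event):
    if event.get("event_type") != "process":
        return None
    name = process_name(event.get("image", ""))
    if name not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = DEFENDER_EXCLUSION.search(event.get("command_line", ""))
    if not m:
        return None
    return Finding("defender_exclusion_added", event["image"], f"Exclusion{m.group(1)} via {name}")


RULES = (detect_telegram_c2, detect_defender_exclusion)


def run_detections(events):
    """Apply every rule to every event, preserving event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


# Constructed telemetry: a dropper posing as an updater spawns PowerShell to
# exclude its Temp directory, then polls and uploads via a (fake) bot token.
# A browser hitting the API root without a token is included as a benign case.
SAMPLE_LOG = r"""
{"event_type": "process", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AdobeUpdate.exe", "command_line": "AdobeUpdate.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -w hidden -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp", "parent_image": "C:\\Users\\u\\AppData\\Local\\Temp\\AdobeUpdate.exe"}
{"event_type": "network", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AdobeUpdate.exe", "dest_host": "api.telegram.org", "dest_port": 443, "url": "https://api.telegram.org/bot123456789:AAFakeTokenValue0000000000000000000000/getUpdates"}
{"event_type": "network", "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "dest_host": "api.telegram.org", "dest_port": 443, "url": "https://api.telegram.org/"}
{"event_type": "network", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AdobeUpdate.exe", "dest_host": "api.telegram.org", "dest_port": 443, "url": "https://api.telegram.org/bot123456789:AAFakeTokenValue0000000000000000000000/sendDocument"}
"""

if __name__ == "__main__":
    for f in run_detections(parse_events(SAMPLE_LOG)):
        print(f"{f.rule:26} {f.detail:34} {f.image}")
```

The Bot API rule keys on the `/bot<id>:<token>/` path rather than on the host alone, so a browser or the desktop client reaching the API root is not flagged while a token-bearing request from any process is; the `getUpdates` poll and the `sendDocument` upload map directly to the remote access and file exfiltration described above. The exclusion rule should be read as a starting point: encoded or split command lines will evade a plain regex, so in production pair it with script block logging or the Defender operational log.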