Particle.news

FBI Warns Iran-Linked Hackers Use Telegram for Malware Control, Seizes Leak Sites

Use of a mainstream chat service for command traffic complicates detection by blending malicious activity with normal network use.

Overview

  • In a flash alert published Friday, the FBI attributed ongoing campaigns to Iran’s Ministry of Intelligence and Security that target dissidents, journalists, and opposition groups worldwide.
  • Operators deliver multi‑stage Windows malware through tailored social engineering, with first‑stage lures posing as legitimate apps such as Telegram, WhatsApp, or KeePass before installing a persistent implant.
  • The implant communicates with Telegram bot infrastructure to enable bidirectional control, supporting surveillance and the theft of files, screenshots, and audio, with exfiltration staged through api.telegram.org.
  • One day before the alert, the FBI seized four domains—handala-redwanted.to, handala-hack.to, justicehomeland.org, and karmabelow80.org—used by Handala, Homeland Justice, and Karma Below to publish stolen data.
  • The bureau urged defenders to be wary of unexpected messages, keep systems updated, use trusted sources and antivirus, enable strong passwords with multi‑factor authentication, and report suspicious activity in light of heightened regional tensions.
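Because the implant's command traffic and exfiltration ride on api.telegram.org, one practical check is to look for Telegram Bot API calls coming from ordinary workstations. Official Telegram clients use MTProto rather than the HTTP Bot API, so such calls are either sanctioned automation or something to investigate. The detector below is an added example, not code from the FBI alert or the article; the proxy log lines, bot tokens, host names and the `KNOWN_BOT_HOSTS` allowlist are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed proxy log lines: "<timestamp> <host> <process> <method> <url>".
# Both bot tokens are made-up placeholders.
SAMPLE_LOGS = """\
2024-05-03T09:12:01Z ws-017 svchost.exe GET https://api.telegram.org/bot1234567890:AAFakeTokenForExample_xyz/getUpdates?offset=41
2024-05-03T09:12:05Z ws-017 svchost.exe POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_xyz/sendDocument
2024-05-03T09:12:09Z ws-017 svchost.exe POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_xyz/sendPhoto
2024-05-03T09:14:10Z ws-031 chrome.exe GET https://web.telegram.org/a/
2024-05-03T09:15:00Z srv-bot python.exe GET https://api.telegram.org/bot9876543210:AAOtherFakeToken_abc/getUpdates
"""

# Bot API URLs have the shape https://api.telegram.org/bot<token>/<method>.
BOT_API = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Upload methods an implant stealing files, screenshots or audio would rely on.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendAudio", "sendVoice", "sendVideo"}
# Hosts known to run sanctioned Telegram bots (assumed; tune per environment).
KNOWN_BOT_HOSTS = {"srv-bot"}


def parse_line(line):
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def mask_token(token):
    """Keep only the bot id and a short prefix so alerts never carry the full secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}..."


def detect(log_text):
    """Return one alert per (host, process) that called the Bot API from an unexpected host."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API.match(rec["url"])
        if not m or rec["host"] in KNOWN_BOT_HOSTS:
            continue
        key = (rec["host"], rec["proc"])
        entry = hits.setdefault(key, {"token": mask_token(m["token"]), "methods": Counter(), "severity": "medium"})
        entry["methods"][m["method"]] += 1
        if m["method"] in EXFIL_METHODS:
            entry["severity"] = "high"  # polling alone is suspicious; uploads are worse
    return hits


if __name__ == "__main__":
    for (host, proc), alert in detect(SAMPLE_LOGS).items():
        print(host, proc, alert["severity"], alert["token"], dict(alert["methods"]))
```

Traffic to web.telegram.org from a browser is deliberately not flagged, and the allowlisted bot server is skipped, so the remaining alert is the workstation process polling for commands and uploading files.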