FBI warns of Russian, Iranian cyber activity involving messaging platforms
Summary
The FBI and CISA issued separate alerts about two nation-state campaigns that exploit messaging apps to compromise targets. Russian intelligence-aligned actors have used phishing messages designed to look like support notices to trick users of Signal and other messaging apps into clicking links or handing over verification codes and PINs, enabling linked-device additions or full account takeovers. The agencies say thousands of accounts have been affected and warned this is a user-targeting campaign rather than a flaw in the apps themselves.
Separately, the FBI detailed an Iranian MOIS-linked campaign (attributed to the group known as Handala Hack) that uses Telegram as command-and-control. Attackers distribute malware disguised as legitimate Windows programs (for example, Pictory, KeePass or Telegram) which, once executed, connects to Telegram bots controlled by the Iranian government to exfiltrate files, capture screens and audio, and enable remote control. The malware often appears tailored to the victim to increase the chances of infection.
Key Points
- Russian actors are phishing users of Signal and similar messaging apps with messages that mimic automated support notices to obtain verification codes or add linked devices.
- Compromised accounts can be read, used to send further phishing, or fully taken over — the campaign targets users, not a vulnerability in the apps.
- Iran-linked Handala Hack uses Telegram as infrastructure for malware C2, masking malicious traffic in trusted encrypted app channels.
- Malware was disguised as familiar apps (Pictory, KeePass, Telegram) and can capture screens/audio, exfiltrate files, compress/delete data and download additional payloads.
- Attackers commonly perform reconnaissance to tailor initial malware to victims’ patterns of life, increasing success rates.
- Security experts warn encrypted messaging platforms are being used as dual-use infrastructure, reducing detection likelihood and requiring reassessment of trust and logging policies for sanctioned apps.
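The Telegram-as-C2 point and the call to revisit logging policies for sanctioned apps translate into a concrete detection: on an endpoint, the genuine Telegram desktop client and normal users have little reason to talk to Telegram's Bot API hostname, so a well-known program name doing exactly that from a user-writable folder is worth a look. The script below is an added example, not code from the FBI/CISA advisories or from the article; the log format, sample lines, browser allow-list, folder heuristics and upload threshold are all constructed assumptions to adapt to your own telemetry.

```python
"""Flag Telegram Bot API traffic from unexpected processes in endpoint egress logs.

Added example. The log format and sample lines are constructed; api.telegram.org
is Telegram's documented Bot API hostname, everything else (allow-lists, folder
hints, byte threshold) is an assumption to tune per environment.
"""
import re
from pathlib import PureWindowsPath

# Constructed log format (one egress event per line):
#   <timestamp> <host> <process path> -> <dest host>:<port> <bytes out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>.+?)\s+->\s+"
    r"(?P<dest>[^:\s]+):(?P<port>\d+)\s+(?P<bytes>\d+)$"
)

BOT_API_HOST = "api.telegram.org"                               # Telegram Bot API endpoint
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}          # assumed: may legitimately hit the API
IMPERSONATED = {"telegram.exe", "keepass.exe", "pictory.exe"}   # program names the advisory cites
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\desktop\\")  # assumed drop locations
UPLOAD_THRESHOLD = 500_000                                      # bytes; assumed exfil threshold

# Constructed sample log: two lookalike binaries in user folders talking to the Bot API,
# plus ordinary browser, password-manager and one small browser-originated API call.
SAMPLE_LOG = [
    r"2024-06-01T09:14:02Z ws-17 C:\Users\alice\AppData\Local\Temp\KeePass.exe -> api.telegram.org:443 48211",
    r"2024-06-01T09:14:40Z ws-17 C:\Program Files\Mozilla Firefox\firefox.exe -> www.example.com:443 1200",
    r"2024-06-01T09:15:01Z ws-17 C:\Users\alice\Downloads\Telegram.exe -> api.telegram.org:443 913400",
    r"2024-06-01T09:16:30Z ws-22 C:\Program Files\KeePass Password Safe 2\KeePass.exe -> keepass.info:443 800",
    r"2024-06-01T09:17:05Z ws-22 C:\Program Files\Google\Chrome\Application\chrome.exe -> api.telegram.org:443 300",
]


def parse_line(line):
    """Parse one egress log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes"] = int(ev["bytes"])
    ev["exe"] = PureWindowsPath(ev["proc"]).name.lower()   # basename, e.g. "keepass.exe"
    return ev


def reasons_for(ev):
    """Return the list of reasons an event looks like Bot-API-based C2 (empty if none)."""
    reasons = []
    path_l = ev["proc"].lower()
    to_bot_api = ev["dest"].lower() == BOT_API_HOST
    if to_bot_api and ev["exe"] not in BROWSERS:
        reasons.append("non-browser process talking to Telegram Bot API")
    if ev["exe"] in IMPERSONATED and any(h in path_l for h in USER_WRITABLE_HINTS):
        reasons.append("well-known app name running from a user-writable folder")
    if to_bot_api and ev["bytes"] >= UPLOAD_THRESHOLD:
        reasons.append(f"large upload to Bot API ({ev['bytes']} bytes)")
    return reasons


def find_suspicious(lines):
    """Scan log lines and return one record per event that triggered at least one reason."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = reasons_for(ev)
        if reasons:
            hits.append({"host": ev["host"], "proc": ev["proc"], "dest": ev["dest"],
                         "bytes": ev["bytes"], "reasons": reasons})
    return hits


def bytes_to_bot_api(lines):
    """Total bytes sent to the Bot API per process path, for volume-based triage."""
    totals = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dest"].lower() == BOT_API_HOST:
            totals[ev["proc"]] = totals.get(ev["proc"], 0) + ev["bytes"]
    return totals


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['host']} {hit['proc']} -> {hit['dest']} ({hit['bytes']} B): "
              + "; ".join(hit["reasons"]))
    print("bytes to Bot API by process:", bytes_to_bot_api(SAMPLE_LOG))
```

Run against the constructed sample, the two lookalike binaries in Temp and Downloads are flagged (the Downloads one also trips the upload threshold) while the genuine KeePass install and the browsers are not. The browser exemption is a policy choice: if your fleet has no business reason to reach the Bot API at all, drop the allow-list and alert on every process, which is closer to what the advisory's "reassess trust and logging for sanctioned apps" point implies.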
Why should I read this?
Because encryption doesn’t help if attackers trick the person using the app. If you or your org uses Signal, Telegram or other messaging platforms, this explains how threat actors bypass end-to-end encryption by targeting people and using the apps themselves as cover. It’s short, practical and worth a quick skim so you can tighten controls and warn colleagues — saves you trawling multiple advisories.
Context and relevance
This advisory sits at the intersection of three growing trends: nation-state targeting of high-value individuals, increasingly sophisticated social engineering tailored to victims, and the rise of widely trusted messaging apps being reused as covert command-and-control channels. The notices follow other high-profile incidents (including breaches, Pentagon discussions about secure device provisioning, and prior attacks on companies like Stryker) and reinforce CISA/FBI guidance to strengthen individual cyber hygiene and enterprise visibility around sanctioned apps.
Punchy take: this isn’t a broken app problem — it’s a people + infrastructure problem. Organisations should enforce stricter device controls, multifactor practices that resist code-based phishing (no verification code or PIN should ever be read out or typed into a link sent by "support"), logging and anomaly detection for messaging traffic, and user training emphasising never sharing verification codes or accepting unexpected file transfers.