FBI Warns of Russian and Iranian Cyber Campaigns Exploiting Messaging Platforms Like Signal and Telegram
U.S. federal authorities are raising alarms about a surge in state-linked cyber activity targeting widely used messaging platforms, signaling a shift in how nation-state actors bypass encryption by exploiting users instead of software vulnerabilities.
In two coordinated advisories, the FBI detailed separate campaigns tied to Russian intelligence services and Iran’s Ministry of Intelligence and Security. Both operations rely heavily on social engineering and the abuse of trusted messaging ecosystems such as Signal and Telegram to gain access to sensitive communications and devices.
Russian Campaign Targets Signal Accounts Through Social Engineering
According to the FBI and the Cybersecurity and Infrastructure Security Agency, Russian intelligence actors are actively targeting individuals across government, military, political, and media sectors by impersonating legitimate service notifications within messaging platforms.
The campaign has already led to unauthorized access to thousands of accounts, officials said, as attackers trick victims into sharing verification codes or linking compromised devices.
“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker's device as a linked device or through a full account takeover. As the campaign evolves, actors may use additional techniques, such as malware to infect the victim,” the agencies said.
Once inside an account, attackers gain visibility into private messages and contact networks, allowing them to expand operations through follow-on phishing and impersonation attacks.
Officials emphasized that the threat does not stem from flaws in Signal or other encrypted messaging apps. Instead, it reflects a broader strategy of targeting human behavior to circumvent end-to-end encryption protections.
This aligns with earlier U.S. government guidance encouraging high-risk individuals to adopt encrypted communications. Signal has been widely deployed across federal environments, even as internal reports have raised concerns about how such tools are used in sensitive operational contexts.
Iranian Operation Uses Telegram as Malware Command Infrastructure
In a separate alert, the FBI outlined how Iranian cyber actors are leveraging Telegram as a command-and-control channel to manage malware infections targeting dissidents, journalists, and other high-value individuals.
The operation involves disguising malicious files as legitimate software, including AI video tools, password managers, and even Telegram itself. Victims are often approached through social media under the guise of technical support and persuaded to download infected files.
Once installed, the malware establishes communication with Telegram-based infrastructure, enabling attackers to remotely access compromised systems and extract data.
Capabilities include screen and audio recording, file exfiltration, and system manipulation. Investigators noted that the malware appears tailored to individual targets, suggesting prior reconnaissance to increase the likelihood of successful compromise.
The FBI linked the activity to a group known as Handala Hack, which has previously claimed responsibility for cyberattacks against corporate targets.
Messaging Platforms Become Dual-Use Infrastructure
Security experts say these campaigns highlight a growing trend in which attackers blend malicious activity into legitimate platforms that organizations inherently trust.
Ensar Seker, CISO at SOCRadar, said the tactic reflects a broader evolution in cyber operations.
"The use of Telegram as command-and-control infrastructure is not surprising; it reflects a broader shift where threat actors deliberately blend malicious traffic into trusted, encrypted platforms. By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default.
What makes this particularly concerning is the targeting profile. These operations are not opportunistic; they are highly intentional, focusing on journalists, dissidents, and opposition voices. This aligns with state-sponsored objectives, where cyber operations are used as an extension of intelligence gathering and influence campaigns rather than purely financial gain.
From a defensive standpoint, this highlights a critical gap: many organizations still rely too heavily on traditional indicators like IP blocking or domain reputation. When attackers operate inside legitimate platforms, defenders must shift toward behavioral detection, monitoring anomalies in application usage, data flows, and endpoint activity rather than trusting the platform itself.
The bigger implication is that encrypted messaging platforms are becoming dual-use infrastructure for both communication and covert operations. Security teams need to reassess their trust assumptions and implement visibility controls around sanctioned apps, including logging, anomaly detection, and strict access policies.
Ultimately, this is not about Telegram specifically; it’s about the normalization of “living off trusted services.” Organizations that fail to adapt to this model will continue to miss early-stage intrusions, especially those tied to advanced persistent threat actors with geopolitical motivations."
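The behavioral approach Seker describes, judging which process is talking to a trusted service rather than whether the destination is allowed, can be expressed as a simple endpoint rule. The following is an added Python example, not code from the article, the FBI advisories, or SOCRadar; the EDR-style JSON event format, the sanctioned client path and signer, and the sample events are all constructed assumptions.

```python
"""Behavioral rule for Telegram-as-C2: the Telegram Bot API host is never
blocked, but only the sanctioned, signed client may reach it.  Event format,
sanctioned path/signer and sample events are constructed assumptions."""
import json
from typing import Iterable, List, Optional

TELEGRAM_API_HOSTS = {"api.telegram.org"}      # Telegram Bot API endpoint

# Assumed allow-list: the one image permitted to contact the Bot API.
SANCTIONED_CLIENT = {
    "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
    "signer": "Example Publisher (assumed signer name)",
}


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the connection is suspicious, else None."""
    if event["dst_host"].lower() not in TELEGRAM_API_HOSTS:
        return None                                 # not Telegram traffic
    image = event["image"]
    if (image == SANCTIONED_CLIENT["image"]
            and event.get("signer") == SANCTIONED_CLIENT["signer"]):
        return None                                 # the legitimate client
    name = image.rsplit("\\", 1)[-1].lower()
    if "telegram" in name:                          # looks like Telegram, isn't
        return "telegram-named binary outside sanctioned path/signature (masquerade)"
    return "non-Telegram process using Telegram API (possible C2 channel)"


def detect(log_lines: Iterable[str]) -> List[dict]:
    """Run classify() over JSON-lines telemetry and collect findings."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            findings.append({"host": ev["host"], "image": ev["image"], "reason": reason})
    return findings


# Constructed sample telemetry (one JSON object per line), not real data.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"host": "WS01", "image": SANCTIONED_CLIENT["image"],
     "signer": SANCTIONED_CLIENT["signer"], "dst_host": "api.telegram.org"},
    {"host": "WS02", "image": r"C:\Users\jdoe\Downloads\TelegramSetup.exe",
     "signer": None, "dst_host": "api.telegram.org"},
    {"host": "WS03", "image": r"C:\Users\jdoe\AppData\Local\Temp\AIVideoTool.exe",
     "signer": None, "dst_host": "api.telegram.org"},
    {"host": "WS04", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC", "dst_host": "www.example.com"},
)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Only the two unsanctioned processes reaching the Bot API are reported; the real client and ordinary browsing produce no finding, which is the point of keying on process identity instead of destination reputation.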
A Shift in Cybersecurity Strategy
The FBI’s warnings underscore a critical shift in modern cyber threats. Rather than breaking encryption, attackers are increasingly exploiting user trust and platform ubiquity to achieve the same outcome.
For enterprises and government agencies, the implications are clear. Traditional defenses built around blocking known threats are no longer sufficient when adversaries operate within trusted applications.
Security teams are now being pushed to adopt behavioral analytics, tighter access controls, and deeper monitoring of sanctioned platforms to detect subtle signs of compromise before attackers can expand their foothold.