The FBI issued a pair of alerts on Friday, shedding light on the ongoing cyber campaigns orchestrated by Russian and Iranian actors targeting messaging platforms. The agency’s concerns center on Russia’s intelligence services, which are reportedly infiltrating commercial applications such as Signal. This breach has led to the unauthorized access of thousands of accounts belonging to current and former U.S. government officials, military personnel, political figures, and journalists.
In collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI detailed how Russian operatives are deploying phishing messages disguised as automated support notifications. These deceptive communications prompt recipients to take actions such as clicking links or providing verification codes and account PINs. The agencies warned that such actions could inadvertently grant attackers access to victims’ accounts, either by linking the attackers’ devices or through complete account takeovers. As the campaign evolves, the use of malware to further compromise victims is anticipated.
Once an account is compromised, malicious actors gain the ability to view messages, access contact lists, send messages, and even launch additional phishing attempts against other messaging accounts. Although the current advisory emphasizes Signal, the FBI cautioned that similar tactics could be employed against any messaging application. Users are urged to remain vigilant regarding unverified messages and to enhance their personal cybersecurity measures. Importantly, the advisory clarified that there is no inherent vulnerability within Signal or other messaging apps; rather, the campaign is designed to circumvent encryption by targeting users directly.
During congressional testimony last year, Director of National Intelligence Tulsi Gabbard referenced guidance from CISA, which followed a breach of U.S. telecom networks by Chinese hackers. This guidance recommended that “highly targeted individuals” utilize “end-to-end encrypted communications.” Notably, Signal is pre-installed on federal government devices, underscoring its significance in secure communications.
In a related context, President Donald Trump signed a Pentagon policy bill in December mandating that the Defense Secretary ensure senior leaders are equipped with mobile phones featuring enhanced cybersecurity protections, including data encryption. However, a report from the Pentagon’s inspector general previously indicated that Defense Secretary Pete Hegseth had violated existing protocols by using Signal to discuss sensitive military operations, potentially jeopardizing troop safety. The Atlantic later published a transcript of a Signal conversation among Cabinet officials regarding a military strike, revealing the risks associated with unsecured communications.
Handala Hack
In a separate alert, the FBI detailed the activities of Iran’s Ministry of Intelligence and Security (MOIS), which is reportedly leveraging the messaging platform Telegram as a conduit for malware aimed at Iranian dissidents, journalists, and other targets. This malware enables MOIS to steal sensitive information and monitor its victims. The threat actors have cleverly disguised the malware as commonly used software on Windows systems, allowing infected devices to connect to Telegram bots that facilitate remote access and data exfiltration.
The FBI linked these activities to a group known as Handala Hack, which recently claimed responsibility for an attack on medical device manufacturer Stryker. The agency noted that the malware often masquerades as legitimate applications, such as the AI video generator Pictory or the password manager KeePass, before establishing a connection with a government-controlled Telegram bot. This connection allows for bidirectional communication between the compromised device and Telegram’s servers.
In some instances, victims were approached through social media messaging apps, with hackers posing as technical support representatives. Once trust was established, the hackers persuaded the victims to accept file transfers containing the initial stage of the malware. Subsequent malware downloads enabled extensive capabilities, including screen and audio recording, file compression, and deletion.
Experts have observed that the use of Telegram as a key element in cyber compromises is becoming increasingly common among cybercriminals and state-sponsored actors. Ensar Seker, CISO at SOCRadar, noted that Telegram allows malicious actors to blend their traffic into trusted, encrypted platforms. This blending significantly reduces the chances of detection, as security measures are often configured to permit such traffic by default.
“The broader implication is that encrypted messaging platforms are evolving into dual-use infrastructure for both communication and covert operations,” Seker remarked. “Security teams must reevaluate their trust assumptions and implement visibility controls around sanctioned applications, including logging, anomaly detection, and stringent access policies.”
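The pattern described above (a binary named like KeePass or Pictory, running from a user-writable folder, reaching the Telegram Bot API from a host that has no business running bots) can be turned into a simple detection over process-to-network telemetry. This is an added example, not code from the FBI advisory or from SOCRadar; the log format, host names, allowlist and RFC 5737 IP addresses are constructed assumptions, and it relies on the fact that the official messenger client speaks MTProto to Telegram data centers rather than calling the Bot API host.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the advisory) in a simple key=value format
# from a hypothetical EDR/proxy feed: one process-to-TLS-destination record per line.
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-01-15T10:20:01Z host=WS01 proc=C:\\Program Files\\Telegram Desktop\\Telegram.exe dst=203.0.113.10:443 sni=
2025-01-15T10:22:01Z host=WS01 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\KeePass.exe dst=203.0.113.20:443 sni=api.telegram.org
2025-01-15T10:22:31Z host=WS01 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\KeePass.exe dst=203.0.113.20:443 sni=api.telegram.org
2025-01-15T10:25:10Z host=WS02 proc=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe dst=198.51.100.5:443 sni=www.google.com
2025-01-15T10:26:44Z host=WS02 proc=C:\\Users\\bob\\Downloads\\Pictory.exe dst=203.0.113.20:443 sni=api.telegram.org
2025-01-15T10:30:00Z host=BOTSRV01 proc=C:\\Python312\\python.exe dst=203.0.113.20:443 sni=api.telegram.org
"""

BOT_API_HOST = "api.telegram.org"      # Bot API endpoint: bots use it, the messenger client does not (MTProto)
BOT_API_ALLOWED_HOSTS = {"BOTSRV01"}   # hypothetical: machines sanctioned to run Telegram bots
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>.+?) dst=(?P<dst>\S+) sni=(?P<sni>\S*)$")

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_bot_api_misuse(log_text):
    """Group Bot API contacts by (host, process path) and record why each is suspicious."""
    findings = defaultdict(lambda: {"count": 0, "reasons": set()})
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        # Ignore non-Bot-API traffic and hosts explicitly sanctioned to operate bots
        if not ev or ev["sni"].lower() != BOT_API_HOST or ev["host"] in BOT_API_ALLOWED_HOSTS:
            continue
        f = findings[(ev["host"], ev["proc"])]
        f["count"] += 1
        f["reasons"].add("unsanctioned host contacting Telegram Bot API")
        # A KeePass/Pictory-looking binary launched from AppData, Temp or Downloads is the masquerade signal
        if any(d in ev["proc"].lower() for d in USER_WRITABLE_DIRS):
            f["reasons"].add("binary runs from a user-writable directory")
    return {k: {"count": v["count"], "reasons": sorted(v["reasons"])} for k, v in findings.items()}

if __name__ == "__main__":
    for (host, proc), f in detect_bot_api_misuse(SAMPLE_LOG).items():
        print(f"{host}: {proc} x{f['count']} -> {'; '.join(f['reasons'])}")
```

In production the same logic would sit on a SIEM rule keyed on the SNI or proxy hostname field, with the repeat count used to separate a single click from periodic beaconing.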