A new cybersecurity advisory issued by the Federal Bureau of Investigation through its Internet Crime Complaint Center has revealed a highly targeted cyber campaign in which threat actors are using Telegram as command-and-control (C2) infrastructure to deploy malware and conduct surveillance operations.
The advisory highlights a technically sophisticated attack chain, primarily attributed to Iranian-linked cyber actors targeting specific individuals and groups globally.
Telegram weaponised as command-and-control infrastructure
According to the advisory, attackers are leveraging Telegram channels and accounts as C2 servers, allowing them to:
- Remotely control infected systems
- Issue commands to compromised devices
- Exfiltrate sensitive data
This approach enables attackers to blend malicious traffic with legitimate encrypted communication, making detection significantly more difficult for traditional security systems.
Sophisticated social engineering entry point
The campaign begins with targeted social engineering, where attackers build trust with victims before delivering malicious payloads.
Key techniques include:
- Impersonating trusted contacts or professionals
- Sending spear-phishing messages tailored to the victim
- Delivering malicious files disguised as legitimate documents
In observed cases, victims were sent malicious Excel files, which appeared harmless but executed hidden code once opened, initiating the infection chain.
Malware capabilities and system compromise
Once executed, the malware establishes a connection with Telegram-based C2 infrastructure, enabling attackers to:
- Gain persistent access to the victim’s system
- Execute remote commands
- Steal credentials and sensitive files
- Monitor user activity
This level of access allows attackers to conduct long-term espionage, data theft, and reputational attacks, especially against high-value targets.
Highly targeted victim profile
The advisory indicates that the campaign is not indiscriminate, but rather focuses on specific categories of individuals, including:
- Dissidents and activists
- Journalists and researchers
- Policy experts and politically exposed individuals
Such targeting suggests the operation is aligned with strategic intelligence-gathering and influence objectives, rather than purely financial cybercrime.
Key technical risks identified
The advisory highlights several critical risks associated with this campaign:
- Use of legitimate platforms (Telegram) for malicious operations
- Advanced social engineering combined with malware delivery
- Ability to evade detection through encrypted communication channels
- Persistent access enabling long-term compromise
These factors make the campaign particularly dangerous for both individuals and organisations.
Mitigation and defensive measures
The FBI and IC3 have urged organisations and individuals to adopt strong cybersecurity practices, including:
- Avoid opening unsolicited attachments or links
- Verify identities of unknown or suspicious contacts
- Use multi-factor authentication (MFA)
- Keep systems updated with the latest security patches
- Monitor unusual account activity and network traffic
The advisory also emphasises the importance of user awareness, as social engineering remains the primary entry vector.
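The monitoring advice above is the part of the guidance a security team can turn directly into a detection, and it also covers the two traits the advisory describes earlier: a Telegram account used as the C2 endpoint, and an infection chain that starts from a malicious Excel file. The script below is an added example written for this article, not material from the FBI/IC3 FLASH notification. It assumes proxy or EDR telemetry flattened into comma-separated lines (timestamp, host, process, parent process, destination host, bytes out), assumes the implant reaches Telegram through the public Bot API host api.telegram.org (the advisory does not name an endpoint, so the domain set is a tunable), and uses a constructed host baseline and constructed log lines.

```python
"""Hunt for Telegram-based command-and-control beacons in proxy/EDR telemetry.

Added example, not code from the FBI/IC3 advisory. Log format and the
api.telegram.org endpoint are assumptions; every log line below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the implant polls Telegram's public Bot API host. Extend as needed.
TELEGRAM_HOSTS = {"api.telegram.org"}
# Office parents: a child of these reaching Telegram matches the malicious-Excel chain.
OFFICE_PARENTS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
# Constructed baseline: hosts that legitimately talk to the Telegram API (e.g. an alert bot).
KNOWN_TELEGRAM_HOSTS = {"srv-alerts-01"}

SAMPLE_LOG = """\
# constructed sample: timestamp,host,process,parent_process,dest_host,bytes_out
2024-05-02T09:00:00,wks-research-07,updater.exe,EXCEL.EXE,api.telegram.org,812
2024-05-02T09:01:00,wks-research-07,updater.exe,EXCEL.EXE,api.telegram.org,640
2024-05-02T09:02:01,wks-research-07,updater.exe,EXCEL.EXE,api.telegram.org,655
2024-05-02T09:03:00,wks-research-07,updater.exe,EXCEL.EXE,api.telegram.org,9120
2024-05-02T09:04:00,wks-research-07,updater.exe,EXCEL.EXE,api.telegram.org,700
2024-05-02T09:00:13,srv-alerts-01,python.exe,services.exe,api.telegram.org,1200
2024-05-02T09:05:13,srv-alerts-01,python.exe,services.exe,api.telegram.org,1180
2024-05-02T09:10:13,srv-alerts-01,python.exe,services.exe,api.telegram.org,1210
2024-05-02T09:15:13,srv-alerts-01,python.exe,services.exe,api.telegram.org,1195
2024-05-02T09:05:00,wks-research-07,chrome.exe,explorer.exe,www.example.com,4100
"""


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    parent: str
    dest: str
    bytes_out: int


def parse(lines):
    """Parse the assumed CSV layout; comment lines and blanks are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, proc, parent, dest, bytes_out = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), host, proc, parent, dest, int(bytes_out)))
    return events


def find_office_spawned_c2(events):
    """High severity: a process spawned by an Office app talking to Telegram's API."""
    hits = {(e.host, e.parent, e.process) for e in events
            if e.dest in TELEGRAM_HOSTS and e.parent.upper() in OFFICE_PARENTS}
    return sorted(hits)


def find_beacons(events, min_hits=4, max_jitter=0.25):
    """Medium severity: regular polling of Telegram from a host with no Telegram baseline.

    A C2 implant checks in on a timer, so the gaps between connections are nearly
    constant; the coefficient of variation (stdev / mean) of those gaps is the signal.
    """
    stamps_by_key = defaultdict(list)
    for e in events:
        if e.dest in TELEGRAM_HOSTS and e.host not in KNOWN_TELEGRAM_HOSTS:
            stamps_by_key[(e.host, e.process)].append(e.ts)
    findings = []
    for (host, proc), stamps in stamps_by_key.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((host, proc, round(avg), len(stamps)))
    return findings


def hunt(lines):
    """Run both detections and return a report keyed by rule name."""
    events = parse(lines)
    return {
        "office_spawned_telegram_c2": find_office_spawned_c2(events),
        "periodic_telegram_beacon": find_beacons(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_LOG.splitlines()).items():
        print(rule, findings)
```

The baseline set is what keeps this usable: the alert bot on srv-alerts-01 polls Telegram just as regularly as the implant does, and only the allowlist separates the two, so the set should be populated from an inventory rather than from whichever hosts were quiet last week. The Office-parent rule needs no baseline at all, because a spreadsheet spawning a process that talks to a messaging API has no legitimate reading.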
Global implications of the campaign
The use of mainstream platforms like Telegram as attack infrastructure reflects a broader shift in cyber operations, where attackers increasingly rely on trusted digital ecosystems to mask malicious activity.
Experts warn that such tactics:
- Reduce the effectiveness of traditional detection systems
- Complicate attribution and response
- Increase the success rate of targeted attacks
The advisory underscores that state-linked cyber operations are evolving toward stealth, precision, and persistence, posing a growing challenge to global cybersecurity frameworks.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.