Cybersecurity Alert March 21, 2026

FBI Flash Alert: Telegram Hijacked for State-Sponsored Malware C2

Dillip Chowdary


Cyber Threat Intelligence • 10 min read

The Iranian Ministry of Intelligence (MOIS) is weaponizing Telegram's core infrastructure to target journalists and dissidents. Is your organization protected?

On March 21, 2026, the FBI's Cyber Division issued a critical Flash Alert regarding a sophisticated campaign by actors linked to the **Iranian Ministry of Intelligence and Security (MOIS)**. The campaign is unique not just for its targets—primarily journalists and political dissidents—but for its deep exploitation of **Telegram's** platform infrastructure as a primary **Command-and-Control (C2)** channel. By hiding within the noise of legitimate encrypted traffic, the actors have successfully bypassed traditional perimeter defenses for months.

Technical Analysis: The Telegram Bot API as a Weapon

The MOIS actors are using a multi-stage infection chain that begins with highly targeted social engineering. Once a victim is lured into a conversation on a trusted platform, they are sent a malicious document or link that deploys a lightweight loader. This loader is configured to communicate with a private Telegram channel via the **Telegram Bot API**. The Bot API is ordinary HTTPS to `api.telegram.org`, with the bot token carried in the URL path (`/bot<token>/<method>`), so at the network layer the implant is indistinguishable from any legitimate bot integration, and standard monitoring tools that treat Telegram as "trusted" encrypted traffic never look at it. What does survive is the request cadence and, wherever TLS is terminated for inspection, the bot token itself, which ties every infected host that uses it back to the same operator.

The malware, codenamed **"Persian-Eye,"** is capable of full data exfiltration, including the capture of screenshots, keystrokes, and session cookies. Most alarmingly, it features a module designed to bypass SMS-based 2FA by intercepting incoming messages directly from the device's memory buffer before they are displayed to the user. Because the extraction needs no further action from the victim once the implant is running, a one-time code can be forwarded to the operator the moment it arrives, which renders SMS, and any other code that can simply be read off the device, ineffective as a second factor. The stolen session cookies deserve equal attention: a cookie captured after a successful login is accepted by the service with no second factor at all.

Infrastructure: Evading Attribution via Cloud-Hopping

To further obfuscate their origin, the MOIS actors are leveraging a network of compromised **IoT devices** and "bulletproof" hosting providers across the Middle East and Eastern Europe. The FBI reports that the C2 traffic is routed through a series of **Transient Proxies** that change every 15 minutes. These proxies are often hosted on short-lived VPS instances across multiple cloud providers (AWS, Azure, GCP), a technique known as "Cloud-Hopping."

Because the proxy addresses rotate faster than any blocklist can follow, organizations are urged to focus instead on behavioral analysis of outgoing encrypted traffic to the Telegram API endpoints. Specifically, the FBI identifies high-frequency `POST` requests to `api.telegram.org/bot<token>/sendMessage` carrying large base64-encoded strings as a primary indicator of data exfiltration. Two practical notes for hunters: the Bot API caps the `text` of a `sendMessage` call at 4,096 characters, so bulk exfiltration shows up either as a burst of chunked messages or as uploads via `sendDocument` and `sendPhoto`, and the bot token in the URL path is a stable identifier for the operator's bot that is worth recording as an indicator in its own right. The actors also use Telegram's **MTProto proxy** settings to mask the true destination of the exfiltrated data.
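The two sections above describe the indicator in prose: bursts of `POST` requests to `api.telegram.org/bot<token>/<method>` whose bodies carry large base64 blobs. The Python hunt below is an added example written for this page, not tooling from the FBI alert or from the actors. It runs over a constructed proxy log; the log format, both bot tokens, the thresholds (256 base64 characters, five requests per 60 seconds) and the `sendMessage`/`sendDocument`/`sendPhoto` method list are all assumptions to tune against your own baseline. It extracts the bot token as an indicator alongside the flagged hosts.

```python
"""Added example: hunt a constructed proxy log for Telegram Bot API C2 traffic,
extracting bot tokens and flagging bursts of large base64 uploads."""
import base64
import binascii
import json
import re
from collections import defaultdict, deque

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The secret's length is kept loose on purpose so unusual tokens still match.
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Methods that carry a payload out. sendMessage text is capped at 4096
# characters by the Bot API, so file uploads are included as well.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line: str):
    """Constructed log format: '<epoch> <src_ip> <verb> <url> <body_len> <body>'."""
    ts, src, verb, url, _size, body = line.split(" ", 5)
    return int(ts), src, verb, url, body


def large_base64_payload(body: str, min_len: int = 256) -> bool:
    """True if the body carries a base64 run of at least min_len characters that
    actually decodes (a heuristic: long hex or token strings also pass)."""
    for run in B64_RUN.findall(body):
        if len(run) < min_len:
            continue
        try:
            base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            return True
        except binascii.Error:
            continue
    return False


def analyze(lines, window: int = 60, burst: int = 5, min_b64: int = 256) -> dict:
    """Return the bot tokens seen, exfil-shaped requests, and (src, token) pairs
    that issue `burst` or more calls within `window` seconds. Thresholds are
    assumptions to tune against legitimate bot traffic in your environment."""
    tokens, exfil, bursts, flagged = set(), [], [], set()
    recent = defaultdict(deque)
    for line in lines:
        ts, src, verb, url, body = parse_line(line)
        match = BOT_URL.search(url)
        if not match or verb != "POST":
            continue
        token, method = match.group("token"), match.group("method")
        tokens.add(token)  # durable indicator: only the bot owner can rotate it
        if method in EXFIL_METHODS and large_base64_payload(body, min_b64):
            exfil.append((ts, src, method))
        q = recent[(src, token)]
        q.append(ts)
        while ts - q[0] > window:  # slide the window; q always holds ts itself
            q.popleft()
        if len(q) >= burst and (src, token) not in flagged:
            flagged.add((src, token))
            bursts.append((src, token))
    return {"tokens": tokens, "exfil": exfil, "bursts": bursts}


# Constructed sample log: one victim host pushing screenshot chunks every 10 s to
# a single bot, and one benign internal bot posting a short status line.
SAMPLE_TOKEN = "123456789:AAHconstructedTokenNotARealSecret000"  # not a real token
BENIGN_TOKEN = "987654321:AAHanotherConstructedTokenValue00000"  # not a real token
SAMPLE_CHUNK = base64.b64encode(b"constructed screenshot bytes " * 20).decode()


def _line(ts, src, verb, url, body):
    return f"{ts} {src} {verb} {url} {len(body)} {body}"


SAMPLE_LOG = [
    _line(1700000000 + 10 * i, "10.0.0.5", "POST",
          f"https://api.telegram.org/bot{SAMPLE_TOKEN}/sendMessage",
          json.dumps({"chat_id": "-1001234", "text": SAMPLE_CHUNK}, separators=(",", ":")))
    for i in range(6)
] + [
    _line(1700000010, "10.0.0.9", "POST",
          f"https://api.telegram.org/bot{BENIGN_TOKEN}/sendMessage",
          json.dumps({"chat_id": "42", "text": "backup finished ok"}, separators=(",", ":"))),
    _line(1700000020, "10.0.0.9", "GET",
          f"https://api.telegram.org/bot{BENIGN_TOKEN}/getMe", "-"),
]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("bot tokens seen:", sorted(result["tokens"]))
    print("exfil-shaped requests:", len(result["exfil"]))
    print("burst sources:", result["bursts"])
```

Request bodies are only visible where TLS is terminated; without inspection, the burst logic still works on per-host request counts to `api.telegram.org` alone, and the base64 check simply drops out.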

Stay Secure, Stay Informed

Cyber-threats are evolving at machine speed. Use **ByteNotes** to catalog IoCs (Indicators of Compromise) and security mandates for your team.

Mitigation: Phishing-Resistant MFA is Mandatory

The FBI's recommendation is clear: organizations must move beyond SMS and app-based TOTP (Time-based One-Time Password) systems. **Phishing-resistant MFA**, such as FIDO2-compliant hardware keys (e.g., YubiKey), is the definitive defense against the credential and one-time-code theft in the MOIS's current toolkit. The private key never leaves the hardware, and every assertion the key produces is bound to the origin that requested it and to a fresh server-issued challenge, so nothing a software-based memory scraper can copy is usable on another site or replayable later. One caveat that the alert's own description of Persian-Eye makes necessary: FIDO2 protects the login ceremony, not the session that follows it. A session cookie stolen after authentication is accepted without any second factor, so phishing-resistant MFA must be paired with short session lifetimes and re-authentication for sensitive actions.
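To make the difference concrete, here is an added example (not part of the FBI alert and not a reference implementation of any product) contrasting the two factor types in standard-library Python: an RFC 6238 TOTP check, which has no notion of where the code was typed and so accepts a scraped code from anywhere, beside the WebAuthn relying-party checks on a FIDO2 assertion's `clientDataJSON` and `rpIdHash`, which reject an assertion produced for a look-alike origin. The signature verification step is deliberately left out (it needs the credential's stored public key and a real authenticator); the origin `login.example.com`, the look-alike `login.example-com.net`, the challenge bytes and the assertion builder are constructed for illustration.

```python
"""Added example: a replayable TOTP check beside the origin-binding checks a
WebAuthn relying party makes on a FIDO2 assertion (signature step omitted)."""
import base64
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, presented: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the code if it matches the current step or one within +/- skew steps.
    Nothing here identifies where the user typed it: a code scraped from the
    device is just as valid when the attacker enters it somewhere else."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + 30 * k), presented)
        for k in range(-skew, skew + 1)
    )


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, expected_challenge: bytes,
                            rp_id: str):
    """WebAuthn relying-party checks that run before the signature is verified
    (the signature covers authenticatorData || SHA-256(clientDataJSON) and is
    checked with the credential's stored public key, not shown here).
    Returns (ok, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge does not match the one this RP issued (replay)"
    origin = client_data.get("origin")
    if origin != expected_origin:
        return False, f"origin {origin!r} is not {expected_origin!r} (phishing site)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return False, "user-presence flag not set"
    return True, "binding checks passed; verify the signature next"


def make_assertion(origin: str, rp_id: str, challenge: bytes, sign_count: int = 7):
    """Constructed clientDataJSON and authenticatorData as a browser and
    authenticator would produce them (no signature). The browser only permits an
    rp_id that is a registrable suffix of the page's own origin, so a look-alike
    site gets its own rp_id, never the real one."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    flags = 0x05  # user present (0x01) + user verified (0x04)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    return client_data, auth_data


# Constructed demonstration values (not from the alert).
RP_ID = "login.example.com"
GOOD_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.example-com.net"
CHALLENGE = b"constructed-challenge-0001"  # a real RP draws this from os.urandom
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 test-vector secret


def demo():
    """A scraped TOTP code is accepted anywhere; the look-alike assertion is not."""
    scraped = totp(TOTP_SECRET, 1700000000)
    totp_ok = verify_totp(TOTP_SECRET, scraped, 1700000000)
    cd, ad = make_assertion(GOOD_ORIGIN, RP_ID, CHALLENGE)
    good = check_assertion_binding(cd, ad, GOOD_ORIGIN, CHALLENGE, RP_ID)
    cd2, ad2 = make_assertion(LOOKALIKE_ORIGIN, "login.example-com.net", CHALLENGE)
    phished = check_assertion_binding(cd2, ad2, GOOD_ORIGIN, CHALLENGE, RP_ID)
    return totp_ok, good[0], phished[0], phished[1]


if __name__ == "__main__":
    print(demo())
```

The look-alike assertion fails the origin check before `rpIdHash` is even compared, because the browser will only let the authenticator sign for an RP ID that belongs to the page's own origin; an assertion replayed from an earlier login fails the challenge check instead. The TOTP path has neither property, which is exactly why a code lifted from memory is enough.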

Additionally, security teams should deploy **strict AppArmor/SELinux profiles** that confine which processes may read another process's memory or attach to it (ptrace, `/proc/<pid>/mem`), so that an unauthorized process cannot reach the system's messaging buffers in the first place. Host-based Intrusion Detection Systems (HIDS) should be configured to flag any process that attempts to inject into or hook the `telemetry` or `messaging` services of the operating system; on a host with no legitimate debugger or accessibility tooling installed, any such attempt should be treated as a compromise indicator rather than a warning.

Indicators of Compromise (IoCs)

The FBI Flash Alert lists several file hashes and network signatures that SOC teams should hunt for within their logs. These include specific **YARA rules** for identifying the "Persian-Eye" loader and a list of over 500 IP addresses associated with the transient proxy network. Organizations are encouraged to ingest these IoCs into their SIEM platforms immediately.

Case Study: The JackSkid Botnet Connection

The FBI's alert comes on the heels of the successful disruption of the **JackSkid botnet**, a major infrastructure provider for several state-sponsored actors. By analyzing the command logs from JackSkid's primary server in Prague, international authorities were able to identify the specific Telegram API tokens being used by the MOIS for their surveillance operations. This takedown provided the "Missing Link" that connected hundreds of disparate malware infections back to a single coordinated campaign out of Tehran.

JackSkid's role was to provide the **Target Acquisition** layer. Using high-speed scraping of professional social networks and news sites, the botnet identified individuals who were likely to possess sensitive data. Once a target was identified, the MOIS actors would take over, using the Telegram-based Persian-Eye malware to execute the final breach. The disruption of JackSkid has temporarily blinded the MOIS's acquisition engine, but the FBI warns that the actors are already attempting to rebuild using smaller, more decentralized botnets like **Aisuru** and **KimWolf**.

Conclusion: The Convergence of Social and State-Craft

The MOIS Telegram campaign is a sobering reminder that the platforms we use for daily communication are the same platforms state actors are weaponizing for surveillance. As the line between "social app" and "malware infrastructure" continues to blur, the burden of security falls increasingly on the user and the enterprise. Continuous monitoring and a zero-trust architecture are no longer optional—they are the survival requirements of the 2026 digital landscape. If your security strategy relies on the benevolence of platform providers, you are already compromised.