Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals

An Iranian government hacking collective has been targeting dissidents, journalists and opposition groups in a campaign dating back to autumn 2023, the FBI has revealed.

The Handala group, which claimed responsibility for a recent wiper attack on US medtech firm Stryker, is said to be linked to Tehran’s Ministry of Intelligence and Security (MOIS).

The FBI attributes to the group multiple intrusions against opposition groups, carried out for intelligence collection and for hack-and-leak operations.

“The malware used as part of this cyber activity included a multi-stage payload enabling remote user access to the infected devices. Threat actors used social engineering to customize the first stage of the malware to masquerade as commonly used programs or services on Windows machines,” the FBI revealed.

“The second stage connected the infected machine to Telegram command and control bots that enabled remote user access to exfiltrate screen captures or files from the victim devices.”

In at least one case, the threat actors masqueraded as tech support from a social messaging platform and persuaded the victim to accept a file transfer containing malware.

“Based on multiple observations, stage one of the malware appeared to be tailored to the victim’s pattern of life to increase the likelihood of the victim downloading the malware, which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim,” the FBI report noted.

Multiple malware samples obtained by investigators were disguised as software from Pictory, KeePass, WhatsApp and Telegram. For defence evasion, the report continued, the malware added directory exclusions, presumably to keep its own files out of anti-malware scans, and ran its stages through PowerShell.

Functionality included screen and audio recordings, cache captures, file compression, and file deletion.

The second stage malware reportedly connects an infected machine to a Telegram command-and-control (C2) bot, enabling remote access and data exfiltration.
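Both behaviours the report describes, a directory exclusion added through PowerShell and a follow-on connection from the implant to a Telegram bot, show up in standard Windows telemetry: PowerShell script block logging (Event ID 4104) and Sysmon network connection events (Event ID 3). The detector below is an added example written for this article, not code from the FBI report or from Handala’s tooling. It assumes the exclusions are Microsoft Defender exclusions set with Add-MpPreference or Set-MpPreference -ExclusionPath, that the bot traffic goes to api.telegram.org (the public Bot API host), and that a short allowlist of applications may legitimately reach that host; the log lines are constructed for illustration in a simplified key=value form.

```python
"""Added example for this article (not FBI or Handala code): flag the two
behaviours the report describes in constructed Windows telemetry.

Assumptions not stated in the article: directory exclusions are Microsoft
Defender exclusions set via Add-MpPreference/Set-MpPreference -ExclusionPath,
and the Telegram bot C2 talks to api.telegram.org, the public Bot API host.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry in a simplified key=value form. In production
# these would be PowerShell 4104 script blocks and Sysmon Event ID 3 records.
SAMPLE_LOGS = r"""
type=ps_script host=WS01 user=jdoe script="Add-MpPreference -ExclusionPath 'C:\Users\jdoe\AppData\Roaming\KeePass'"
type=ps_script host=WS01 user=jdoe script="Get-ChildItem C:\Temp"
type=net_conn host=WS01 image="C:\Users\jdoe\AppData\Roaming\KeePass\KeePass.exe" dest=api.telegram.org port=443
type=net_conn host=WS01 image="C:\Program Files\Telegram Desktop\Telegram.exe" dest=api.telegram.org port=443
type=net_conn host=WS02 image="C:\Program Files\Mozilla Firefox\firefox.exe" dest=api.telegram.org port=443
type=net_conn host=WS02 image="C:\Users\asmith\AppData\Local\Temp\WhatsAppSetup.exe" dest=api.telegram.org port=443
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"]+)", re.IGNORECASE)
TELEGRAM_HOSTS = {"api.telegram.org"}
# Assumption: executables that may legitimately reach the Bot API host.
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one key=value line; double-quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect(lines) -> list:
    """Return one Finding per suspicious event, in log order."""
    findings = []
    excluded_dirs = {}  # host -> lowercase directories excluded so far
    for raw in lines:
        ev = parse_line(raw)
        if not ev:
            continue
        host = ev.get("host", "?")
        if ev.get("type") == "ps_script":
            m = EXCLUSION_RE.search(ev.get("script", ""))
            if m:
                path = m.group(2).strip()
                # Store with a trailing backslash so prefix checks match whole dirs.
                excluded_dirs.setdefault(host, []).append(path.lower().rstrip("\\") + "\\")
                findings.append(Finding(host, "defender_exclusion_added",
                                        f"{ev.get('user')} ran {m.group(1)}-MpPreference "
                                        f"-ExclusionPath {path}"))
        elif ev.get("type") == "net_conn" and ev.get("dest", "").lower() in TELEGRAM_HOSTS:
            image = ev.get("image", "")
            exe = image.rsplit("\\", 1)[-1].lower()
            if exe in TELEGRAM_ALLOWED_IMAGES:
                continue
            # Correlate on host: a Telegram-bound process living in a directory
            # excluded earlier is the stage-one-then-stage-two pattern.
            rule = "telegram_api_from_excluded_dir" if any(
                image.lower().startswith(d) for d in excluded_dirs.get(host, [])
            ) else "telegram_api_from_unexpected_process"
            findings.append(Finding(host, rule, f"{image} -> {ev['dest']}:{ev.get('port')}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Two caveats for anyone adapting this: Bot API traffic is TLS, so the destination has to come from DNS, SNI or proxy logs rather than packet contents, and the allowlist is a local policy decision; in many environments no endpoint process has a reason to contact the Bot API host at all, in which case the allowlist can be empty and every hit is worth a look.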

How to Stay Safe from Handala

The FBI urged individuals and organizations to resist these hacking attempts by:

  • Keeping devices updated with the latest operating system and software versions
  • Downloading software only from trusted sources, such as official app stores or vendor websites
  • Installing anti-malware software on devices
  • Using strong, unique passwords and enabling multi-factor authentication
  • Reporting suspicious emails or messages to the email or messaging provider, and reporting suspected crimes to the local FBI field office
