The FBI issued two separate cybersecurity advisories on March 20 describing active campaigns by Iranian and Russian government-linked actors that exploit commercial encrypted messaging platforms to target journalists, dissidents, and current and former U.S. government personnel.
In flash advisory FLASH-20260320-001, the FBI attributed a Telegram-based malware operation to Iran’s Ministry of Intelligence and Security (MOIS), identifying the platform as live command-and-control (C2) infrastructure. The campaign, which the FBI said dates to at least 2023, targets Iranian dissidents, journalists opposed to the Iranian government, and other opposition groups worldwide.
Attackers first pose as known contacts or tech support to deliver malicious files disguised as common applications, including the AI video tool Pictory, the password manager KeePass, and Telegram itself. Once installed, the malware connects the infected device to a government-controlled Telegram bot at api.telegram.org, enabling remote screen and audio recording, file exfiltration, and cache captures.
The FBI assessed the disguise was customized per target, “which indicates the Iranian cyber actors likely performed target reconnaissance prior to engaging with the victim.”
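As an added defender's illustration, not code from the advisory or this article, the following Python snippet flags hosts where a process outside an approved allow-list calls the Telegram Bot API, the C2 and exfiltration channel described above. The log format, host names, process names and allow-list are constructed assumptions; the Bot API URL shape and method names are Telegram's documented ones.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real telemetry): timestamp, host, process image, URL.
SAMPLE_LOG = """\
2026-03-20T09:14:02Z ws-17 alertbot.exe https://api.telegram.org/botTOKEN-PLACEHOLDER/sendMessage
2026-03-20T09:15:11Z ws-17 KeePass.exe https://api.telegram.org/botTOKEN-PLACEHOLDER/getUpdates
2026-03-20T09:15:40Z ws-17 KeePass.exe https://api.telegram.org/botTOKEN-PLACEHOLDER/sendDocument
2026-03-20T09:16:03Z ws-22 chrome.exe https://telegram.org/apps
2026-03-20T09:17:30Z ws-31 pictory.exe https://api.telegram.org/botTOKEN-PLACEHOLDER/sendVideo
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>\S+)$")
# Bot API requests always take the form https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(?P<method>\w+)", re.I)

# Assumption: processes your organization knowingly runs against the Bot API (e.g. an alerting bot).
ALLOWED_PROCS = {"alertbot.exe"}
# Methods that upload host data (exfiltration) or poll the bot for tasking (C2 beaconing).
EXFIL_METHODS = {"senddocument", "sendvideo", "sendaudio", "sendphoto"}
TASKING_METHODS = {"getupdates"}

def find_suspicious(log_text):
    """Return {host: [(process, method), ...]} for unapproved processes using the Bot API."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        api = BOT_API_RE.match(m["url"])
        if api is None or m["proc"].lower() in ALLOWED_PROCS:
            continue
        hits[m["host"]].append((m["proc"], api["method"].lower()))
    return dict(hits)

def triage(hits):
    """Label each host 'c2' if it both polls for tasking and uploads data, else 'review'."""
    verdicts = {}
    for host, events in hits.items():
        methods = {method for _, method in events}
        tasking = bool(methods & TASKING_METHODS)
        exfil = bool(methods & EXFIL_METHODS)
        verdicts[host] = "c2" if tasking and exfil else "review"
    return verdicts

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for host, verdict in triage(found).items():
        print(host, verdict, found[host])
```

A host whose lookalike "KeePass" or "Pictory" process polls getUpdates and then uploads files matches the beacon-then-exfiltrate pattern in the advisory, while a single upload is queued for analyst review.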
The same day, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement attributing a separate phishing campaign to Russian intelligence services.
The @FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.
The campaign targets individuals of high intelligence value, including current and former U.S. government officials,…
— FBI Director Kash Patel (@FBIDirectorKash) March 20, 2026
That operation has produced unauthorized access to thousands of accounts belonging to U.S. government officials, military personnel, political figures, and journalists across Signal, WhatsApp, and other commercial messaging applications. Attackers send messages crafted to resemble automated security notices, tricking users into linking attacker-controlled devices to their accounts.
The FBI and CISA stated the campaign exploits user behavior, not any vulnerability in the applications’ encryption.
Ensar Seker, chief information security officer at SOCRadar, a threat intelligence firm, said the Iran-linked operation reflects an accelerating pattern. “By leveraging a widely used application like Telegram, groups such as Handala significantly reduce the likelihood of detection, because security controls are often tuned to allow this traffic by default,” Seker said.
The FBI linked the Iran campaign to Handala Hack, the same MOIS-controlled group that claimed responsibility for a March cyberattack against medical technology company Stryker that wiped data from tens of thousands of employee devices.
The Justice Department announced last week the court-authorized seizure of four domains tied to MOIS-controlled groups, two associated with Handala and two with a separate group called Homeland Justice.
In an 8-K filing with the U.S. Securities and Exchange Commission, Stryker said it was still recovering from the attack.
Telegram spokesperson Remi Vaughn said in an emailed statement that “moderators routinely remove any accounts found to be involved with malware.”
The advisories come as commercial messaging applications face broader scrutiny over government use. The Pentagon inspector general found in December 2025 that Defense Secretary Pete Hegseth used Signal to discuss a pending U.S. military strike on Houthi targets in Yemen, a finding the inspector general said violated department information-handling rules.