C2 over Telegram
-
Handala claims leak of US Marines data in WhatsApp threat campaign
US Marines in the Persian Gulf received WhatsApp threats from the Iran-linked Handala hacking group, which claimed to leak personal data on 2,379 service members and said it knew their family details and routines.
-
Obsidian plugin abuse delivers new Windows backdoor in targeted campaign
Attackers abused Obsidian community plugins to deploy a new Windows backdoor in a targeted campaign against finance and cryptocurrency users. The intrusion was blocked, but the method showed how trusted app features can be used for code execution.
-
108 malicious Chrome extensions linked to shared server, data theft
Researchers found 108 malicious Chrome extensions tied to one backend server, with the add-ons used to steal account data, exfiltrate Telegram sessions and inject ads or scripts into visited pages.
-
APT37 Uses Facebook, Telegram in RokRAT Phishing Campaign
North Korea-linked APT37 used Facebook and Telegram to deliver RokRAT in a multi-stage campaign that relied on fake personas, a trojanized PDF viewer and compromised infrastructure, according to a technical analysis by Genians Security Center.
-
Masjesu botnet emerges as DDoS-for-hire service targeting IoT devices
Researchers say the Masjesu botnet has been sold as a DDoS-for-hire service since 2023, targeting IoT devices across multiple architectures while using stealth tactics, self-propagation and hard-coded control channels.
-
Russia moves to block WhatsApp after national DNS exclusions limit access
Russian authorities moved to block WhatsApp by excluding its domains from the national DNS, leaving the service reachable only via VPNs or external DNS. The move follows earlier throttling and registration restrictions.
-
Iran-linked RedKitten campaign uses AI-generated macros to deploy SloppyMIO backdoor
A HarfangLab technical analysis links a January 2026 campaign to an Iran-aligned actor using macro-laced Excel files to deploy the SloppyMIO backdoor that retrieves configuration via GitHub and exfiltrates via Telegram.
-
Handala targeted Telegram accounts of two Israeli officials
In December 2025 Handala posted about 1,900 Telegram chat entries tied to two Israeli officials. Most entries were empty contact cards and only about 40 contained messages, indicating account access rather than full phone compromise.
-
Iran-linked APT Infy resurfaces with updated Foudre and Tonnerre malware
SafeBreach and other researchers reported renewed activity by the Iranian APT known as Infy (Prince of Persia), documenting updated Foudre and Tonnerre malware, use of a domain generation algorithm for C2 resilience, and a Telegram-based channel in recent campaigns affecting targets in the Middle East, India, Canada and Europe.
-
VolkLocker ransomware contains hard-coded master keys, SentinelOne analysis finds
A SentinelOne analysis says VolkLocker, a RaaS from the CyberVolk collective, contains hard-coded master keys and writes a plaintext backup key to the temporary folder, enabling file recovery without payment while still displaying typical ransomware behaviors.