FBI Warns of Iran’s Handala Hack Group Using Fake Apps to Spy on Windows Users
FBI warns of Iran-linked Handala Hack Group using fake apps to spy on Windows users.
Summary
The FBI has issued a FLASH alert about Handala Hack Group, an Iran MOIS-linked threat actor that has been distributing trojanized versions of popular applications (WhatsApp, Telegram, KeePass) to Windows users since late 2023. The group relies on social engineering to deliver malware such as MicDriver, which records audio and the screen, and the second-stage tools Winappx.exe and MsCache.exe, which exfiltrate data; its targets are primarily journalists and activists. The group claimed the attack on Stryker Corporation, and the FBI links it to the online entity Homeland Justice.
Full text
By Deeba Ahmed, March 24, 2026

If you use apps like WhatsApp, Telegram, or a password manager on your computer, a new FBI warning deserves your attention. In a FLASH report, the agency says a group of hackers working for the Iranian government has been caught using fake versions of these popular programs to spy on people and steal their private data.

Since late 2023, these attackers, who the FBI links to Iran's Ministry of Intelligence and Security (MOIS), have been going after journalists, activists, and anyone the regime sees as a threat. They are not just after passwords: they want to record private conversations and leak personal files to cause as much damage as possible.

The Disguise

The way in is simple. Instead of relying on a technical exploit, the attackers talk to the victim. They typically pose as technical support or as a friend on social media, and once they have built trust they send a file dressed up as a helpful update or a new tool. The files carry names that match the real programs, such as WhatsApp.exe, Telegram_authenticator.exe, or KeePass.exe, but what actually gets installed is a spying tool. The FBI notes that one of these tools, MicDriver, can record audio and the screen during Zoom calls without the victim noticing. Once inside, the attackers deploy a second stage of malware, such as Winappx.exe or MsCache.exe, that quietly bundles up files and sends them to attacker-controlled servers.

[Figure: Observed Behavioral (Via FBI)]

Connections to Major Company Hacks

This isn't a small-scale operation.
The FBI has linked this activity to the group known as Handala Hack and, in turn, to another entity called Homeland Justice. The name may sound familiar: as Hackread.com reported in March 2026, the group claimed a massive attack on the global medical company Stryker. While the company worked to recover from the disruption, the hackers claimed to have wiped over 200,000 systems and stolen a large volume of data.

“The FBI assesses some of the information Handala Hack claimed to have acquired and posted online was obtained using malware as part of the group’s ongoing campaign to target dissidents. Handala Hack is known for phishing, data theft, extortion, and destructive attacks involving custom wiper malware. Additionally, the FBI assesses Handala Hack is linked to the online entity “Homeland Justice,” also operated by Iran MOIS cyber actors,” the FBI’s alert (PDF) reads.

To avoid this trap, the FBI suggests a few basic habits. First, never install a program that someone sends you in a chat; always download from the official website or app store. Second, keep Windows updates turned on, since they include fixes that close the holes attackers use to get in. Finally, turn on multi-factor authentication, which makes it much harder for an attacker who has stolen a password to get into your accounts.
Indicators of Compromise
- malware — MicDriver
- malware — Winappx.exe
- malware — MsCache.exe
- threat actor — Handala Hack
- threat actor — Homeland Justice
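A practitioner reading the alert will want to turn the file names above into a check. The Python script below is an added example, not code from the article, from Hackread.com, or from the FBI alert. It runs a simple triage over constructed Sysmon-style process-creation events; the "key=value; key=value" line format, the ".exe" extension on MicDriver (the article gives no extension) and the user-writable-directory heuristic are this example's own assumptions.

```python
"""Detection triage for the process names in the FBI alert, run over
constructed Sysmon-style process-creation events.

Added example, not from the article or the FBI alert. Assumptions: the
'key=value; key=value' event format, the on-disk name "MicDriver.exe", and
the user-writable-directory heuristic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lookalike names the article says the lures carry.
LURE_NAMES = {"whatsapp.exe", "telegram_authenticator.exe", "keepass.exe"}
# MicDriver (recorder) and the exfiltration stage; ".exe" for MicDriver is assumed.
STAGE2_NAMES = {"micdriver.exe", "winappx.exe", "mscache.exe"}

# Where a file sent over chat typically lands. A genuine WhatsApp, Telegram or
# KeePass install does not run its main binary from these (heuristic).
USER_WRITABLE = re.compile(
    r"\\(downloads|desktop|appdata\\local\\temp|users\\public)\\", re.IGNORECASE
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\Downloads\WhatsApp.exe; ParentImage=C:\Windows\explorer.exe; Signed=false",
    r"Image=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe; ParentImage=C:\Windows\explorer.exe; Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\Winappx.exe; ParentImage=C:\Users\alice\Downloads\WhatsApp.exe; Signed=false",
    r"Image=C:\Users\alice\Downloads\Telegram_authenticator.exe; ParentImage=C:\Windows\explorer.exe; Signed=false",
    r"Image=C:\Program Files\KeePass Password Safe 2\KeePass.exe; ParentImage=C:\Windows\explorer.exe; Signed=true",
    r"Image=C:\ProgramData\MsCache.exe; ParentImage=C:\Users\alice\AppData\Local\Temp\WhatsApp.exe; Signed=false",
]


@dataclass
class Finding:
    image: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    """Split one 'key=value; key=value' line into a dict with lower-case keys."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(line: str) -> Optional[Finding]:
    """Score one event; None means nothing in the alert's indicator set matched."""
    ev = parse_event(line)
    image = ev.get("image", "")
    name = basename(image)
    parent = basename(ev.get("parentimage", ""))
    signed = ev.get("signed", "").lower() == "true"

    if name in STAGE2_NAMES:
        # The second-stage names have no legitimate reason to run on a workstation.
        reason = "stage-2 name from the alert"
        if parent in LURE_NAMES:
            # A lure launching the recorder/exfil stage is the chain the article describes.
            reason += f", spawned by lookalike parent {parent}"
        return Finding(image, "high", reason)

    if name in LURE_NAMES:
        # Same name as a real app: only suspicious when it runs from a drop
        # location or lacks the signature the genuine build would carry.
        if USER_WRITABLE.search(image):
            return Finding(image, "medium", "lookalike name launched from a user-writable path")
        if not signed:
            return Finding(image, "medium", "lookalike name without an Authenticode signature")
    return None


def triage_all(lines: List[str]) -> List[Finding]:
    """Run triage over many events and keep only the hits."""
    return [f for f in (triage(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: {f.reason}")
```

Names alone are weak indicators: a legitimate WhatsApp.exe from the real installer matches LURE_NAMES too, which is why the script only raises it when it runs from a drop directory or without a signature, and reserves "high" for the second-stage names and for a lure process spawning them. In production, replace the Signed field with a real Authenticode check (for example Get-AuthenticodeSignature in PowerShell) and feed Sysmon Event ID 1 records instead of the embedded sample.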