Predatory Sparrow Group Attacking Critical Infrastructure to Destroy Data and Cause Disruption

Predatory Sparrow has emerged as one of the most destructive cyber-sabotage groups targeting critical infrastructure across the Middle East, with operations focused primarily on Iranian and Syrian assets.

The hacktivist group, believed to be affiliated with Israeli interests, has orchestrated a series of devastating cyberattacks spanning from 2019 to 2025, targeting railways, steel plants, financial institutions, and fuel distribution networks.

Their campaigns are characterized by deliberate data destruction, operational paralysis, and provocative public messaging designed to maximize psychological impact alongside physical disruption.

The group’s operational timeline reveals an escalating pattern of sophistication and destruction. Early attacks in 2019-2020 targeted Syrian entities including Alfadelex Trading and Cham Wings Airlines, establishing their capabilities in network infiltration.

However, their most significant operation came in July 2021 when they deployed the “Meteor” wiper malware against Iran’s national railway system, causing widespread service disruptions and displaying taunting messages on station boards.

This attack demonstrated their ability to compromise critical national infrastructure with precision timing.

More recently, Predatory Sparrow has expanded their targeting to include financial infrastructure with devastating effect.

Following Israeli airstrikes on Iran in June 2025, the group launched coordinated attacks against Bank Sepah and the Nobitex cryptocurrency exchange.

In the Nobitex breach, they claimed to have rendered $90 million in cryptocurrency permanently unrecoverable by transferring assets to inaccessible addresses, while simultaneously leaking the exchange’s complete source code and infrastructure documentation.

Picus Security analysts identified the group’s sophisticated multi-stage attack methodology during investigations into the Iranian railway incident.

Their analysis revealed that Predatory Sparrow employs a complex chain of batch scripts and encrypted payloads to establish persistence, disable defenses, and deploy destructive wipers.

The group demonstrates advanced environmental awareness by conducting reconnaissance to identify specific target systems before payload execution.

Technical Execution and Wiper Deployment Mechanisms

The technical architecture of Predatory Sparrow’s attacks centers on their custom Meteor wiper malware, which utilizes encrypted configuration files and multi-stage batch script execution.

The attack chain begins with a setup.bat script that performs hostname verification against specific Passenger Information System servers (PIS-APP, PIS-MOB, WSUSPROXY, PIS-DB), ensuring malicious payloads avoid execution on display systems while guaranteeing the attacker’s messaging appears on public-facing boards.

The msrun.bat script serves as the deployment mechanism for the wiper payload, creating a scheduled task configured to execute at 23:55:00 through Windows Task Scheduler.

Prior to wiper execution, the cache.bat script systematically disables all network adapters using PowerShell commands:

powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL

Defense evasion techniques include clearing Windows Event Logs through wevtutil commands targeting Security, System, and Application logs, effectively erasing forensic evidence:

wevtutil cl system
wevtutil cl application
wevtutil cl security

The Meteor wiper employs XOR-based encryption for its configuration file (msconf.conf) and log files. Researchers developed Python decryption utilities revealing the malware’s internal operations (standard library only; `buf` and `key` are `bytes` objects):

def decode_buffer(buf: bytes, key: bytes) -> str:
    """Decode a Meteor msconf.conf or log buffer.

    Each plaintext byte is ((position mod 256) + key byte) XOR ciphertext byte,
    truncated to 8 bits; the key repeats cyclically over the buffer.
    """
    results = ""
    for k, v in enumerate(buf):
        # explicit parentheses: the addition happens before the XOR
        results += chr((((k % 256) + key[k % len(key)]) ^ v) & 0xff)
    return results

To ensure complete system destruction, the bcd.bat script manipulates boot configuration data and removes volume shadow copies, preventing recovery:

vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy delete
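Taken together, the commands quoted above (log clearing, shadow copy deletion, a one-shot scheduled task, adapter shutdown) form a recognisable pre-wipe sequence that a defender can hunt for in process-creation telemetry. The following script is an added example, not code from the article or from Picus Security: it runs a small rule set over constructed Sysmon-style command-line events and flags a host only when several distinct techniques co-occur, since any one of them alone is routine administration. The event records, host names, task name and scoring threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (host, command line). These are
# assumptions written for this example, not records from the railway incident.
SAMPLE_EVENTS = [
    {"host": "PIS-DB", "cmdline": "cmd.exe /c wevtutil cl security"},
    {"host": "PIS-DB", "cmdline": "cmd.exe /c wevtutil cl system"},
    {"host": "PIS-DB", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "PIS-DB", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "PIS-DB", "cmdline": "schtasks /create /tn msrun /tr C:\\Temp\\msrun.bat /sc once /st 23:55:00"},
    {"host": "PIS-DB", "cmdline": 'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }"'},
    # Benign administrative activity on another host: must not raise an alert.
    {"host": "WS01", "cmdline": "wevtutil qe Application /c:5 /f:text"},
    {"host": "WS01", "cmdline": "vssadmin list shadows"},
]

# Each rule: (technique name, compiled pattern over the command line).
RULES = [
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("scheduled_task_created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("network_adapters_disabled",
     re.compile(r"Win32_NetworkAdapter.*\.Disable\(\)", re.I | re.S)),
]


def classify(cmdline):
    """Return the technique names whose pattern matches this command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def task_start_time(cmdline):
    """Extract the /st HH:MM[:SS] start time from a schtasks command, or None."""
    m = re.search(r"/st\s+(\d{1,2}:\d{2}(?::\d{2})?)", cmdline, re.I)
    return m.group(1) if m else None


def triage(events, min_techniques=3):
    """Group rule hits per host. A host showing at least `min_techniques`
    distinct pre-wipe techniques is flagged; fewer is treated as admin noise."""
    per_host = defaultdict(lambda: {"techniques": set(), "task_times": []})
    for ev in events:
        rec = per_host[ev["host"]]
        hits = classify(ev["cmdline"])
        rec["techniques"].update(hits)
        if "scheduled_task_created" in hits:
            t = task_start_time(ev["cmdline"])
            if t:
                rec["task_times"].append(t)  # off-hours one-shot tasks deserve a look
    return {
        host: {
            "techniques": sorted(rec["techniques"]),
            "task_times": rec["task_times"],
            "alert": len(rec["techniques"]) >= min_techniques,
        }
        for host, rec in per_host.items()
    }


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_EVENTS).items():
        flag = "ALERT" if rec["alert"] else "ok"
        print(f"{host:8} {flag:5} {', '.join(rec['techniques']) or '-'}")
```

The threshold-based scoring is the point of the design: `wevtutil cl` or `vssadmin delete shadows` on their own appear in legitimate maintenance, but three or more of these techniques on one host inside a short window is the shape of the chain the article describes, and the recorded task start time gives the responder the deadline before which the host must be isolated.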

This comprehensive approach to data destruction and system sabotage demonstrates Predatory Sparrow’s focus on causing irreversible damage rather than data exfiltration, aligning with their stated mission of retaliatory cyber warfare against Iranian interests.
