A sophisticated cyber-sabotage group known as Predatory Sparrow has emerged as one of the most destructive threat actors targeting Iranian critical infrastructure over the past several years.
Unlike traditional cybercriminal operations focused on financial gain, this group executes highly disruptive campaigns designed to cripple essential services, destroy sensitive data, and send provocative political messages.
Security researchers and intelligence analysts widely believe Predatory Sparrow operates with Israeli backing, positioning their activities within the broader context of an ongoing cyber shadow war between Israel and Iran that has intensified dramatically since 2019.
Predatory Sparrow has repeatedly penetrated and sabotaged diverse segments of Iran’s national infrastructure.
The group first gained international attention in July 2021 when it compromised Iran’s national railway system, paralysing operations and pushing messages about the cyberattack onto station information boards across the country.
That attack used a destructive wiper known as “Meteor,” engineered to leave infected machines unbootable while erasing the forensic traces an incident responder would normally rely on.
The group’s operations escalated in June 2022 when Predatory Sparrow claimed responsibility for a cyberattack on an Iranian steel plant that triggered a major fire, causing physical damage and a production shutdown.
The incident is one of the few public cases in which a cyberattack produced a visible physical effect, and it showed how an intrusion into plant systems can turn into a safety incident as well as an economic one.
In December 2023, Predatory Sparrow executed one of its most widespread disruption campaigns by targeting Iran’s nationwide gas station network.
The group claimed to have disabled the vast majority of Iran’s fuel pumps, creating chaos for ordinary citizens and demonstrating their ability to impact daily life across the entire country.
In a statement posted on social media platform X (formerly Twitter), the group characterized the operation as retaliation against actions by the Islamic Republic and its regional proxies, showcasing the overtly political messaging that accompanies their technical operations.
Predatory Sparrow Strikes
The group’s most recent and financially devastating operations occurred in June 2025, shortly after Israeli military airstrikes on Iranian targets.
Predatory Sparrow launched coordinated attacks against Iran’s financial infrastructure, first targeting the state-owned Bank Sepah with what the group described as a complete data erasure operation.
The attackers accused the bank of financing Iran’s military apparatus and claimed to have rendered its digital systems completely inoperable, disrupting banking services for potentially millions of customers.
The following day, Predatory Sparrow executed an extraordinarily destructive attack on Nobitex, Iran’s largest cryptocurrency exchange.
The group claimed to have “burned” roughly 90 million dollars in cryptocurrency by sending it to vanity addresses for which no private key exists, so the funds can never be moved again.
The attackers then published Nobitex’s source code, internal infrastructure documentation, and research and development material.
Beyond the immediate financial loss, that leak exposes the exchange’s architecture and any weaknesses in it, giving other attackers a head start against Nobitex and platforms built the same way.
Sophisticated Attack Methodology
Technical analysis of Predatory Sparrow’s operations shows a capable adversary with well-developed tactics, techniques, and procedures.
The group conducts thorough reconnaissance before an attack, mapping the target network and identifying the systems whose loss will hurt most.
The Meteor wiper keeps its configuration and its own logs encrypted, which slows down forensic analysis and makes it harder for responders to reconstruct exactly what ran.
Initial access has been reported to come through compromised VPN credentials or exploitation of public-facing applications.
Once inside, Predatory Sparrow runs batch scripts that systematically disable security controls: adding the malware’s files and staging directory to the Windows Defender exclusion list and attempting to uninstall third-party antivirus products such as Kaspersky.
The scripts also clear Windows event logs with native utilities such as wevtutil, erasing the record of the intrusion before the wiper runs.
The destructive payload uses several mechanisms to maximise damage and block recovery.
It deletes every volume shadow copy with commands like “vssadmin.exe delete shadows /all /quiet” and tampers with the boot configuration data so that infected machines cannot restart; these are the same pre-wipe steps seen in commodity ransomware, so detections written for them pay off well beyond this one actor.
Some variants also check the hostname and skip passenger information systems (PIS), so the public boards stayed up to display the group’s message while the rest of the network was wiped.
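The pre-wipe commands described above are easy to hunt for in process-creation telemetry, and a host that runs several of them in quick succession is a much stronger signal than any one of them alone. The following detector is an added example for this article, not code from the original page and not from any vendor analysis of the Meteor wiper: it scores constructed sample events (hostnames, users and the flattened “timestamp host user command line” layout are all assumptions) against a small rule set and flags hosts where at least three distinct rules fire inside a ten-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not a real capture. Each line is one
# process-creation event flattened to: <ISO timestamp> <host> <user> <command line>.
# Host names, users and paths are invented for illustration.
SAMPLE_EVENTS = r"""
2021-07-09T10:12:01Z OPS-07 SYSTEM cmd.exe /c wevtutil cl Security
2021-07-09T10:12:02Z OPS-07 SYSTEM powershell -ep bypass -c Add-MpPreference -ExclusionPath C:\temp\update
2021-07-09T10:12:05Z OPS-07 SYSTEM vssadmin.exe delete shadows /all /quiet
2021-07-09T10:12:06Z OPS-07 SYSTEM bcdedit.exe /set {default} recoveryenabled no
2021-07-09T10:12:07Z OPS-07 SYSTEM wmic product where "name like '%Kaspersky%'" call uninstall
2021-07-09T10:13:00Z WS-114 jdoe vssadmin.exe list shadows
2021-07-09T10:14:00Z BACKUP-01 backupsvc vssadmin.exe delete shadows /for=D: /oldest /quiet
2021-07-09T11:30:00Z WS-220 helpdesk wevtutil cl Application
""".strip().splitlines()

# One regex per behaviour from the article. Patterns are deliberately narrow:
# "vssadmin list shadows" and a single-volume "/oldest" cleanup by a backup
# account should not fire, only the wipe-everything form.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I),
    "boot_config_sabotage": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures|/delete\b)", re.I),
    "defender_exclusion": re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I),
    # Generic WMI-based product removal targeting the vendor named in the article.
    "av_uninstall": re.compile(r"\bwmic(?:\.exe)?\s+product\s+where\b.*?\bkaspersky\b.*?\buninstall\b", re.I),
}


def parse_event(line):
    """Split one flattened event into (timestamp, host, user, command line)."""
    ts, host, user, cmdline = line.split(maxsplit=3)
    # datetime.fromisoformat accepts "+00:00" on every Python 3 release; "Z" only from 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, cmdline


def match_rules(cmdline):
    """Return the names of all rules that match a single command line, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(lines, window=timedelta(minutes=10), min_distinct=3):
    """Run the rules over all events and correlate hits per host.

    Returns (hits, flagged):
      hits    - host -> list of rule names in event order (every match, for triage)
      flagged - host -> sorted distinct rule names, only for hosts where at least
                `min_distinct` different rules fired within `window`
    """
    timeline = defaultdict(list)  # host -> [(timestamp, rule)]
    for line in lines:
        ts, host, _user, cmdline = parse_event(line)
        for rule in match_rules(cmdline):
            timeline[host].append((ts, rule))

    hits = {host: [rule for _, rule in events] for host, events in timeline.items()}
    flagged = {}
    for host, events in timeline.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct behaviours seen from this event to the end of the window.
            in_window = {rule for ts, rule in events[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                flagged[host] = sorted(in_window)
                break
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = scan(SAMPLE_EVENTS)
    for host, rules in hits.items():
        print(f"{host}: {rules}")
    print("flagged as wiper pre-stage:", flagged)
```

On the sample input only OPS-07 is flagged, with all five behaviours inside two minutes; WS-220 produces a single log-clearing hit that still deserves a low-severity alert on its own, and the backup account’s narrow shadow-copy cleanup produces nothing. Tune the window and threshold to your environment, and feed the rules from real 4688 or Sysmon Event ID 1 records rather than the flattened format assumed here.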
Predatory Sparrow illustrates a shift in state-linked cyber operations: capable tradecraft combined with openly destructive intent, aimed at producing cascading disruption across critical national infrastructure.
As the group refines its techniques and widens its target set, defending against it requires validated security controls, continuous monitoring of the pre-wipe behaviours described above, and adversary emulation that exercises those controls before a real attack does.