Hacktivist Group Claimed Attacks Across 20+ Critical Sectors Following Iran–Israel Conflict

The escalating tensions between Iran and Israel have triggered an unprecedented surge in hacktivist cyber operations, with over 80 distinct groups launching coordinated attacks across 18 critical infrastructure sectors.

Following Israeli airstrikes on Iranian military and nuclear facilities in June 2025, pro-Iranian and pro-Palestinian hacktivist collectives mobilized almost immediately, targeting Israeli government systems, energy infrastructure, financial institutions, and defense contractors in what security researchers describe as one of the most extensive cyber campaigns in recent history.

The hacktivist offensive encompasses a diverse range of attack vectors, from sophisticated distributed denial-of-service operations to industrial control system infiltrations and data exfiltration campaigns.

Notable groups including GhostSec, Mr Hamza, Dark Storm Team, and Arabian Ghosts have claimed responsibility for breaching everything from water treatment facilities and satellite communications to judicial systems and emergency alert networks.

Dark Storm Team claiming responsibility for cyberattacks on multiple Israeli government services, including the Ministry of Justice, Police, Education, and the Supreme Court (Source – Outpost24)

The scope of these operations extends beyond traditional web defacements, with attackers demonstrating capabilities to compromise industrial control systems, deploy custom ransomware, and conduct psychological warfare through targeted doxxing campaigns.

Outpost24 analysts identified several concerning trends in the attack patterns, noting the coordination between previously independent hacktivist entities and the emergence of sophisticated malware families specifically designed for this campaign.

The researchers observed that many groups have formed strategic alliances, sharing resources, intelligence, and attack tools to maximize their operational impact against Israeli infrastructure.

The technical sophistication of these operations varies significantly across different groups, with some deploying advanced persistent threats while others rely on readily available tools.

However, the collective impact has been substantial, affecting critical systems across government institutions, energy infrastructure, financial services, military contractors, media networks, academic institutions, transportation services, water infrastructure, satellite communications, and social media platforms.

Advanced Malware Arsenal and Industrial Control System Targeting

Among the most concerning developments in this cyber campaign is the deployment of specialized malware designed to target industrial control systems and operational technology environments.

GhostSec, one of the most technically capable groups involved, has claimed successful compromise of over 100 Modbus programmable logic controller devices, 40 Aegis 2 water control systems, and 8 Unitronics devices across Israeli critical infrastructure.

The group has also demonstrated the ability to infiltrate 10 VSAT satellite communication devices, indicating a sophisticated understanding of both IT and OT network architectures.

The malware arsenal deployed in these attacks includes custom-developed tools such as the GhostLocker ransomware, GhostStealer data exfiltration framework, and the IOControl embedded Linux backdoor with integrated wiper capabilities.

The IOControl malware represents a particularly advanced threat, featuring AI-assisted vulnerability research capabilities and specialized modules for ICS/SCADA exploit development.

Additionally, groups have deployed various wiper malware variants including Hatef for Windows systems, Hamsa for Linux environments, and the Meteor, Stardust, and Comet families previously associated with attacks on Iranian infrastructure.

These attacks are coordinated through distributed denial-of-service tools like Abyssal DDoS V3 and the Arthur C2 botnet infrastructure. That level of operational sophistication blurs the traditional boundaries between hacktivist activities and state-sponsored cyber warfare, raising significant concerns about attribution and potential escalation in the ongoing cyber conflict.
