IRGC-Linked Hacker Groups Target Financial, Government, and Media Organizations
During the 12-day conflict between Israel and Iran in June 2025, a sophisticated network of Iranian-linked cyber threat actors launched coordinated digital operations against critical infrastructure sectors worldwide.
The campaign demonstrated unprecedented coordination between military operations and state-sponsored cyberattacks, targeting financial institutions, government agencies, and media organizations across multiple countries.
The cyber offensive involved a complex ecosystem of hackers ranging from state-sponsored groups with direct ties to Iran’s Islamic Revolutionary Guard Corps (IRGC) to ideologically-aligned hacktivist collectives operating with varying degrees of autonomy.
These threat actors employed diverse attack vectors including malware-laden phishing campaigns, distributed denial-of-service (DDoS) attacks, SQL injection exploits, and sophisticated social engineering techniques designed to steal sensitive data and disrupt critical operations.
SecurityScorecard researchers identified over 178 active hacker groups participating in the campaign, analyzing more than 250,000 messages from Iranian proxies and hacktivist channels.
The analysis revealed that several key groups, including Imperial Kitten (also known as Tortoiseshell, Cuboid Sandstorm, and Yellow Liderc), rapidly adapted their tactics to align with Iran’s military objectives, suggesting pre-planned coordination between cyber and kinetic operations.
Advanced Phishing Infrastructure and Tactical Evolution
The most concerning aspect of this campaign was the speed at which established threat actors modified their operational procedures to exploit the conflict.
Imperial Kitten, a well-documented Iranian state-linked group notorious for its social engineering capabilities, deployed conflict-themed phishing lures within hours of the start of the military escalation.
The group’s phishing infrastructure incorporated current events and emotional manipulation tactics, using subject lines referencing ongoing airstrikes and humanitarian crises to increase victim engagement rates.
The phishing emails contained malicious attachments designed to establish persistent access to target networks, with payloads specifically crafted to evade detection during the heightened alert periods typical of wartime cybersecurity postures.
This tactical evolution demonstrates how state-sponsored actors can rapidly pivot their technical capabilities to support broader strategic objectives, creating significant challenges for traditional threat detection methodologies.
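The lures described above share a recognisable shape: a subject line tied to the news cycle, an urgency cue, and an attachment that can execute code. As an added illustration (not code from SecurityScorecard, the article, or any of the groups named), the following Python heuristic scores inbound mail metadata on exactly those signals and triages anything above a threshold for analyst review. The keyword lists, sample messages, trusted domain and SPF flags are all constructed for the example and would need tuning against a real mail flow.

```python
"""Heuristic triage of inbound email metadata for event-themed phishing lures.

Added example for SOC use; the term lists and sample messages below are
constructed assumptions, not indicators from the reported campaign.
"""
from dataclasses import dataclass, field

# Constructed keyword sets: current-event themes and urgency cues seen in
# conflict-themed lures. Tune these to the news cycle your users care about.
EVENT_TERMS = {"airstrike", "strike", "ceasefire", "evacuation",
               "humanitarian", "casualties", "missile", "emergency"}
URGENCY_TERMS = {"urgent", "immediate", "action required", "breaking"}
# Attachment types that can carry executable content or macro payloads.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso",
                    ".zip", ".docm", ".xlsm", ".hta"}

# Assumed internal domain; anything else is treated as external.
TRUSTED_DOMAINS = {"corp.example"}


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)
    spf_pass: bool = True  # result of SPF evaluation by the mail gateway


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def score_email(msg: Email, trusted_domains: set[str]) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one message. Higher is more suspicious."""
    score, reasons = 0, []
    subject = msg.subject.lower()

    if any(term in subject for term in EVENT_TERMS):
        score += 2
        reasons.append("event-themed subject")
    if any(term in subject for term in URGENCY_TERMS):
        score += 1
        reasons.append("urgency cue in subject")

    risky = [a for a in msg.attachments
             if a.lower().endswith(tuple(RISKY_EXTENSIONS))]
    if risky:
        score += 3
        reasons.append("risky attachment: " + ", ".join(risky))

    if sender_domain(msg.sender) not in trusted_domains:
        score += 1
        reasons.append("external sender")
    if not msg.spf_pass:
        score += 2
        reasons.append("SPF failed")

    return score, reasons


def triage(msgs: list[Email], trusted_domains: set[str], threshold: int = 5):
    """Return [(message, score, reasons)] for messages at or above threshold."""
    flagged = []
    for msg in msgs:
        score, reasons = score_email(msg, trusted_domains)
        if score >= threshold:
            flagged.append((msg, score, reasons))
    return flagged


# Constructed sample traffic: one lure, one benign internal mail, and a
# genuine news digest that mentions the conflict but carries no attachment.
SAMPLE_EMAILS = [
    Email("ops-alert@relief-update.example",
          "URGENT: Airstrike casualties report - open attached list",
          ["casualty_list.docm"], spf_pass=False),
    Email("newsletter@corp.example", "Weekly security newsletter",
          ["newsletter.pdf"]),
    Email("press@news-wire.example", "Breaking: ceasefire talks update"),
]

if __name__ == "__main__":
    for msg, score, reasons in triage(SAMPLE_EMAILS, TRUSTED_DOMAINS):
        print(f"[{score}] {msg.sender!r} {msg.subject!r}: {'; '.join(reasons)}")
```

Only the first sample crosses the threshold: the news digest scores on theme and urgency but, with no attachment and a passing SPF check, stays below it, which is the point of combining signals rather than alerting on topical subject lines alone.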