Red Hot Cyber


Discovering Predatory Sparrow: Identity, Goals, and Digital Arsenal of the Mysterious Threat Actor

Redazione RHC : 1 July 2025 15:48

On June 17, 2025, a cyber attack paralyzed Bank Sepah, one of Iran’s major financial institutions.

The attack was claimed by the Predatory Sparrow group, already known for its destructive operations against Iranian critical infrastructure. In this document there is an in-depth analysis of the Threat Actor Predatory Sparrow, its technical capabilities and declared objectives, with particular attention to the geopolitical context and the use of proprietary malware.

Authors:

  • Cyber Defense Center Maticmind
  • Cyber Competence Center Maticmind
  • Andrea Mariucci | Head of Cyber Defense Center @Maticmind
  • Riccardo Michetti | Cyber Threat Intelligence Manager @Maticmind
  • Federico Savastano | Cyber Threat Intelligence Analyst @Maticmind
  • Ada Spinelli | Cyber Threat Intelligence Analyst @Maticmind

THREAT ACTOR: PREDATORY SPARROW CARD

Main Name: Predatory Sparrow
Alternative Names:
  • Gonjeshke Darande (گنجشک درنده – Farsi translation)
  • Indra (partial overlap, similarities in malware code used)
Classification: Pro-Israeli hacktivist group
First Sighting: 2021
Current Status: Active (last documented activity: June 2025)

IDENTITY AND AFFILIATIONS

Predatory Sparrow presents itself as a self-proclaimed hacktivist group, but its technical sophistication and operational capabilities suggest likely government or military involvement. According to a WIRED article, US defense sources told the New York Times that the group was linked to Israel.

The group, founded in 2021, went into a state of dormancy between 2022 and October 2023, returning to operation when hostilities began in the Gaza Strip.

Diamond Model

Adversary: Predatory Sparrow/Gonjeshke Darande
Victim: Entities affiliated with the Iranian Ayatollah regime
Infrastructure: N/A
Capabilities: Advanced wipers and malware capable of compromising industrial systems, physical destruction of industrial equipment, mass data deletion, disruption of infrastructure and telecommunications operations

Motivations and Objectives

  • Primary Objective: Conduct destructive attacks against Iran, aiming to inflict damage comparable to that of conventional attacks and with effects in the psychological sphere, in order to weaken the population’s confidence in the Ayatollah regime and its stability. This takes place within a framework of PSYOPS operations, disinformation campaigns and sabotage actions, while causing significant economic consequences for Iranian companies connected with the government or the army.
  • Geopolitical Motivation: It is part of the confrontation between Israel, Iran and the latter’s proxies, with the aim of responding to attacks conducted by the Islamic Republic directly or through proxies.
  • Strategic value: affirm the actor’s offensive capacity to hit critical industrial and digital assets in Iranian territory, with the aim of exerting pressure and targeted destabilization.
  • Claim and propaganda tactics
    • Uses X channels and Telegram to claim attacks
    • Publishes videos as evidence of successful attacks, such as the video of the destructive attack on the Iranian steel plant
    • Includes provocative messages with references to the Iranian Supreme Leader
    • Introduces itself sometimes as an Iranian hacktivist group to confuse attribution
    • The group apparently conducts attacks with the stated goal of not endangering innocent lives (as stated on the TA’s Telegram channel and reported by the BBC)

TECHNICAL CAPABILITIES

The group demonstrates advanced technical capabilities that suggest access to significant resources, in-depth knowledge of Iranian industrial systems, and the ability to develop malware tailored to specific targets. It also shows relevant skills in SCADA and ICS (Industrial Control Systems), which are used to control critical infrastructure. Compared to most hacktivists who act on geopolitical or current affairs issues, Predatory Sparrow stands out for its significantly superior technical know-how, which is typical of actors connected to state apparatuses.

Sectors of Specialization

Industrial Control Systems (ICS/SCADA)

  • Ability to manipulate industrial equipment
  • Access control systems of steel mills and petrol pumps
  • Interference with railway systems

Payment Systems

  • Compromise of point-of-sale networks
  • Attacks on fuel subsidy card systems
  • Compromise of Crypto Exchange
  • Compromise of financial institutions

Critical Infrastructure

  • National railway systems
  • Fuel distribution networks
  • Steel plants

TOOLSETS AND MALWARE 

Based on currently available information, the group is believed to be in possession of variants of the “Meteor” wiper, which first appeared in 2021 and was used by a threat actor named “Indra” against Syrian infrastructure. This could indicate a partial overlap between the two threat actors.

The “Meteor” strain includes several versions, known as “Stardust” and “Comet”, both with wiper functionality. “Chaplin” instead turns out to be the malware used in the attack on the Iranian steel mills, not equipped with data deletion capabilities but with the ability to compromise and control industrial systems.

Meteor Express (2021)

Meteor Express is a three-stage wiper malware, developed through a combination of open source components and legacy software. The code is highly modular and designed for destructive operations targeting strategic infrastructure.

Main Features

  1. Overwriting and deleting system files.
  2. Blocking user access and terminating processes.
  3. Deleting the Master Boot Record (MBR).
  4. Disabling network interfaces.
  5. Changing passwords for all users.
  6. Logging off active sessions.
  7. Disabling recovery mode.

Kill Chain

  • Reconnaissance: Presumed initial phase of information collection through previous accesses to the target network.
  • Weaponization: Use of dropper components and batch scripts to release payloads.
  • Delivery: Infection through physical/logical access to machines or RDP vulnerabilities.
  • Installation: Writing tools and batch scripts executed in sequence to disk.
  • Command and Control: Not present as it is non-persistent malware and without active C2.
  • Actions on Objectives: Data destruction, account blocking, operating system sabotage.

Related MITRE ATT&CK techniques

  • T1490 – Inhibit System Recovery
  • T1485 – Data Destruction
  • T1562.001 – Impair Defenses: Disable or Modify Tools
  • T1489 – Service Stop
  • T1491.001 – Defacement: Internal Defacement
  • T1531 – Account Access Removal

Operational context

Attack launched in July 2021 against the Iranian railway network. The apparent goal was to destabilize public infrastructure and cause large-scale operational chaos.

Attribution

Malware attributed to the Indra group.

Impact assessment

  • Technical: Total paralysis of the railway computer system, with prolonged disruptions and operational blocks.
  • Psychological: Attempt to disorient Iranian public opinion through symbolic sabotage.
  • Operational objective: PSYOPS operation aimed at delegitimizing the Iranian government and demonstrating the vulnerability of strategic public infrastructures.

Indicators of Compromise (IoCs)

  • Staging directory: %temp%Meteor

Comet (2021)

Wiper malware similar to Meteor but without provocative payloads. Three-stage architecture, with code mixing open source and legacy components.

Main features

  • File deletion.
  • Lock out user and system.
  • Disable logging tools.

Kill Chain

  • Delivery: Local or remote scripts.
  • Execution: Blocking and displaying contents.
  • Impact: Disruption of normal user operation.

Related MITRE ATT&CK techniques

  • T1490 – Inhibit System Recovery
  • T1485 – Data Destruction
  • T1562.001 – Impair Defenses: Disable or Modify Tools
  • T1489 – Service Stop
  • T1491.001 – Defacement: Internal Defacement
  • T1531 – Account Access Removal

Operational context

Use in silent attacks against critical infrastructure.

Attribution

Malware attributed to the Indra group.

Impact assessment

  • Technical: High.
  • Psychological: Consistent, as it creates disruption and undermines trust in state infrastructures.
  • Operational objective: Silent and persistent sabotage.

Stardust (2020)

Destructive wiper used in targeted attacks against Syrian targets. Similar to Comet, but specifically oriented towards the systematic destruction of sensitive data.

Main features

  • Overwriting sensitive files.
  • System crash.
  • Boot crash.

Kill Chain

  • Delivery: Via access to vulnerable systems.
  • Execution: Execution of the wiper on the endpoint.
  • Impact: Elimination of sensitive data and operational blocking.

Related MITRE ATT&CK techniques

  • T1485 – Data Destruction
  • T1490 – Inhibit System Recovery
  • T1499 – DoS

Operational context

Attacks against strategic Syrian companies, without any claim of responsibility.

Attribution

Malware attributed to the Indra group.

Impact assessment

  • Technical: Critical, complete destruction of data.
  • Psychological: Limited, as the narrative component is missing.
  • Operational objective: Economic and operational damage.

Chaplin (2022)

Evolution of the Meteor malware, classifiable as disruptive malware. It lacks the wiper component, but introduces visually provocative actions.

Main features

  1. Disconnect from the network.
  2. Forced user logout.
  3. Lock the screen.
  4. Display provocative messages.

Kill Chain

  • Delivery: Local or remote scripts.
  • Execution: Blocking and displaying content.
  • Impact: Disruption of normal user operation. Commands sent to industrial systems that cause them to malfunction.

Related MITRE ATT&CK techniques

  • T1531 – Account Access Removal
  • T1499 – Endpoint Denial of Service
  • T1551 – Input Capture (screen lock)

Operational context

Probably used in demonstration or low-impact destructive attacks.

Attribution

Not known, but probably connected to the same Meteor actors.

Impact assessment

  • Technical: Limited but visible.
  • Psychological: High, due to direct messages (e.g. invitation to call the office of the Iranian Supreme Leader).
  • Operational objective: Psychological warfare, demonstration of capabilities.

Major Attack Timeline

Gas Station Attack

Date: October 2021
Target: Over 4,000 gas stations in Iran (fuel distribution system)
Attack Method: Point-of-Sale Systems Compromised
Impact:

  • Disabling of the subsidized card payment system
  • Temporary paralysis of nationwide fuel distribution

MITRE ATT&CK TTPs:

  • T1190 (Exploit Public-Facing Application)
  • T1486 (Data Encrypted for Impact)

Malware/Toolset: Unknown
Attribution: Predatory Sparrow
Strategic Impact: Disruption of essential services to increase internal pressure

Iranian Steel Mills Attack

Date: June 2022
Target: Three major Iranian steel mills (Khouzestan, Mobarakeh, HOSCO)

Attack method: Chaplin malware + manipulation of industrial control systems (ICS)
Impact:

  • Molten steel spill (over 1,300°C)
  • Fire in the plant
  • Interruption of production operations

MITRE ATT&CK TTPs:

  • T0859 (Manipulation of Control)
  • T0882 (Loss of Safety)
  • T0814 (Alarm Suppression)

Malware/Toolset: Chaplin
Attribution: Predatory Sparrow
Strategic Impact: Critical Industrial Capabilities Damaged and Offensive Capabilities Demonstrated Against ICS

Figure 1 – Surveillance Camera

Reactivation – Conflict Gaza-Israel

Date: October 2023
Context: Israeli-Palestinian conflict
Message: “Think this is scary? We’re back.”
Target: New attacks on gas stations in Iran
Attack method: Continuation of disruption strategy towards civilian infrastructure
Impact: Not specified in detail but consistent with previous attacks
MITRE ATT&CK TTPs: Presumably similar to October 2021 event
Attribution: Predatory Sparrow
Strategic Impact: Political signal and cyber retaliation in geopolitical terms

Bank Sepah Attack

Date: June 17, 2025 

Target: Bank Sepah – one of the oldest public financial institutions in Iran
Attack method: Destructive cyber attacks with probable use of wipers (e.g. Comet/Stardust)
Impact:

  • Interruption of banking operations
  • Impossibility for citizens to withdraw money from ATMs
  • Disclosure of public CVEs by the actor (e.g. cve_poc_codes_export_works.csv)

MITRE ATT&CK TTPs:

  • T1485 (Data Destruction)
  • T1499 (Endpoint Denial of Service)
  • T1588.006 (Vulnerability Disclosure)

Malware/Toolset: Alleged wiper variant similar to Meteor / Comet / Stardust
Attribution: Predatory Sparrow (evidence on Telegram + X)
Strategic Impact: Destabilization of the national banking system and loss of confidence in the Iranian government’s ability to protect financial data

At the moment, no details are known about the techniques, tactics and procedures (TTPs) used by the threat actor, although the deletion of data and the consequent paralysis of operations suggest that a version of the group’s “proprietary” wipers, such as Meteor, Stardust or Comet, was used. On 16/06, the group had released on its Telegram channel a list of CVEs that were still working, entitled “cve_poc_codes_export_works”.

Figure 2 – CVE spread on the Telegram channel of TA

According to sources on X, Iranian citizens were unable to withdraw cash from ATMs in the country.

Figure 3 – Bank teller machine out of service

This factor, combined with fears of theft of sensitive data from the affected banks, contributes to the worsening of the scenario and underlines the cyberwar capabilities possessed by the Threat Actor.

Figure 4 – Bank Sepah Documentation

Unlike many hacktivists, in fact, Predatory Sparrow is not limited to Denial of Service (DoS), but has shown advanced technological capabilities and the determination to cause damage on a large scale.

At the moment there is no further information on the status of the services provided by the affected banks, but if these disruptions were to continue, this would represent considerable damage to Iran’s ability to respond to cyber threats and could contribute to generating discontent and tensions among the affected population. 

Nobitex Attack

Date: June 18, 2025 

Target: Nobitex – Iranian crypto exchange site
Attack method: At the moment there is no information regarding the attack methodology used
Impact:

  • Destruction of crypto assets for a total of 90 million dollars
  • Nobitex[.]ir site still offline 24 hours after the attack

MITRE ATT&CK TTPs:

  • T1485 (Data Destruction)
  • T1499 (Endpoint Denial of Service)
  • T1588.006 (Vulnerability Disclosure)

Malware/Toolset: Alleged wiper variant similar to Meteor / Comet / Stardust
Attribution: Predatory Sparrow
Strategic Impact: Destabilized Iran’s cryptocurrency exchange system. Severed a funding line that allowed Iran to partially circumvent Western sanctions. Psychological effects such as spreading panic and uncertainty about the resilience of Iranian assets in cyberspace.

Figure 5 – Nobitex[.]ir still unreachable on 19/06, one day after the attack

Predatory Sparrow attacked the Iranian cryptocurrency exchange “Nobitex” on June 18, just one day after the attack on Sepah Bank. The stated motivation is the same: evading sanctions imposed on Iran and financing terrorism. On X, Predatory Sparrow also highlighted the connection between the regime’s activities and those of Nobitex, stating that, for the Iranian government, service at the cryptocurrency exchange is considered the same as military service. 

The Threat Actor did not steal the cryptocurrencies, but effectively burned $90 million of them, sending them to unusable addresses (“burn addresses”), from which they cannot be recovered. The technique used underlines Predatory Sparrow’s goal of causing damage without any monetization or financing purpose, as also implied by the use of wipers.

On 06/20/2025, the threat actor also made the Nobitex source code public, putting the assets still present on the site at risk and making access and exploitation easier for further malicious actors. This source code disclosure amplifies the vulnerability of the system, allowing attackers to quickly identify weaknesses and develop targeted exploits. 

Figure 6 – Post in which Predatory Sparrow makes the Nobitex source code public, https://x.com/GonjeshkeDarand/status/1935593397156270534

There are currently no further details on the techniques, tactics and procedures (TTPs) used by the threat actor in this operation.

RISK ASSESSMENT

  • Threat Level: HIGH
  • Threat drivers:
    • Demonstrated ability to cause physical damage
    • Persistent access to critical infrastructure
    • Growing technical sophistication
    • Strong geopolitical motivation
  • At-risk industries:
    • Energy infrastructure
    • Transportation systems
    • Heavy industry
    • Payment systems
    • Banking and finance

Indicators of Attack (IoA)

  • Presence of files named “Chaplin”
  • System messages referring to issue 64411
  • Abnormal network disconnections
  • Coordinated industrial system malfunctions
  • Crypto wallet addresses containing messages directed against the Islamic Republic Guard Corps (IRGC) such as “F*ckIRGCterrorists”
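As an added detection example, not taken from this report or from Maticmind’s tooling, the script below correlates the Meteor behaviours listed under Main Features (recovery disabled, network interfaces disabled, passwords changed, sessions logged off, processes terminated) with the named indicators above, over constructed Windows process-creation and file events. The command-line patterns, host names and sample events are assumptions; the point is that a wiper chains several of these steps within seconds, whereas a single admin command does not.

```python
import re
from collections import defaultdict

# Constructed sample telemetry as (timestamp seconds, host, event kind, detail);
# not taken from the report or from any real capture.
SAMPLE_EVENTS = [
    (100, "ws-01", "proc", "bcdedit /set {default} recoveryenabled no"),
    (101, "ws-01", "proc", 'netsh interface set interface "Ethernet" admin=disable'),
    (102, "ws-01", "proc", "net user alice Xy12!abc"),
    (102, "ws-01", "proc", "net user bob Xy12!abc"),
    (103, "ws-01", "file", r"C:\Users\alice\AppData\Local\Temp\Meteor\update.bat"),
    (104, "ws-01", "proc", "taskkill /f /im explorer.exe"),
    (500, "ws-02", "proc", "netsh interface show interface"),  # routine admin use
    (501, "ws-02", "proc", "net user carol /add"),  # account creation, not a reset
    (900, "ws-03", "file", r"D:\staging\Chaplin.exe"),
]

# Command-line rules for the behaviours in the Meteor feature list; the exact
# command patterns are assumed typical implementations, not data from the page.
PROC_RULES = [
    ("T1490", "recovery disabled", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("feat", "network interface disabled",
     re.compile(r"netsh\s+interface\s+set\s+interface.*admin\s*=\s*disable", re.I)),
    ("T1531", "user password changed", re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.I)),
    ("T1531", "session logged off", re.compile(r"\blogoff\b|shutdown\s+/l\b", re.I)),
    ("T1489", "process forcibly terminated", re.compile(r"taskkill\s+/f\b", re.I)),
]
# File-path rules for the named IoA/IoC on the page.
FILE_RULES = [
    ("IoA", "file named Chaplin", re.compile(r"[\\/]chaplin[^\\/]*$", re.I)),
    ("IoC", "Meteor staging directory under %temp%",
     re.compile(r"[\\/]temp[\\/]meteor[\\/]", re.I)),
]


def score_hosts(events, window=60, min_behaviours=3):
    """Return {host: (flagged, reasons)}. A host is flagged when a named IoA/IoC
    file appears, or when at least `min_behaviours` distinct wiper behaviours
    fire within `window` seconds of each other."""
    hits = defaultdict(list)
    for ts, host, kind, detail in events:
        host_hits = hits[host]  # also registers hosts that never match
        for tag, label, rx in (PROC_RULES if kind == "proc" else FILE_RULES):
            if rx.search(detail):
                host_hits.append((ts, tag, label))
    verdicts = {}
    for host, host_hits in hits.items():
        reasons = sorted({label for _, _, label in host_hits})
        named = any(tag in ("IoA", "IoC") for _, tag, _ in host_hits)
        burst = max((len({lab for t, _, lab in host_hits if ts <= t <= ts + window})
                     for ts, _, _ in host_hits), default=0)
        verdicts[host] = (named or burst >= min_behaviours, reasons)
    return verdicts


if __name__ == "__main__":
    for host, (flagged, reasons) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {'ALERT' if flagged else 'ok'} {reasons}")
```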

COUNTERMEASURES

Based on the evidence presented in the report, some recommendations and countermeasures are formulated to minimize or contain damage coming from the actor described here or from any emulator groups.

Given the lack of detailed information on the compromises, since the affected Iranian entities have not disclosed any, some general considerations are presented here aimed at reducing the impact of “wiper” malware such as Meteor and of other tools used in cyber warfare and cyber-espionage contexts, such as InfoStealers and SpyWare. Furthermore, considering that the Threat Actor published on its Telegram channel a list of CVEs with links to the related Proofs of Concept, stating that these are still working exploits, it can be assumed that Predatory Sparrow also uses exposed and vulnerable applications as an initial access vector; recommendations to protect the exposed attack surface are therefore also provided.

In order to contain the propagation of a wiper within the network, it is advisable to adopt rigid segmentation that separates OT networks from IT, also through the use of Zero Trust architectures and strict access control.

At the same time, separate, air-gapped backups, combined with recovery and disaster recovery plans, allow normal operations to be restored in the event of a compromise.

Patching, closing unnecessary ports exposed to the Internet and disabling unnecessary services are also useful measures to reduce the attack surface and minimize the risk arising from exposed applications.

ICS/SCADA honeypots also make it possible to detect anomalies and intrusions before malicious actors reach areas critical to industrial operations.

Threat or vector: Meteor malware (strain)
  • Key countermeasure: OT network isolation, presence of EDR, immutable backups stored offline
  • Expected impact: Reduction of sabotage risk, containment of infection, recovery in case of attack

Threat or vector: C2 communication
  • Key countermeasure: Firewalling and deep packet inspection
  • Expected impact: C2 communication interruption

Threat or vector: Social Engineering
  • Key countermeasure: Staff training, awareness culture and cyber hygiene
  • Expected impact: Reduction of risk associated with phishing

Threat or vector: Exploit Public-Facing Application
  • Key countermeasure: Patch management, secure configuration, least privilege policy, WAF implementation, disabling unnecessary services
  • Expected impact: Reduction of the attack surface, reduction of exploitable vulnerabilities, reduction of the risk of unauthorized access

Threat or vector: InfoStealer, SpyWare, cyber espionage tools
  • Key countermeasure: EDR, network segmentation, vulnerability patching, access control policies, data encryption, DLP, deception honeypot deployment
  • Expected impact: Reduction of the risk of sensitive data exfiltration

Last Updated: June 20, 2025

Primary Sources and Databases

  • Malpedia Threat Actor Database: https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow
