ICNA

Iranian Cyber News Agency

گنجشک درنده

Predatory Sparrow


List of names used by industry:

  • Predatory Sparrow (Gonjeshkeh Darande)
  • “Charming Kitten’s rogue cousin”

Date founded:

July 2021 (though some attacks as early as 2019 have been attributed to them)

Affiliation:

  • Claims to be a group of Iranian anti-regime hacktivists.
  • Widely assessed to be operated or sponsored by the Israeli government/military.

Social media handles/websites:

  • Telegram – @PredatorySparrowIL
  • X – Previously had a Twitter/X account, but it is no longer identifiable.

Previous operations:

  • 2019-2020 – The group has been linked to some early attacks targeting Syrian entities, including Alfadelex Trading and Cham Wings Airlines.
  • July 2021 – Cyberattack targeting Iranian transit systems (which disrupted Iranian train services) using the “Meteor” three-stage wiper malware. Rail monitors displaying train schedules said all trains were delayed or cancelled. The displays also included the phone number of the Supreme Leader’s office, as if suggesting that passengers call Khamenei for updates. They also targeted the website of Iran’s Ministry of Road and Transport. The group stated that the hack was intended to “express our disgust at the abuses and cruelty inflicted by the government on the Iranian nation.”
  • October 2021 – Cyberattack on the Iranian national fuel payment systems that disabled the ability of nearly 4000 of the country’s petrol stations to process payments. They also defaced digital billboards to display messages critical of the Iranian Supreme Leader. The group warned Iran’s emergency services in advance of the activity, as the attack caused widespread chaos. Disruption lasted for days as the queues for fuel grew.
  • 27 June 2022 – Compromised the industrial control systems at an Iranian steel mill (Khouzestan Steel Company). The group used their access to the Human-Machine Interface (HMI) to bypass a “degassing” step in the steel refining process that removes gases trapped in the molten steel; this caused a large vat of molten steel to overflow, resulting in a fire at the facility. There was damage to the steel mill but no one was hurt. Videos and CCTV footage of the incident were posted on X by witnesses and by the hackers. Multiple reports state that the group worked hard to ensure the factory floor was empty before launching the attack. A week later, the group posted tens of thousands of stolen emails from the mill and 2 other factories. The exposed emails highlighted links to the Iranian military. All 3 facilities have faced Western sanctions.
  • 2023 – A variety of “unattributed anomalies” were detected across several defence-related networks. Many of these match the group’s previous early indicators of compromise (IOCs).
  • 18 December 2023 – Another attack on the Iranian fuel systems using similar TTPs to the incident in Autumn 2021. The group claimed the attack was in response to “the aggression of the Islamic Republic and its proxies in the region.” Iran’s Oil Minister confirmed that roughly 70% of the petrol stations in the country were affected. The attack appeared to be retaliation for CyberAv3ngers’ attack on water utilities in the US, which included anti-Israeli messaging.
  • Early 2025 – The group leaked a variety of internal databases and confidential documents from sensitive government ministries and from data centres within Iran’s law enforcement, including Rahvar Police operational records and citizen surveillance data.
  • 17 June 2025 – Shortly after Israeli airstrikes, the group targeted Iran’s state-owned Bank Sepah and disrupted banking services. They claimed to have destroyed data belonging to the bank and accused the bank of funding Iran’s military. This attack led to banking and ATM services going offline.
  • 18 June 2025 – The group claimed responsibility for an attack on the Iranian cryptocurrency exchange Nobitex. They stole $90 million in crypto assets and then destroyed the funds by sending them to inaccessible cryptocurrency addresses. The Nobitex exchange source code was also leaked. The group claimed that Nobitex had helped the Iranian government to evade sanctions and finance terrorist operations.

Tactics/techniques/tradecraft/procedures (TTPs):

  • Physical damage to infrastructure through compromise of Industrial Control Systems and SCADA systems
  • Defacement of media (including websites and digital billboards)
  • Data compromise (theft/destruction)
  • Operational equipment paralysis
  • Provocative public messaging
  • Cryptocurrency theft

Technical details:

  • Custom “Meteor” wiper malware that uses encrypted config files and multi-stage batch script execution.
  • Use of hostname verification against specific servers to ensure correct targeting (which points to significant reconnaissance conducted prior to attacks).
  • Leverages Windows Task Scheduler to deploy the wiper payload.
  • Defensive evasion techniques including clearing Windows Event Logs through wevtutil commands targeting the Security, System and Application logs.
  • XOR-based encryption for its config files (msconf.conf) and log files.
  • Leverages the bcd.bat script to manipulate boot configuration data and removes volume shadow copies to ensure complete destruction of the system.
  • Focus on causing irreversible damage rather than data exfiltration.
  • When targeting Nobitex, the group generated vanity addresses through brute-force methods (essentially creating large numbers of cryptographic key pairs until one yields an address containing the desired text).
  • It is computationally infeasible to ever access the wallets to which the cryptocurrency was sent.
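The wiper behaviours listed above (clearing the Security, System and Application event logs with wevtutil, removing volume shadow copies, tampering with boot configuration data, and staging batch scripts through the Task Scheduler) are individually common in legitimate administration but rarely occur together on one host within minutes. The following detection sketch is an added example and is not code from the original page or from any vendor; it classifies process command lines against those behaviours and only alerts when several distinct ones cluster in a short window. The sample telemetry is constructed, and the exact command lines (vssadmin, bcdedit, schtasks, cmd /c) are assumptions about how such behaviours appear in endpoint logs, not indicators taken from Meteor samples.

```python
"""Correlate wiper-style behaviours across process-creation telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (tag, regex over the process command line). The commands are
# standard Windows tools; matching them is an assumption about how the
# behaviours described on the page show up in endpoint logs.
RULES = [
    ("log_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I)),
    ("shadow_delete",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("boot_tamper",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("task_stage",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("batch_stage",
     re.compile(r"\bcmd(\.exe)?\s+/c\s+\S*\.bat\b", re.I)),
]


def classify(cmdline):
    """Return the set of behaviour tags whose rule matches the command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def correlate(events, window=timedelta(minutes=10), min_tags=2):
    """events: iterable of (timestamp, host, cmdline).

    Returns {host: sorted list of tags} for every host on which at least
    `min_tags` distinct behaviours were seen within `window` of each other.
    A single behaviour (e.g. a backup job pruning shadow copies) never alerts.
    """
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        tags = classify(cmd)
        if tags:
            by_host[host].append((ts, tags))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, tags in hits[i:]:
                if ts - start > window:
                    break
                seen |= tags
            if len(seen) >= min_tags:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample telemetry (timestamp, host, command line); not real logs.
T0 = datetime(2021, 7, 9, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "WS-OPS-01", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (T0 + timedelta(minutes=1), "WS-OPS-01",
     r'schtasks /create /tn "mstask" /tr C:\ProgramData\update.bat /sc once /st 12:05'),
    (T0 + timedelta(minutes=5), "WS-OPS-01", r"cmd.exe /c C:\ProgramData\bcd.bat"),
    (T0 + timedelta(minutes=5, seconds=2), "WS-OPS-01", r"bcdedit /set {default} recoveryenabled no"),
    (T0 + timedelta(minutes=5, seconds=4), "WS-OPS-01", r"vssadmin delete shadows /all /quiet"),
    (T0 + timedelta(minutes=6), "WS-OPS-01", r"wevtutil cl Security"),
    (T0 + timedelta(minutes=6, seconds=1), "WS-OPS-01", r"wevtutil cl System"),
    (T0 + timedelta(minutes=6, seconds=2), "WS-OPS-01", r"wevtutil cl Application"),
    # Routine backup maintenance on another host: one behaviour alone is not an alert.
    (T0 + timedelta(hours=2), "SRV-BACKUP-02", r"vssadmin delete shadows /for=D: /oldest"),
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

The correlation step is what keeps this usable: each rule on its own would page an analyst every time a backup job prunes shadow copies or an administrator clears a log, whereas the combination described on the page (log clearing plus shadow-copy removal plus boot tampering, all staged through scheduled batch scripts) is a strong signal that a wiper is running and that the window to isolate the host is closing.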

People of interest that have been doxxed online or sanctioned:

  • No leaked individuals

Sources:

@PredatorySparrowIL

bbc.com/news/technology-62072480

bbc.com/news/word-middle-east-59062907
