Predatory Sparrow, a cyber-sabotage group widely believed to be affiliated with Israel, continues to escalate its highly disruptive operations targeting Iran’s critical infrastructure, financial systems, and governmental institutions.
The group’s sophisticated campaigns, marked by deliberate data destruction and provocative public messaging, demonstrate advanced capabilities to inflict substantial operational damage across diverse sectors of Iran’s national infrastructure.
Escalating Financial and Infrastructure Attacks
The threat actor has established a pattern of high-impact attacks since emerging in 2019, progressively expanding its operational reach and technical sophistication. Most recently, in June 2025, Predatory Sparrow claimed responsibility for erasing Bank Sepah’s data and disrupting its services.
The following day the group hit the Nobitex cryptocurrency exchange and drained roughly $90 million in cryptocurrency, sending it to vanity addresses for which no private key exists. The funds were not stolen for profit; they were put permanently out of reach, which makes the operation destruction rather than theft.
The attackers also published Nobitex's source code, infrastructure documentation and internal research and development material, exposing the exchange's architecture and any weaknesses in it to anyone who cares to read the dump.
Multi-Stage Malware and Technical Sophistication
Predatory Sparrow's tradecraft shows considerable depth in how payloads are staged and executed. The group deploys multi-stage chains built from native Windows batch scripts and Visual Basic script droppers, so the early stages run on tooling already present on the host and blend in with routine administration activity.
In the attacks on Iranian Railways the group used the "Meteor" wiper, whose configuration is stored XOR-obfuscated on disk. XOR is reversible obfuscation, not encryption: the key has to be available to the loader that reads the config, so an analyst holding the dropped files (or a good guess at the first few plaintext bytes) can recover the settings. The technique buys evasion of signature and string matching, not secrecy.
The wiper is launched by scheduled tasks set to fire at a fixed clock time, so that every compromised host detonates together and the outage lands across the network at once.
Its reconnaissance script enumerates hosts and selects targets by system type, and it deliberately excludes Passenger Information System machines from wiping. Those displays stay up so that the group's message remains visible to the public after everything behind them has been destroyed.
Defense Evasion and Forensic Destruction
Predatory Sparrow pairs its payloads with defense-evasion and anti-forensic steps that hinder detection, delay forensic reconstruction and block recovery.
Before executing the wiper the group checks for and disables Kaspersky antivirus, and it adds its working files and paths to the Windows Defender exclusion list so the payload is never scanned.
After wiping, it clears Windows event logs with the wevtutil command-line utility and tampers with the boot configuration through BCDEdit, which strips the intrusion's log trail and leaves the machine unable to boot or self-repair.
It also deletes volume shadow copies with vssadmin and WMIC so the wiped data cannot be restored from local snapshots. Every one of these commands is a high-fidelity detection opportunity: almost no legitimate workflow clears logs, edits the boot store and deletes shadow copies on a workstation within the same few minutes.
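Those commands are easy to hunt for in process-creation telemetry (Sysmon event 1, Security event 4688 with command-line logging). The following is an added example for this article, not a detection from any vendor or from the Predatory Sparrow reporting: a rule set that maps the behaviours described above (script droppers, a once-only scheduled task at a fixed time, Defender exclusions, log clearing, BCDEdit changes, shadow-copy deletion) onto command-line patterns and escalates only when several distinct techniques appear on one host. How the group disables Kaspersky is not stated in the article; the `av_tamper` rule assumes a process kill or service stop of Kaspersky's `avp` component. All events are constructed, and the file and task names in them are placeholders.

```python
"""Flag wiper pre-staging in Windows process-creation command lines.

Added example for this article, not a vendor detection or anything from the
Predatory Sparrow reporting. Events below are constructed; file and task names
are placeholders. The av_tamper rule's avp target is an assumption.
"""
import re
from collections import defaultdict

RULES = [
    ("script_dropper",       # batch or VBScript stage launched from a script host
     re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\b.*\.vbs\b"
                r"|\bcmd(?:\.exe)?\s+/c\s+.*\.bat\b", re.I)),
    ("timed_task",           # task fires once at a fixed clock time
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\s/sc\s+once\b"
                r".*\s/st\s+\d{2}:\d{2}", re.I)),
    ("defender_exclusion",   # cmdlet vs registry mechanism is an assumption
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b"
                r"|Windows Defender\\Exclusions", re.I)),
    ("av_tamper",            # assumption: Kaspersky stopped/killed via avp
     re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+\S*avp"
                r"|\btaskkill(?:\.exe)?\b.*\bavp(?:\.exe)?\b", re.I)),
    ("log_clear",            # wevtutil cl / clear-log, not wevtutil qe
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("boot_config",          # article gives no exact bcdedit arguments
     re.compile(r"\bbcdedit(?:\.exe)?\s+/(?:set|deletevalue)\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Constructed process-creation events (host + command line only).
EVENTS = [
    {"host": "OPS-01", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "OPS-01", "cmd": r"cmd.exe /c C:\Users\Public\stage1.bat"},
    {"host": "OPS-01", "cmd": r"wscript.exe C:\Users\Public\loader.vbs"},
    {"host": "OPS-01", "cmd": r'schtasks.exe /create /tn "SysUpdate" '
                              r'/tr "C:\Users\Public\runme.bat" /sc once /st 06:00 /ru SYSTEM'},
    {"host": "OPS-01", "cmd": r"powershell.exe -NoProfile -Command "
                              r"Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"host": "OPS-01", "cmd": r"taskkill.exe /f /im avp.exe"},
    {"host": "OPS-01", "cmd": r"wevtutil.exe cl System"},
    {"host": "OPS-01", "cmd": r"bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "OPS-01", "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "OPS-01", "cmd": r"wmic.exe shadowcopy delete"},
    {"host": "OPS-01", "cmd": r"wevtutil.exe qe Security /c:5"},       # a query, benign
    {"host": "BACKUP-02", "cmd": r"vssadmin.exe delete shadows /for=D: /oldest"},  # lone hit
]


def scan(events):
    """Return one (host, rule, cmd) hit per matching rule per event."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
    return hits


def by_host(hits):
    """Distinct techniques seen per host, sorted for stable comparison."""
    seen = defaultdict(set)
    for host, name, _ in hits:
        seen[host].add(name)
    return {host: sorted(names) for host, names in seen.items()}


def escalate(techniques_by_host, min_rules=3):
    """One shadow-copy deletion may be backup admin; several distinct
    techniques on the same host is wiper staging and should page someone."""
    return sorted(host for host, names in techniques_by_host.items()
                  if len(names) >= min_rules)


if __name__ == "__main__":
    techniques = by_host(scan(EVENTS))
    for host, names in techniques.items():
        print(host, names)
    print("escalate:", escalate(techniques))
```

The per-host threshold is the important design choice: each rule on its own will fire on backup jobs, imaging scripts and help-desk cleanups, but the combination of log clearing, boot-store edits and snapshot deletion on one endpoint has almost no benign explanation. Tune `min_rules` down to 2 for servers where none of these commands should ever run.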
These escalating operations underscore Predatory Sparrow’s evolution into a sophisticated cyber-sabotage apparatus capable of inflicting sustained damage across multiple critical infrastructure sectors simultaneously.