The Hacktivist Cyber Attacks in the Iran-Israel Conflict


June 26, 2025 | NSFOCUS

Overview of the current cyber attacks in the Iran-Israel conflict

The geopolitical confrontation between Iran and Israel has a long history, and in recent years the competition between the two countries in the military, nuclear energy and diplomatic fields has escalated. On June 13, 2025, the IDF launched a large-scale military operation against Iran. Alongside Israeli air strikes on Iran’s nuclear facilities and military sites and Iranian missile salvos, the pro-Israel hacker group “Predatory Sparrow” launched a cyber attack on Iran’s Sepah Bank. The conflict between Iran and Israel has rapidly expanded into cyberspace, and a covert cyber war is quietly opening.

According to NSFOCUS Fuying Lab, hacker groups have launched cyber attacks against Iran and Israel continuously since the start of 2025. On June 10, 2025, three days before the IDF launched a large-scale strike on dozens of nuclear facilities, military bases and key infrastructure in Iran and targeted several senior commanders, cyber attacks against Iran peaked. These attacks covered multiple key areas such as financial services, media production, and the Internet and telecommunications sectors. The timing points to reconnaissance and preparatory attacks ahead of the large-scale military operations.

The pro-Iranian hacker groups’ attacks on Israel peaked on June 16, the day after the Israeli military’s “massive strike” against multiple Iranian weapons production sites, including surface-to-surface missile production sites, detection radar bases and surface-to-air missile launchers in Tehran. The targets were concentrated in the Israeli government and public sector, national defense, aerospace, education and other industries. In terms of timing, the surge in cyber attacks by pro-Iranian hacker groups on Israel followed the IDF’s large-scale military operations against Iran. This series of attacks strongly suggests an Iranian “cyber counterattack” against Israel.

Hacktivism surges in Iran-Israel conflict

According to NSFOCUS Fuying Lab, hacker groups targeting Israel and Iran have been active since 2025. Up to now, there are about 170 hacker groups attacking Israel, with about 1,345 cyber attacks on Israel, including about 447 cyber attacks launched against Israel after the conflict broke out. The number of hacker groups attacking Iran reached about 55, and the number of cyber attacks on Iran reached about 155, of which about 20 were launched against Iran after the conflict broke out. Some of the hacker groups we have monitored since the outbreak of the Iran-Israel conflict are shown in the figure below:

Since the outbreak of the Iran-Israel conflict, 37% of all hacker group cyberattack activities monitored by NSFOCUS have targeted Israel, ranking the first among global hacker group cyberattack targets. The specific distribution of global hacker group attack targets in the conflict is shown in the figure below:

From the data on hacker groups’ cyber attack activities, it can be seen that since the outbreak of the Iran-Israel conflict, the number of cyber attacks against Iran has been declining, while the number of cyber attacks against Israel has surged. In particular, hacker groups frequently issue cyber attack statements against Israel. The attack activities reached a peak on June 16, when there were 63 cyber attack activities against Israel, as shown in the figure below:

Since the beginning of the Iran-Israel conflict, among the hacker groups we have monitored, those that are more active in cyber attacks against Israel are “Mr Hamza”, “TEAM FEARLESS” and “Arabian Ghosts”. The distribution of cyber attacks against Israel by organizations is shown in the figure below:

Since the outbreak of the Iran-Israel conflict, the top 5 industries attacked in Israel are: government and public sector, defense and aerospace, Internet and information technology services, network and telecommunications sectors, and educational institutions.

Since the outbreak of the Iran-Israel conflict, among the hacker groups we have monitored, those that are more active in cyber attacks against Iran are “Islamic Hacker Army”, “Unknowns cyber team” and “Gonjeshke Darande (Predatory Sparrow)”. The distribution of cyber attacks against Iran by organizations is shown in the figure below:

Since the outbreak of the Iran-Israel conflict, the top 5 industries attacked in Iran are: government and public sector, financial services sector, media production, religious institutions, network and telecommunications.

Representative hacker groups in the Iran-Israel conflict

The representative pro-Israel hacker group “Predatory Sparrow”

Predatory Sparrow, also known as Gonjeshke Darande, is considered the successor to the INDRA group because of the similar malware code it uses.

The group uses unique cyber attack methods against Iran’s critical infrastructure, with the goal of undermining Iran’s social stability and economic development. “Predatory Sparrow” has not only caused huge losses to Iran in past cyber attacks, but has also attracted widespread attention from the international community. For example, the group has damaged important infrastructure such as Iran’s railway system, steel plants and gas stations. This is one of the rare cases of physical damage achieved through cyber attacks since the “Stuxnet” incident and has attracted much attention.

After breaching the target network, Predatory Sparrow performs a series of malicious operations according to a set playbook, including target screening, malicious file downloading, tool extraction, network disconnection, anti-virus detection, data erasure, trace removal and main payload delivery.

  1. During target screening and malicious file downloading, the group downloads malicious files from remote hosts to the local computer. In this process, it screens targets based on host names and performs different malicious operations against different targets. This shows that the attacker has prior knowledge of, and has researched, the victim’s network environment.
  2. In the anti-virus detection phase, the group first disconnects infected devices from the network to prevent the spread of viruses. It then checks whether Kaspersky Antivirus is installed on the device; if it is, the attacker immediately exits to avoid detection. Finally, the attacker adds all files and folders related to the attack activity to the Windows Defender exclusion list to evade detection by antivirus software.
  3. For data erasure, the group has carefully designed at least three different wipers, namely Meteor, Stardust and Comet. These wipers delete files by traversing the file system, while also deleting shadow copies and removing computers from the domain to make remote recovery more difficult.
  4. To remove traces, it uses a unique method: it breaks the event log startup function of the victim’s host by pointing the boot loader to a non-existent hard disk partition, then uses local commands to clear the security, system and application event logs to cover its tracks.
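From a detection standpoint, the stages above leave host-side telemetry that can be correlated. The following Python is an added example (not NSFOCUS code or tooling) that scores each host against three of those stages: a Windows Defender exclusion being added (Defender operational log event 5007), shadow copy deletion seen in a Sysmon process-creation event, and Security/System log clearing (events 1102 and 104). Hostnames, timestamps and event messages are constructed samples.

```python
# Added example: correlate constructed Windows host events against the stages
# described above. Hosts, timestamps and messages are all constructed samples.
import re
from collections import defaultdict

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SYSMON = "Microsoft-Windows-Sysmon/Operational"
# (host, epoch seconds, channel, event id, message)
SAMPLE_EVENTS = [
    ("ws-fin-01", 1000, DEFENDER, 5007, "Configuration changed. New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\stage = 0x0"),
    ("ws-fin-01", 1040, SYSMON, 1, "Process Create: CommandLine: vssadmin.exe delete shadows /all /quiet"),
    ("ws-fin-01", 1100, "Security", 1102, "The audit log was cleared."),
    ("ws-fin-01", 1101, "System", 104, "The System log file was cleared."),
    # Noise: a Defender change that is not an exclusion, and an isolated log clear a day later
    ("ws-hr-07", 2000, DEFENDER, 5007, "Configuration changed. New value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\Setting = 0x0"),
    ("ws-hr-07", 90000, "Security", 1102, "The audit log was cleared."),
]
# Chain stages: (stage name, channel, event id, message pattern)
STAGES = [
    ("defender_exclusion_added", DEFENDER, 5007, re.compile(r"Exclusions\\(Paths|Processes|Extensions)", re.I)),
    ("shadow_copies_deleted", SYSMON, 1, re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_logs_cleared", "Security", 1102, re.compile(r"cleared", re.I)),
    ("event_logs_cleared", "System", 104, re.compile(r"cleared", re.I)),
]

def classify(event):
    # Map one event to a chain stage name, or None if it matches no stage.
    _host, _ts, channel, eid, msg = event
    for name, ch, wanted_id, pat in STAGES:
        if channel == ch and eid == wanted_id and pat.search(msg):
            return name
    return None

def correlate(events, window=3600, min_stages=2):
    # {host: sorted stages} for hosts with >= min_stages distinct stages inside `window` seconds.
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):
        stage = classify(ev)
        if stage:
            per_host[ev[0]].append((ev[1], stage))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Requiring two distinct stages inside the window is what keeps the isolated log clear on ws-hr-07 from alerting; tune `window` and `min_stages` to the noise level of the environment.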

Pro-Iranian representative hacker group “Mr Hamza”

Mr Hamza is a hacker group that has been active since May 2024. The group claims to defend the interests of the Kingdom of Morocco and Islamic countries and is suspected to have originated in Morocco.

Mr Hamza uses DDoS attacks, website intrusions and information leaks as its main attack methods to launch cyber attacks against government agencies, financial institutions and media platforms in Israel, France, Algeria, Spain, the United States and other countries. The group posted attack statements on Telegram, emphasizing political and ideological motivations, claiming support for Morocco and Islamic countries and opposing the policies of specific countries, often written in English and Arabic. Its actions involve disrupting government websites, banking systems and news platforms, and expanding its influence by constantly recruiting new members. Since the outbreak of the Iran-Israel conflict, Mr Hamza has not only launched cyber attacks against Israel, but also extended some of its targets to countries such as the United States, Britain, Germany and France, as shown in the figure below:

Mr Hamza mainly carries out DDoS attacks through cooperation with Rebirth Botnet, Cypherr Botnet, Crtz Botnet, EliteBotnet, Maple Botnet, Kaiten Botnet, Element Botnet, Blank Botnet, Blaze Botnet, etc. The specific cooperation Botnet information is shown in the following table:

Representative cyberattacks in the Iran-Israel conflict

Representative pro-Israel cyberattacks

Israel has always been one of the countries with strong cyber attack capabilities, and it has launched many well-known cyber attacks against Iran in the past. One famous example is the development of the Stuxnet virus that destroyed Iran’s uranium centrifuges in 2010. In this Iran-Israel conflict, although the scale and number of attacks by pro-Israel hacker groups are relatively small, their cyber attacks on Iran have had significant effects and a wide range of influence. The cyber attacks were small in scale but well-organized. For example, around June 17, 2025, the pro-Israel hacker group “Predatory Sparrow” launched a cyber attack on Iran’s Sepah Bank. The group claimed to have “destroyed all the bank’s data,” resulting in the closure of multiple branches and customers being unable to access their accounts.

Statement of Predatory Sparrow attacking Sepah Bank

Just one day after the bank was hacked, “Predatory Sparrow” launched an attack on Nobitex, Iran’s largest cryptocurrency exchange, stealing and destroying more than $90 million in cryptocurrency assets while exposing the source code that the exchange had protected for many years. The attack is an escalation of the long-standing cyber war between Israel and Iran, against the backdrop of Israeli air strikes on Iranian nuclear facilities and missile bases and Iran’s missile counterattacks against Israel. The Central Bank of Iran subsequently strengthened security measures for domestic cryptocurrency platforms.

Predatory Sparrow reveals Nobitex data

Representative pro-Iran cyberattacks

In this Iran-Israel conflict, the hacker groups supporting Iran are relatively numerous and their cyber attacks on Israel are relatively active. However, compared with the effectiveness of the representative pro-Israel hacker groups’ attacks on Iran, the pro-Iranian hacker groups’ cyber attacks on Israel have had little impact so far. The cyber attacks were large in scale but weak in effect. Their representative cyber attacks are mainly DDoS attacks by active hacker groups such as “Mr Hamza”, “TEAM FEARLESS” and “Arabian Ghosts”.

Heatmap of attacks by pro-Iranian hacker groups since the Iran-Israel conflict

It is reported that Iran will only use its destructive cyber weapons if the conflict does not escalate further. However, Iran’s military counterattack capabilities have been weakened by the Israeli attack, which killed several senior commanders and damaged bases. The possibility of Iranian retaliation in cyberspace is therefore greater than ever before, and cyber attacks are very likely to be used as an asymmetric alternative to conventional warfare.

NSFOCUS Insight

In the ongoing international turmoil such as the Russia-Ukraine conflict, India-Pakistan conflict and Iran-Israel conflict, geopolitics is profoundly reshaping the global cybersecurity landscape. Hacker groups have gradually evolved into “non-traditional agents” between countries. The increasingly fierce cyber conflict between Israel and Iran shows that cyberspace has become a new frontier for national confrontation.

Although these hacker groups appear to have vague identities and decentralized operations, their attack behaviors are often highly consistent with the national conflict background and geopolitical stance, showing consistent goals and synchronized rhythms. Their fuzzy attribution and clear motivation put higher demands on the traditional defense system.

This reminds us that responding to cyber threats cannot focus only on national APT groups; it also requires close attention to “civilian” hacker forces with political intentions. Especially at sensitive times such as elections, diplomatic negotiations and military conflicts, key infrastructure such as energy, finance and telecommunications becomes a priority target, and the potential destructive power is enough to trigger a secondary national crisis. Cybersecurity strategies must move from single-point defense to strategic-level response and establish an overall security framework of cross-departmental coordination, early warning and prediction, and joint defense, so that countries can respond flexibly in the complex and changing era of cyber warfare.