profile: active (as Predatory Sparrow)
type: Hacktivism
threat_level: High
status: Active
origin: Unknown — anti-Iranian regime
last_updated: 2026-03-27

Indra

predecessor / successor: Predatory Sparrow (successor persona); Gonjeshke Darande (Persian name); Israel-linked (widely assessed)

The predecessor persona to Predatory Sparrow — an anti-Iranian regime hacktivist group that built the operational playbook of wiper malware against Iranian and IRGC-affiliated targets, beginning with Syrian airline and company targets in 2019–2020 before pivoting to Iran itself. The July 2021 Iranian railway attack displayed train delay messages directing furious passengers to call the Iranian Supreme Leader's personal office number — a hallmark of the group's approach of combining operational disruption with political humiliation. Check Point Research attributed the railway attack to Indra through tool overlap with the earlier Syria campaigns; the group did not publicly claim the Iran attacks, preserving deniability while the infrastructure and malware connected it unambiguously. As Predatory Sparrow, the same operational capability has since expanded to Iranian steel mills, gas station networks, and state broadcaster IRIB.

attributed state link: Israel (widely assessed — no public confirmation)
check point attribution: Indra — likely not a nation-state actor (2021)
first documented activity: September 2019 — Alfadelex Trading, Syria
primary motivation: Anti-Iranian regime; anti-IRGC / Quds Force
wiper variants developed: 3 — Meteor, Stardust, Comet (Indra era)
railway attack (Jul 2021): Iran national rail + Ministry of Roads — Meteor wiper
public attribution behavior: Claimed Syria attacks; did NOT claim Iran attacks (deniability)
successor identity: Predatory Sparrow / Gonjeshke Darande (2021+)
sanctioned targets hit: Katerji Group and Arfada Petroleum — both on US sanctions list

Overview

Indra operated publicly as an anti-Iranian regime hacktivist group from at least September 2019, maintaining social media accounts on Twitter, Facebook, Telegram, and YouTube where it took explicit responsibility for attacks on Syrian companies it characterized as cooperating with the Iranian regime, specifically with the Quds Force and Hezbollah. The group's stated objective — "aiming to bring a stop to the horrors of QF and its murderous proxies in the region" — positioned it as targeting the IRGC's financial and logistical networks operating through Syrian business entities rather than Iranian state infrastructure directly.

Check Point Research's August 2021 report established the technical connection between Indra's acknowledged Syria campaigns and the July 2021 Iranian railway attack. The railway attack introduced a new, more capable wiper called Meteor — the culmination of two years of wiper development through Stardust and Comet. Check Point noted that Indra chose not to publicly claim the Iran attacks, in contrast to its open acknowledgment of the Syria operations, and assessed that this anonymity preservation was a deliberate operational security choice. The Internet, Check Point observed, does not forget: the tool overlaps between the claimed Syria attacks and the unclaimed Iran attack made attribution possible regardless of the public stance.

The attribution question is the most contested element of the Indra / Predatory Sparrow story. Check Point assessed in 2021 that it was unlikely Indra was operated by a nation-state, based on the quality of tools and modus operandi. However, the successor identity Predatory Sparrow — whose attacks on Iranian steel mills in June 2022 triggered a fire with potential for physical casualties — displays technical sophistication and strategic restraint (the BBC reported the group appeared to wait until the factory floor was empty before executing the attack) that goes significantly beyond typical hacktivist capability. Two anonymous US defense officials told the New York Times that the October 2021 Iranian fuel system attack was the work of Israel. Israeli Defense Minister Benny Gantz ordered a security investigation into media leaks confirming state affiliation. The group continues to deny state sponsorship through its Telegram channel while its operations escalate in scale and impact with each successive campaign.

Three Wiper Families — Indra Era

Indra developed and deployed three distinct wiper variants across its 2019–2021 operations. The three variants demonstrate progressive technical development, with Meteor being the most capable and complex.

Wiper Variant 1
Comet
Used in: Alfadelex Trading (Sep 2019)
The earliest documented wiper in the Indra arsenal, deployed against Alfadelex Trading in September 2019. Comet's code contains multiple occurrences of the string "INDRA" — used as the username for a newly created Administrator account during the wipe process, providing one of the direct artifact-level links between the tool and the group identity. The wallpaper set on victim machines displayed messaging blaming Katerji Group for "supporting terrorists" and "trading souls." Comet samples uploaded to VirusTotal from Syrian submitters were the initial thread that allowed Check Point to connect the Syria and Iran operations.
Wiper Variant 2
Stardust
Used in: Katerji Group / Arfada Petroleum (Feb–Apr 2020)
Deployed against the Katerji Group and its related company Arfada Petroleum — both of which appear on the US government sanctions list. Stardust uses a configuration-driven approach: the paths_to_wipe field in the configuration contains a list of target usernames, including domain administrators of the compromised companies, enabling targeted rather than indiscriminate wiping. Stardust sends Base64-encoded log files to attacker-controlled servers via HTTP POST to the data.html resource. The "INDRA" string in Stardust serves as an inert artifact (not used in execution) compared to Comet, suggesting iterative code cleanup across versions.
Wiper Variant 3
Meteor
Used in: Iranian Railways / Ministry of Roads (Jul 2021)
The most sophisticated Indra-era wiper, deployed in the Iranian railway attack. Meteor includes target filtering based on specific values related to the Iranian Passenger Information System (PIS) — confirming the Iran attack was pre-planned and targeted rather than opportunistic. The execution chain: setup.bat → update.bat → (via hardcoded password "hackemall") → cache.bat, msrun.bat, bcd.bat. cache.bat disables all network adapters. msrun.bat creates a scheduled task named "mstask" to run the wiper at 23:55:00. The wiper was renamed msapp.exe and designed to render infected machines unusable by locking them and wiping their contents. Shadow copies are removed via vssadmin.exe and wmic commands. A "Chaplin.exe" variant appeared in the 2022 steel mill attacks.

Target Logic

Indra's target selection followed a consistent progression: IRGC-affiliated financial and logistical entities in Syria first, then Iran's national infrastructure directly. The Syria targets were characterized as enablers of Iranian influence operations in the region.

  • Alfadelex Trading (Sep 2019): A currency exchange and money transfer services company located in Syria, characterized by Indra as facilitating financial flows for IRGC-aligned operations. The attack was publicly claimed on social media with proof-of-compromise imagery.
  • Cham Wings Airlines (Jan 2020): A Syrian private airline. The group claimed access to internal systems and characterized the airline as providing transportation services to IRGC-affiliated personnel. Indra claimed this hack revealed movements of IRGC General Qassim Soleimani under an alias — a claim that would have implied contribution to Soleimani's identification before his killing in a US drone strike on January 3, 2020. Scholars and analysts cast significant doubt on the validity of this specific claim, and it was not independently verified.
  • Katerji Group and Arfada Petroleum (Feb–Apr 2020): Both companies are located in Syria and both appear on the US government's sanctions list. These were the highest-value targets of the Indra Syria phase, with the Katerji Group being among the most prominent Syrian businesses linked to regime-adjacent economic networks. The attacks used Stardust with domain-administrator-level targeting.
  • Banias Oil Refinery, Syria (Nov 2020 — threat, uncertain execution): Indra threatened to attack the Syrian Banias Oil Refinery. Whether the attack was carried out is not established in public reporting.
  • Iranian Railway and Ministry of Roads and Urban Development (Jul 2021): The operational escalation from Syria-based IRGC proxies to Iranian national infrastructure. Train delay display boards across Iran showed fake delay messages directing passengers to call "64411" — the direct-line number to the Supreme Leader's office. The Ministry of Roads website was simultaneously taken down. Indra did not publicly claim this attack; subsequent Iran operations were instead claimed under the Predatory Sparrow successor identity.

Tactics, Techniques & Procedures

TTPs as documented by Check Point Research (August 2021) and subsequent Predatory Sparrow analysis. The Indra-era TTPs established the foundational operational model that Predatory Sparrow continued and expanded.

mitre id (technique): description
T1485 (Data Destruction — Wiper Deployment): All three Indra wiper variants (Comet, Stardust, Meteor) are designed to destroy data without direct means of recovery, locking users out of machines, changing passwords, and replacing wallpapers with custom attacker messages. Meteor schedules execution via a named scheduled task (mstask) at 23:55:00, enabling coordinated simultaneous detonation across compromised hosts. The wiper-first approach prioritizes destructive impact and political embarrassment over data theft or lateral persistence.
T1490 (Shadow Copy Deletion): Meteor uses both vssadmin.exe and wmic to remove all Windows volume shadow copies before executing the wipe, eliminating system restore points and complicating recovery. This dual-method shadow copy deletion — using two separate Windows utilities to ensure shadow copies are fully removed — is a documented Meteor execution step and set the pattern of maximizing recovery complexity that Predatory Sparrow later continued.
T1059.003 / T1059.005 (Windows Batch File and VBS Dropper Execution): The Syria campaigns used a VBS dropper (resolve.vbs) as the initial execution stage, extracting a password-protected RAR to a staging directory. The Iran railway attack used a chain of Windows batch files (setup.bat → update.bat → cache.bat, msrun.bat, bcd.bat). The hardcoded extraction password "hackemall" in the Iran attack batch scripts was embedded in update.bat for unpacking the subsequent stage. Batch file names were chosen to mimic legitimate Windows components (msrun.bat, mstask, msapp.exe).
T1562.001 (Antivirus Disablement): Multiple stages of the Indra attack chain attempt to disable endpoint security. The Syria Stardust attacks include specific commands for disabling the Kaspersky antivirus product — with the names of the targeted companies (Katerji Group and Arfada) embedded as parameters in the VBS commands used to disable Kaspersky. This targeted AV disablement for the specific product running on the victim network indicates prior reconnaissance of the target environment before wiper deployment.
T1592 / T1589 (Target Filtering — Passenger Information System): The Meteor wiper in the Iran railway attack includes filtering based on specific values related to the Iranian Passenger Information System (PIS). This filtering ensures the wiper executes only on systems associated with the railway passenger management infrastructure, rather than indiscriminately on all reachable systems. This selective targeting demonstrates prior reconnaissance and network familiarity with the Iranian railway's IT architecture — consistent with the Iranian media reports that the attack took place at least one month before it was detected, suggesting long-duration pre-positioned access.
T1070.001 / T1027 (Log Deletion and Configuration Encryption): Predatory Sparrow's documented operational pattern (extending the Indra playbook) includes deletion of Windows event logs and encryption of configuration files to remove forensic evidence after wiper execution. The Stardust variant sent Base64-encoded log files to attacker-controlled servers during operation. Configuration files in the Predatory Sparrow era are encrypted (T1027.013), complicating analysis of attack parameters and target scoping.
T1553.002 (Signed Binary / Administrator Account Creation): Comet uses the string "INDRA" as the username of a newly created Administrator account during the wipe process, providing elevated privileges for the destruction phase. This administrative account creation pattern — using a group-identity string as the account name — is a distinctive Indra artifact that enabled Check Point to trace tool provenance across multiple victim samples. Later operations by Predatory Sparrow involved more careful operational security with less distinctive naming patterns.
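The Meteor execution chain described in the wiper section and the TTP table above (batch dropper, scheduled task "mstask", dual shadow copy deletion, renamed wiper binary) keys on artifact names rather than sample hashes, which is what makes it usable as behavioural detection. The following is an added example written for this profile, not code from the Check Point report or from the actor: it scores each host's process-creation events against those stages. The event records are constructed, and the field names (host, cmdline) are an assumed, simplified log schema.

```python
"""Behavioural detection for the Indra / Meteor wiper execution chain.

Added example (defender tooling written for this profile, not code from the
Check Point report or from the actor). Event records below are constructed;
the (host, cmdline) layout is an assumed, simplified log schema.
"""
import re
from typing import Dict, Iterable, List, Set

# Each stage is a regex run over a lower-cased command line. Patterns key on
# the artifact names given in the profile rather than on sample hashes, so
# they survive a rebuilt binary with a new hash.
STAGES: Dict[str, "re.Pattern[str]"] = {
    "batch_dropper": re.compile(r"\b(setup|update|cache|msrun|bcd)\.bat\b"),
    "mstask_scheduled": re.compile(r"\bschtasks(\.exe)?\b.*\bmstask\b"),
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "wmic_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wiper_binary": re.compile(r"\b(msapp|chaplin)\.exe\b"),
}


def match_stages(cmdline: str) -> List[str]:
    """Names of every chain stage whose pattern matches this command line."""
    text = cmdline.lower()
    return [name for name, pattern in STAGES.items() if pattern.search(text)]


def verdict(stages: Set[str]) -> str:
    """Rate a host from the set of stages seen on it.

    'high' requires the dual shadow copy deletion plus either the mstask task
    or the wiper binary: that combination is the Meteor signature and has no
    ordinary administrative explanation. A single stage on its own (e.g. one
    vssadmin call) is only 'low', so routine admin work does not page anyone.
    """
    dual_shadow_delete = {"vssadmin_delete", "wmic_delete"} <= stages
    if dual_shadow_delete and stages & {"mstask_scheduled", "wiper_binary"}:
        return "high"
    if len(stages) >= 2:
        return "medium"
    if stages:
        return "low"
    return "none"


def analyse(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group events by host and return the stages seen and a verdict per host."""
    per_host: Dict[str, Set[str]] = {}
    for event in events:
        per_host.setdefault(event["host"], set()).update(match_stages(event["cmdline"]))
    return {host: {"stages": sorted(seen), "verdict": verdict(seen)}
            for host, seen in per_host.items()}


# Constructed process-creation events: one host showing the full chain, one
# admin listing shadow copies legitimately, one with an unrelated backup task.
SAMPLE_EVENTS = [
    {"host": "WS-PIS-07", "cmdline": r"cmd.exe /c C:\Windows\Temp\setup.bat"},
    {"host": "WS-PIS-07", "cmdline": r"cmd.exe /c C:\Windows\Temp\msrun.bat"},
    {"host": "WS-PIS-07", "cmdline": "schtasks /create /tn mstask /tr msapp.exe /st 23:55"},
    {"host": "WS-PIS-07", "cmdline": "vssadmin.exe delete shadows /all"},
    {"host": "WS-PIS-07", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-ADMIN-01", "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-HR-03", "cmdline": "schtasks /create /tn nightly-backup /tr backup.exe /st 02:00"},
]


if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        print(f"{host}: {result['verdict']:6} {result['stages']}")
```

The verdict tiers are deliberately conservative: a lone vssadmin call is common in backup tooling, so only the combination the profile documents (both shadow-copy utilities plus the task or binary) is rated high. In a real deployment the regexes would run over Sysmon event ID 1 or Windows 4688 command lines with the same logic.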

Key Operations

Syrian Company Phase — IRGC Proxy Targeting Sep 2019–Nov 2020

Four confirmed attacks against Syrian companies characterized as cooperating with the IRGC and its proxies: Alfadelex Trading (Sep 2019, currency exchange), Cham Wings Airlines (Jan 2020), Arfada Petroleum (Feb 2020), and Katerji Group (Apr 2020). Katerji Group and Arfada Petroleum both appear on the US government sanctions list. Indra publicly claimed all four operations on its social media accounts with proof-of-compromise imagery — including webcam photographs of victims watching the wiper wallpaper display on their screens, and screenshots of the attack defacement pages. All Syria-phase attacks used Comet or Stardust wiper variants. A threat against the Banias Oil Refinery was posted in November 2020 with uncertain execution.

Iranian Railway and Ministry of Roads — National Infrastructure Strike Jul 9–10, 2021

On July 9, 2021, hackers disrupted Iran's national railway system, displaying fake delay and cancellation messages across station display boards directing frustrated passengers to call "64411" — the direct phone number of Supreme Leader Khamenei's office. The attack disabled train services, and on July 10 the website of Iran's Ministry of Roads and Urban Development was taken down. Iranian cybersecurity company Amnpardaz published a brief technical analysis of the malware under the name Trojan.Win32.BreakWin. Check Point Research's subsequent analysis matched the attack tools to previous Indra Syria operations through shared tool code, upload origins, and infrastructure overlap, connecting the unattributed Iran attack to the publicly claimed Syria attacks. Indra did not claim the Iran attack. Iranian media reported the attack may have taken place at least one month before being detected — indicating pre-positioned access of significant duration. The attack is the first documented large-scale use of wiper malware against Iranian critical infrastructure by this actor cluster.

Predatory Sparrow — Iranian Fuel System Disruption Oct 2021

All gas station electronic payment systems in Iran were paralyzed for two days, preventing customers from using government-issued subsidized fuel cards. When cards were swiped, the Supreme Leader's office phone number appeared on payment screens — repeating the railway attack's political humiliation tactic. Predatory Sparrow claimed responsibility. Two anonymous US defense officials told the New York Times the attack was the work of Israel. Iranian officials attributed it to Israel and the US. The fuel system attack is distinct from the Indra-era operations in being explicitly claimed by Predatory Sparrow rather than left unclaimed.

Predatory Sparrow — Khuzestan Steel Company and Steel Mill Fire Jun 2022

Predatory Sparrow compromised industrial control systems at Iranian steel manufacturing facilities, triggering a large vat of molten steel to spill and causing a fire with significant physical damage. The BBC reported evidence suggesting the group waited until the factory floor was empty before triggering the ICS manipulation — an exercise of restraint that distinguished this from a purely destructive operation. Wired noted that several workers narrowly avoided being struck by molten metal. The attack included tens of thousands of exfiltrated emails from the steel companies intended to document their links to the Iranian military. A file named "Chaplin.exe" in this attack was identified as a variant of the Meteor wiper used in the railway attack. The steel mill attack represents the most significant physical-world consequence of the Indra / Predatory Sparrow operational series.

Indicators of Compromise

detection context

Indra / Predatory Sparrow targets are geographically concentrated — Iranian government and critical infrastructure, and IRGC-affiliated entities in Syria and the broader region. For Western organizations, the primary relevance is understanding the wiper deployment methodology that this group pioneered and that has since been adapted by other state and state-adjacent actors. The wiper chaining pattern (VBS/batch dropper → AV disable → scheduled task → wiper) and the shadow copy deletion approach (dual vssadmin + wmic) are documented in the Check Point Research report and apply to detection logic regardless of specific hash values.

indicators of compromise — technical identifiers
comet payload hash: d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e — Alfadelex campaign (Check Point)
stardust payload hash: 6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4 — Katerji campaign (Check Point)
stardust payload hash: 9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473 — Arfada campaign (Check Point)
stardust c2 exfil: HTTP POST to /data.html — Base64-encoded log files; two attacker IP addresses in configs (Check Point report)
meteor wiper filename: msapp.exe — Meteor wiper executable (Iran railway); also "Chaplin.exe" (2022 steel mill variant)
scheduled task name: mstask — created by msrun.bat; configures wiper to execute at 23:55:00
hardcoded password: "hackemall" — embedded in update.bat for unpacking second-stage scripts in Iran railway attack
admin account artifact: "INDRA" — used as username of newly created Administrator account in Comet variant
vbs dropper: resolve.vbs — initial VBS dropper used in Syria campaigns; extracts password-protected RAR to C:\Program Files\Windows NT\Accessories\
batch execution chain: setup.bat → update.bat → cache.bat + msrun.bat + bcd.bat — Iran railway execution chain; network disablement via cache.bat
shadow copy deletion: vssadmin.exe [delete shadows] AND wmic shadowcopy delete — dual-method shadow copy removal (Meteor)
full ioc reference: Check Point Research — "Indra: Hackers Behind Recent Attacks on Iran" (Aug 2021) contains complete sample hashes, C2 IPs, and YARA-compatible indicators
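The table above mixes indicator kinds (file hashes, filenames, a task name, an account name, an HTTP exfiltration pattern), and each kind is checked against a different host artifact. The following is an added example written for this profile, not code from the Check Point report or from the actor: it holds the table's indicators as typed sets and checks a host's collected artifacts against them, matching a renamed file by hash even when its name no longer matches. The artifact dictionary layout (files, scheduled_tasks, local_accounts, http) is an assumed, simplified schema, and the sample host is constructed.

```python
"""Host-artifact IoC matcher for the Indra / Predatory Sparrow indicators.

Added example, not code from the Check Point report or the actor. The
artifact layout (files, scheduled_tasks, local_accounts, http) is an assumed
schema and SAMPLE_HOST is constructed for this example.
"""
import base64
import binascii
import re
from typing import Dict, List

# SHA-256 hashes from the profile's IoC table, keyed lower-case.
SHA256_HASHES = {
    "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e": "Comet payload (Alfadelex)",
    "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4": "Stardust payload (Katerji)",
    "9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473": "Stardust payload (Arfada)",
}
# Filenames, task and account names from the table. Filenames are weak on
# their own (trivially renamed) but cheap to check alongside the hashes.
FILENAMES = {
    "msapp.exe": "Meteor wiper binary", "chaplin.exe": "Meteor variant (2022)",
    "resolve.vbs": "VBS dropper", "setup.bat": "batch chain", "update.bat": "batch chain",
    "cache.bat": "batch chain", "msrun.bat": "batch chain", "bcd.bat": "batch chain",
}
TASK_NAMES = {"mstask": "Meteor scheduled task"}
ACCOUNT_NAMES = {"indra": "Comet-created administrator account"}
EXFIL_PATH = "/data.html"   # Stardust HTTP POST resource
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body: str) -> bool:
    """True if the body is non-empty, well-formed Base64 that decodes cleanly."""
    if not body or len(body) % 4 or not _B64.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except binascii.Error:
        return False


def check_host(artifacts: Dict[str, list]) -> List[Dict[str, str]]:
    """Return one match record per artifact that hits an indicator."""
    hits: List[Dict[str, str]] = []
    for f in artifacts.get("files", []):
        digest = f.get("sha256", "").lower()
        name = f["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if digest in SHA256_HASHES:          # hash wins even if the file was renamed
            hits.append({"type": "sha256", "value": f["path"], "label": SHA256_HASHES[digest]})
        elif name in FILENAMES:
            hits.append({"type": "filename", "value": f["path"], "label": FILENAMES[name]})
    for task in artifacts.get("scheduled_tasks", []):
        if task.lower() in TASK_NAMES:
            hits.append({"type": "scheduled_task", "value": task, "label": TASK_NAMES[task.lower()]})
    for account in artifacts.get("local_accounts", []):
        if account.lower() in ACCOUNT_NAMES:
            hits.append({"type": "local_account", "value": account, "label": ACCOUNT_NAMES[account.lower()]})
    for req in artifacts.get("http", []):
        if req["method"].upper() == "POST" and req["path"] == EXFIL_PATH and looks_base64(req["body"]):
            hits.append({"type": "http_exfil", "value": req["path"], "label": "Stardust Base64 log POST"})
    return hits


# Constructed host artifacts: a renamed file whose hash still matches Comet, a
# file matching only by name, a benign binary, and one Stardust-style POST.
SAMPLE_HOST = {
    "files": [
        {"path": r"C:\Users\Public\report.exe",
         "sha256": "D71CC6337EFB5CBBB400D57C8FDEB48D7AF12A292FA87A55E8705D18B09F516E"},
        {"path": r"C:\Windows\Temp\msapp.exe", "sha256": "0" * 64},
        {"path": r"C:\Program Files\7-Zip\7z.exe", "sha256": "1" * 64},
    ],
    "scheduled_tasks": ["nightly-backup", "mstask"],
    "local_accounts": ["Administrator", "INDRA"],
    "http": [
        {"method": "POST", "path": "/data.html", "body": base64.b64encode(b"wipe log").decode()},
        {"method": "GET", "path": "/index.html", "body": ""},
    ],
}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_HOST):
        print(f"[{hit['type']}] {hit['value']} -> {hit['label']}")
```

Hashes are compared case-insensitively because collection tools differ in casing, and the filename check is only consulted when the hash is unknown, so a retooled sample with a fresh hash still surfaces by name while a renamed known sample still surfaces by hash.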

Attribution Note — Indra vs Predatory Sparrow

The Indra / Predatory Sparrow relationship is one of the most analytically interesting persona transitions in the modern hacktivist landscape. The operational pattern is: Indra conducts Syria attacks and claims them publicly, builds its wiper toolset across 2019–2020, then executes the railway attack in July 2021 without claiming it. Predatory Sparrow emerges as the claiming identity for subsequent Iran operations. Check Point Research confirmed the technical linkage through tool overlap. The group operates under its Persian name Gonjeshke Darande (Predatory Sparrow) on social media, maintaining the hacktivist presentation while the technical sophistication, target selection, and operational restraint (waiting for factory floor evacuation before triggering ICS sabotage) point toward significant state capability.

analyst note

Indra / Predatory Sparrow demonstrates the "faketivist" phenomenon at its most consequential: an operation that presents as a hacktivist collective but operates with state-grade capability, strategic restraint, and sustained access to critical infrastructure targets. The Check Point 2021 assessment that Indra was likely not a nation-state actor has not aged well against the trajectory of subsequent operations — the June 2022 molten steel spill at Iranian facilities, the precision ICS manipulation that allowed workers to evacuate before triggering physical damage, and the December 2023 gas station network disruption affecting 70% of Iran's fuel pumps all point toward capabilities and resources substantially beyond independent hacktivist groups. Two anonymous US defense officials attributed the 2021 fuel system attack to Israel; Israeli Defense Minister Benny Gantz ordered a formal investigation into the media leaks that surfaced this attribution. The group denies state sponsorship and the Israeli government has not confirmed it. What is analytically unambiguous is the operational impact: this actor cluster, whatever its actual sponsorship, pioneered the application of wiper malware to Iranian critical infrastructure and built a persistent degradation campaign against Iranian physical systems — railway, fuel, steel, broadcasting — that represents one of the most sustained documented cyber-physical interference campaigns against any country's infrastructure. The Indra name itself is not widely used for the group's current operations, but the toolset, methodology, and political logic established in the 2019–2021 Indra period remain the foundational architecture of everything Predatory Sparrow has done since.

Sources & Further Reading

— end of profile