Looking back at 2025 requires understanding it in three phases: the pre-conflict buildup, the Twelve-Day War itself, and the post-ceasefire period in which Iran retooled and expanded its operations across a much broader geographic and sectoral scope. Each phase revealed something distinct about how Iran uses cyber as an instrument of statecraft rather than a supplementary tool.
Early 2025: Buildup and Pre-Positioning
The geopolitical runway to June 2025 was months in the making. Nuclear negotiations between the Trump administration and Iran had been running since early in the year, with the White House setting a deadline that expired the day before Israel launched Operation Rising Lion. During the months of diplomatic engagement, Iranian APT groups were not idle.
OilRig (APT34) was documented conducting systematic pre-operational staging during this period — registering domains impersonating Iraqi academic institutions and fabricated UK technology companies, with SSH key reuse across hosted servers and standardized infrastructure designed to support future credential harvesting. This kind of patient, months-long infrastructure preparation before any malware deployment is characteristic of MOIS-directed operations. MuddyWater similarly demonstrated sustained targeting of Israeli organizations, with ESET documenting a campaign between September 2024 and March 2025 in which the group — likely acting as an initial access broker — deployed remote desktop tools and a custom Mimikatz loader against manufacturing-sector organizations in Israel, with harvested credentials subsequently used by Lyceum (a subgroup of OilRig) for deeper network access.
CyberAv3ngers, the IRGC-affiliated group that had already drawn a CISA advisory and U.S. Department of State Rewards for Justice offer for its targeting of water utilities and industrial control systems, continued operating against OT infrastructure in the United States and Israel. The IOControl malware family targeting industrial controllers in water treatment and fuel management systems remained an active campaign thread throughout early 2025, underscoring that Iranian ICS targeting had persisted well beyond the incidents that triggered the initial government warnings.
Concurrent with diplomatic negotiations in spring 2025, the IAEA issued a report on May 31 stating Iran had sufficient enriched uranium for nine nuclear weapons. When negotiations collapsed and Israel launched strikes on June 13, the cyber campaign that followed had clearly been in preparation long before the kinetic trigger. Iran's APT groups do not wait for diplomatic failures to begin pre-positioning — they build access on timelines that parallel any diplomatic process, ready to activate when directed.
Cotton Sandstorm (Emennet Pasargad) also sustained a pattern of operations throughout early 2025 that blended intrusion with influence. The group gained unauthorized access to a U.S.-based IPTV streaming service and used it to broadcast AI-delivered messages about the ongoing conflict in Gaza, primarily reaching audiences in the UAE. Repeated targeting of Bahraini government entities and infrastructure continued under anti-monarchy messaging, framing operations as protest against Bahrain's normalization of relations with Israel rather than as state-directed attacks. This deliberate persona management — presenting state operations as grassroots activism — became a dominant theme throughout 2025.
The Twelve-Day War: June 13–24, 2025
Operation Rising Lion began in the early hours of June 13, 2025, when Israeli forces conducted strikes on Iranian nuclear facilities, military infrastructure, and senior regime leadership, killing IRGC Chief Hossein Salami and other top commanders. What followed over twelve days was not just a conventional exchange of missiles and drone strikes — it was the most documented integration of cyber and kinetic operations in any conflict outside Ukraine.
The Israeli Cyber Campaign
From the Israeli side, cyber operations were woven into the kinetic campaign from the first hours. According to reporting that emerged in the months after the ceasefire, cyber operations disrupted mobile communications near the Supreme Leader's compound so his protection detail could not receive warnings about incoming strikes — an intelligence-enabled capability representing years of persistent access development inside Iranian infrastructure. Mossad cyber operations paralyzed Shahid Rajaee port in Bandar Abbas, disrupting logistics and supply chains at a strategically significant chokepoint.
Predatory Sparrow — a hacker group with documented links to Israeli intelligence — conducted two significant operations during the conflict. The first wiped data from Bank Sepah, one of Iran's largest state-owned banks. The second stole approximately $90 million from the Iranian cryptocurrency exchange Nobitex, with the funds burned rather than retained — a deliberate message about the capacity for economic disruption rather than profit. A widely used religious calendar application, BadeSaba, with over five million downloads, was compromised by Israeli intelligence during the strikes. The app, which tracked prayer times and requested location access, was assessed to have been compromised primarily for its intelligence value — providing user location data at scale.
Iran's Cyber Response
Iran's response in cyberspace unfolded across multiple layers simultaneously, and the scale was significant even if the operational impact was largely contained. Within 48 hours of the initial strikes, cyberattacks targeting Israel surged by an estimated 700 percent. The Israeli National Cyber Directorate's director Yossi Karadi later disclosed at the December 2025 Cyber Week conference that Iran had launched 1,200 separate information campaigns during the war — text messages and social media operations each targeting thousands of Israelis simultaneously. The campaign's stated objective was to reach every individual Israeli citizen, and according to Karadi, it came close.
Iranian state-linked actors hacked parking and road cameras across Israel to track the movements of VIPs, building targeting packages for potential assassination or disruption operations. Sensitive data was published in coordinated leak operations designed to deepen fear and amplify uncertainty. Iran's Channel 3 national television satellite stream was hijacked by Israeli cyber operations — the second such incident in recent months — while Iranian actors simultaneously attempted to compromise Israeli television and media infrastructure.
During the conflict, the head of Israel's National Cyber Directorate disclosed that Iran had used a Chilean ransomware group as a front for an operation against Israeli targets. What initially appeared to be a financially motivated ransomware attack — with a ransom demand that subsequently vanished — was revealed to be a state-directed destructive operation using a criminal front as deniable cover. This is a recurring pattern in Iranian cyber operations: state objectives are frequently pursued through criminal or hacktivist personas, complicating attribution, response, and the legal treatment of ransom demands.
The Hacktivist Mobilization
SecurityScorecard's STRIKE team analyzed over 250,000 Telegram messages from 178 Iranian proxy and hacktivist groups throughout the war, finding coordination patterns inconsistent with organic activism. The timing and targeting of attacks, the exchange of vulnerability information and attack scripts between groups, and the synchronized amplification of claimed operations all pointed to orchestration rather than spontaneous mobilization. Groups including Fatimion Cyber Team, Cyber Fattah, Cyber Islamic Resistance, and SEPAHCYBERY were among the most active, collectively generating thousands of posts per day during peak operations. SEPAHCYBERY alone made roughly 9,000 posts between June 13 and 27, primarily amplifying IRGC cyber capabilities and issuing threats against Western targets.
Within hours of the strikes beginning, roughly 120 hacktivist groups were reportedly active in response — a number that would exceed 178 by the end of the twelve-day period. Operations included DDoS attacks, website defacements, data theft and leak operations, and claimed — often unverifiable — intrusions into Israeli government, healthcare, and defense systems. The Cyber Islamic Resistance claimed to have compromised Hadassah Ein Kerem Hospital; analysis of the claim suggested it could not be independently verified, illustrating the broader credibility challenge of hacktivist claims from this period. A significant portion of claimed breaches during the war consisted of recycled data, theatrical staging, or exaggerated impact — a deliberate psychological operation tactic in which the perception of damage serves strategic purposes regardless of the technical reality.
The U.S. joined the conflict on June 22, conducting strikes on three Iranian nuclear sites in an operation designated "Midnight Hammer." Iran retaliated by firing missiles at a U.S. military base in Qatar. A ceasefire was brokered on June 24 under U.S. pressure. Within a month, the U.S. Treasury Department sanctioned six IRGC Cyber-Electronic Command officials for directing the cyber operations that had accompanied the conflict — formally confirming that groups presenting themselves as independent hacktivists had in fact been acting under state direction throughout.
Post-Ceasefire: July–December 2025
The ceasefire ended the kinetic phase but not the cyber campaign. If anything, the post-ceasefire period demonstrated that Iran's APT groups use periods of nominal calm to retool, expand targeting scope, and build access for the next escalation cycle.
MuddyWater introduced a new generation of tooling during this period. The BugSleep backdoor (also tracked as MuddyRot), documented from at least May 2024 but observed in campaigns through the post-war period, represented a shift toward more capable implants. In separate activity, the group deployed a new Android and desktop implant called DCHSpy during the June 2025 conflict itself — confirming that active malware development was running in parallel with kinetic operations rather than waiting for peacetime. By October 2025, Seedworm (Symantec's name for the same MuddyWater activity) had deployed a custom backdoor known as Phoenix in a spear-phishing campaign that used a compromised mailbox to target international organizations.
Handala expanded its geographic targeting significantly in the second half of 2025. In December, the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Netanyahu's Chief of Staff Tzachi Braverman — leaking contact information for prominent Israeli officials, journalists, and business people, alongside photographs and videos. Analysis by researchers disputed the extent of device access, suggesting the compromise may have been limited to Telegram accounts rather than full device penetration, consistent with the pattern of Iranian actors overstating operational impact for psychological effect.
Agrius — an IRGC-linked destructive operations group — was documented scanning Israeli camera infrastructure in the months following the ceasefire, likely conducting battle damage assessment and building targeting intelligence for future operations. The group's characteristic approach — wiper and fake-ransomware operations masking destructive intent — remained the playbook, with post-conflict scanning suggesting preparation rather than wind-down.
At Israel's Cyber Week conference in December 2025, CISA's executive assistant director for cybersecurity named Iran among the most serious current cyber threats to the United States — second only to China. The assessment reflected both the demonstrated scale of Iranian operations during the June conflict and the ongoing APT activity that had expanded well beyond the immediate conflict zone.
A CSIS analysis of over 250,000 Telegram messages from the conflict period, published in the second half of 2025, identified Iran's hacktivist mobilization model more precisely: the patterns in attack timing, target selection, and cross-group exchange of vulnerabilities were consistent with institutional coordination rather than organic ideology. This confirmed a long-suspected but previously harder-to-document reality — that Iran's "hacktivist" tier is not a collection of volunteers acting in support of state interests but a managed pseudo-proxy force under varying degrees of direct state control. When Iran wants deniability and widespread influence operations, it uses hacktivist personas. When it needs precise, sophisticated targeting, it deploys the APT tier. The same infrastructure and information can and does move between layers.
The geographic expansion of targeting in the post-ceasefire period also became clearer. Iranian APT groups — particularly OilRig and MuddyWater — sustained espionage operations against Gulf energy infrastructure throughout the year. Operations against Jordanian government and infrastructure were documented. A diplomatic dispute between Iran and Australia in August 2025 led to Western intelligence warnings about the risk of Iranian hybrid operations, including cyber, against Australian targets — reflecting an expanding operational envelope that went well beyond the immediate conflict adversaries. By July 2025, thirteen Western allies including the UK, Germany, and France formally condemned the rise in Iranian intelligence operations against individuals in Europe and North America.
What 2025 Revealed About Iran's Cyber Doctrine
The Middle East Institute's post-conflict analysis identified a strategic shift in how Iran conceptualizes cyber power that 2025 made concrete. Rather than using cyber operations episodically or as a supplement to kinetic activity, Iran increasingly treats cyber as a continuous instrument of statecraft — a capability operating at all times across multiple objectives: espionage and access, disruption and cost imposition, and perception management and influence.
The emphasis in 2025 moved notably from pure infrastructure disruption toward what the Middle East Institute described as "perception management" — operations designed to impose psychological costs, shape the information environment, and project resolve. The 1,200 separate information campaigns targeting Israeli civilians during the twelve days of the war were not primarily designed to disable infrastructure. They were designed to create fear, amplify uncertainty, and undermine social cohesion. This approach — cyber-enabled political warfare — is analytically closer to Russia's information operations doctrine than to the pure destructive operations that characterized Iranian campaigns like Shamoon in 2012.
Iran's use of criminal fronts and hacktivist proxies as deniable vectors became better documented in 2025 than in any prior year. The ransomware-group-as-front incident disclosed by Israel's cyber chief was not an isolated anomaly — it was a confirmation of a pattern that researchers had long suspected but had difficulty proving in specific cases. The Treasury Department's post-ceasefire sanctioning of IRGC-CEC officials for directing hacktivist operations provided further institutional confirmation. The practical implication for defenders is significant: an attack presenting as financially motivated ransomware or an ideologically motivated defacement campaign may in fact be state-directed, and the response calculus — including ransom payment decisions — needs to account for the sanctions risk that state sponsorship creates.
Cyber operations are no longer secondary but fundamental to geopolitical disputes. State-sponsored actors and aligned proxies exploit cyberspace for diverse strategic goals, including intelligence gathering, propaganda, and direct attacks on critical infrastructure and public entities. — SecurityScorecard STRIKE Team, August 2025
The integration of AI tooling into Iranian operations also advanced visibly in 2025. AI-assisted phishing campaigns appeared across multiple groups — APT42's RedKitten operation and MuddyWater's Operation Olalampo both showed indicators of AI-assisted malware development or campaign generation. AI-delivered video messages broadcast through the hijacked U.S. IPTV service by Cotton Sandstorm represented a public-facing deployment of AI influence content at scale. These developments were noted by multiple government advisories during the year as a material change in attack velocity and credibility — not a future concern but a current reality.
What 2025 Means for Defenders
The escalation pattern of 2025 — leading directly into the even more intense conflict environment of early 2026 — has several concrete implications for organizations outside the direct conflict zone that are nonetheless within the Iranian APT targeting envelope.
The first is that pre-conflict access development is the norm, not the exception. The infrastructure OilRig was registering in early 2025, the footholds MuddyWater was establishing in Israeli organizations, the CyberAv3ngers campaigns against water utilities running for years before any kinetic trigger — all of these represent access building that pre-dates and outlasts specific conflict periods. Organizations cannot wait for a geopolitical trigger to begin hunting for Iranian APT indicators. The access may already exist and have existed for months.
The second is that the targeting envelope for Iranian cyber operations in 2025 expanded significantly beyond Israel and direct conflict participants. Energy infrastructure in the Gulf, government systems in Jordan, organizations in the United States, and individuals in Europe and North America were all documented targets. The July 2025 Western allied condemnation of Iranian intelligence operations against individuals in Europe and North America — including direct threats to diaspora activists — reflected a targeting scope that treats geography as a minor constraint rather than a boundary.
The third is that the hacktivist tier, while noisy and often overstated in its claimed impacts, generates genuine burden on defenders and serves as cover for more capable state operations. A DDoS campaign claiming hacktivist origins during a period of geopolitical escalation is worth investigating as a potential distraction or precursor to more targeted follow-on activity. The coordination patterns documented in 2025 mean that hacktivist and APT operations are often running in parallel against the same target sets, even if under different operational covers.
- Assume that access building has been ongoing regardless of current geopolitical status. Hunt for Iranian APT indicators as a regular security practice, not a crisis-period response. OilRig, MuddyWater, and APT42 all demonstrate months-long pre-positioning before operational use of established footholds.
- Treat ransomware incidents during periods of elevated Iranian threat with attribution skepticism. The use of criminal fronts to mask state-directed operations is documented and ongoing. Paying a ransom where state sponsorship is possible or likely creates sanctions exposure under IEEPA and equivalent legislation. Engage legal counsel and OFAC guidance before any payment decision in this context.
- Prepare for perception management operations, not just infrastructure disruption. Iranian cyber operations in 2025 increasingly prioritized psychological impact, narrative control, and civilian-facing information operations alongside infrastructure targeting. Incident communications planning should account for the possibility that data from a breach will be weaponized in influence operations regardless of whether infrastructure damage occurs.
- Monitor for AI-enhanced phishing at scale. AI-assisted campaign generation materially improves phishing velocity and credibility. Security awareness training that relies on users identifying low-quality phishing lures is insufficient against AI-enhanced targeting. Technical controls — phishing-resistant MFA, email authentication, and behavioral detection — need to carry more of the defensive load.
- Patch VPN and perimeter appliances against CISA KEV vulnerabilities without delay. This was the consistent initial access vector across Iranian APT operations throughout 2025. It remains the single highest-leverage defensive action for organizations within the targeting envelope.
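The last recommendation is the most mechanical one, and it is the one most often left to a spreadsheet. The following is an added example (not code from the original article or from any of the organizations it cites) of how a defender can audit a perimeter-appliance inventory against the CISA Known Exploited Vulnerabilities catalog and rank what is still outstanding. The field names follow the published KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the vendor names, product names, CVE identifiers, and the inventory itself are constructed placeholders. One assumption worth stating: the KEV feed does not carry affected-version ranges, so a vendor/product match only means "a known-exploited CVE exists for this product," and patch status has to come from your own change records, which is what the per-asset patched_cves set stands in for.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Constructed KEV-style snapshot. The shape mirrors the "vulnerabilities" array of the
# CISA KEV JSON feed; in practice load the published catalog file with json.load().
# Vendor, product and CVE values are placeholders, not real entries.
KEV_SNAPSHOT_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleNet", "product": "EdgeVPN",
     "dateAdded": "2025-04-01", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleNet", "product": "EdgeVPN",
     "dateAdded": "2025-09-10", "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "GatewayCo", "product": "PerimeterFW",
     "dateAdded": "2025-06-15", "dueDate": "2025-07-06", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00004", "vendorProject": "OtherCorp", "product": "MailRelay",
     "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    internet_exposed: bool
    # CVEs already remediated on this box, taken from change records / vendor advisories
    patched_cves: set[str] = field(default_factory=set)


# Constructed inventory: two exposed VPN appliances, one internal firewall, one mail relay.
INVENTORY = [
    Asset("vpn-01", "ExampleNet", "EdgeVPN", True, {"CVE-0000-00001"}),
    Asset("vpn-02", "examplenet", "edgevpn", True, set()),  # CMDB casing is rarely consistent
    Asset("fw-core", "GatewayCo", "PerimeterFW", False, set()),
    Asset("mx-01", "OtherCorp", "MailRelay", True, {"CVE-0000-00004"}),
]


@dataclass
class Finding:
    asset: str
    cve: str
    due: date
    overdue: bool
    internet_exposed: bool
    ransomware_use: bool

    @property
    def priority(self) -> int:
        # Additive score: overdue CVEs on internet-facing boxes with known ransomware use rank first
        return 4 * self.overdue + 2 * self.internet_exposed + 1 * self.ransomware_use


def _key(vendor: str, product: str) -> tuple[str, str]:
    # Normalise so "examplenet"/"ExampleNet" match the same KEV entries
    return vendor.strip().lower(), product.strip().lower()


def index_kev(snapshot_json: str) -> dict[tuple[str, str], list[dict]]:
    """Group KEV entries by normalised (vendorProject, product)."""
    index: dict[tuple[str, str], list[dict]] = {}
    for entry in json.loads(snapshot_json)["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return index


def outstanding_kev(assets: list[Asset], snapshot_json: str, today: date) -> list[Finding]:
    """Return every unpatched KEV CVE per asset, highest priority first."""
    index = index_kev(snapshot_json)
    findings: list[Finding] = []
    for asset in assets:
        for entry in index.get(_key(asset.vendor, asset.product), []):
            if entry["cveID"] in asset.patched_cves:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(
                asset=asset.name, cve=entry["cveID"], due=due, overdue=due < today,
                internet_exposed=asset.internet_exposed,
                ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known"))
    # Priority first, then earliest due date, then name so the output is deterministic
    return sorted(findings, key=lambda f: (-f.priority, f.due, f.asset, f.cve))


def audit(today_iso: str) -> list[Finding]:
    """Run the constructed inventory against the constructed snapshot as of the given date."""
    return outstanding_kev(INVENTORY, KEV_SNAPSHOT_JSON, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in audit("2025-10-15"):
        print(f"P{f.priority} {f.asset:8} {f.cve} due {f.due} "
              f"overdue={f.overdue} exposed={f.internet_exposed} ransomware={f.ransomware_use}")
```

Run as-is it reports four outstanding items, with the unpatched internet-facing VPN appliance carrying the oldest, ransomware-associated CVE at the top and the internal firewall at the bottom; the mail relay drops out because its only KEV entry is recorded as patched. The scoring weights are deliberately simple and are the part to tune: the point is that due date, exposure, and exploitation context are all already in the feed or the inventory, so the ranking can be recomputed every time the catalog updates rather than during a crisis.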
Key Takeaways
- 2025 was the year Iranian cyber operations became fully integrated with kinetic conflict at scale. The Twelve-Day War produced a 700% surge in cyberattacks, 1,200 separate information campaigns targeting Israeli civilians, and documented use of hacked civilian infrastructure for targeting intelligence — demonstrating a level of cyber-kinetic integration that Iran had been building toward for years.
- Iran's hacktivist tier is not organic — it is a managed pseudo-proxy force. Post-conflict analysis of 250,000 Telegram messages confirmed coordination patterns inconsistent with independent activism, and the Treasury Department's post-ceasefire sanctions confirmed IRGC-CEC officials were directing the hacktivist operations. Attacks presenting as hacktivist campaigns must be evaluated with state-sponsorship attribution as a live possibility.
- The shift from infrastructure disruption to perception management marks a doctrinal evolution. Iran in 2025 increasingly deployed cyber operations for psychological costs, narrative control, and social pressure rather than purely for technical disruption. This reflects a maturing hybrid warfare doctrine that treats cyber as a political warfare tool alongside its traditional espionage and sabotage functions.
- Criminal fronts for state operations are a confirmed active tactic. The ransomware-group-as-cover incident disclosed by Israel's cyber directorate chief during the war is not an isolated case. It is documentation of a pattern that creates legal and compliance complexity for organizations deciding how to respond to attacks of ambiguous origin during periods of geopolitical escalation.
- The 2025 escalation was not a contained episode but the lead-up to a worse one. The post-ceasefire period saw Iranian APT groups retooling, expanding targeting scope, and building access across a broader geographic envelope. The MuddyWater pre-positioning in U.S. financial and aviation networks that began in early February 2026 — weeks before the next kinetic escalation — was built on the operational infrastructure and lessons of 2025.
2025 demonstrated that Iran's cyber program has matured from a tool of opportunistic disruption into an integrated component of national security strategy. It operates continuously, across all periods of tension, and its targets extend far beyond the immediate adversaries in any given kinetic conflict. The organizations that understood this before June 13, 2025 were better positioned than those who recognized it only after the strikes began. The same logic applies to whatever comes next.