Threat profile (active)

type: Hacktivism
threat level: High
status: Active
origin: Israel — state-linked (assessed)
last updated: 2026-03-27

Predatory Sparrow

also known as: Gonjeshke Darande (گنجشک درنده)
predecessor: INDRA
linked: Edalat Ali (assessed linked)

A pro-Israel group assessed to have state links — though Israel maintains official ambiguity — that conducts precision-timed destructive attacks on Iranian infrastructure under the guise of hacktivism. Known for restraint as a message: the group emphasizes that it deliberately limits civilian impact while demonstrating capability. In June 2025, within days of Israeli airstrikes on Iran, Predatory Sparrow attacked Bank Sepah, Iran's state-owned military bank, and destroyed $90 million in cryptocurrency at the Nobitex exchange — sending funds to inaccessible wallet addresses to burn them as a political statement rather than steal them. Its 2022 attack on an Iranian steel mill caused a large fire from spilled molten metal — one of only a handful of documented cyberattacks in history to produce physical, kinetic damage.

attributed origin: Israel — state military intelligence (assessed)
official position: Israel maintains ambiguity — no formal acknowledgment
first observed: 2021 (predecessor INDRA active from 2019)
primary motivation: Strategic signaling — degrade Iranian military/economic capacity
primary targets: Iranian critical infrastructure, financial institutions, fuel systems
defining capability: OT/ICS sabotage causing physical kinetic damage
malware families: Meteor wiper, Chaplin, custom batch scripts
target scope: Iran exclusively (all documented attacks)
threat level: HIGH — nation-state capability, OT-destructive

Overview

Predatory Sparrow — known by its Persian name Gonjeshke Darande — publicly emerged in July 2021 and has since executed some of the most technically sophisticated and physically consequential cyberattacks ever documented against Iran. The group presents itself as a collective of Iranian anti-government hacktivists, posting in Farsi and framing attacks as acts of resistance against the Iranian regime's aggression and its financing of proxy forces. However, the technical capability, precision timing aligned with Israeli military operations, custom wiper malware sharing code with a predecessor group (INDRA) known to have targeted Iranian regional allies, and consistent targeting aligned with Israeli strategic interests have led researchers and Israeli media to widely assess the group as linked to Israeli military intelligence — a connection Israel officially neither confirms nor denies.

The group's most distinctive characteristic is its self-described doctrine of restrained destruction. In contrast to most threat actors seeking to maximize impact, Predatory Sparrow explicitly emphasizes that it chooses targets and timing to avoid civilian casualties and limit harm to Iranian citizens — while still demonstrating it has the capability to cause significant damage to regime-linked infrastructure. Before the December 2023 gas station attack, the group sent advance warnings to Iran's civilian emergency services, telling them to fuel up their vehicles before the attack began. Before the 2022 steel mill attack, the group accessed CCTV cameras and verified that workers had left the floor before triggering the spill of molten metal. This pattern of operational restraint — warning before striking, verifying civilian areas are clear, burning money rather than keeping it — functions as a strategic communication: the message is not just the damage done, but the capability deliberately withheld.

The technical lineage of Predatory Sparrow traces back to INDRA, a hacktivist-presenting group active in 2019 that targeted companies in Syria with connections to the Iranian Revolutionary Guard Corps. Check Point Research connected Predatory Sparrow's wiper malware to INDRA's toolset, suggesting operational continuity or shared development between the two groups. SentinelOne similarly tracked the group under multiple "false front" aliases including Gonjeshke Darande, Predatory Sparrow, INDRA, and the potentially linked Edalat Ali.

The June 2025 campaign — executed within days of Israeli airstrikes against Iran's nuclear facilities and military sites — marked a significant escalation from infrastructure disruption to direct financial destruction. The Bank Sepah attack destroyed banking data and caused nationwide ATM and service outages. The Nobitex attack went further: $90 million in cryptocurrency was transferred to hacker-controlled wallets named to denounce the IRGC, then effectively burned by sending the funds to wallet addresses from which the keys were discarded. Blockchain analysts at TRM Labs and Chainalysis confirmed the funds were rendered permanently inaccessible. Predatory Sparrow then released Nobitex's full source code, internal infrastructure documentation, and R&D materials publicly — adding intellectual property exposure to the financial destruction.

Target Profile

All documented Predatory Sparrow attacks have targeted Iranian entities. Target selection consistently aligns with Iranian military-economic infrastructure — entities that either directly support the IRGC or that are strategically significant enough to generate public disruption when attacked.

  • Iranian Railway and Transport Ministry (2021): The national railway system's information systems were compromised, displaying "cyberattack" on station boards and directing passengers to call Ayatollah Khamenei's office. Ministry of Roads systems were simultaneously attacked with wiper malware. The targeting of public transport infrastructure was designed to generate maximum public visibility and citizen inconvenience attributed to regime-connected systems.
  • Iranian Fuel Distribution Infrastructure (2021, 2023): The smart card payment system for state-subsidized fuel was disabled in October 2021, leaving drivers unable to access discounted fuel. Digital billboards were hijacked to display anti-regime messages. The attack was repeated in December 2023, disabling approximately 70 percent of Iran's gas stations — timing aligned with Houthi and regional proxy aggression. Iran's Oil Minister publicly confirmed the scale of disruption.
  • IRGC-Linked Steel Manufacturers (2022): Three Iranian steel companies with documented IRGC affiliation were targeted. The most consequential attack affected Khuzestan Steel Company, one of Iran's largest steel producers, where the group accessed industrial control systems and triggered a molten steel spill that caused a fire and required emergency response. The group released CCTV footage from inside the facility as proof of access and released documents allegedly showing IRGC ownership of the targeted facilities.
  • Iranian State Television (2022): A 10-second interruption to IRIB's broadcast inserted opposition messaging calling for the assassination of Khamenei, timed to the celebration of the 1979 revolution.
  • Bank Sepah (2025): Iran's state-owned military bank, sanctioned by the US in 2007 for financing Iran's missile program. Banking data was destroyed, causing nationwide ATM outages and service disruptions. The attack was explicitly framed as targeting the bank's role in financing IRGC operations.
  • Nobitex Cryptocurrency Exchange (2025): Iran's largest cryptocurrency exchange, alleged to facilitate Iranian government sanctions evasion and IRGC financing. $90 million in cryptocurrency was burned by transferring to inaccessible wallet addresses, source code and infrastructure documentation were publicly released, and internal R&D materials were exposed.

Tactics, Techniques & Procedures

Predatory Sparrow's TTP set reflects capabilities well beyond those of typical hacktivist operations — the group possesses the skills, tools, and operational planning required to access and manipulate industrial control systems, deploy custom wiper malware, and execute coordinated multi-system attacks timed to kinetic military operations. The self-described hacktivist framing is assessed by researchers as a "veneer" rather than an accurate characterization of the group's true nature and resources.

MITRE ID / technique / description

  • T1485 Data Destruction — Wiper Malware: The Meteor wiper malware was the primary payload in the 2021 railway attack and subsequent operations. Designed to render infected systems completely inoperable by deleting or overwriting data and erasing forensic evidence of the intrusion. Encrypted configuration files and logs complicate incident response and analysis. The wiper implements multiple mechanisms to prevent recovery, including deletion of volume shadow copies via vssadmin.exe and wmic, and sabotage of boot configuration data.
  • T1562.001 Disable Security Tools: Predatory Sparrow batch scripts systematically disable Windows Defender by adding malicious files to its exclusion lists, and attempt to uninstall third-party antivirus products including Kaspersky. Windows event logs are cleared using native utilities to erase evidence of the attack chain before and after payload deployment.
  • T0826 / T0831 Loss of Availability / Loss of Control — OT/ICS Manipulation: The 2022 Khuzestan Steel attack accessed industrial control systems via the IT network, reaching the human-machine interface (HMI) software controlling steel production equipment. Commands were issued to tilt a ladle of molten steel, causing a spill and fire. This represents one of the very few documented cyberattacks to produce kinetic, physical damage through manipulation of OT systems rather than data destruction or disruption alone.
  • T1531 Account Access Removal: The Chaplin malware deployed in the 2022 steel mill attack logs off users and deletes their login information to prevent intervention during the attack, while providing the attackers with continued access to the targeted system. This approach gives operators uncontested control of compromised systems during the critical execution phase without requiring file deletion (unlike Meteor).
  • T1078 Valid Accounts — Stolen Credentials: The 2025 Nobitex attack was assessed to have used stolen employee credentials to authenticate to Nobitex's internal systems. Once authenticated, the attackers obtained source code, redirected cryptocurrency to inaccessible vanity addresses, and exfiltrated internal documentation before publicly releasing it.
  • T1491 Defacement — Internal and External: Digital billboards were hijacked during the 2021 fuel attack to display anti-regime messages and the "64411" phone number directing Iranians to call Khamenei's office. Iranian state television was briefly compromised in January 2022 to broadcast opposition messaging. Station information boards displayed "cyberattack" text during the 2021 railway disruption.
  • T1657 Financial Theft — Crypto Asset Destruction: In the June 2025 Nobitex attack, approximately $90 million in cryptocurrency was transferred to vanity wallet addresses controlled by the attackers but constructed so that the private keys were not retained — effectively burning the funds. This technique transforms what would conventionally be financial theft into a demonstrative destruction act, maximizing reputational and political impact over any financial benefit to the attacker.
  • T1567 Exfiltration — Public Leaks: Predatory Sparrow routinely exfiltrates and publicly releases data from attacked organizations as a secondary pressure mechanism. The 2022 steel mill attack yielded corporate documents allegedly demonstrating IRGC ownership. The 2025 Nobitex attack released source code, infrastructure documentation, and R&D materials publicly. CCTV footage from inside attacked facilities has been released to prove operational access.

one of history's few cyberattacks with kinetic damage

The June 2022 Khuzestan Steel attack is among only a handful of documented cyberattacks that produced physical, kinetic damage through OT system manipulation. The group released an HMI screenshot as proof of access and CCTV footage showing the molten steel spill and resulting fire. While the group emphasized that it had verified the area was clear before triggering the spill, Wired's investigation noted that two workers narrowly avoided the spill. The attack demonstrated a rare capability: the ability to traverse IT-OT boundaries and issue commands that produce real-world physical consequences.

Known Campaigns

Predatory Sparrow's documented operations are precisely timed to Israeli-Iranian geopolitical tension points, with each attack framed as a response to specific Iranian state actions or regional proxy operations.

Iran Railways and Ministry of Roads — Meteor Wiper July 2021

Iran's national railway system was compromised using the Meteor wiper malware, disrupting train services and displaying "cyberattack" text on station information boards across Iran. Passengers were directed to call Khamenei's office at the number 64411 — a deliberate symbolic mockery of the regime. Simultaneously, computers at the Ministry of Roads and Urban Development were hit with the same wiper tool. Check Point Research later identified the wiper code as related to tooling used by INDRA, establishing the operational lineage between the groups.

Fuel Smart Card System — Gas Station Network Disruption October 2021

Iran's nationwide fuel subsidy smart card system was disabled, leaving ordinary Iranians unable to access state-subsidized fuel at gas stations across the country. Digital billboards were simultaneously hijacked to display anti-regime messages and the "64411" number. The attack created long queues and public disruption. Two US defense officials, quoted anonymously by the New York Times, attributed the attack to Israel. Iran's government blamed the MEK — an Iranian opposition group — which denied involvement.

IRIB State Television — Broadcast Interruption January 2022

A 10-second interruption to Iranian state television inserted opposition messaging calling for the assassination of Supreme Leader Khamenei, timed to the multi-day celebration of the 1979 revolution. Check Point Research's investigation found previously unidentified wiper malware associated with the intrusion, suggesting deeper compromise than initially acknowledged by Iranian officials. The attack affected multiple television channels and two radio stations.

Khuzestan Steel Company — Molten Steel Spill and Fire June 27, 2022

Predatory Sparrow attacked three Iranian steel companies with IRGC affiliations. The most consequential attack targeted Khuzestan Steel Company, one of Iran's largest steel producers. The attackers accessed industrial control systems via IT-OT network traversal, reached the HMI software controlling production equipment, and issued commands that caused a large vat of molten steel to be tilted and spilled — triggering a fire that required firefighter response and suspended production. The group released an HMI screenshot proving system access and CCTV footage from inside the facility, where two workers narrowly avoided the spill. Corporate documents allegedly demonstrating IRGC ownership were exfiltrated and released. The attack used Chaplin malware alongside the Meteor-lineage toolset, with Chaplin locking users out of systems while providing attackers continued access without requiring file deletion.

Gas Station Network — Second Nationwide Fuel Disruption December 18, 2023

Predatory Sparrow executed a second attack on Iran's fuel station network, disabling approximately 70 percent of gas stations nationwide — a larger-scale disruption than the 2021 attack. Before executing the operation, the group sent advance warnings to Iran's civilian emergency services, telling them to fuel up their vehicles beforehand. The group stated the attack was "in response to the aggression of the Islamic Republic and its proxies in the region" — a reference to Houthi and other proxy operations escalating in the region following the October 7 attacks. Iran's Oil Minister publicly confirmed the scale of the disruption and attributed the attack to a foreign actor, with Iran's civil defense agency investigating.

Bank Sepah and Nobitex — Financial System Attack June 17–18, 2025

Within days of the IDF launching large-scale airstrikes against Iran's nuclear facilities and military sites on June 13, 2025, Predatory Sparrow executed a two-day financial attack sequence. On June 17, Bank Sepah — Iran's state-owned bank sanctioned by the US in 2007 for financing Iran's missile program — had its banking data destroyed, causing nationwide ATM outages and service disruptions. The group claimed Sepah was used to fund IRGC operations and terrorist proxies. On June 18, the group attacked Nobitex, Iran's largest cryptocurrency exchange, claimed to help the Iranian government evade sanctions. Approximately $90 million across multiple cryptocurrencies was transferred to hacker-controlled wallets with IRGC-denouncing names, then effectively burned by discarding the private keys — rendering the funds permanently inaccessible. Blockchain firms TRM Labs and Chainalysis confirmed the scale and deliberate destruction. The group also publicly released Nobitex's complete source code, infrastructure documentation, and internal R&D materials, calling it "burning sanctions evasion infrastructure."

Tools & Malware

Predatory Sparrow's toolset reflects custom development capability consistent with state-level resources. The tools are purpose-built for Iranian targets and have not been observed deployed against other nations.

  • Meteor Wiper (msapp.exe): The primary destructive payload. A customizable wiper malware designed to render infected systems completely inoperable by deleting data, corrupting file systems, and removing forensic evidence. Deployed in the 2021 railway attack and subsequent operations. Features encrypted configuration files and logs to complicate incident response. Check Point identified Meteor as sharing code lineage with INDRA's earlier toolset, establishing the connection between the two groups. Implements VSS deletion via both vssadmin.exe and wmic commands, and sabotages boot configuration data to prevent infected systems from recovering.
  • Chaplin: A second-stage malware identified in the 2022 steel mill attack. Unlike Meteor, Chaplin does not delete files — instead, it logs off users, deletes login credentials to prevent them from retaking control, and provides the attackers with persistent authenticated access to the compromised system. Chaplin is likely used when attackers need to maintain interactive control of systems (such as ICS/HMI interfaces) rather than simply destroying them.
  • Custom Batch Scripts: Three-line batch scripts are used to disable security controls, add malicious files to Windows Defender exclusion lists, uninstall third-party antivirus (notably Kaspersky), and clear Windows event logs. Check Point researchers noted these scripts were "clumsy and sometimes buggy" — a contrast with the sophistication of the underlying malware, suggesting possible division of labor between different skill levels within the group or between collaborating entities.
  • HMI Access Tooling: The 2022 steel mill attack required the group to access and operate industrial human-machine interface software — specifically the control interface for steel production equipment at Khuzestan Steel. The exact mechanism of IT-to-OT network traversal has not been fully publicly documented, but the group demonstrated knowledge of the specific HMI software the steelworks used and the ability to issue destructive commands through it.

Indicators of Compromise

Predatory Sparrow's operations are infrequent, precisely timed, and target-specific — rather than continuous campaigns generating stable infrastructure IOCs. Indicators are most useful for retrospective investigation of Iranian-targeted incidents.

malware behavioral indicators — meteor wiper

filename: msapp.exe — primary Meteor wiper executable name (documented)
behavior: Console window hidden on execution to reduce detection
behavior: VSS deletion via both "vssadmin.exe delete shadows /all /quiet" and "wmic shadowcopy delete"
behavior: Boot configuration data sabotage to prevent system recovery
behavior: Malicious files added to Windows Defender exclusion lists via batch script
behavior: Kaspersky antivirus uninstall attempted via batch script before wiper execution
behavior: Windows event log clearing via native utilities to erase attack chain evidence
chaplin: User session logoff + login credential deletion without file destruction; attacker retains access

operational signatures

timing: Attacks consistently timed to Israeli military operations or high-profile Iranian geopolitical actions
comms: Claims and warnings posted to Telegram and X (formerly Twitter) in Farsi and sometimes English
target scope: All documented targets are Iranian entities with IRGC affiliations or sanctions designation
pre-attack: Group has pre-warned civilian emergency services before high-impact attacks on fuel infrastructure
evidence: CCTV footage, HMI screenshots, and internal documents released post-attack as proof of access

Mitigation & Defense

Predatory Sparrow's targeting is exclusively Iranian. Organizations outside Iran are not within the documented threat scope. The profile is most relevant for understanding state-linked OT sabotage methodology that may be adapted by other actors in other conflicts.

  • Isolate IT and OT networks with validated air gaps: The Khuzestan Steel attack succeeded by traversing the IT-OT boundary. Industrial control systems — particularly HMI software — should be isolated from corporate IT networks through verified network segmentation, not just logical separation. Any path from enterprise IT to OT control systems requires justification and monitoring.
  • Implement application allowlisting on OT systems: The Meteor wiper executed as msapp.exe on compromised systems. Application allowlisting on ICS endpoints — permitting only explicitly authorized executables — would prevent unapproved binaries including wipers from executing regardless of how they arrive on the system.
  • Deploy endpoint protection and EDR on Windows-based OT systems: Predatory Sparrow's batch scripts specifically target Kaspersky. Diverse endpoint protection that the attacker has not scripted removal procedures for provides an additional detection and blocking layer. Monitor for attempts to add executables to Windows Defender exclusion lists as an attack precursor indicator.
  • Maintain offline, verified backups of OT configurations and HMI software: Wiper malware renders systems inoperable and prevents standard recovery. For OT environments, maintaining offline copies of control system configurations, HMI software, and operational parameters enables recovery without full vendor reinstallation following a destructive attack.
  • Implement immutable logging with SIEM offload: Predatory Sparrow clears Windows event logs as a standard operational step. SIEM solutions that collect and store logs in real time — before they can be cleared — preserve forensic evidence needed for incident investigation even when the local logs are destroyed. Immutable logging systems that cannot be cleared by local administrator commands are the appropriate control.
  • Apply multi-factor authentication to all OT remote access: Access to ICS/HMI systems — whether via IT network traversal or direct remote access — should require MFA on all accounts. Stolen employee credentials (as assessed in the 2025 Nobitex attack) cannot be operationalized if a second factor is required at authentication.
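The wiper-precursor behaviours listed under T1485 and T1562.001 and in the behavioral indicators above (shadow copy deletion, boot configuration sabotage, Defender exclusion changes, event log clearing) are exactly what the "monitor for exclusion list changes" and "SIEM offload before logs are cleared" mitigations depend on catching. The following is an added example of that detection logic, not code from this profile or from any of the cited researchers. It runs over a constructed sample of Sysmon-style process-creation events and log-clear audit records and correlates hits per host. The vssadmin and wmic strings are taken from the profile; the bcdedit, Add-MpPreference, registry and wevtutil patterns, the host names, and the sample events are assumptions about how such activity commonly appears in telemetry, not documented Predatory Sparrow artefacts.

```python
"""Detect wiper-precursor activity in Windows endpoint telemetry.

Added example (not from the profile). Looks for shadow copy deletion, boot
configuration sabotage, Defender exclusion changes and event log clearing in
Sysmon-style process-creation events plus Security/System log-clear audit
records, then correlates distinct behaviours per host inside a time window so
that a single benign backup-job command does not page anyone.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# (rule name, regex applied to the lowercased command line).
# vssadmin/wmic strings come from the profile; the remaining patterns are
# assumptions about typical telemetry for these actions.
CMDLINE_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("boot_config_sabotage", re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("defender_exclusion_added", re.compile(
        r"add-mppreference\s+.*-exclusion(path|process|extension)")),
    ("defender_exclusion_added", re.compile(
        r"reg(\.exe)?\s+add\s+.*windows defender\\exclusions")),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
]

# Security 1102 ("The audit log was cleared") and System 104 ("The System log
# file was cleared") are the native Windows audit records for log clearing.
LOG_CLEAR_EVENT_IDS = {1102, 104}


def classify(event):
    """Return the rule name a single event triggers, or None."""
    if event.get("event_id") in LOG_CLEAR_EVENT_IDS:
        return "event_log_cleared"
    cmdline = event.get("cmdline", "").lower()
    for name, pattern in CMDLINE_RULES:
        if pattern.search(cmdline):
            return name
    return None


def correlate(events, window=timedelta(minutes=10), min_rules=2):
    """Flag hosts where >= min_rules distinct rules fire within one window.

    Returns {host: sorted distinct rule names} for flagged hosts only.
    """
    hits = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    flagged = {}
    for host, items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = {r for t, r in items[i:] if t - t0 <= window}
            if len(in_window) >= min_rules:
                flagged[host] = sorted(in_window)
                break
    return flagged


# Constructed sample telemetry (hypothetical hosts and timestamps).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T02:00:05", "host": "hmi-02", "event_id": 1,
     "cmdline": "cmd.exe /c powershell -c Add-MpPreference -ExclusionPath C:\\Windows\\Temp\\msapp.exe"},
    {"ts": "2024-01-01T02:00:09", "host": "hmi-02", "event_id": 1,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-01T02:00:10", "host": "hmi-02", "event_id": 1,
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2024-01-01T02:00:12", "host": "hmi-02", "event_id": 1,
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2024-01-01T02:00:40", "host": "hmi-02", "event_id": 1102, "channel": "Security"},
    # A scheduled backup job pruning one old snapshot: a single hit, below threshold.
    {"ts": "2024-01-01T03:15:00", "host": "backup-01", "event_id": 1,
     "cmdline": "vssadmin.exe delete shadows /for=D: /oldest /quiet"},
    {"ts": "2024-01-01T03:16:00", "host": "eng-ws-07", "event_id": 1,
     "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: wiper precursor chain {rules}")
```

The correlation step is what turns noisy single indicators into an actionable alert: one shadow copy deletion on a backup server is routine, but exclusion changes, shadow copy deletion, boot configuration changes and a cleared audit log on one HMI host inside ten minutes is the sequence the profile describes, and the 1102/104 records only survive to be correlated if they were shipped off-host before the local log was cleared.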

analyst note — official ambiguity and international law

Predatory Sparrow's operations are assessed as state-directed but conducted under deniability — a pattern documented in the broader Israel-Iran cyber conflict and described by multiple researchers as a deliberate model for conducting offensive cyber operations below the threshold of formal acknowledgment. Academic commentary, including analysis from the CCDCOE's cyber law toolkit, has noted that Predatory Sparrow's operations against civilian fuel infrastructure and steel mills raise questions under international cyber norms, even in the context of an ongoing conflict — particularly given that some attacks affected ordinary Iranian citizens rather than exclusively regime or IRGC assets. The group's emphasis on restraint and pre-warning is assessed as partly legal-strategic: demonstrating awareness of civilian harm constraints while still executing destructive operations against regime-linked targets.
