During the 12-day conflict between Israel and Iran in June 2025, a complex community of Iranian-linked cyber threat actors launched coordinated digital operations against critical infrastructure sectors worldwide.
The campaign demonstrated unprecedented coordination between military operations and state-sponsored cyberattacks, targeting financial institutions, government agencies, and media organizations across multiple countries.
The cyber offensive involved a complex ecosystem of hackers, ranging from state-sponsored groups with direct ties to Iran's Islamic Revolutionary Guard Corps (IRGC) to ideologically aligned hacktivist collectives operating with varying degrees of autonomy.
These threat actors employed diverse attack vectors, including malware-laden phishing campaigns, distributed denial-of-service (DDoS) attacks, SQL injection exploits, and sophisticated social engineering techniques designed to steal sensitive data and disrupt critical operations.
SecurityScorecard researchers identified over 178 active hacker groups participating in the campaign, analyzing more than 250,000 messages from Iranian proxies and hacktivist channels.
The analysis revealed that several key groups, including Imperial Kitten (also known as Tortoiseshell, Cuboid Sandstorm, and Yellow Liderc), rapidly adapted their tactics to align with Iran's military objectives, suggesting pre-planned coordination between cyber and kinetic operations.
Advanced Phishing Infrastructure and Tactical Evolution
The most concerning aspect of this campaign was the speed at which established threat actors modified their operational procedures to exploit the conflict.
Imperial Kitten, a well-documented Iranian state-linked group notorious for its social engineering capabilities, deployed conflict-themed phishing lures within hours of the start of the military escalation.
The group's phishing infrastructure incorporated current events and emotional manipulation tactics, using subject lines that referenced ongoing airstrikes and humanitarian crises to increase victim engagement rates.
The phishing emails contained malicious attachments designed to establish persistent access to target networks, with payloads specifically crafted to evade detection during the heightened alert periods typical of wartime cybersecurity postures.
This tactical evolution demonstrates how state-sponsored actors can rapidly pivot their technical capabilities to support broader strategic objectives, creating significant challenges for conventional threat detection methodologies.