The rise of cyber-enabled conflict has introduced sophisticated non-state and state-sponsored groups capable of crippling national systems.
Among these, Predatory Sparrow — also known as Gonjeshke Darande or Indra — has emerged as a major actor in the ongoing cyber shadow war between Israel and Iran.
Analysts widely assess that the group aligns with Israeli interests, executing offensive cyber operations to disrupt Iran’s critical infrastructure, government networks, and financial systems.
Their campaigns illustrate the convergence of political signaling and technological disruption in modern warfare.
History of the threat actor group
Predatory Sparrow first appeared in 2019 with attacks on Syrian-based companies such as Alfadelex Trading, Afrada, and the Katerji Group.
These early strikes demonstrated a regional reach extending beyond Iran and targeted logistical and economic entities connected to Iranian influence networks.
By 2021, the group gained international notoriety after breaching Iran’s national railway system.
The “Meteor” wiper malware disabled rail operations, displayed taunting messages across station boards, and revealed the group’s penchant for psychological as well as operational impact.
Subsequent campaigns intensified both in sophistication and consequence. In June 2022, Predatory Sparrow executed a cyberattack on an Iranian steel manufacturing plant, reportedly causing fires and physical destruction.
In December 2023, it disrupted fuel distribution nationwide by disabling most of Iran’s gas stations—a clear escalation in scope and a statement on the vulnerability of critical infrastructure.
Most recently, in 2025, the group struck Iran’s financial core, targeting Bank Sepah and the Nobitex cryptocurrency exchange.
The attacks erased data, stole or “burned” approximately $90 million in cryptocurrency, and released Nobitex’s source code and research documentation.
Each incident aligns with Israel–Iran regional tensions, suggesting that the operations are retaliatory and politically timed responses to Iranian military or cyber actions.
Tactics, techniques, and procedures (TTPs)
Predatory Sparrow’s operations exhibit a complete kill chain from reconnaissance to impact.
During reconnaissance, the group’s malware performs targeted host discovery, executing only on selected systems to ensure the intended disruption is visible (MITRE ATT&CK T1592).
For execution, they employ scheduled tasks (T1053.005) and batch scripting (T1059) to deploy multi-stage payloads, often unpacked using hard-coded credentials.
Their Syrian operations began with Visual Basic Script (VBS) droppers (T1059.005) that disabled antivirus programs before detonating wiper payloads.
In defense evasion, Predatory Sparrow encrypts configuration files (T1027.013), deletes Windows event logs (T1070.001), and manipulates antivirus exclusion lists (T1562).
These techniques complicate forensic analysis and enable sustained presence before data destruction.
For command and control, the group communicates via standard web protocols (T1071.001), transmitting execution progress to remote servers through structured GET requests — blending malicious traffic into legitimate network noise.
The impact phase demonstrates the group’s hallmark destructiveness. Using custom wipers like Meteor (T1485), they permanently erase data and disable system recovery by removing boot entries and deleting shadow copies (T1490).
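The execution and impact techniques above (T1053.005 scheduled tasks, T1070.001 event log clearing, T1490 shadow copy deletion and boot recovery tampering) share a useful property for defenders: each leaves a distinctive process command line. The following added example, written for this article and not code from the group or any vendor, runs simple command-line detection rules over constructed Sysmon-style process-creation events and escalates any host where several of these pre-wipe techniques fire together; host names, users and commands are made up.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "rail-ops-07", "user": "SYSTEM", "cmd": 'schtasks.exe /create /tn "Update" /tr C:\\Windows\\Temp\\run.bat /sc once'},
    {"host": "rail-ops-07", "user": "SYSTEM", "cmd": "wevtutil.exe cl System"},
    {"host": "rail-ops-07", "user": "SYSTEM", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "rail-ops-07", "user": "SYSTEM", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "hr-laptop-22", "user": "jdoe", "cmd": "wevtutil.exe qe Security /c:5"},   # benign query, not a clear
    {"host": "backup-01", "user": "backupsvc", "cmd": "vssadmin.exe list shadows"},      # benign listing
]

# (ATT&CK technique ID, description, command-line pattern) for the behaviours in the article.
RULES = [
    ("T1053.005", "scheduled task created", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("T1070.001", "Windows event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1490", "shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "boot recovery disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


def match_events(events):
    """Return one (host, technique_id, description, cmd) tuple per event that matches a rule."""
    hits = []
    for ev in events:
        for tid, desc, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], tid, desc, ev["cmd"]))
    return hits


def correlate(hits, threshold=2):
    """Hosts on which at least `threshold` distinct technique IDs fired.

    A single shadow-copy deletion may be a legitimate admin action; log clearing plus
    recovery inhibition on the same host is the pre-wipe pattern worth paging on.
    """
    per_host = defaultdict(set)
    for host, tid, _, _ in hits:
        per_host[host].add(tid)
    return sorted(h for h, tids in per_host.items() if len(tids) >= threshold)


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for host, tid, desc, _ in hits:
        print("%-14s %-9s %s" % (host, tid, desc))
    print("escalate:", correlate(hits))
```

In production the same rules would be expressed as SIEM or EDR queries over real process telemetry, with the correlation window bounded in time rather than across the whole event set.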
Layered defense
Predatory Sparrow’s campaigns highlight a crucial shift in cyber warfare: the transition from espionage to kinetic-level disruption.
By blending technical precision with political messaging, the group weaponizes information technology to project power without direct military engagement.
Their repeated use of destructive malware underscores the importance of resilience planning and layered defense for national infrastructure.
Organizations can strengthen their resilience against threat actors like Predatory Sparrow by implementing layered security controls that address prevention, detection, and response.
- Network segmentation and zero trust: Isolate OT from IT networks, apply zero-trust principles, and restrict lateral movement to reduce attack surfaces.
- Access and authentication controls: Enforce least privilege, require MFA for admins, and monitor privileged activity for anomalies.
- Detection and response capabilities: Use EDR and IDS/IPS tools to detect behavioral anomalies, malicious scripts, and C2 traffic.
- Patch, backup, and recovery management: Keep systems updated, maintain immutable offsite backups, and regularly test restoration procedures.
- Centralized logging and monitoring: Send logs to a secure SIEM, enable automated anomaly detection, and protect forensic data integrity.
- Simulations and security training: Run breach and attack simulation (BAS) tools and tabletop exercises to test defenses, and train staff to recognize social engineering and phishing.
Together, these measures create a comprehensive defense framework that minimizes vulnerabilities, enhances detection, and builds cyber resilience.
Predatory Sparrow exemplifies the modern evolution of state-linked cyber warfare, blending advanced malware engineering, precise timing, and psychological manipulation to erode an adversary’s confidence and capabilities.
The group’s campaigns against Iran’s transportation, industrial, and financial sectors demonstrate not only technical sophistication but also a keen awareness of the geopolitical stakes at play.
As cyber conflict becomes an integral extension of traditional warfare, governments and organizations must prepare for adversaries whose objectives go beyond infiltration — seeking instead to erase, disrupt, and demoralize.
