“Predatory Sparrow” first emerged as a self-proclaimed hacktivist group in 2021 with pro-Israel intentions and operations focused on disruptive activity targeting Iranian entities and interests, although there are potential signs of even earlier operations against Syria. Of note, whereas most hacktivist entities or personas exhibit far more “bluster” than actual impact, Predatory Sparrow is responsible for notable incidents in Iran through 2025. Combined with veiled statements, curious responses, and leaks from US and Israeli sources, the group’s status as a truly independent group of cyber activists is very much in question—although no different from some other notable and successful “hacktivist” personas such as CyberAv3ngers and Cyber Army of Russia Reborn (CARR).

Predatory Sparrow is associated with several disruptive or destructive attacks against civilian infrastructure including railways, broadcasting, fuel, and banking elements that also feature links to the Iranian regime. These events featured the use of tools, such as Meteor (aka MeteorExpress) and EvilPlayout (which aside from wiper components featured scripts to inject into and manipulate television broadcast streams), indicating a certain degree of technical sophistication and decent resourcing, fueling speculation as to the group’s true origin.

But Predatory Sparrow truly distinguished itself as unique (and uniquely worrying) in a 2022 incident at a steel production plant in Khuzestan, Iran (along with claimed intrusions at two other sites). Based on various Predatory Sparrow statements, claimed CCTV footage from the impacted facility (of which a still shot is shown below), and conflicting statements in Iranian media, the group appears to have caused a catastrophic failure in steel production at the Khuzestan plant, leading to physical damage to the facility.

Image from BBC reporting including video

Post from Predatory Sparrow X Account

If true, this represents one of the few cases where cyber operations resulted in actual physical impacts to the targeted environment. Yet details on the event are exceptionally scarce beyond Predatory Sparrow claims and conflicting reports in Iranian media. Check Point researchers posted a thread on X identifying a malware family associated with the incident, named Chaplin, with technical overlaps to other malware previously used in Predatory Sparrow attacks. Check Point’s analysis thus establishes an independent, technical link to the group. However, the precise operational technology (OT) commands, tools, or similar resulting in the claimed physical damage have never been documented or detailed, leaving significant gaps in understanding relative to other industrial cyber incidents.

Nonetheless, we are left with a multi-year pattern of activity targeting Iranian (and potentially Syrian) infrastructure with significant degrees of disruptive success and various non-trivial capabilities. While important questions remain on the Khuzestan incident, the mere possibility that this was in fact due to Predatory Sparrow cyber operations (which do appear to have been successful in at least targeting IT assets in these environments, given subsequent data exfiltration and leaking) makes this group worth monitoring.

This is why the absence of activity associated with this effective, and historically reasonably active, group since the joint US-Israel war on Iran starting in February 2026 is somewhat confusing. The group does appear to have been active around the 2025 Twelve Day War, given disruptive attacks on IRGC-linked Bank Sepah and the Nobitex cryptocurrency exchange. However, even these events emerged after a prolonged pause in group operations, with approximately a year and a half between Predatory Sparrow’s second round of fuel distribution attacks (December 2023) and the Bank Sepah incident (June 2025).

Reviewing the overall pace of operations between Predatory Sparrow and Iran-linked or -sympathetic “hacktivist” groups is interesting, as the latter appear to be quite consistent (and increasing since the October 2023 terror attacks on Israel; refer to the timeline of events below), while the former features more intermittent operations leading to the current gap. Overall, Iran-linked entities are significantly more active throughout, but the gap between Iran-associated and Predatory Sparrow (or similar Israel-sympathetic) operations appears to widen significantly past October 2023, absent the financial sector incidents in 2025.

Timeline of notable intrusions between Predatory Sparrow and Iran-associated “hacktivist” operations

The question posed by this would be, why? Given the assessment (or, maybe worse yet, assumption) that Predatory Sparrow is linked to Israeli interests and functions as a deniable disruption and messaging tool against the Iranian regime, the post-October 2023 timeline would appear to be an ideal window in which to execute operations such as the Khuzestan incident, or at least additional items such as attacks on media, fuel distribution, and eventually the financial sector. While some such events did take place (notably the extension to the financial sector in 2025), overall the group appears to be less active if not outright dormant and “out in the cold.”

Part of this may be due to a lack of researcher visibility into incidents in Iran. Even events such as the infamous Stuxnet incident did not come to light until a somewhat serendipitous discovery by an obscure Belarusian anti-virus company, VirusBlokAda. Given the lack of a robust independent media or commercial information security reporting industry within Iran, most reports, such as those from Check Point and SentinelOne cited in this analysis, rely on third-party telemetry, with analysis then backfilling around noted disruptions. As a result, it may be the case that Predatory Sparrow has been quite active in the past year, but information on such operations has been tightly controlled or is simply unavailable to regular reporting entities at this time.

Another possibility emerges from the nature of the Iranian internet itself, particularly with respect to its accessibility and the ability of the Iranian regime to cut it off at will. A weeks-long blackout in 2025 extended into a much longer shutdown in 2026 following domestic unrest and then US-Israeli bombing activity, showing the willingness and ability of Iranian authorities to control network access to the country. While this situation may be changing as of this writing, closing off external internet access to an entire country is not only an element of extreme population control, but also an effective (if very extreme) action in attack surface management. Essentially, Predatory Sparrow (and others) simply cannot compromise or disrupt what cannot be externally accessed.

Internet shutdowns are mostly bidirectional in nature, potentially limiting Iranian cyber operations as well. However, various entities, such as long-standing groups like Handala and emerging entities like Ababil of Minab, are able to continue operations through a combination of limited connectivity and use of other resources. But options may be more limited from an external-to-internal perspective with respect to Iran itself.

Lastly, the motivations of Predatory Sparrow may be satisfied through the physical campaign, which has already severely damaged Iran’s military and civilian infrastructure. Why bother disrupting something via cyber effects when such disruption (or destruction) is taking place via direct, kinetic means? While the financial sector attacks in Iran took place in conjunction (if not necessarily coordination) with the Twelve Day War in 2025, no such follow-on events have appeared since. While the limited attack surface documented above may be mitigating against such activities, it may be the case that Predatory Sparrow is simply no longer useful for projecting Israeli power and disruptive capability. Furthermore, such actions could be assessed as unnecessarily provocative during a tense ceasefire and negotiation period for both Iran and Israel’s ally, the United States.

These last items appear to highlight the nature of Predatory Sparrow itself. While hinted at throughout the group’s history, recent operations—particularly pauses—seem aligned quite well with the pace and nature of kinetic operations and subsequent negotiations with Iran, and with the potential desires of the senior partner in the Israeli-American relationship. Thus, although not confirmed, close alignment with wartime operations would appear to remove any remaining fig leaf that the entity referred to as “Predatory Sparrow” is somehow independent from Israeli government interests. At minimum, the group appears quite aligned with the ebb and flow of operations against Iran (and potentially elsewhere) to the benefit of Israeli strategic interests. At maximum, the group is directly controlled as a cutout for Israeli disruptive cyber operations, similar to CyberAv3ngers, Handala, or CARR, but operating at a significantly higher level of operational impact and sophistication.

Thus we may have seen the end of Predatory Sparrow in public reporting. The group, or more specifically its usefulness, may well have expired due to the rapid and concerning shifts in the long-running Israel-Iran conflict from shadow to open war. Alternatively, as so often with such affairs, we may be too close to the events at hand to properly assess them. With the benefit of hindsight (and, with luck, the opening of archives at some point in the future), we may learn that Predatory Sparrow represented one of a number of coordinated, disruptive, deniable activities targeting the Iranian regime throughout this period. Either way, the group appears to be on the “out” at present, but study of its history and operations will likely prove quite valuable for future discussions of “deniable” cyber conflict.

As statements swirl regarding a potential peace agreement negotiated between the US and Iran (and seemingly over the heads of Israeli parties), Predatory Sparrow may be worth keeping a close eye on. As kinetic operations wind down and as it appears Iran may wring significant concessions out of events, Israel may come to desire its reasonably deniable disruptive cudgel as a deterrent or punitive mechanism against Iranian interests in the near future.

