Full Report
The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns. Cyble threat intelligence researchers documented cyberattacks by 74 hacktivist groups in the Middle East region between June 13 and 17. The vast majority of the hacktivist groups – more than 90% – are considered pro-Iran.

Most of the cyberattacks have targeted Israeli organizations. Iran has been a target in several of the cyberattacks, and the regional cyber conflict has also spilled over into Egypt, Jordan, the UAE, Pakistan and Saudi Arabia.

Cyberattacks launched by hacktivist groups in the region have included DDoS attacks, website defacements, unauthorized access, and data breaches – and the launch of ransomware/wiper and banking malware campaigns. In the midst of the increased cyber activity, Iran has apparently been restricting internet access in an attempt to limit Israeli cyber operations.

Middle East Hacktivism Includes Information Operations

After the outbreak of hostilities on June 13, Cyble detected a significant escalation in hacktivist activity targeting Israel and several regional states. The operations were driven by a broad coalition of ideologically motivated actors, many of whom identify with pro-Palestinian, pro-Iranian, or anti-Western narratives, Cyble said in an advisory to clients this week.

Israel was the principal target, with dozens of cyberattacks affecting government, defense, media, telecom, finance, education, and emergency services. The majority of incidents involved distributed denial-of-service (DDoS) attacks, but there were also cases of unauthorized access, defacement, data breaches, and ransomware deployment.
Hashtags used in the cyber campaigns have included: #SalomZionist #OpIsrael #OneUmmah #FreePalestine #SupportIran #HackForHumanity #OpJordan

The full list of hacktivist groups detected by Cyble is detailed in the graphic below:

[Figure: Hacktivism groups active in Israel-Iran conflict (Cyble)]

In addition to publicizing their own DDoS attacks and defacement operations, hacktivist groups have been systematically using their Telegram channels to amplify the broader cyber and geopolitical narrative. This includes reposting claims of attacks by affiliated or ideologically aligned collectives, thus reinforcing "a sense of decentralized coordination," Cyble said.

The groups' content streams frequently include pro-Iranian and pro-Palestinian narratives, often framed in "emotive and polarizing terms," the researchers said. A notable trend is the circulation of video footage depicting missile strikes and drone operations, alongside graphic images of casualties from the Iranian side.

"These materials serve both as mobilization tools and as psychological warfare, blurring the line between cyber activity and information operations," the Cyble advisory said. "The groups appear to position themselves not only as digital combatants but also as part of a broader resistance media ecosystem."

Hacktivist Attacks: DDoS, Breaches, Malware Campaigns

Among the cyberattack claims documented by Cyble were five ransomware/extortion attacks claimed by Handala Group against Israeli organizations, including media, telecom, construction, education, and chemical/energy targets. The group provided data samples in two of the five claimed attacks.
Other notable hacktivist attack claims documented by Cyble in recent days included 34 DDoS attacks, five defacements, two data breaches, two cases of unauthorized access, a claim of a ransomware attack against an Israeli government target, and four incidents involving data or credential leaks.

Among the hacktivist groups active in recent days and their targets were:

| Hacktivist group | Target |
|---|---|
| Anonymous Guys | Israel |
| Arabian Ghosts | Jordan |
| Handala Hack | Israel |
| Server Killers | Israel |
| RipperSec | Israel |
| Dienet | Israel |
| LulzSec Black | Israel |
| Cyber Ghost Team | Israel |
| Keymous+ | Egypt |
| GhostSec | Israel |
| Dark Storm Team | Israel |
| Yemen Cyber Army | Saudi Arabia |
| Anonymous Syria Hackers | Iran |
| Red Eagle | Pakistan |
| Mysterios Team | Egypt |
| Tunisian Maskers | Egypt |
| Unit Nine | Egypt |
| Islamic Hacker Army | Iran |
| Cyber Islamic Resistance | Israel |
| Nation of Saviors | Israel |
| Unknown Cybers Team | UAE |
| Mr Hamza | Israel |
| EvilByte | Israel |
| Digital Ghost | Israel |
| Cyber Fattah Team | Israel |
| Predatory Sparrow | Iran |

On June 16, a ransomware or wiper executable identified as "encryption.exe" was observed in the wild and attributed to a previously unreported threat actor known as Anon-g Fox. Notably, the malware checks that the system's time zone is Israel Standard Time (IST) and that its language is Hebrew before executing further. If those conditions are not met, it aborts with the error message 'This program can only run in Isreal' (sic), suggesting a geopolitical motive, potentially linked to the ongoing Iran-Israel cyber conflict.

Cyble Research and Intelligence Labs researchers also uncovered a campaign involving the IRATA Android malware targeting banking applications in Iran. The malware has been observed impersonating government entities, including the Judicial System of the Islamic Republic of Iran and the Ministry of Economic Affairs and Finance.
It targets over 50 banking and cryptocurrency applications, abusing the Accessibility service to identify the targeted bank, steal bank account numbers and balances, and harvest card data. The malware is capable of remotely controlling the infected device and executing various actions such as hiding its icon, collecting SMS messages and contacts, capturing screenshots, and retrieving a list of installed applications. Together, these capabilities give the operator enough information to carry out fraudulent transactions from the victim's account, potentially leading to significant financial loss.

Hacktivists and Conflict

Hacktivists often see conflict as an opportunity to promote their agenda, to retaliate, and to amplify impressions of fear and chaos, as happened in the Indian state of Jammu and Kashmir last month. And as the Iran-Israel conflict shows, allied nations on either side of a conflict can find themselves targeted by hacktivist attacks.

Organizations that could find themselves a target of hacktivism are advised to invest in DDoS protections and to guard against data breaches, website defacements and, increasingly, ransomware attacks.
Analysis Summary
# Incident Report: Geopolitically Motivated Cyber Activities Amid Israel-Iran Conflict
## Executive Summary
The ongoing Israel-Iran conflict has triggered a wider cyber conflict involving multiple threat actors, resulting in new malware and a surge in hacktivist activity. Specific findings include a Windows ransomware/wiper ("encryption.exe", attributed to Anon-g Fox) that runs only on systems whose time zone is Israel Standard Time and whose language is Hebrew, aborting otherwise with the message "This program can only run in Isreal" (sic), and the IRATA Android banking malware targeting users of Iranian financial applications. The primary impact involves data theft, financial fraud, and geopolitical disruption through cyber means.
## Incident Details
- Discovery Date: Hacktivist activity documented by Cyble between June 13 and 17, 2025; the "encryption.exe" sample was observed in the wild on June 16.
- Incident Date: Ongoing, related to evolving conflict dynamics.
- Affected Organization: Broadly impacts entities in Israel and Iran, specifically banking/financial sectors in Iran.
- Sector: National Security, Finance, and Government (implied).
- Geography: Israel and Iran.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, ongoing activity.
- Vector: Not stated for the Windows sample; the IRATA Android malware is delivered as apps impersonating Iranian government entities (social engineering).
- Details: A previously unreported Windows ransomware/wiper, "encryption.exe", attributed to the actor Anon-g Fox, was observed in the wild on June 16. It executes only if the system time zone is Israel Standard Time and the language is Hebrew, indicating a targeted, geopolitically motivated campaign. Concurrently, the IRATA Android malware was observed targeting Iranian banking apps.
### Lateral Movement
- None described for either family. The IRATA malware gives the operator remote control of the infected handset, which is device-level control rather than movement between hosts.
### Data Exfiltration/Impact
- **Windows Malware:** A ransomware/wiper whose intended impact is disruption of Israeli systems, based on its time-zone and language lock; whether any data is exfiltrated is not stated.
- **IRATA Android Malware:** Stealing bank account numbers, balances and card data from over 50 banking and cryptocurrency applications, plus SMS messages, contacts, screenshots and the list of installed apps, via the Accessibility service.
### Detection & Response
- **Detection:** The "encryption.exe" sample was observed in the wild on June 16 and attributed to Anon-g Fox; Cyble Research and Intelligence Labs researchers uncovered the IRATA Android campaign.
- **Response Actions:** Not reported; the findings warrant alerting on the new locale-gated Windows threat and on sustained Android banking-malware activity.
## Attack Methodology
- **Initial Access:** Not stated for the Windows sample; IRATA is distributed as trojanized apps impersonating Iranian government entities (the report describes no exploitation of vulnerabilities in the banking apps themselves).
- **Persistence:** IRATA hides its launcher icon and holds an Accessibility Service grant, which survives reboots and hampers manual removal.
- **Privilege Escalation:** No OS-level exploit is described; IRATA's elevated capability comes from the user granting it the Accessibility Service, which lets it read screen content and act on other apps.
- **Defense Evasion:** IRATA hides its icon. The Windows sample aborts unless the time zone is IST and the language is Hebrew, so it will not detonate in analysis environments that do not mirror an Israeli host.
- **Credential Access:** Harvesting bank data, account numbers, and card data via the Accessibility service.
- **Discovery:** IRATA malware retrieves a list of installed applications to identify targets.
- **Lateral Movement:** Unknown.
- **Collection:** Gathering SMS messages, contacts, and screenshots.
- **Exfiltration:** Data gathered (account numbers, balances) is precursory to fraudulent transaction execution.
- **Impact:** Financial fraud enabled by stolen access details; geopolitical disruption.
## Impact Assessment
- **Financial:** High potential for financial loss due to fraudulent transactions enabled by the IRATA malware stealing banking credentials.
- **Data Breach:** Compromise of sensitive financial details (account numbers, balances) and personal information (contacts, SMS).
- **Operational:** Potential disruption to financial processes in Iran through malware infection and potential targeted disruption within Israel via the geo-locked malware.
- **Reputational:** Damage to trust in financial institutions targeted by the Android malware.
## Indicators of Compromise
*(Note: Specific IoCs such as hashes, domains or IP addresses are not given in the source report; the indicators below are derived from the behaviour it describes.)*
- **Network indicators:** N/A (Not provided)
- **File indicators:** A Windows executable named "encryption.exe" (no hash given) containing the abort string 'This program can only run in Isreal' (sic); Android packages impersonating the Judicial System of the Islamic Republic of Iran or the Ministry of Economic Affairs and Finance.
- **Behavioral indicators:** Abuse of Android Accessibility Service; attempts to initiate fraudulent transactions; application icon hiding; excessive data collection on mobile devices.
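Because the report gives no hash for "encryption.exe", the one file-level indicator an analyst can act on is the abort string itself. The following static triage script is an added example (not Cyble's tooling and not code from the sample): it searches a dropped file for the marker in ASCII and UTF-16LE, accepting both the sample's misspelling and the correct spelling, and separately flags locale and time-zone Win32 APIs. The report does not say which APIs the sample calls, so the API list is an assumption about how such a gate is usually implemented and is treated as a weak signal; the sample bytes at the bottom are constructed stand-ins, not real malware.

```python
"""Static triage for a locale-gated Windows sample (added example).

Not Cyble's tooling and not code from the sample. The only concrete artefact
the report gives is the abort message 'This program can only run in Isreal'
(sic) and the behaviour (time zone Israel Standard Time, language Hebrew).
The report does not say which Win32 APIs the sample calls; LOCALE_APIS is an
assumption, so a hit on it alone is weak, while the marker string is strong.
"""
import re
import sys
from dataclasses import dataclass, field

# Marker string, matching both the sample's misspelling and the correct spelling.
MARKER = r"This program can only run in Isr(?:ea|ae)l"
GATE_RE_ASCII = re.compile(MARKER.encode())
GATE_RE_TEXT = re.compile(MARKER)

# Assumption (not from the report): APIs commonly imported by a locale/time-zone gate.
LOCALE_APIS = [
    b"GetTimeZoneInformation",
    b"GetDynamicTimeZoneInformation",
    b"GetUserDefaultUILanguage",
    b"GetUserDefaultLCID",
    b"GetLocaleInfoW",
]


@dataclass
class Triage:
    marker_ascii: bool
    marker_utf16: bool
    locale_apis: list = field(default_factory=list)
    verdict: str = "clean"


def find_marker_utf16(blob: bytes) -> bool:
    """PE string tables are often UTF-16LE; decode at both byte alignments."""
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore")
        if GATE_RE_TEXT.search(text):
            return True
    return False


def triage(blob: bytes) -> Triage:
    """Return marker hits, locale-API hits and a verdict for one file's bytes."""
    t = Triage(
        marker_ascii=GATE_RE_ASCII.search(blob) is not None,
        marker_utf16=find_marker_utf16(blob),
        locale_apis=[a.decode() for a in LOCALE_APIS if a in blob],
    )
    if t.marker_ascii or t.marker_utf16:
        t.verdict = "match: locale-gate marker string present"
    elif len(t.locale_apis) >= 2:
        t.verdict = "suspicious: several locale/time-zone APIs, no marker string"
    return t


# Constructed stand-ins for a dropped file; not real samples.
SAMPLE_GATED = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"GetTimeZoneInformation\x00GetUserDefaultUILanguage\x00"
    + "This program can only run in Isreal".encode("utf-16-le")
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"GetTimeZoneInformation\x00"


if __name__ == "__main__":
    # Usage: python triage.py <file>; defaults to the constructed gated sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GATED
    print(triage(data))
```

A single time-zone API import is normal for many legitimate programs, which is why the verdict only escalates to "suspicious" on two or more such imports and never to "match" without the string; the string, with its distinctive misspelling, is the part worth converting into a YARA rule or EDR custom IOC.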
## Response Actions
- **Containment measures:** Identify and remove IRATA from affected devices, revoking its Accessibility Service grant first so it cannot interfere with uninstallation; block C2 communication if the infrastructure becomes known.
- **Eradication steps:** For IRATA, remove the malicious package and, where the accessibility grant was abused, restore the device to a known-good state; for the Windows sample, the report describes no exploited vulnerability, so eradication consists of removing the executable and establishing how it was delivered.
- **Recovery actions:** Financial institutions monitoring for anomalous transactions originating from compromised accounts.
## Lessons Learned
- **Key takeaways:** Geopolitical conflicts serve as a catalyst for novel, highly targeted cyber operations (e.g., geo-locked malware). Android banking malware remains a significant threat, particularly leveraging OS-level features like Accessibility services.
- **What could have been done better:** Proactive monitoring for politically motivated cyber activity and rapid public alerting on new, region-specific threats.
## Recommendations
- **Prevention measures for similar incidents:**
  - Windows hosts in Israeli organizations: enforce application control or block execution of unsigned binaries from user-writable paths, and alert on the locale-gate abort string in newly seen executables. Because the sample aborts unless the time zone is IST and the language is Hebrew, a sandbox configured with a different locale will not detonate it; detonation environments should mirror the target locale.
  - Users in Iran: security awareness about apps impersonating government entities such as the judiciary and the Ministry of Economic Affairs and Finance; install banking apps only from trusted sources.
  - Android fleets: audit which packages hold an Accessibility Service grant and SMS permissions, and restrict the grant to known assistive-technology apps.
  - All regional organizations: invest in DDoS protection and defenses against website defacement, data breaches and ransomware, anticipating hacktivist escalation linked to international conflicts.
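The Android recommendation above can be checked mechanically. The script below is an added example (not Cyble's tooling) that audits two pieces of `adb` output: the value of `settings get secure enabled_accessibility_services`, which lists every package holding an accessibility grant, and `dumpsys package <pkg>`, which shows requested permissions and the installer. An unknown package that holds the grant, was sideloaded, and also requests SMS, contacts or overlay permissions is the capability set the report attributes to IRATA. The allowlist, the package `com.example.judiciary` and the dumpsys text are constructed for the example; the real `settings` and `dumpsys` output formats are used, but only the fields shown are parsed.

```python
"""Audit Android accessibility grants from adb output (added example).

Input is what `adb shell settings get secure enabled_accessibility_services`
and `adb shell dumpsys package <pkg>` return. The allowlist and the sample
data below are constructed; com.example.judiciary is a hypothetical stand-in
for a trojanized app impersonating a government entity.
"""
from __future__ import annotations
import re

# Example allowlist of legitimate accessibility providers (tune per fleet).
KNOWN_A11Y_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# Permissions that, next to an accessibility grant, match the capabilities the
# report lists for IRATA (SMS and contact collection, overlay/remote control).
RISKY_PERMS = {
    "android.permission.READ_SMS": "reads SMS (OTP/mTAN theft)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.READ_CONTACTS": "harvests contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over banking apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further payloads",
}


def parse_enabled_services(settings_value: str) -> list:
    """Split the colon-separated 'pkg/service' entries; 'null' means none."""
    services = []
    for entry in settings_value.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, svc = entry.partition("/")
        services.append((pkg, svc))
    return services


def parse_dumpsys(text: str) -> dict:
    """Pull requested permissions and installerPackageName from dumpsys package."""
    perms = set(re.findall(r"^\s+(android\.permission\.[A-Z_]+)", text, re.M))
    m = re.search(r"installerPackageName=(\S+)", text)
    return {"perms": perms, "installer": m.group(1) if m else "null"}


def assess(pkg: str, info: dict) -> list:
    """Findings for one package holding an accessibility grant; empty if allowlisted."""
    if pkg in KNOWN_A11Y_PACKAGES:
        return []
    findings = [f"{pkg}: unknown package holds an accessibility grant"]
    if info["installer"] != "com.android.vending":
        findings.append(f"{pkg}: sideloaded (installer={info['installer']})")
    for perm, why in RISKY_PERMS.items():
        if perm in info["perms"]:
            findings.append(f"{pkg}: {perm} -> {why}")
    return findings


def audit(settings_value: str, dumpsys_by_pkg: dict) -> dict:
    """Map each suspicious package to its findings."""
    report = {}
    for pkg, _svc in parse_enabled_services(settings_value):
        findings = assess(pkg, parse_dumpsys(dumpsys_by_pkg.get(pkg, "")))
        if findings:
            report[pkg] = findings
    return report


# Constructed sample output (hypothetical package names).
ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.judiciary/com.example.judiciary.AccService"
)
DUMPSYS = {
    "com.example.judiciary": """Package [com.example.judiciary] (7a3f1c2):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
""",
    "com.google.android.marvin.talkback": """Package [com.google.android.marvin.talkback] (1b2c9d):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
""",
}

if __name__ == "__main__":
    for pkg, findings in audit(ENABLED, DUMPSYS).items():
        print("\n".join(findings))
```

On a managed fleet the same logic runs against output pulled through the MDM rather than adb; the important design point is that the accessibility grant is the root of the problem, so the audit keys on that list first and only then enriches with permissions and installer, rather than scanning every installed app for SMS permissions.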