Close
Blog, Learning Center, STRIKE August 5, 2025 Reading Time: 5 minutes

From the Depths of the Shadows: IRGC and Hacker Collectives Of The 12-Day War

In June 2025, during the 12-day conflict between Israel and Iran, a network of Iran-linked hackers launched a flurry of cyber-operations aligned with the war. As air strikes crossed borders, a vast array of hacking groups began working to sway public opinion, disrupt businesses, and intimidate and undermine adversaries. These threat actors worked in a coordinated web across borders to steal data, deface websites, spread propaganda, and launch malware attacks.

Some of the digital onslaught came from groups with known ties to Iran’s Islamic Revolutionary Guard Corps (IRGC). Other hacking groups supported Iranian state-backed priorities with their campaigns. Other groups were also ideologically-aligned with Iran’s goals, but operated without clear oversight.

SecurityScorecard’s STRIKE threat intelligence team conducted a comprehensive analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups over the 12-day war. The resulting research reveals exactly how Iranian hackers, proxies, and allies supported Iran’s war goals in a disruptive digital offensive. STRIKE also uncovered an IRGC-linked malware-laden phishing operation launched at the outset of the conflict, suggesting the threat actor orchestrated and planned the campaign in step with the war.

The report presents a detailed account of the wide variety of groups that make up Iran’s digital footsoldiers and probes how ideology, opportunism, and tasking intersect with broader warfare. 

Moving forward, defenders must understand more than malware, tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). Coordinated hackers now include Telegram channels as a shared hub, social engineering hooks tied to conflict, and phishing domains timed to military action. Taken together, this suggests deep integration between military operations and state-linked (or state-inspired) cyber-operations.

Key Takeaways

Our research offers a look inside the campaigns’ operational mechanics and motivations. From phishing infrastructure to propaganda coordination, this report covers how the groups:

  • Conducted reconnaissance
  • Recruited via Telegram
  • Coordinated with cyber brigades
  • Discussed punishing adversaries and collecting intelligence
  • Targeted adversaries with intimidation, defacement, and phishing
  • Planned malware operations targeting Israel’s allies
  • Used custom scripts and scanned for vulnerabilities
  • Stole data and coordinated data dumps
  • Advertised zero-days and other vulnerabilities

The report also reveals a campaign from IRGC-linked Imperial Kitten (also known as Tortoiseshell, Cuboid Sandstorm, and Yellow Liderc) that shows how it changed its tactics to match Iran’s military actions.

Read the full report here.

Background

In concert, the hacker chatter and activity that emerged during the 12-day conflict between Iran and Israel can appear sweeping, scattered, or even disparate. But a closer review shows clear patterns, signs of coordination, and targeted alignment between hundreds of threat actors.

Our analysis outlines a series of operations that were fast, targeted, and ideologically charged. In many cases, the threat groups appear to have coordinated their operations with agility and deep alignment.

We identified three main categories of threat actors on this digital front. First, we observe a layer of hacktivists, which are aligned with the IRGC but which appear to lack clear tasking. We also see IRGC-aligned clusters and state-sponsored actors.

Both the structured proxies aligned with the IRGC and the looser constellation of regional hacktivist groups participated in coordinated activity against a set of overlapping targets. Their levels of discipline, command, and technical capacity varied.

Messaging & TTPs

Some IRGC-inspired groups targeted financial, government, and media organizations. Other state-aligned groups focused on defacement, disruption, and data-theft. Several hacktivist and state-aligned groups focused on gathering intelligence and conducting offensive operations with intent to punish “collaborators.” They crafted their campaigns to intimidate adversaries, weaken Israeli morale, and amplify Iran-aligned “cyberwarfare” in support of Palestinian causes.

From data theft to SQL injection and DDoS campaigns, some threat groups appear to operate with tasking that closely aligns with the IRGC. Some hacking collectives acted on ideological fervor, which made attribution harder and muddied defenders’ responses.

Several key groups stand out in this fragmented ecosystem and offer lessons for defense moving forward, including the ideologically aligned Fatimion Cyber Team, the Cyber Fattah group, collectives like the Cyber Islamic Resistance, and the Tunisian Maskers Cyber Force, a financially-motivated and ideologically aligned threat actor.

Defending as Conflict Unfolds

A more covert player also changed tactics as the fighting escalated. Tortoiseshell or Imperial Kitten, a known Iranian state-linked threat actor, adopted conflict-themed phishing lures and built campaign infrastructure almost immediately after kinetic operations began. This campaign suggests the threat actor, notorious for its social engineering and malware, has planning or tasking cycles that respond quickly to conflict flashpoints.

The report considers how platforms like Telegram are now crucial staging grounds for threat actors and how basic DDoS and defacement techniques retain disruptive value. We also examine how hackers are both timing their operations to cause chaos during conflict and leveraging emotional manipulation linked to conflict to weaponize campaigns.

While typical characterizations of “cyberwarfare” can evoke offensive cyber-operations that lead to destruction, this research shows that cyber-operations during conflict can also cause disruption, intimidation campaigns, data leaks, and phishing.

Persistent Threats

This report presents key insights for defenders operating in the context of kinetic conflict. As air strikes cross borders, cyber proxies and hacktivists are launching well-planned cyberattacks, complete with reconnaissance, recruitment, defacement, data theft, data dumps, phishing, and malware delivery.

The sustained nature of these campaigns suggests that these attackers aren’t opportunists. They are committed to their objectives, making them persistent threats globally, not just regionally.

As hacking campaigns tied to kinetic conflict evolve so too must defense. Defense against offensive cyber-operations during times of great turmoil requires real-time hacker chatter and threat monitoring, not just historic playbooks.

Read the full report here.

Contact STRIKE for Incident Response

SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals, dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid response approach, SecurityScorecard offers companies protection against third-party risks and the ability to counter active threats like those tied to Iran.

Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security. 

For STRIKE media inquiries, contact us here.

 

Ryan Sherstobitoff

Field Chief Threat Intelligence Officer

Gilad Friedenreich Maizles

Security Researcher