Inside the Digital Battlefield: How Iran-Aligned Hackers Launched a Coordinated Cyber Offensive During the 12-Day War
- Cyber Jill

- Aug 5
In the fog of war, the first salvos may be kinetic—but the digital volleys come fast behind.
During the 12-day conflict between Iran and Israel in June 2025, cyberspace became a chaotic, coordinated battleground. A sprawling network of Iran-aligned hackers—ranging from state-sponsored cyber brigades to loosely organized hacktivist cells—mounted an aggressive offensive to destabilize, intimidate, and sway perception across the region and beyond.
The scope and structure of these campaigns were revealed in a sweeping analysis from SecurityScorecard’s STRIKE threat intelligence unit. Drawing on over 250,000 messages across 178 active cyber groups, the report unpacks the unprecedented scale and coordination of Tehran’s digital allies, exposing how ideology, military objectives, and opportunism converged to create a new kind of warfare.
“This wasn’t just a flurry of attacks—it was a synchronized digital blitz that evolved with the conflict on the ground,” said a STRIKE intelligence lead, speaking on condition of anonymity due to ongoing threat monitoring.
Cyber Command by Proxy
At the center of the report lies a nuanced map of threat actors, categorized into three main groups: ideological hacktivists, IRGC-linked proxies, and state-aligned cyber forces. These groups operated with varying degrees of oversight but with overlapping missions—data theft, disruption, psychological warfare, and propaganda amplification.
Telegram, often dismissed as just a messaging app, became a digital war room. Hackers used it to organize attacks, share stolen data, and recruit sympathizers. Malware-laced phishing domains were spun up just hours after bombs fell, designed to harvest credentials from targeted government and infrastructure employees in Israel and its allies.
The campaigns weren’t random. “The speed and precision of infrastructure setup—especially in operations attributed to IRGC-linked actors like Imperial Kitten—suggest premeditation and tight coordination with real-world events,” said the STRIKE researcher.
Imperial Kitten, also known as Tortoiseshell or Yellow Liderc, is a longtime Iranian cyber-espionage actor. According to STRIKE’s findings, the group deployed conflict-themed phishing lures mere hours after the initial airstrikes—part of a campaign that harvested credentials and deployed remote access tools in targeted systems.
From Defacement to Data Dumps
The attacks varied in sophistication. Some were textbook SQL injection or DDoS floods that defaced websites with pro-Iranian or pro-Palestinian messaging. Others involved advanced reconnaissance scripts and zero-day exploitation, especially targeting financial, government, and media institutions.
Groups like Cyber Fattah and Fatimion Cyber Team carried out noisy psychological warfare—defacing sites with graphic imagery and doxxing targeted individuals. Others, such as the Cyber Islamic Resistance, appeared more disciplined and intent on long-term intelligence collection.
Even less structured outfits, like the Tunisian Maskers Cyber Force—a financially motivated but ideologically sympathetic collective—participated in coordinated actions during the conflict window, underscoring how ideology and opportunity often intersect in this shadowy domain.
“There’s a myth that cyberwarfare is only about destruction. What we see here is disruption at scale—credibility sabotage, morale erosion, and intelligence collection, all at once,” said another threat analyst who reviewed the report.
Timing the War
The campaigns didn’t emerge in isolation—they were tactically timed with the war’s progression. Phishing operations surged after missile strikes. Leaked data followed high-profile political statements. Cyberattacks on Israeli infrastructure mirrored battlefield escalations.
The STRIKE report makes a compelling case that cyber campaigns are no longer sideshows. They’re embedded directly into the theater of war.
Notably, the campaigns weren’t just aimed at Israel. Allied countries, including those offering diplomatic or logistical support, found themselves on the receiving end of spear-phishing and credential harvesting campaigns. This reflects a broader strategic pivot—one that treats cyberspace as a borderless warfront where influence, not just infrastructure, is up for grabs.
Lessons for Defenders
The report's implications for cyber defense are sobering. Classic indicators of compromise (IOCs) and malware signatures are no longer enough. Defenders must watch the channels where coordination happens—Telegram, dark web forums, even open social media chatter—and anticipate that conflict anywhere can trigger targeted attacks everywhere.
In this case, the malware was just the tip of the spear. The real power came from synchronization—between narrative, action, and digital sabotage.
“This isn’t just about stopping malware. It’s about understanding how geopolitical flashpoints instantly translate into coordinated cyber offensives,” said the STRIKE lead.
As geopolitical conflicts grow more complex, and cyber-enabled influence becomes central to modern warfare, the defense playbook must evolve. That means threat intelligence teams need faster pipelines, stronger collaboration with geopolitical analysts, and the ability to adapt in real time—not just after the breach.
Because the next cyberwar won’t wait for a declaration. It will unfold in the group chats, phishing kits, and zero-day exploits already spinning up long before the bombs drop.


