Predatory Sparrow has emerged as a formidable cyber-sabotage group, focusing its operations on critical infrastructure within the Middle East, particularly in Iran and Syria. Believed to have affiliations with Israeli interests, the group has executed a series of sophisticated cyberattacks from 2019 through 2025, targeting sectors such as transportation, manufacturing, finance, and energy.
Operational Timeline and Notable Attacks
The group’s activities began in 2019, initially targeting Syrian entities like Alfadelex Trading and Cham Wings Airlines. These early operations demonstrated their capability to infiltrate networks and disrupt services.
A significant escalation occurred in July 2021 when Predatory Sparrow deployed the Meteor wiper malware against Iran’s national railway system. This attack led to widespread service disruptions, with taunting messages displayed on station boards, showcasing their ability to compromise critical national infrastructure with precise timing.
In June 2025, following Israeli airstrikes on Iran, the group expanded its focus to financial infrastructure. They launched coordinated attacks against Bank Sepah and the Nobitex cryptocurrency exchange. In the Nobitex breach, they claimed to have rendered $90 million in cryptocurrency permanently unrecoverable by transferring assets to inaccessible addresses, while simultaneously leaking the exchange’s complete source code and infrastructure documentation.
Technical Execution and Wiper Deployment Mechanisms
Predatory Sparrow’s attacks are characterized by a sophisticated multi-stage methodology. Analysts have identified that the group employs a complex chain of batch scripts and encrypted payloads to establish persistence, disable defenses, and deploy destructive wipers. Their operations demonstrate advanced environmental awareness, conducting reconnaissance to identify specific target systems before payload execution.
The technical architecture centers on their custom Meteor wiper malware, which utilizes encrypted configuration files and multi-stage batch script execution. The attack chain begins with a setup.bat script that checks the local hostname against a list of specific Passenger Information System servers, so that the destructive payload is skipped on those display systems; left intact, the public-facing boards remain available to show the attacker's messaging.
The msrun.bat script serves as the deployment mechanism for the wiper payload, creating a scheduled task configured to execute at a specified time through Windows Task Scheduler. Prior to wiper execution, the cache.bat script systematically disables all network adapters using PowerShell commands.
Defense evasion techniques include clearing Windows Event Logs through wevtutil commands targeting Security, System, and Application logs, effectively erasing forensic evidence.
The Meteor wiper employs XOR-based encryption for its configuration file and log files. Researchers developed Python decryption utilities revealing the malware’s internal operations.
To ensure complete system destruction, the bcd.bat script manipulates boot configuration data and removes volume shadow copies, preventing recovery.
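As an added example (not code from the original report or from the researchers it cites), the following Python sketch shows how a defender might correlate the staging steps described above across process-creation telemetry: log clearing, scheduled-task creation, adapter disabling, boot-configuration changes and shadow-copy removal seen together on one host. The sample events are constructed; the article names only wevtutil explicitly, so the other command-line patterns are assumptions based on standard Windows tooling.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image, command line).
# Illustrative only; not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "image": "cmd.exe", "cmdline": "wevtutil cl Security"},
    {"host": "WS-0412", "image": "cmd.exe", "cmdline": "wevtutil cl System"},
    {"host": "WS-0412", "image": "cmd.exe", "cmdline": "wevtutil cl Application"},
    {"host": "WS-0412", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn "mstask" /tr C:\\temp\\msrun.bat /sc once /st 03:00'},
    {"host": "WS-0412", "image": "powershell.exe",
     "cmdline": 'powershell -c "Get-NetAdapter | Disable-NetAdapter -Confirm:$false"'},
    {"host": "WS-0412", "image": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-0412", "image": "cmd.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign admin activity on another host: querying logs/tasks, not clearing or creating.
    {"host": "WS-0077", "image": "cmd.exe", "cmdline": "wevtutil qe Security /c:5"},
    {"host": "WS-0077", "image": "schtasks.exe", "cmdline": "schtasks /query"},
]

# Each rule is (name, regex over the command line). Patterns other than the
# wevtutil one are assumptions about standard Windows tooling, not from the article.
RULES = [
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("scheduled_task_created", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("network_adapters_disabled", re.compile(r"Disable-NetAdapter", re.I)),
    ("boot_config_modified", re.compile(r"\bbcdedit(\.exe)?\s+/set\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_hosts(events, min_rules=3):
    """Return {host: sorted rule names} for hosts where at least `min_rules`
    distinct staging rules fired. Any single rule alone is common admin noise;
    several together on one host look like wiper preparation."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Because the adapters are disabled before the wiper runs, such alerts must reach the SIEM as they happen rather than on a later collection cycle.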
Implications and Strategic Objectives
Predatory Sparrow’s operations are not merely disruptive but are strategically designed to cause irreversible damage to critical infrastructure. Their focus on data destruction over data exfiltration aligns with a mission of retaliatory cyber warfare against Iranian interests.
The group’s activities underscore the evolving landscape of cyber warfare, where non-state actors can execute attacks with precision and sophistication previously attributed to nation-states. Their ability to target and disrupt essential services highlights the need for robust cybersecurity measures and international cooperation to protect critical infrastructure from such threats.