CyberSecurity news

FlagThis - #iran

Ben Weiss@fortune.com //

Iran Crypto Exchange Hacked by Predatory Sparrow

A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on Youtube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says  Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 
Classification:
  • HashTags: #IranHack #CryptoSecurity #PredatorySparrow
  • Company: Iran
  • Target: Nobitex
  • Attacker: Predatory Sparrow
  • Product: Nobitex
  • Feature: Data Theft and Destruction
  • Malware: encryption.exe
  • Type: Hack
  • Severity: Major
@therecord.media //

Iranian APT BladedFeline Espionage Campaign Unveiled by ESET

ESET researchers have revealed a long-running cyber espionage campaign conducted by an Iranian APT group named BladedFeline. The group has been actively targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since at least 2017. BladedFeline is believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor, and has managed to stay undetected within these networks for approximately eight years, continually expanding its cyber espionage capabilities.

BladedFeline utilizes a variety of malicious tools for maintaining and expanding access within targeted organizations. Notable malware includes Shahmaran, a simple backdoor used against Kurdish diplomatic officials, and more sophisticated tools like Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig. Researchers suggest that BladedFeline may have initially gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control.

The group's targeting reflects Iran's strategic interests in the Middle East. The Kurdistan Regional Government's diplomatic relationships and oil reserves make it an attractive target for espionage, while the focus on Iraqi governmental circles suggests an attempt to counter Western influence. ESET warns that BladedFeline is likely to continue developing its malware arsenal to retain access to compromised systems for cyber espionage purposes. The discovery highlights the persistent threat posed by Iranian APT groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive government data.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • cyberpress.org: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • The Hacker News: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware
  • therecord.media: Iran-linked hackers target Kurdish, Iraq cyber espionage
  • Cyber Security News: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • Catalin Cimpanu: -New Imn Crew ransomware gang -Malware reports on ViperSoftX, Play ransomware, Chaos RAT -PathWiper destructive attacks hit Ukraine -UNC1151 targets Roundcube servers in Poland -Bitter APT formally linked to India -BladedFeline APT (aka Oilrig) op targets Iraq -OpenAI disrupts APTs and info-ops abusing ChatGPT -New Roundcube under attack -Cellebrite buys Corellium -OWASP Top 10 for Business Logic Abuse -YARA-X reaches v1.0
  • www.welivesecurity.com: ESET researchers analyse a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig. The group added 2 reverse tunnels (Laret & Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache) & various tools
  • www.scworld.com: Multi-year cyberespionage campaign launched by BladedFeline APT
  • WeLiveSecurity: BladedFeline: Whispering in the dark
  • The Record: Researchers at ESET describe the activities of an Iran-linked group that has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and expanding its reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ESET Research: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
  • github.com: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
Classification:
  • HashTags: #APT #CyberEspionage #Iran
  • Company: ESET
  • Target: Kurdistan, Iraq, Uzbekistan
  • Attacker: BladedFeline
  • Product: ESET
  • Feature: Cyber Espionage
  • Malware: Whisper
  • Type: Espionage
  • Severity: Major
info@thehackernews.com (The@The Hacker News //

Iranian Hackers Target Middle East CNI in Long Term Attack

A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.

The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC.

Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • The Hacker News: An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
  • cybersecuritynews.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • gbhackers.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • securityonline.info: Recently, the FortiGuard Incident Response (FGIR) team has released an in-depth analysis detailing a prolonged, state-sponsored intrusion into The post appeared first on .
  • gbhackers.com: A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.
  • www.scworld.com: Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Industrial Cyber: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
Classification:
  • HashTags: #APT #CNI #Espionage
  • Company: FortiGuard
  • Target: Middle East CNI
  • Attacker: Iranian state-sponsored group
  • Product: VPN
  • Feature: espionage
  • Malware: DarkWatchman
  • Type: Espionage
  • Severity: Major

Posts

Blogs

Research Tools