TL;DR: During the June 2025 Israel-Iran conflict, coordinated reconnaissance, phishing, data theft, defacement, and malware activity tied to war objectives emerged across Iranian proxies and hacktivists, according to SecurityScorecard’s STRIKE team. The analysis of 250,000 messages from more than 178 active groups shows conflict-linked cyber operations now blend propaganda, recruitment, and disruption, which raises the bar for detection and response.
At a glance
What this is: SecurityScorecard’s research shows how Iran-linked hackers, proxies, and hacktivists coordinated cyber operations during the June 2025 conflict, combining reconnaissance, phishing, defacement, malware, and propaganda.
Why it matters: For defenders, the key lesson is that conflict-driven campaigns can move quickly across platforms and targets, so IAM, NHI, and broader security teams need monitoring, attribution, and response plans that account for social engineering and coordinated abuse.
👉 Read SecurityScorecard’s analysis of Iran-linked cyber operations during the June 2025 conflict
Context
The core problem is not just malware or defacement, but coordinated cyber activity that tracks real-world conflict and uses timing, narrative, and social channels to shape impact. Security teams often model these campaigns as isolated incidents, yet the article shows a broader operating pattern where propaganda, recruitment, phishing, and disruption are planned as part of the same effort.
That matters for identity and access governance because conflict-linked campaigns often rely on social engineering, credential theft, and third-party trust to gain reach. For programmes responsible for IAM, PAM, NHI, and identity verification, the operational question is how to detect coordinated abuse when the attack surface includes messaging platforms, public-facing brands, and workload credentials, not only traditional perimeter controls.
Key questions
Q: How should security teams respond to conflict-themed phishing campaigns?
A: Security teams should treat conflict-themed phishing as both a social engineering and intelligence problem. Strengthen email and messaging filters, require stronger verification for urgent requests, and train analysts to connect lures with broader campaign timing. Use public-event context as a trigger for heightened review, especially when messages aim to capture credentials or push malware.
Q: Why do messaging platforms matter in coordinated cyber campaigns?
A: Messaging platforms matter because they can function as coordination hubs for tasking, recruitment, narrative shaping, and payload timing. That creates earlier warning opportunities than traditional malware telemetry alone, but only if teams monitor actor chatter and link it to observed activity. Without that visibility, defenders see fragments rather than the campaign structure.
Q: What breaks when attribution is uncertain in politically motivated attacks?
A: What breaks is the tendency to wait for perfect attribution before acting. Politically motivated attacks often mix state-linked actors, proxies, and ideologically aligned groups, which makes sponsor certainty difficult. Security teams should instead respond to observable behaviours, including phishing patterns, defacement timing, and data-leak coordination, because those signals are enough to justify containment.
Q: Who is accountable when external chat channels are used to coordinate attacks?
A: Accountability sits with the organisation’s threat intelligence, SOC, and security leadership functions together. When attacks are coordinated through external chat channels, the issue is not only threat detection but whether the programme is watching the right sources, escalating quickly, and tying external chatter to business risk. Governance should define who owns that visibility and response loop.
Technical breakdown
Conflict-linked phishing infrastructure and social engineering
The article describes phishing domains and conflict-themed lures that appeared as military operations escalated. That pattern matters because adversaries use current events to increase click-through, lower suspicion, and compress defender reaction time. In practice, the mechanism is simple: attackers bind a real-world narrative to a malicious payload, then use that narrative across email, messaging apps, and copied branding to move victims toward credential submission or malware execution. This is less about a single exploit and more about social pressure weaponised at scale.
Practical implication: monitor for event-themed lures and tighten verification for any login, file, or payment request that claims conflict-related urgency.
Telegram as a coordination layer for cyber operations
SecurityScorecard’s analysis highlights Telegram channels as shared staging and recruitment hubs. That shifts Telegram from a communications app into part of the threat infrastructure, where tasking, propaganda, and operational coordination can happen in public or semi-public spaces. For defenders, this means threat intelligence must include channel monitoring, narrative analysis, and actor linkage, not just signatures for malware families. The operational challenge is that coordination can happen well before a payload is delivered, so traditional detection may arrive late.
Practical implication: add messaging-platform monitoring to your threat intelligence workflow and map channels to emerging campaigns before they reach production systems.
Data theft, defacement, and malware as a blended impact model
The article shows that these campaigns combine low-complexity tactics like defacement and DDoS with higher-value actions such as data theft and malware delivery. That blend is important because the attacker objective is not always persistence or exfiltration alone. Often the real goal is to create noise, erode trust, and amplify a political narrative while simultaneously collecting intelligence or preparing follow-on compromise. Defenders should therefore treat disruptive events and theft events as potentially linked parts of the same campaign rather than separate incidents.
Practical implication: correlate defacement, credential abuse, and data-leak indicators into one investigation queue instead of triaging them as unrelated events.
Threat narrative
Attacker objective: The objective is to support Iran-aligned war aims by disrupting adversaries, stealing data, amplifying propaganda, and intimidating targeted organisations.
- Entry begins with conflict-themed phishing, social recruitment, and coordinated reconnaissance across public channels and targeted domains.
- Escalation follows when victims or targets interact with the lure, allowing credential capture, malware delivery, defacement access, or data-theft operations.
- Impact is achieved through disruption, intimidation, propaganda amplification, and selective data dumps that support the wider conflict narrative.
NHI Mgmt Group analysis
Conflict-aligned cyber operations are now an identity problem as much as a malware problem. The article shows that attackers used recruitment, phishing, and narrative manipulation alongside technical intrusion. That means identity verification, access validation, and trust decisions are all part of the attack surface, not just endpoint or email security. Practitioners should treat conflict-driven social engineering as a cross-domain identity and security governance issue.
Telegram-driven coordination creates a detection gap that conventional control stacks do not cover. When tasking, propaganda, and operational planning happen in messaging channels, defenders are no longer dealing only with malicious payloads. They are dealing with a distributed command environment that can change quickly and remain partially hidden. Security programmes need threat intelligence that follows actor coordination, not just IOC matching, because timing and narrative are operational signals in their own right.
Conflict-themed phishing is a named concept worth tracking because it turns real-world events into an access-control bypass. The lure works by manipulating urgency and shared identity, then moving the target toward credential submission or malware execution. In governance terms, the failure is not only user awareness but the absence of strong verification gates when contextual pressure is highest. Practitioners should recognise this as a repeatable pattern, not an isolated social engineering trick.
State-linked and ideologically aligned actors blur attribution, but the governance response should not wait for perfect certainty. The article shows a mix of IRGC-aligned groups, state-sponsored actors, and ideologically motivated collectives. That mix complicates attribution, yet the operational effect is the same: coordinated abuse of trust, channels, and brand credibility. Teams should therefore build response playbooks around observable behaviour and campaign structure, not around waiting to name the sponsor.
Persistent conflict-linked campaigns validate the need for continuous monitoring of external chatter and third-party exposure. The report’s scale and timing show these actors are committed, organised, and responsive to geopolitical triggers. For practitioners, the lesson is that perimeter monitoring alone is insufficient when the earliest warning signs may appear in public channels or third-party relationships. Security teams should treat external intelligence as an operational control, not a supplementary feed.
What this signals
Conflict-linked campaigns show why security programmes need to treat external chatter as an operational signal rather than an intelligence side note. The strongest early indicators may emerge before malware or defacement, which means response teams need better correlation between narrative shifts, platform activity, and authentication events. That is especially true when adversaries use urgency and public events to increase the likelihood of credential capture.
Verification under pressure: when an attack uses a real-world crisis to prompt action, the control gap is not just awareness but the lack of high-friction verification at the point of trust. Teams that can challenge urgent requests, validate external claims, and link identity checks to anomaly detection will reduce the odds of social engineering becoming an access event.
For identity and access programmes, the practical signal is that trust assumptions must be stress-tested against adversarial timing. Conflict, major news, and geopolitical events can all become access paths if staff, suppliers, or admins are conditioned to respond quickly. Security leaders should align IAM, SOC, and threat intelligence so that escalation paths exist before the next campaign begins.
For practitioners
- Add conflict-themed lure detection Create detection rules for phishing messages that reference wars, sanctions, military events, or humanitarian crises, then route those alerts into your SOC and awareness channels for rapid review.
- Monitor messaging platforms for campaign coordination Include Telegram and similar channels in threat intelligence workflows so analysts can map recruitment, tasking, and propaganda before those signals turn into phishing or malware delivery.
- Correlate disruptive and theft-focused incidents Link defacement, DDoS, credential abuse, and data dump signals in one investigation path so analysts can see whether they are part of the same campaign rather than separate events.
- Harden verification during periods of heightened tension Require stronger identity checks for urgent requests, password resets, domain changes, and payment approvals when public events could be used to manipulate staff or suppliers.
Key takeaways
- The report shows that conflict-linked cyber activity now blends phishing, propaganda, reconnaissance, and disruption into one coordinated campaign model.
- SecurityScorecard’s analysis of 250,000 messages across more than 178 groups shows the scale of the coordination problem, not just the presence of isolated attackers.
- The control gap is faster verification and better external monitoring, especially when adversaries use current events to bypass normal trust checks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access; TA0040 , Impact | The article covers conflict-themed phishing, credential capture, and disruptive outcomes. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central when threat signals emerge from public chatter and external channels. |
| NIST SP 800-53 Rev 5 | SI-4 | Threat monitoring and analysis align with the article’s call for real-time visibility into active campaigns. |
| CIS Controls v8 | CIS-14 , Security Awareness and Skills Training | Conflict-themed social engineering depends on people being manipulated under urgency and uncertainty. |
| NIST AI RMF | MAP | The article shows a need to map external threat context into programme risk understanding. |
Map campaign indicators to initial access, credential access, and impact techniques to improve detection and triage.
Key terms
- Conflict-themed phishing: Phishing that uses wars, disasters, political events, or other high-emotion situations as the lure. Attackers borrow real-world urgency to increase trust, accelerate clicks, and bypass normal caution. It is effective because the message feels timely and relevant, not because the technical payload is sophisticated.
- Coordination layer: A communication channel or platform used to organise cyber activity before or during an attack. In this context, it includes messaging apps, recruitment channels, and tasking spaces that help groups align timing, narratives, and targets. It is part of the operational environment, even when it is not the payload delivery system.
- Conflict-linked cyber operations: Cyber activity that is timed to, shaped by, or intended to support an ongoing political or military conflict. These operations often combine disruption, propaganda, reconnaissance, theft, and intimidation. The key feature is alignment with real-world events, which changes how defenders should prioritise monitoring and response.
What's in the full report
SecurityScorecard’s full report covers the operational detail this post intentionally leaves for the source:
- The campaign-by-campaign breakdown of how Iranian proxies, hacktivists, and state-aligned actors were grouped and characterised.
- The messaging and targeting patterns that linked Telegram coordination, propaganda, and conflict-timed phishing lures.
- The Imperial Kitten timeline that shows how one IRGC-linked actor adjusted tactics as military activity escalated.
- The raw operational examples behind reconnaissance, data theft, defacement, malware planning, and vulnerability scanning.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle controls. It is designed for practitioners who need to connect identity governance to real-world attack patterns and operational risk.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org