TL;DR: During the June 2025 Israel-Iran conflict, coordinated reconnaissance, phishing, data theft, defacement, and malware activity tied to war objectives emerged across Iranian proxies and hacktivists, according to SecurityScorecard’s STRIKE team. The analysis of 250,000 messages from more than 178 active groups shows conflict-linked cyber operations now blend propaganda, recruitment, and disruption, which raises the bar for detection and response.
NHIMG editorial — based on content published by SecurityScorecard: Iran-linked cyber operations during the June 2025 conflict
Questions worth separating out
Q: How should security teams respond to conflict-themed phishing campaigns?
A: Security teams should treat conflict-themed phishing as both a social engineering and intelligence problem.
Q: Why do messaging platforms matter in coordinated cyber campaigns?
A: Messaging platforms matter because they can function as coordination hubs for tasking, recruitment, narrative shaping, and payload timing.
Q: What breaks when attribution is uncertain in politically motivated attacks?
A: What breaks is the tendency to wait for perfect attribution before acting.
Practitioner guidance
- Add conflict-themed lure detection Create detection rules for phishing messages that reference wars, sanctions, military events, or humanitarian crises, then route those alerts into your SOC and awareness channels for rapid review.
- Monitor messaging platforms for campaign coordination Include Telegram and similar channels in threat intelligence workflows so analysts can map recruitment, tasking, and propaganda before those signals turn into phishing or malware delivery.
- Correlate disruptive and theft-focused incidents Link defacement, DDoS, credential abuse, and data dump signals in one investigation path so analysts can see whether they are part of the same campaign rather than separate events.
What's in the full report
SecurityScorecard’s full report covers the operational detail this post intentionally leaves for the source:
- The campaign-by-campaign breakdown of how Iranian proxies, hacktivists, and state-aligned actors were grouped and characterised.
- The messaging and targeting patterns that linked Telegram coordination, propaganda, and conflict-timed phishing lures.
- The Imperial Kitten timeline that shows how one IRGC-linked actor adjusted tactics as military activity escalated.
- The raw operational examples behind reconnaissance, data theft, defacement, malware planning, and vulnerability scanning.
👉 Read SecurityScorecard’s analysis of Iran-linked cyber operations during the June 2025 conflict →
Iran-linked cyber operations during conflict: what defenders need to know?
Explore further
Conflict-aligned cyber operations are now an identity problem as much as a malware problem. The article shows that attackers used recruitment, phishing, and narrative manipulation alongside technical intrusion. That means identity verification, access validation, and trust decisions are all part of the attack surface, not just endpoint or email security. Practitioners should treat conflict-driven social engineering as a cross-domain identity and security governance issue.
A question worth separating out:
Q: Who is accountable when external chat channels are used to coordinate attacks?
A: Accountability sits with the organisation’s threat intelligence, SOC, and security leadership functions together. When attacks are coordinated through external chat channels, the issue is not only threat detection but whether the programme is watching the right sources, escalating quickly, and tying external chatter to business risk. Governance should define who owns that visibility and response loop.
👉 Read our full editorial: Iran-linked cyber operations in conflict show how warfare scales online