During the 12-day conflict between Israel and Iran in June 2025, Iranian-linked cyber threat actors executed a highly coordinated digital campaign targeting global critical infrastructure. This operation marked an unprecedented fusion of military action and cyberwarfare, with financial institutions, government bodies, and media organizations across various countries falling victim to widespread attacks. The campaign showcased Iran’s ability to synchronize real-world military offensives with cyber operations, intensifying both physical and digital threats in parallel.

According to the Researcher, the threat landscape involved a multifaceted ecosystem of actors, including state-sponsored hacking groups directly tied to Iran’s Islamic Revolutionary Guard Corps (IRGC) and ideologically driven hacktivist collectives. These actors utilized a wide range of attack vectors, such as malware-laced phishing emails, DDoS attacks, SQL injection, and advanced social engineering tactics. These methods were designed to steal sensitive information, cripple operational capabilities, and erode public trust in institutions under attack. Security researchers noted a surge in activity, with over 178 hacker groups involved and more than 250,000 intercepted communications analyzed.

A major player in this campaign was the Imperial Kitten group (also known as Tortoiseshell, Cuboid Sandstorm, and Yellow Liderc), which quickly adapted its tactics in alignment with Iran’s military objectives. Their operations were evidence of strategic coordination and planning, with phishing campaigns launched within hours of the conflict’s onset. These lures exploited themes related to the war, such as airstrikes and humanitarian crises, to manipulate recipients into opening malicious attachments, allowing attackers to gain long-term access to networks during periods of heightened vigilance.

What made this campaign particularly dangerous was the rapid evolution of threat actor tactics in response to unfolding geopolitical events. The deployment of conflict-specific phishing infrastructure and the use of contextually relevant lures demonstrate how state-linked cyber groups can swiftly align with national objectives. This adaptability complicates defensive efforts, as traditional cybersecurity systems struggle to detect and counter such dynamic, timely, and psychologically manipulative threats, underscoring the increasing convergence of cyber and conventional warfare in modern conflict scenarios.