In June 2025, reports emerged of a new cyber campaign dubbed “Ziggy Strike.” Public details on this exact label are scarce; however, the campaign’s characteristics align with a surge of Iran-linked and pro-Iran hacktivist activity in the Middle East. Analysts note extensive spear-phishing and credential-harvesting attacks against Israeli and regional targets, using fake meeting invites and credential portals. At the same time, hundreds of hacktivist and state-backed incidents were observed striking Middle Eastern sectors. For example, NSFOCUS reported pro-Iranian groups hitting Israeli government, defense/aerospace, telecommunications, and education sectors, while attacks on Iran (prior to major strikes) targeted finance, media, internet, and telecom firms. Exploits against networked devices (e.g., security cameras) have also been seen. Overall, Ziggy Strike appears to embody aggressive social engineering (often AI-generated phishing), destructive malware (wipers, ransomware), and network-disruption tactics consistent with Iran-linked and proxy actors in this conflict period.
The Ziggy Strike campaign employs a multi-phased attack chain and a mix of sophisticated and opportunistic tactics:
Spear-Phishing & Social Engineering: Victims (often Israeli or Middle East targets) receive carefully crafted messages impersonating trusted contacts (e.g., technology executives or researchers) via email or WhatsApp. Messages use AI-enhanced language and conflict-related lures to build rapport and push victims to “meetings.” Targets are directed to click links leading to bogus login pages. Check Point documented one such wave by the IRGC-linked APT35 (aka Educated Manticore), where attackers posed as assistants and sent fake Google Meet invitations or Gmail credential pages. These phishing kits are custom-built (React-based single-page apps) to mimic legitimate Google login flows and even capture 2FA codes (including a passive keylogger).
Infrastructure & Domains: The threat actor uses highly disposable infrastructure. Researchers observed 100+ attacker-owned domains (with dozens of subdomains) used for credential harvesting and malware hosting. Many domains mimic legitimate names or split familiar words with hyphens (e.g., conn-ectionor[.]cfd, ques-tion-ing[.]xyz, sendly-ink[.]shop). Notably, numerous “live-meet” domains (e.g., live-meet[.]cloud, live-meet[.]info, live-meet[.]cfd) were registered to host fake Google Meet pages. Behind these sites are C2 servers on a handful of IP addresses (for example, 185.130.226.71 and 45.12.2.158 appear in the phishing infrastructure). The infrastructure is rotated rapidly: domains are registered en masse (often via Namecheap) and torn down once flagged.
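The fake-meeting lures and the hyphen-split domain pattern described in the two items above are cheap for an attacker to rotate but also cheap for a defender to detect. The following Python script is an added example written for this page, not code from the original write-up or from any vendor named here. It scans constructed web-proxy log lines for (a) the indicator domains and IP addresses quoted above and (b) a generalization of the naming trick: hyphens are stripped from the registrable name and the result is checked for lure words such as "meet" or "google", so a domain the indicator list has never seen (the constructed go-ogle-docs.top below) is still surfaced. The lure-word list, allowlist, "abuse-prone TLD" weighting, log format and the two-label approximation of a registrable domain are all assumptions of this example, not facts from the page.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators quoted in the write-up above (the page's own values, defanged there).
IOC_DOMAINS = {
    "conn-ectionor.cfd", "ques-tion-ing.xyz", "sendly-ink.shop",
    "live-meet.cloud", "live-meet.info", "live-meet.cfd",
}
IOC_IPS = {"185.130.226.71", "45.12.2.158"}

# Assumptions of this example (not from the page): lure words that the
# hyphen-split names reassemble to, legitimate hosts to ignore, and TLDs
# that appear in the indicators and are treated as a weak corroborating signal.
LURE_WORDS = ("meet", "connection", "question", "login", "signin", "google")
ALLOWLIST = {"meet.google.com", "accounts.google.com", "mail.google.com"}
WEAK_TLDS = {"cfd", "xyz", "shop", "cloud", "info"}


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.); a production
    version should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Return (severity, reasons) for one hostname or IP literal.
    severity is 'high', 'medium' or None."""
    host = host.lower()
    reasons, score = [], 0
    if host in ALLOWLIST:
        return None, reasons
    try:
        ip_address(host)  # raises ValueError for non-IP hostnames
        if host in IOC_IPS:
            reasons.append("known C2/phishing IP")
            score += 100
        return ("high" if score >= 100 else None), reasons
    except ValueError:
        pass
    base = registrable(host)
    if base in IOC_DOMAINS:
        reasons.append(f"known phishing domain {base}")
        score += 100
    name, _, tld = base.rpartition(".")
    if "-" in name:
        joined = name.replace("-", "")  # reassemble the split word
        for word in LURE_WORDS:
            if word in joined:
                reasons.append(f"hyphen-split lure word '{word}' in {base}")
                score += 50
                if tld in WEAK_TLDS:
                    reasons.append(f"abuse-prone TLD .{tld}")
                    score += 10
                break
    severity = "high" if score >= 100 else "medium" if score >= 50 else None
    return severity, reasons


def scan_log(text):
    """Parse '<timestamp> <client> <method> <url>' lines (constructed format)
    and return {host: {'severity':..., 'reasons':..., 'clients': set()}}
    for every host that triggers at least one signal."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, _method, url = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        severity, reasons = classify_host(host)
        if severity is None:
            continue
        entry = hits.setdefault(host, {"severity": severity, "reasons": reasons, "clients": set()})
        entry["clients"].add(client)
    return hits


# Constructed sample proxy log: one benign Google Meet visit, two hosts from the
# page's indicator list, one indicator IP, a benign site, and an unlisted
# hyphen-split lookalike that only the heuristic catches.
SAMPLE_LOG = """\
2025-06-18T09:12:01Z 10.0.4.22 GET https://meet.google.com/abc-defg-hij
2025-06-18T09:12:44Z 10.0.4.22 GET https://invite.live-meet.cloud/join/4821
2025-06-18T09:13:02Z 10.0.4.22 POST https://invite.live-meet.cloud/api/auth
2025-06-18T09:15:10Z 10.0.7.9 GET https://ques-tion-ing.xyz/signin
2025-06-18T09:16:33Z 10.0.7.9 GET http://185.130.226.71/update.bin
2025-06-18T09:20:00Z 10.0.2.5 GET https://news.example.org/world
2025-06-18T09:21:00Z 10.0.2.5 GET https://go-ogle-docs.top/view
"""

if __name__ == "__main__":
    for host, info in scan_log(SAMPLE_LOG).items():
        print(f"[{info['severity']:6}] {host:28} clients={sorted(info['clients'])} "
              f"reasons={'; '.join(info['reasons'])}")
```

The two-tier output matters operationally: "high" hits are exact indicator matches and can feed a block list directly, while "medium" hits from the lure-word heuristic are hunting leads that need a second look, since hyphenated names are common in legitimate domains too.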
Malware & Exploits: Post-compromise activity likely involves installing backdoors and wipers after initial access. Iranian APT groups commonly deploy custom Windows backdoors (e.g., “CharmPower”/PowerSTAR and PowerLess) to maintain persistence. Destructive malware is also a feature – in prior campaigns targeting Israel, wipers have been used to wipe systems once data is exfiltrated. Independent reports note samples of destructive wipers and even crypto-wallet cleaners tied to the Iran–Israel conflict, alongside $90 million in crypto assets destroyed in a June 2025 breach. Other observed methods include exploitation of exposed devices: for instance, scans and attacks against Chinese-made security cameras in Israel were reported, presumably to gather intelligence on physical damage. Distributed denial-of-service (DDoS) attacks and website defacements have also been used en masse by hacktivists in this campaign phase.
Tactics, Techniques and Procedures: Key TTPs include targeted spear-phishing (T1566), use of custom credential-stealing kits, and rapid domain rotation. The adversary shows emphasis on aggressive credential harvesting (spear-phishing + fake OAuth pages), DDoS/hacktivism (symmetrical disruption operations), and destruction/hack-and-leak (wipers and data dumps). Malware deployment and lateral movement are likely aided by stolen credentials and exploits. The campaign’s tools and infrastructure mirror known IRGC-aligned APTs (like Educated Manticore/APT35) and hacktivist collectives (e.g., “Team Fearless” or “Arabian Ghosts”) active in the Iran–Israel conflict.
The Ziggy Strike campaign, by targeting critical sectors in the Middle East, poses risks of data breaches, operational disruption, and damage to public trust. Affected industries include government services, defense/aerospace, finance, telecommunications, IT/Internet services, and critical utilities (especially water and energy). For instance, a May 2025 ransomware incident hit Israel’s water systems, underscoring vulnerabilities in utility networks. Impacts may range from espionage and theft of intellectual property to outright sabotage. In previous related incidents, attackers have wiped servers (denying access) and hijacked emergency alerts to create panic. Even when immediate physical damage is avoided, such campaigns inflict economic and psychological harm (e.g., fake nuclear alerts to citizens, or loss of sensitive data). As of mid-2025, most disruptions reported have been comparatively modest (limited DDoS or credential theft), but escalation is possible if tensions continue.
https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/