Understanding Iranian Capabilities and Hacktivist Activities
By John Fokker · June 23, 2025
As geopolitical tensions flare again in the Middle East, cyber operations are increasingly becoming an extension of physical conflict. State-aligned threat actors, patriotic hackers, and ideologically motivated groups are exploiting the moment, pushing digital conflict beyond traditional boundaries.
At Trellix, we’ve been closely tracking Iranian cyber operations for years. Our research has shown that Iran maintains a mature and diverse cyber capability, executed through a combination of government agencies, contractors, and loosely affiliated proxy groups. These actors are capable of a broad spectrum of operations—from espionage and wiper attacks to disruptive campaigns targeting critical infrastructure.
To help organizations contextualize this threat, we published a detailed breakdown of Iranian cyber capabilities in this recent blog post: The Iranian Cyber Capability.
Wipers are a staple in the Iranian cyber arsenal, aimed not at profit but at maximum disruption and psychological impact. These attacks, often attributed to state-aligned groups like APT33 (Elfin), APT34 (OilRig), and DEV-0270 (Nemesis Kitten), involve malware designed to delete or corrupt data beyond recovery, rendering systems inoperable. Over the past decade, Iran has repeatedly used wipers to retaliate against geopolitical rivals, disrupt infrastructure, and signal capability. Notable examples include the Shamoon attacks (2012, 2016), which crippled Saudi Aramco and other Gulf entities; ZeroCleare (2019); and the wiper from the known activist group Handala that we reported on last year.
But the story doesn’t end there.
Alongside state operations, we’re witnessing a surge in hacktivist activity. These groups—often claiming to act out of patriotic or religious allegiance—are becoming increasingly sophisticated and, at times, aligned (tacitly or explicitly) with nation-state agendas. These groups act as accelerants: launching disruptive attacks like distributed denial of service (DDoS) or wiper attacks, defacing websites, leaking data, or conducting psychological operations like the spread of misinformation with global ripple effects.
In another recent blog, we unpacked the connections between hacktivist groups and nation-state objectives: Hacktivist Groups and the Shadowy Links to Nation-State Agendas.
And as expected, the hacktivist group Handala was quick to re-emerge in the aftermath of the first wave of Israeli attacks, posting new data leaks of Israeli organizations.
These developments are not just a regional issue—they hold global cybersecurity implications. In fact, 90% of CISOs in the public sector are concerned cyberattacks on partner nations could serve as a gateway to attacks on their own government or critical infrastructure.
As organizations across sectors prepare for potential spillover or retaliatory activity, having access to timely, contextual operational threat intelligence is essential for an enhanced defense strategy. Identifying the threat actors likely to target your organization and understanding their motives will help determine the security controls and mitigation strategies needed in advance and improve your security posture.
At Trellix, we’re committed to arming defenders with the foresight they need to stay resilient, even as the lines between kinetic and cyber conflict continue to blur.
Stay vigilant. Stay informed.
____
John Fokker is the Head of Threat Intelligence at Trellix, leading efforts to track, analyze, and disrupt global cyber threats.
Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/