
Iran’s Covert Influence Apparatus: Objectives, Capabilities, Operational Patterns, and Strategic Implications


“Fatah-Yek,” a cyber defense exercise conducted by the Army of the Islamic Republic of Iran (May 19, 2021).

For years, Iran has employed overt and covert influence mechanisms against its adversaries[1]—foremost among them Israel and the United States, and at times even against states that maintain diplomatic relations with it. These actions are intended to exploit vulnerabilities and sensitive political situations in order to undermine the stability of target states, deepen internal rifts, and reinforce narratives aligned with Tehran’s strategic interests. The mechanisms employed rely on a combination of cyberattacks and influence operations, primarily on social media, conducted at varying levels of secrecy and deniability.*

The leadership repeatedly underscores the need to control the cognitive domain. Supreme Leader Ali Khamenei has often portrayed “soft power” as a central dimension of Iran’s strength. In January 2024, he argued that for four decades the Islamic Republic has relied more on ideological power, messaging, and consciousness than on military force, and that alongside the development of advanced weapons, “intellectual and verbal weapons” must constitute a central component of the national toolbox.[2]

It is important to note that despite the substantial investment in influence capabilities, no Iranian campaign has yet been exposed that produced a clear, large-scale effect. Nevertheless, the consistency, scale of activity, and ongoing improvements point to a long-term strategic concept and a willingness to expand efforts—whether in the overt domain or in the covert domain, where the likelihood of detection is lower. Moreover, it is possible that effective influence operations have not been uncovered, or that they will emerge in future arenas through the application of lessons learned from previous operations.

The major events of recent years—the outbreak of the Swords of Iron war and the events of Operation Rising Lion—show how Iran employs its cyber and influence capabilities in times of crisis, and they also reveal the limits of those capabilities and of Iran’s willingness to act. The patterns that have emerged point to a relatively stable framework that targets domestic and foreign audiences simultaneously, drawing on a varied set of tools, narratives, and denial mechanisms.

This article examines how Iran operates in the covert influence sphere—its objectives, the tools it employs, and the patterns that characterize its activity, particularly during sudden escalations and regional crises. It begins by outlining the broader context of Tehran’s influence and propaganda mechanisms, then analyzes the objectives, tools, and practices of its covert influence apparatus, and concludes with case studies related to Iran’s activity during the Swords of Iron war and Operation Rising Lion.

Iran’s Covert Influence: Operational Mechanisms, Camouflage Patterns, and Methods of Denial

The Iranian regime employs a wide range of overt instruments to advance its positions in the international arena, including multilingual media outlets, diplomatic engagement within international institutions, and official statements by senior regime figures. These activities are openly attributable to Iran, and their declared objectives make them relatively straightforward to identify and analyze as formal expressions of state policy.


Alongside these overt channels, Iran operates a broad infrastructure of covert influence operations designed to avoid direct attribution and to shape public opinion in target countries more deeply and persistently. Many of these campaigns aim to project a high level of authenticity: their content, language, and tone are deliberately crafted to resemble genuine local voices, at times closely mimicking domestic protest movements or political discourse. Other operations take the opposite approach, relying on high visibility and intense media saturation, while carefully obscuring their Iranian origin in order to prevent direct attribution.

Two principal patterns of denial can be identified in Iran’s covert influence activity:
 
1. Complete denial: a situation in which the target state is entirely unaware that a hostile operation is underway. This pattern is characteristic of campaigns designed to blend into local discourse, project authenticity, and amplify internal divisions. Exposure of their Iranian origin almost entirely neutralizes their effectiveness.


2. Denial of attribution to Iran: a situation in which hostile activity is clearly evident, yet cannot be attributed to Iran. This pattern is most common in cyber operations, which may trigger significant diplomatic or security responses. Unlike campaigns that seek to blend into local discourse, cyberattacks are typically intended to generate broad impact, disruption, or media attention—while concealing the identity of the actor behind them.

Key Institutions and Organizations

Several organizations in Iran are known to be involved in operating covert influence apparatuses. This activity takes place alongside the regime’s overt propaganda and influence infrastructure, which includes, among other elements, the Iranian state broadcaster (IRIB) and parts of the Ministry of Foreign Affairs. Covert influence bodies operate in accordance with the denial patterns described above and employ a broad array of tools and capabilities to that end.


1. The Islamic Revolutionary Guard Corps (IRGC) – the regime’s central armed political force. The IRGC is subordinate to the General Staff of the Armed Forces, which operates under the direct authority of Iran’s Supreme Leader. Several bodies within the IRGC are engaged in covert influence through offensive cyber means, most notably the IRGC Intelligence Organization and the Defensive Cyber and Electronic Warfare Organization. These bodies operate offensive cyber units as well as cyber personas used to amplify the cognitive and psychological impact of broader cyber operations. This activity is carried out both by organic IRGC personnel and through outsourcing to private entities.[3]

2. The Ministry of Intelligence – the Ministry of Intelligence is a government ministry subordinate to the President of Iran and functions as one of the regime’s central intelligence arms. It is responsible for extensive activity in espionage, intelligence collection, and surveillance. Alongside these capabilities, the ministry operates cyber capabilities parallel to those of the IRGC, including offensive cyber units and units that deploy cyber personas for influence purposes. Like the IRGC, the Ministry of Intelligence also relies in part on cooperation with private entities, as part of its force-buildup process and the expansion of its cyber capabilities.[4]

3. The Ministry of Foreign Affairs – alongside its formal role in managing Iran’s diplomatic policy, the Ministry of Foreign Affairs also maintains networks of undeclared contacts and cooperation intended to advance covert influence activity in line with the regime’s interests. This activity focuses, among other things, on cultivating relationships with foreign actors, influencers, and intellectuals, and on embedding messages and narratives in an indirect manner that projects an appearance of independence. These aspects will be discussed in greater detail later in the article (see “Recruitment of Influencers and Intellectuals”).

Strategic Objectives of Iran’s Covert Influence Apparatus

Available research, together with analysis of Iran’s operational behavior, points to four central strategic objectives guiding its covert influence apparatus:

1. Undermining the internal stability of its adversaries, particularly Israel and the United States
Iran exploits existing social and political tensions within target states and amplifies them in order to undermine governmental stability and weaken social cohesion. In Israel, these efforts focused on spreading polarizing content around political and social disputes, including the 2023 judicial reform, secular–ultra-Orthodox relations,[5] and campaigns targeting senior security officials.[6]

Internationally, Iran promoted separatist narratives in the United Kingdom, such as encouraging Scottish nationalism,[7] and in the United States sought to interfere in the 2024 election by hacking Donald Trump’s campaign systems in an effort to damage his electoral prospects.

2. Preserving regime stability in Iran
During the direct confrontation between Iran and Israel, elements of Iran’s influence apparatus focused on the Iranian domestic arena. Bot networks and online assets promoted narratives of national unity, resilience in the face of external threats, and willingness to make sacrifices for the state.[8] After the conclusion of Operation Rising Lion, these campaigns emphasized internal cohesion, alongside enforcement measures and punitive actions against those suspected of cooperating with Israel. In this way, the influence apparatus also functions as an additional instrument of social control.

3. Advancing an anti-Israel (and thus pro-Palestinian) agenda
Iran seeks to portray Israel as an aggressive state acting against the Palestinian population. After October 7, resources were redirected from other campaigns, including a campaign targeting the United Kingdom, to reinforce anti-Israel propaganda.[9] Iran also disseminates conspiracy narratives among Western audiences portraying Israel as manipulating U.S. policy and decision-makers.[10] In parallel, Iran works to “impose costs” on states that maintain security or technological ties with Israel through cyberattacks or covert campaigns, highlighting these actions in both domestic and international messaging.[11]

4. Targeting the Iranian opposition in exile
Iranian influence mechanisms are also deployed against opposition actors outside the country who are perceived as a threat to regime stability. A prominent example is the cyberattack by the “Handala” group against journalists at the Iranian opposition channel in exile Iran International,[12] one of the regime’s most outspoken critics. Such actions are intended to deter and disrupt opposition activity and to undermine the credibility of Western media outlets that expose sensitive and damaging information from within Iran.

Key Instruments of Iran’s Covert Influence Apparatus

To advance its strategic objectives in the covert domain, the Iranian regime employs a broad range of tools and operational methods, often combined within multidimensional campaigns. The principal instruments are outlined below.

1. Bot networks

Bot networks are among the main tools in Iran’s influence operations. They consist of fake profiles operating in close coordination across social media platforms to promote specific narratives and messages. Most activity takes the form of simple automated actions—for example, likes, shares, and hashtag amplification[13]—but in some instances the bots also produce original content. Identifying characteristics include synchronized activity patterns, tight coordination among multiple profiles, and repeated use of the same messages and digital assets.

In this context, advances in large language models (LLMs) and other AI tools now enable the large-scale production of persuasive content, significantly enhancing impersonation capabilities and making detection more difficult. Iran uses bot networks both to amplify official positions and to intensify divisive local narratives within target states.
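The identifying characteristics listed above (synchronized activity, tight coordination among multiple profiles, repeated use of the same messages) can be checked mechanically on post metadata. The following Python example is added here for illustration and is not taken from any study cited in this article; the thresholds, account names, and sample posts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Assumed thresholds (illustrative, not from the article or its sources).
WINDOW_SECONDS = 120   # posts this close together count as synchronized
MIN_SHARED = 2         # distinct messages a pair of accounts must co-post
MIN_CLUSTER = 3        # smallest coordinated group worth reporting


def normalize(text):
    """Reduce a post to a comparable form so trivially varied copies match."""
    text = text.lower()
    text = re.sub(r"https?://\S+", " ", text)   # links often differ per share
    text = re.sub(r"@\w+", " ", text)           # mentions differ per target
    text = re.sub(r"[^\w#\s]", " ", text)       # drop punctuation/emoji, keep hashtags
    return " ".join(text.split())


def co_posting_pairs(posts, window=WINDOW_SECONDS):
    """Map each account pair to the messages both posted within `window` seconds."""
    by_message = defaultdict(list)
    for account, ts, text in posts:
        by_message[normalize(text)].append((datetime.fromisoformat(ts), account))
    shared = defaultdict(set)
    for message, events in by_message.items():
        events.sort()  # chronological, so t2 >= t1 in every combination below
        for (t1, a1), (t2, a2) in combinations(events, 2):
            if a1 != a2 and (t2 - t1).total_seconds() <= window:
                shared[frozenset((a1, a2))].add(message)
    return shared


def coordinated_clusters(posts, window=WINDOW_SECONDS,
                         min_shared=MIN_SHARED, min_cluster=MIN_CLUSTER):
    """Return groups of accounts that repeatedly post the same text in sync."""
    graph = defaultdict(set)
    for pair, messages in co_posting_pairs(posts, window).items():
        # One shared message can be an organic repost; repetition is the signal.
        if len(messages) >= min_shared:
            a, b = tuple(pair)
            graph[a].add(b)
            graph[b].add(a)
    clusters, seen = [], set()
    for start in sorted(graph):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:                      # depth-first walk of one component
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(graph[node] - component)
        seen |= component
        if len(component) >= min_cluster:
            clusters.append(sorted(component))
    return clusters


# Constructed sample data: (account, ISO timestamp, text). Not real posts.
SAMPLE_POSTS = [
    ("acct_a", "2025-06-14T12:00:00", "Stand united! #TopicOne https://t.example/1"),
    ("acct_b", "2025-06-14T12:00:20", "stand UNITED #topicone https://t.example/2 @someone"),
    ("acct_c", "2025-06-14T12:00:45", "Stand united!! #TopicOne"),
    ("user_y", "2025-06-14T12:00:50", "Stand united #TopicOne"),        # one-off overlap
    ("user_x", "2025-06-14T15:00:00", "Stand united! #TopicOne"),       # late organic share
    ("acct_a", "2025-06-14T12:30:05", "They are hiding the truth #TopicTwo"),
    ("acct_b", "2025-06-14T12:30:10", "They are hiding the truth. #TopicTwo"),
    ("acct_c", "2025-06-14T12:31:00", "they are hiding the truth #TopicTwo https://t.example/3"),
    ("user_z", "2025-06-14T12:30:30", "Traffic is terrible today"),
]

if __name__ == "__main__":
    for cluster in coordinated_clusters(SAMPLE_POSTS):
        print("coordinated cluster:", ", ".join(cluster))
```

Exact-match grouping after normalization catches copy-paste amplification; LLM-paraphrased content of the kind this section describes would need a fuzzy text-similarity measure in place of `normalize`.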

2. Impersonation of known entities

Iran operates online pages that impersonate existing entities—organizations, civil initiatives, and even Hamas-affiliated bodies—in order to establish credibility, mislead the public, and collect information. Prominent examples include:

  • “Kan+”: A platform exposed by the Israel Security Agency (Shin Bet) that presented itself as a legitimate Israeli entity while collecting personal information from citizens through fictitious surveys.[14]

  • “BringHomeNow”: A web page that impersonated a hostage-support initiative by mimicking the hashtags and visual style of the official campaign to return the hostages during the Swords of Iron War, with the aim of collecting personal information through “volunteer forms.” Its name closely resembled the prominent English-language campaign Bring Them Home Now. The fictitious campaign was exposed by the Shin Bet.[15]

These web pages were likely intended to serve as a foundation for recruiting local assets or for building infrastructure for future influence operations. Had they not been exposed, they would likely have progressed to the dissemination of propaganda messages.

3. Complex fictitious entities

Beyond bot networks and impersonation pages, Iran establishes entities with “deep identities”—web pages or fictitious organizations that claim to represent local civil groups. These entities produce substantial volumes of original content in order to build an audience, establish credibility, and embed themselves within local discourse over time.

This pattern was evident in the Israeli arena, where Iranian actors established Telegram channels that presented themselves as local “civil campaigns.” These channels disseminated extreme and polarizing messages on sensitive issues within Israeli society while fully concealing their connection to Iran, in order to create the appearance of authentic grassroots activity.[16] In several cases, the operators also recruited Israeli agents to provide a physical presence and further enhance their credibility.[17] In January 2024, the Shin Bet exposed several such channels and formally attributed them to Iranian intelligence actors.

  • “Tears of War”: promotion of extremist content and attempts to recruit Israelis for activities related to the hostage issue.[18]

  • “Egrof,” “Hasrot Onim” (hasrotonim), “Second Israel,” and “The Avengers”—web pages designed to deepen and amplify social and political divisions.[19]

Evidence suggests that Iran at times supplements its digital influence campaigns with on-the-ground activity, such as posting notices or distributing propaganda, using locally recruited agents to reinforce credibility and strengthen the linkage between the digital and physical spheres.[20]

4. “Hacktivists”: Cyber Personas and Destructive Attacks

Iran conducts destructive cyber operations through formal state units, but externally frames them as the actions of “ideological hacker groups” (hacktivists). To support this narrative, Iran constructs cyber personas—fictitious identities and social media accounts—that publicly claim responsibility for attacks and provide a layer of deniability to coordinated state activity.

A. Cyber Personas

Iran operates these personas by establishing dedicated social media accounts for the purported “hacktivist” groups. In professional terminology, these accounts are referred to as cyber personas. They are used to claim responsibility for attacks and to disseminate materials intended to reinforce the impression that they were carried out by an independent attacker. In practice, these operations are run from within Iran under the authority of two principal security organizations. Prominent examples include:

  • “BlackShadow”
    Best known as the public-facing persona behind the Iranian cyberattack on the Israeli insurance company Shirbit in 2020. Israel’s National Cyber Directorate linked BlackShadow to the Iranian attack framework known as Agrius and to the Malek Team persona, both operating under Iran’s Ministry of Intelligence. The same framework was also responsible for the attempted cyberattack on Ziv Medical Center in Safed in 2023, carried out in cooperation with Hezbollah’s cyber unit, “Lebanese Cedar.”[21]

  • “Handala”[22]
    This persona is effectively part of an offensive cyber unit operating under Iran’s Ministry of Intelligence. It has carried out a sustained campaign of attacks against Israel under an ideological cover of support for the Palestinian cause and is currently assessed as the most active Iranian offensive cyber unit targeting Israel. In addition to Israeli targets, the group has also attacked the London-based news outlet Iran International.[23]

  • “Darkbit”
    This persona also operates within a cyber unit of Iran’s Ministry of Intelligence and served as the public-facing cover for a destructive Iranian cyberattack against the Technion-Israel Institute of Technology’s servers in 2023, carried out by the unit known in the West as Muddy Water. The operation was framed through narratives linked to the Israeli–Palestinian conflict, likely to obscure attribution and deflect suspicion from a coordinated Iranian state operation.[24] Iran employed a similar model in its September 2022 cyberattack against the government of Albania, which was publicly claimed by another persona, Homeland Justice,[25] likewise operated by a Ministry of Intelligence–affiliated team.[26]

  • “Moses Staff”
    This persona operates under the cyber unit of the Islamic Revolutionary Guard Corps[27] and primarily targets Israeli organizations. Its operations are designed to inflict maximum damage through the theft and public release of sensitive data from compromised systems. Like other Iranian cyber personas, Moses Staff consistently embeds Palestinian and anti-Israel narratives into its public messaging.[28]

B. Operational Methods

Cyber operations employ several recurring operational methods, typically designed to inflict the maximum possible damage on the target.

  • Corruption and leakage of sensitive materials (Hack & Leak)
    In this method, Iranian actors penetrate target networks and steal sensitive—often personal—data with the deliberate intent of leaking it. Such attacks are typically designed to undermine the stability of the affected organization and, by extension, to harm the target state (most often Israel). A prominent example of a successful operation of this kind is the 2020 cyberattack against the Israeli insurance company Shirbit, which likely played a decisive role in the collapse of its independent operations and its subsequent sale to Harel.[29] In many cases, these operations involve not only data theft but also the deliberate corruption of the stolen information.

  • Attacks against operational technology (OT) components
    These are technically complex attacks, in which Iranian success rates have generally been low. One notable exception occurred in December 2023, when an Iranian cyber unit affiliated with the Islamic Revolutionary Guard Corps succeeded in disrupting the water supply in a small district in Ireland by targeting the control components of the water network. The “CyberAveng3rs” persona, which claimed responsibility for the attack, stated that the components were targeted because they were Israeli-manufactured.[30]

  • Website defacement and distributed denial-of-service (DDoS) attacks
    These are relatively simple attacks aimed at disrupting a website or online service. In DDoS attacks, the network infrastructure is flooded with requests, causing it to collapse—usually for short periods. Website defacement involves visual alteration of web pages, typically accompanied by hostile messages posted by the attacker, and in most cases also results in only temporary disruption.[31]

  • Dissemination of threatening messages
    This method involves the mass distribution of threatening communications via SMS or public address systems. Notable examples include the activity of the “Handala” persona, which sent threatening text messages to residents of a local municipality in northern Israel and, in several cases during 2024–2025, triggered alarms in kindergartens.[32]

C. Western Efforts Against Iran’s Cyber Apparatus

A central component of the Western response to Iran’s cyber apparatus focuses on exposing its activities and imposing personal restrictions on key figures involved. These measures are intended not only to impair the operational capabilities of the exposed network, but also to undermine the personal sense of security of those involved, while simultaneously conveying a deterrent message regarding the monitoring and enforcement capabilities of Western agencies. For example, in early December 2025, the United States exposed Mohammad Bagher Shirinkar and Fatemeh Sadeghian Kashi and offered a reward for information leading to their capture. Shirinkar and Sadeghian Kashi are central figures in the cyber unit known as “Shahid Shoushtari.”[33]

Another significant example is the leak of documents from the attack group known in the West as “Charming Kitten” in November 2025. The group’s formal designation is “Cyber Intelligence Group 1500,” and it is affiliated with the Intelligence Organization of the Islamic Revolutionary Guard Corps. The leaked materials exposed attack tools, spyware, operational methods, names and identifying details of operatives, as well as targets the group attempted or successfully penetrated.[34]

In addition, an analysis by Haaretz of leaked cryptocurrency invoices indicates that the same group purchased Israeli-based servers using false identities and employed them to conduct attacks against companies in Israel. The identity of the actor behind the document leak remains unclear; while the modus operandi is consistent with that of Western entities, it may instead reflect an internal Iranian dispute.[35]

5. Recruitment of Influencers and Intellectuals

Iran also seeks to recruit researchers and intellectuals of Iranian origin living in the West in order to advance its positions among the public and decision-makers. Emails exposed by Iran International revealed that Iranian-origin intellectuals residing and working in Western countries maintain ongoing contact with the Iranian regime alongside their professional activity in Western institutions. Their activity was carried out primarily within research institutes and official bodies and included close ties with officials in Iran’s Ministry of Foreign Affairs. In this context, they sought consultations with ministry officials regarding articles they intended to publish, as well as concerning participation in specific conferences. These interactions took place within the framework of a formal organization established by the regime, the IEI (The Iran Experts Initiative), which coordinated the activity.[36] It is plausible that additional networks of this kind exist, as the Iranian regime consistently seeks to strengthen its ties with Iranian citizens living outside Iran.

Iranian Influence Activity Against Israel Since October 7 and During Operation Rising Lion

1. Iranian Influence Activity Since October 7

With the outbreak of the Swords of Iron war, there was a sharp increase in both the scope and intensity of cyberattacks and covert influence operations conducted by Iran against Israel. During this period, Tehran deployed its full digital toolkit—bot networks, destructive cyberattacks, cyber personas, fictitious entities, and overt and covert cognitive activity—in an effort to support Hamas and undermine stability in Israel. Although the direct damage inflicted on Israel remained limited, this period nonetheless constituted a significant “capability demonstration” of Iran’s intent to exert sustained and intensified pressure in this domain.

In February 2024, Microsoft reported that during the first 75 days of the war, the rate of Iranian cyberattacks against Israel nearly doubled.[37] In April 2024, Israel’s former National Cyber Directorate head, Gaby Portnoy, stated that the intensity of Iranian cyberattacks had “tripled” compared to the prewar period.[38]

At the same time, a Microsoft study from February 2024 found that consumption of Iranian propaganda also surged in Western countries. The study showed an increase of approximately 42 percent in the consumption of Iranian content following the October 7 attack, later stabilizing at roughly 28–29 percent above the prewar average. Most of this exposure came from English-speaking audiences, indicating effective Iranian targeting.[39]

Most of the significant attacks were carried out by cyber units affiliated with Iran’s Ministry of Intelligence and the Islamic Revolutionary Guard Corps, and involved data theft, leaks, and corruption. Alongside these, several exceptional attacks stood out:

  • OT attack in Ireland (December 2023)
    A cyber unit of the IRGC successfully disrupted the water supply in a small district by targeting operational control components—one of the most successful offensive OT attacks attributed to Iran.[40]

  • Attack on Ziv Medical Center (December 2023)
    Cyber units of Iran’s Ministry of Intelligence, alongside a Hezbollah cyber unit, attempted to disrupt operations at Ziv Medical Center in Safed. The attack was thwarted, but patient and staff data were stolen and published online.[41]

  • Campaign against Israel’s delegation to the Paris Olympics (July 2024)
    Iran exposed personal information about Israeli athletes slated to compete in the Games, circulated boycott calls, and sent direct threats to athletes and their family members.[42]

  • Dissemination of 5 million threatening SMS messages (September 2024)
    Iran and Hezbollah disseminated approximately five million threatening SMS messages by compromising a client account at an SMS distribution provider and using it to send the messages.[43]

  • Bots used to amplify internal divisions in Israel
    Iran sought to exploit the heated public discourse in Israel over the war—including the hostage issue, Prime Minister Benjamin Netanyahu, and debates over the continuation of the fighting—to foment incitement and polarization within Israeli society. Many of these campaigns were exposed by the Shin Bet and effectively neutralized.[44] Iran also used bot networks to promote anti-Israel narratives on social media, emphasizing Palestinian suffering and Israeli brutality.[45]

Despite the breadth of these efforts, the tangible impact of the operations that were identified remained limited, due in part to technological and cognitive countermeasures, rapid detection, and high public awareness of hostile online activity.

Iranian Influence Activity During Operation Rising Lion (June 2025)

Israel’s surprise attack at the outset of Operation Rising Lion significantly degraded certain Iranian capabilities. Nevertheless, elements of Tehran’s cyber and influence apparatus regrouped rapidly and continued operating throughout the duration of the campaign (June 12–24, 2025).

A June 2025 study by Israel’s Ministry of Diaspora Affairs, titled “Coordinated Iranian Activity on Social Media Through Fake Accounts During Operation Rising Lion,” examined Iranian bot-network activity during the fighting with Israel. The findings indicate that the bulk of this activity was directed toward Iranian domestic public opinion. Bot networks promoted narratives emphasizing national unity, solidarity, and patriotism, while amplifying prominent Iranian accounts, foremost among them the X account of Supreme Leader Khamenei. To a more limited extent, the networks also promoted messages of revenge and demoralization aimed at Israeli audiences.[46]

Iranian influence activity in general, and bot activity in particular, was divided among several target audiences and, accordingly, articulated through distinct narrative frameworks:

1. The Iranian Arena – Consolidation and Regime Preservation

During the fighting, the Iranian regime operated simultaneously on the domestic front from both an internal and external perspective, seeking to combine the promotion of national unity with demonstrations of strength. Internally, the regime worked to elevate the image of Supreme Leader Khamenei and foster a sense of cohesion within Iranian society, drawing on military and religious motifs as well as familiar figures from Shiite Islamic history.[47]

From the external angle, Iran disseminated threats and presented supposed successes against Israel, including the use of fabricated images and videos on social media—particularly on TikTok—generated using artificial intelligence. These materials were intended to portray Israel as weak, undermine confidence in its leadership, and reinforce Iran’s military and political messaging.[48]

At the same time, beginning on June 18, the authorities almost entirely severed civilian internet connectivity,[49] claiming the move was intended to prevent cyberattacks on national infrastructure and preserve its stability.[50] This illustrates how the regime integrates outward-facing cyber activity with internal control over information and communications as part of its broader security doctrine.

2. The Israeli Arena – Demoralization and Intimidation

In the Israeli arena, Iran focused primarily on disseminating threats against Israel, including messages in Hebrew, while amplifying claims of military success against the Israeli Air Force and other targets in Israel.[51] Alongside bot activity on social media, cybersecurity researcher Erez Dasa reported a surge of several hundred percent in DDoS and defacement attacks following the launch of the operation, with attack levels remaining significantly higher than normal throughout the fighting.[52] Cyber units of both the Islamic Revolutionary Guard Corps and Iran’s Ministry of Intelligence were particularly active during this period.

In addition, Iran implemented a broader demoralization campaign targeting Israel, which included not only the dissemination of hashtags on social media but also the distribution of fabricated messages, such as false warnings of impending fuel shortages, aimed at undermining public confidence and Israelis’ sense of stability.[53]

3. The American Arena – Distancing the United States from the Conflict

In the American arena, Iran sought to generate propaganda narratives designed to discourage U.S. military involvement alongside Israel. Iranian messaging sought to portray President Donald Trump as being led and manipulated by Prime Minister Netanyahu and Jewish communities in the United States, and framed any potential war against Iranian nuclear facilities as an issue driven by Israel and its supporters rather than a direct American interest. Additional content depicted Israel as a terrorist state, with the aim of undermining both international and domestic legitimacy for its actions against Iran.[54]

4. The International Arena – Delegitimization of Israel

Bot networks promoted portrayals of Israel as a “terrorist,” “criminal,” and “satanic” state, and as a perpetrator of “genocide.” In parallel, Tehran circulated claims alleging that Israel was concealing severe damage inflicted on it by Iran during the twelve-day war.[55]

In conclusion, Iranian activity during Operation Rising Lion underscores that preserving regime stability remained Tehran’s primary objective. Cyber and influence efforts directed at Israel and international audiences were secondary to defensive measures, missile operations, and the political management of the crisis. Iranian setbacks in other arenas—particularly the military and diplomatic spheres, including the lack of Russian support[56]—may drive Tehran to invest even more heavily in cyber and influence capabilities in the future.

Implications and Future Trends

The Iranian covert influence apparatus constitutes a central pillar of the Islamic Republic’s broader strategy and has developed through a structured, multi-year process grounded in concepts of information and psychological warfare. Even though individual influence operations may achieve uneven or marginal results, the persistence of such activities reflects Iran’s sustained commitment to expanding its capabilities in the field, leveraging technological advances, and continuously drawing lessons from past operations.

Iran’s covert influence mechanism represents a core component of its policy and is characterized by strategic continuity. Despite capability gaps, and despite the fact that many operations ultimately yield only limited effects, this apparatus should be understood as a dynamic system sustained by the interaction of a coherent worldview with continuous learning and ongoing technological adaptation. Isolated failures do not indicate systemic weakness, just as isolated successes do not demonstrate overall superiority—particularly in an evolving operational domain in which a substantial portion of activities remains entirely concealed.

Several key insights emerge from the overall pattern of activity:

1. The technological leap—led by the artificial intelligence revolution—is poised to change the rules of the game. AI significantly reduces linguistic and cultural barriers and enables the mass production of locally tailored content that appears highly authentic.[57] For Iran, which places strategic emphasis on impersonation and the construction of complex online identities, this represents a genuine force multiplier. At the same time, AI technologies may also enhance the technical capabilities of Iran’s offensive cyber apparatus, albeit to a lesser degree than their transformative impact on content creation.

2. The influence domain constitutes a foundational and historic component of Iran’s security doctrine. The regime views the information space as a strategic arena and invests in its development over the long term. Accordingly, even if only a portion of its activities are exposed, it is reasonable to assume the existence of a substantial layer of invisible operations. The dilemma of whether observed activity represents the “tip of a weak iceberg” or merely visible failures underscores the need for cautious analysis and a consistent assumption that undetected subversive activity is ongoing.

3. Early detection of future influence campaigns may be achieved by monitoring social and political pressure points. Iran tends to time its influence efforts to environments marked by unrest, polarization, or crisis. Protests, elections, security crises, and highly polarized political discourse provide fertile ground for focused Iranian activities.

4. The Iranian apparatus demonstrates an ability to focus activities during major events while maintaining high adaptive flexibility. Operational patterns surrounding October 7 indicate a sharp escalation in aggressiveness followed by a return to a baseline level of activity higher than the previous norm. This dynamism reflects rapid operational activation and a willingness to recalibrate tactics as circumstances evolve. The attacks on Ziv Hospital and Ireland’s water systems illustrate that the damage potential is not confined to low-level actions, but can extend to complex operations with destructive potential.

In conclusion, Iran’s covert influence and cyber apparatus is likely to continue to expand, driven both by a coherent strategic logic and by technological advances that are reshaping the production and dissemination of content.

For Israel and other states, this reality underscores the need for continuous monitoring, early identification of social and technological vulnerabilities, and a clear understanding that the influence domain is becoming a central arena of confrontation—one in which an adversary’s advantage can grow rapidly. Despite increased public attention to the Iranian influence threat, much work remains to be done. In a speech delivered on December 9, State Comptroller Matanyahu Englman warned that “Israel is not prepared to contend with foreign interference in Knesset elections,” cautioning that such intervention could undermine public trust in the electoral process itself. His remarks were directed primarily at Iran, which continues to conduct extensive cyber operations alongside covert influence activity targeting Israel. Englman further noted that during Operation Rising Lion, Israeli authorities identified approximately 1,200 influence operations aimed at its citizens with the explicit purpose of sowing fear and confusion.[58]

It is likely that Iran’s effort to interfere in Israel’s elections, expected to take place in 2026, is already underway and will incorporate elements discussed in this article. Iran may also deploy new entities prepared specifically for the election period. Moreover, it is plausible that Iranian actors are adopting operational methods that have proven effective in elections in other countries, such as Romania.



*This paper is based on information current as of December 1, 2025.


[1] Unlike cyber operations conducted for espionage purposes, or at times to inflict damage, which Iran carries out against a far broader range of countries, including states it considers friendly. Israel’s Head of the National Cyber Directorate, Gaby Portnoy: “Iran conducts cyberattacks even against its allies.” Israel National Cyber Directorate, June 25, 2024, https://www.gov.il/he/pages/portnoy_cyber_week_24
[2] “Soft Warfare, Soft War, Soft Power” (Persian), official website of the Supreme Leader of Iran, January 3, 2024. https://farsi.khamenei.ir/newspart-index?tid=1016
[3] “Iran Cyber Threat Overview”, Sekoia, June 5, 2023, https://blog.sekoia.io/iran-cyber-threat-overview
[4] Ibid.
[5] “Adversarial Threat Report”, Meta, May 2024, https://transparency.meta.com/metasecurity/threat-reporting
[6] “An Image of Maj. Gen. Yehuda Fuchs Was Disseminated by a Fictitious Profile from Iran,” Israel Security Agency (Shin Bet) website, September 10, 2023,
https://www.shabak.gov.il/reports/publications/%D7%99%D7%94%D7%95%D7%93%D7%94-%D7%A4%D7%95%D7%A7%D7%A1
[7] “What’s Hiding Under the Kilt? Iranian Trolls for Scottish Independence”, Clemson University, September 16, 2024, https://open.clemson.edu/cgi/viewcontent.cgi?article=1005&context=mfh_reports
[8] “Coordinated Iranian Support Activity on Social Media Through Fake Accounts During Operation Rising Lion,” Israel’s Ministry of Diaspora Affairs, June 2025.
https://www.gov.il/he/pages/coordinated_iranian_fake_accounts_social_media_rising_lion_2025-06
[9] “What’s Hiding Under the Kilt? Iranian Trolls for Scottish Independence”, Clemson University, September 16, 2024, https://open.clemson.edu/cgi/viewcontent.cgi?article=1005&context=mfh_reports
[10] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft, February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[11] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft. February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[12] “Iranian intel officials tied to cyber group targeting Iran International journalists”, Iran International, August 15, 2025, https://www.iranintl.com/en/202508153061
[13] “Coordinated Iranian Support Activity on Social Media via Fake Accounts During Operation Rising Lion” (Hebrew), Israel Ministry of Diaspora Affairs, June 2025, https://www.gov.il/he/pages/coordina
[14] “Shin Bet Exposes Several Online Platforms Suspected of Being Operated by Iranian Security Services,” (Hebrew) Israel Security Agency (Shin Bet) website, January 15, 2024.
https://www.shabak.gov.il/reports/publications/שבכ-חושף-מספר-פלטפורמות-ברשת-שעל-פי-החשד-מופעלות-על-ידי-גורמי-הביטחון-האיראנים/
[15] Ibid.
[16] “Shin Bet Exposes Popular Telegram Channels as Iranian: How Tehran Uses Israelis,” Ynet News, January 15, 2024, https://www.ynet.co.il/news/article/hjwhjfmyp
[17] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft, February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[18] “Shin Bet Exposes Several Online Platforms Allegedly Operated by Iranian Security Services” (Hebrew), Israel Security Agency (Shin Bet), January 15, 2024.
https://www.shabak.gov.il/reports/publications/שבכ-חושף-מספר-פלטפורמות-ברשת-שעל-פי-החשד-מופעלות-על-ידי-גורמי-הביטחון-האיראנים
[19] Ibid.
[20] “Iranian Foreign Intervention and Influence During the ‘Swords of Iron’ War” (Hebrew), in Intelligence: Theory and Practice, no. 10 — Foreign Influence and Intervention as a Strategic and Intelligence Challenge,
https://www.intelligence-research.org.il/post/IRAN-FOREIGN-INFLUANCE-SOCIAL-MEDIA-GAZA-ISRAEL-WAR
[21] “The Iranian Attack Group ‘Black Shadow’” (Hebrew), Israel National Cyber Directorate, April 9, 2024,
https://www.gov.il/BlobFolder/reports/alert_1727/he/ALERT-CERT-IL-W-1727.pdf
[22] For further discussion of the “Handala” persona and the operational framework behind it, see “Cyber as the Continuation of War by Other Means: Iranian ‘Handala’ Activity”, JISS,
https://jiss.org.il/en/davidi-cyber-as-the-continuation-of-war-by-other-means/
[23] “Cyber as the Continuation of War by Other Means: Iranian ‘Handala’ Activity,” Jerusalem Institute for Strategy and Security (JISS), August 28, 2025, https://jiss.org.il/en/davidi-cyber-as-the-continuation-of-war-by-other-means/
[24] “Investigation by Israel’s National Cyber Directorate into the Activity of the MuddyWater Group in Israel” (Hebrew), Israel National Cyber Directorate, March 13, 2023, https://www.gov.il/he/pages/_muddywater
[25] “Iranian State Actors Conduct Cyber Operations Against the Government of Albania”, CISA, September 23, 2022, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a
[26] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft, February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[27] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft, February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[28] “Uncovering MosesStaff techniques: Ideology over Money”, Check Point, November 15, 2021, https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies
[29] “After the Severe Cyber Incident: Yigal Ravinov Sells Shirbit to Harel for Only NIS 100 Million” (Hebrew), Globes, May 5, 2021, https://www.globes.co.il/news/article.aspx?did=1001369975.
[30] “Two-day water outage in remote Irish region caused by pro-Iran hackers”, The Record. December 11, 2023, https://therecord.media/water-outage-in-ireland-county-mayo
[31] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft, February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[32] “Cyber as the Continuation of War by Other Means: Iran’s ‘Handala’ Activity”, Jerusalem Institute for Strategy and Security (JISS), August 28, 2025. https://jiss.org.il/en/davidi-cyber-as-the-continuation-of-war-by-other-means/
[33] “Fatemeh Sedighian Kashi & Mohammad Bagher Shirinkar”, Rewards for Justice’s internet site, visited: December 14, 2025, https://rewardsforjustice.net/rewards/fatemeh-sedighian-kashi-mohammad-bagher-shirinkar
[34] “Did a Predator Swallow a Cute Kitten? Iran’s Cyber Commando Exposed” (Hebrew), Haaretz, November 20, 2025.
https://www.haaretz.co.il/news/security/2025-11-20/ty-article-magazine/0000019a-9b3d-d5e6-abff-fffd8bc70000
[35] Ibid.
[36] “Inside Tehran’s Soft War”, Iran International, Visited: November 26, 2025, https://content.iranintl.com/en/investigates/inside-tehran-softwar/index.html?_gl=1*vfpdtk*_ga*NTgxOTA2OTgzLjE2OTYxODQzMTg
[37] Ibid.
[38] “National Cyber Directorate Head Gaby Portnoy at CyberTech Conference: The Intensity of Cyberattacks Increased Threefold During the War” (Hebrew), Israel National Cyber Directorate, April 9, 2024. https://www.gov.il/he/pages/cyber_tech_2024
[39] “Iran surges cyber-enabled influence operations in support of Hamas”, Microsoft. February 26, 2024, https://www.microsoft.com/en-us/security/security-insider/threat-landscape/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas
[40] “Two-day water outage in remote Irish region caused by pro-Iran hackers”, The Record. December 11, 2023, https://therecord.media/water-outage-in-ireland-county-mayo
[41] “Iran and Hezbollah Behind Attempted Cyberattack on Ziv Medical Center During the ‘Swords of Iron’ War; Attack Failed to Disrupt Hospital Operations” (Hebrew), Israel National Cyber Directorate, December 18, 2023. https://www.gov.il/he/pages/ziv181223
[42] “State-Sponsored Campaign Against the Israeli Olympic Delegation” (Hebrew), Israel National Cyber Directorate, July 31, 2024. https://www.gov.il/BlobFolder/reports/alert_1781/he/ALERT-CERT-IL-W-1781.pdf
[43] “Iran and Hezbollah Behind the Dissemination of Threatening Text Messages” (Hebrew), Israel National Cyber Directorate, September 19, 2024. https://www.gov.il/he/pages/scarry_message_19_09_2024
[44] “Shin Bet Exposes Several Online Platforms Allegedly Operated by Iranian Security Services” (Hebrew), Israel Security Agency (Shin Bet), January 15, 2024.
https://www.shabak.gov.il/reports/publications/שבכ-חושף-מספר-פלטפורמות-ברשת-שעל-פי-החשד-מופעלות-על-ידי-גורמי-הביטחון-האיראנים/
[45] “What’s Hiding Under the Kilt? Iranian Trolls for Scottish Independence”, Clemson University, September 16, 2024, https://open.clemson.edu/cgi/viewcontent.cgi?article=1005&context=mfh_reports
[46] “Coordinated Iranian Support Activity on Social Media Through Fake Accounts During Operation Rising Lion” (Hebrew), Ministry of Diaspora Affairs of Israel, June 2025.
https://www.gov.il/he/pages/coordinated_iranian_fake_accounts_social_media_rising_lion_2025-06
[47] Ibid.
[48] “Iranian TikTok Campaign Seeks to Shape War Perceptions Using AI”, The International Institute for Counter-Terrorism (ICT), June 20, 2025, https://ict.org.il/iranian-tiktok-campaign-seeks-to-shape-war-perceptions-using-ai
[49] “Confirmed: Live network data show #Iran is now in the midst of a near-total national internet blackout”, NetBlocks, June 18, 2025, https://x.com/netblocks/status/1935338921006641377
[50] “Iran Slows Internet to Prevent Cyber Attacks Amid Escalating Regional Conflict”, The Hacker News, June 18, 2025, https://thehackernews.com/2025/06/iran-restricts-internet-access-to.html
[51] “Coordinated Iranian Support Activity on Social Media Through Fake Accounts During Operation Rising Lion” (Hebrew), Ministry of Diaspora Affairs of Israel, June 2025.
https://www.gov.il/he/pages/coordinated_iranian_fake_accounts_social_media_rising_lion_2025-06
[52] “Operation Rising Lion—What Is Happening in the Cyber Domain?” (Hebrew), Cyber News – Erez Dasa, June 22, 2025. https://t.me/CyberSecurityIL/7216
[53] “Hybrid Warfare Unfolded: Cyberattacks, Hacktivism and Disinformation in the 2025 Israel-Iran War”, Radware, June 18, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/cyberattacks-hacktivism-and-disinformation-in-the-2025-israel-iran-war
[54] “Coordinated Iranian Support Activity on Social Media Through Fake Accounts During Operation Rising Lion” (Hebrew), Ministry of Diaspora Affairs of Israel, June 2025.
https://www.gov.il/he/pages/coordinated_iranian_fake_accounts_social_media_rising_lion_2025-06
[55] Ibid.
[56] “Iran’s Disappointment with Russia and the Strategic Turn to China”, Jerusalem Institute for Strategy and Security, November 12, 2025.
https://jiss.org.il/en/davidi-iranian-disappointment-with-russia-and-the-strategic-turn-to-china/
[57] “Disrupting malicious uses of AI: June 2025”, OpenAI, June 5, 2025, https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-june-2025
[58] “State comptroller: Foreign interference could undermine next year’s election”, Times of Israel, December 9, 2025, https://www.timesofisrael.com/state-comptroller-foreign-interference-could-undermine-next-years-election


JISS Policy Papers are published through the generosity of the Greg Rosshandler Family.


Dr. Avi Davidi

Dr. Avi Davidi is a senior Research Fellow at the Jerusalem Institute for Strategy and Security (JISS) and the Elrom Air and Space Research Center, Tel Aviv University. With over 36 years of experience in U.S.-Israel-Iran relations, strategic intelligence, and cyber threats, he is a recognized expert on Iranian affairs. Dr. Davidi previously served as Iran Director at Israel’s Ministry of Strategic Affairs, led digital diplomacy at the Ministry of Foreign Affairs, and was the Editor-in-Chief of the Times of Israel in Persian. Since December 2025, he has been serving as Head of the National Projects Division of the "Horizon" Division at the Ministry of Innovation, Science and Technology. He holds a Ph.D. in International Relations from the University of Southern California (USC).
