Iran War's Cyber Front: Spyware in Bomb Shelters
Iranian hackers sent spyware disguised as bomb shelter apps during live missile strikes on Israel. Nearly 5,800 cyberattacks from 50 groups have hit US and Israeli networks in one month. The digital war isn't separate from the physical one — it's synchronised with it.

Iranian hackers sent spyware disguised as bomb shelter apps to Israeli Android users during live missile strikes in March 2026. The operation — confirmed by Check Point Research and reported by the Associated Press — represents the first documented case of cyberattacks synchronised to the exact minute of incoming missiles. Meanwhile, security firm DigiCert has tracked nearly 5,800 cyberattacks from about 50 Iran-linked groups hitting US, Israeli, and Gulf state networks in just one month. The Iran war's information front isn't a sideshow. It's fused with the physical one.
The text message arrived while sirens wailed. Israelis running to shelters saw a link promising real-time bomb shelter locations. It looked helpful. It was a trap.
The link installed spyware that accessed the phone's camera, GPS location, and all stored data. Gil Messing, chief of staff at Check Point Research, told AP the timing was deliberate. "This was sent to people while they were running to shelters to defend themselves," he said. "The fact it's synced and at the same minute... is a first."
That's the new template. Physical strikes provide cover for digital ones. Panic makes people click.
5,800 attacks in 30 days
The spyware operation isn't an outlier. It's the sharp tip of a much larger campaign.
DigiCert, the Utah-based security firm, has tracked nearly 5,800 cyberattacks mounted by roughly 50 different groups tied to Iran since the conflict began on February 28. Most targeted US or Israeli companies. But DigiCert also found attacks on networks in Bahrain, Kuwait, Qatar, and other Gulf states.
The majority are low-sophistication — DDoS floods, ransomware, exploitation of known software vulnerabilities. Most can be stopped by current cybersecurity patches. But volume matters. Even failed attacks consume defensive resources.
"There are a lot more attacks happening that aren't being reported," DigiCert's field chief technology officer Michael Smith told AP.
A pro-Iranian hacking group also claimed to have infiltrated the personal email of FBI Director Kash Patel. The attack's authenticity hasn't been independently verified, but it follows the pattern: target institutions, generate headlines, create doubt.
The AI propaganda flood
Cyberattacks are half the digital war. The other half is content.
Research firm Cyabra documented a pro-Iran campaign generating over 145 million views within days of the conflict's start. The operation deployed tens of thousands of fake accounts spreading AI-generated deepfakes showing Iran as victorious. A fake video of an Iranian missile destroying a US fighter jet — traced by BBC Verify to a military flight simulator — got 70 million views in a single weekend.
The New York Times identified more than 110 distinct AI-generated images and videos in the first two weeks. NewsGuard tracked 50 false claims in 25 days — two per day on average, with sophistication climbing.
IRGC spokesman Ali Mohammad Naini claimed 650 American troops were killed or wounded in the conflict's first two days. US Central Command confirmed six. The ratio between claimed and confirmed — more than 100 to 1 — shows the strategy. Flood the zone. Make the truth one option among many.
It's not just Iran
The information war runs in every direction.
A Clemson University study published this week found IRGC-linked accounts flooding X, Instagram, and Bluesky with AI-generated videos targeting American audiences directly. Some featured deepfakes mocking President Trump styled after the Lego movies. They reached millions of viewers.
Meanwhile, South Korea's Chosun Ilbo reported that Iran's AI operations are receiving technical support from Russia and China — a claim that AP and Deadline's reporting echoes without directly confirming.
On the other side, the PRISONBREAK network documented by Citizen Lab at the University of Toronto shows Israeli-linked accounts running coordinated AI influence operations. English-language media has covered Iranian deepfakes far more than Israeli ones — a perception gap that shapes how audiences understand who's doing what.
The midterm spillover
The same tools are bleeding into US domestic politics.
Reuters reported this week that the National Republican Senatorial Committee created deepfake ads for the 2026 midterms. One featured a computer-generated version of Democratic Texas candidate James Talarico appearing to say things he never filmed — constructed from old social media posts and rendered by AI. "AI generated" appeared in small print in the corner.
There's no federal law restricting AI in political advertising. Meta and X have both scrapped professional fact-checking in favour of user-generated notes. A 2025 study in the Journal of Creative Communications found people struggle to identify deepfake videos, and their opinions shift after watching them.
The technology developed for wartime propaganda doesn't stay on the battlefield.
The digital fight outlasts the physical one
Experts told AP the cyber conflict will persist even after a ceasefire. Cyberattacks are cheaper than missiles. They don't require air superiority. They can spy, steal data, and generate fear without triggering a kinetic response.
U.S. Special Operations Command is adjusting. Forbes reported that SOCOM commander General Bryan Bradley has made the cyber domain one of three top priorities, noting that adversaries are using open-source information for surveillance and intelligence gathering at a scale traditional espionage can't match.
Russia's playbook provides context. Defence24 reported that Russian-linked groups like APT28 (Fancy Bear) have targeted government networks across Central and Eastern Europe with malware, social engineering, and attacks on electoral infrastructure. The tactics Iran is deploying — combining disinformation, hacking, and AI-generated content — mirror methods refined over a decade of Russian hybrid warfare.
What this means
The Iran conflict is the first war where cyber and physical attacks are operationally synchronised — spyware timed to missile impacts, propaganda calibrated to breaking news cycles, fake accounts pre-positioned before strikes begin.
The tools aren't secret. Deepfake generators are free. Bot networks are cheap. The spyware used in the bomb shelter operation didn't require nation-state resources to deploy — just nation-state coordination.
AP covers the spyware-missile link. Deadline covers the AI propaganda volume. Reuters covers the US midterm spillover. Defence24 covers the Russian template. Chosun Ilbo covers the Iran-Russia-China technical cooperation.
No single outlet connects all five threads. The war being fought across screens, apps, and feeds is larger than any one newsroom can frame.
Who sent the text you clicked during the last emergency alert? That question now has real consequences.
Sources & Verification
Based on 5 sources from 5 regions
- Associated Press (International)
- Deadline (North America)
- Economic Times / Reuters (South Asia)
- Defence24 (Europe)
- Chosun Ilbo (Asia-Pacific)


