Iran War's Cyber Front: Spyware in Bomb Shelters

Iranian hackers sent spyware disguised as bomb shelter apps to Israeli Android users during live missile strikes in March 2026. Check Point Research confirmed the operation. The Associated Press reported it. It's the first documented case of cyberattacks synchronised to the exact minute of incoming missiles. DigiCert has tracked nearly 5,800 cyberattacks from about 50 Iran-linked groups hitting US, Israeli, and Gulf state networks in one month. The Iran war's information front isn't a sideshow. It's fused with the physical one.

The text arrived while sirens wailed. Israelis running to shelters saw a link promising real-time shelter locations. It looked helpful. It was a trap.

The link installed spyware that grabbed the phone's camera, GPS, and all stored data. Gil Messing at Check Point Research told AP the timing was deliberate. "This was sent to people while they were running to shelters to defend themselves. The fact it's synced and at the same minute... is a first."

New template. Physical strikes provide cover for digital ones. Panic makes people click.

5,800 attacks in 30 days

The spyware operation isn't an outlier. It's the tip of a much larger campaign.

DigiCert tracked nearly 5,800 cyberattacks from roughly 50 Iran-linked groups since February 28. Most targeted US or Israeli companies. DigiCert also found attacks on networks in Bahrain, Kuwait, Qatar, and other Gulf states.

Most are low-sophistication — DDoS floods, ransomware, known vulnerability exploits. Current patches can stop them. But volume matters. Even failed attacks eat defensive resources.

"There are a lot more attacks happening that aren't being reported," DigiCert's Michael Smith told AP.

A pro-Iranian group also claimed it infiltrated FBI Director Kash Patel's personal email. Unverified — but it follows the pattern: target institutions, generate headlines, create doubt.

The AI propaganda flood

Cyberattacks are half the digital war. Content's the other half.

Cyabra documented a pro-Iran campaign that hit 145 million views within days. Tens of thousands of fake accounts spread AI-generated deepfakes showing Iran as victorious. A fake video of an Iranian missile destroying a US fighter jet — traced by BBC Verify to a flight simulator — got 70 million views in one weekend.

The NYT identified over 110 AI-generated images and videos in two weeks. NewsGuard tracked 50 false claims in 25 days — two per day, sophistication climbing.

IRGC spokesman Ali Mohammad Naini claimed 650 American troops were killed or wounded in two days. CENTCOM confirmed six. The ratio — over 100 to 1 — shows the strategy. Flood the zone. Make truth one option among many.

It's not just Iran

The information war runs every direction.

A Clemson University study found IRGC-linked accounts flooding X, Instagram, and Bluesky with AI-generated videos targeting American audiences. Some featured deepfakes mocking Trump styled after Lego movies. They reached millions.

South Korea's Chosun Ilbo reported Iran's AI operations are getting technical support from Russia and China — a claim AP and Deadline echo without confirming directly.

On the other side, Citizen Lab's PRISONBREAK network documents Israeli-linked accounts running coordinated AI influence operations. English-language media covers Iranian deepfakes far more than Israeli ones — a perception gap that shapes how audiences understand who's doing what.

The midterm spillover

The same tools are bleeding into US domestic politics.

Reuters reported the NRSC created deepfake ads for the 2026 midterms. One featured an AI-generated version of Democratic Texas candidate James Talarico appearing to say things he never said — built from old social media posts. "AI generated" appeared in small print in the corner.

No federal law restricts AI in political ads. Meta and X have both scrapped professional fact-checking for user-generated notes. A 2025 Journal of Creative Communications study found people struggle to spot deepfake videos — and their opinions shift after watching them.

Tech built for wartime propaganda doesn't stay on the battlefield.

The digital fight outlasts the physical one

Experts told AP the cyber conflict will outlast any ceasefire. Cyberattacks are cheaper than missiles. They don't need air superiority. They spy, steal data, and generate fear without triggering a kinetic response.

SOCOM is adjusting. Forbes reported that commander General Bryan Bradley has made the cyber domain one of three top priorities, noting adversaries use open-source information for surveillance at a scale traditional espionage can't match.

Russia's playbook provides context. Defence24 reported APT28 (Fancy Bear) has targeted government networks across Central and Eastern Europe with malware, social engineering, and electoral infrastructure attacks. Iran's tactics — combining disinformation, hacking, and AI content — mirror methods refined over a decade of Russian hybrid warfare.

What this means

The Iran conflict is the first war where cyber and physical attacks are operationally synchronised — spyware timed to missile impacts, propaganda calibrated to breaking news cycles, fake accounts pre-positioned before strikes begin.

The tools aren't secret. Deepfake generators are free. Bot networks are cheap. The bomb shelter spyware didn't need nation-state resources — just nation-state coordination.

AP covers the spyware-missile link. Deadline covers AI propaganda volume. Reuters covers midterm spillover. Defence24 covers the Russian template. Chosun Ilbo covers Iran-Russia-China technical cooperation.

No single outlet connects all five threads. The war fought across screens, apps, and feeds is larger than any one newsroom can frame.

Who sent the text you clicked during the last emergency alert? That question has real consequences now.