THREAT CLIMATE ASSESSMENT: IRAN’S AI-DRIVEN INFLUENCE AND CYBER OPERATIONS ARE EXPANDING THE BATTLESPACE INTO US PUBLIC PERCEPTION AND CRITICAL SYSTEMS
Cora Jordan, Bhavya Jain, Antonio De Rosa, Maxime de Crop, Giovanni Lamberti, Amelia Bell, Mackenzie LaCombe, Alexandra Valdez, Sasha Sánchez, Blaise Liess II, Insa Reblin, Ludovica Leccese, CENTCOM Team
Elizabeth Fignar, Editor; Jennifer Radlinsky, Senior Editor; Jennifer Loy, Chief Editor
April 9, 2026

Anonymous User[1]
BLUF
Iran is escalating its warfare strategy against the US from traditional military signaling and proxy activity toward a technologically integrated campaign[2] that uses AI-enabled influence operations[3] and coordinated cyber activity to directly target the American public and US critical infrastructure systems.[4] In the past, Iranian influence and cyber activity directed at the US relied on centralized propaganda, crude or easily identifiable disinformation, restrictive domestic information controls, and relatively isolated cyber proxies.[5] The threat climate will very likely escalate from a contained, state-centered model of confrontation toward a more adaptive, technologically enabled warfare strategy. Iran will very likely integrate AI-generated propaganda with decentralized social media networks and coordinated cyber capabilities, likely combining content generation, distribution, and cyber activity into a scalable and sophisticated approach to targeting US audiences and infrastructure. In the short term, Iran’s innovative use of AI tools for propaganda generation, proxy amplification, and coordinated cyber disruption will very likely increase the volume, speed, and ambiguity of its operations, complicating attribution and stretching platform moderation capacities, likely increasing resource strain on US cyber defense efforts. In the long term, Iran’s strategy will likely improve its ability to sustain influence campaigns and create favorable conditions for higher-impact attacks against US critical infrastructure and public confidence. This shift toward a technologically layered warfare model will very likely enable Iran to shape US public discourse and increase the cyber risk to US government operational systems by amplifying coercive pressure through combined influence and infrastructure attacks.
Introduction
In the wake of the US/Israel/Iran War, a pro-Iran group known as Akhbar Enfejari, also known as Explosive Media, which has denied having ties with the Iranian regime, posted several memes created with AI to spread propaganda against the US position on Iran.[6] The memes use the style of Lego® animated characters, predominantly mocking Trump and the Secretary of Defense Pete Hegseth.[7] Some of the memes include depictions of Trump launching an airstrike after looking at the Epstein Files, right next to the Israeli Prime Minister Netanyahu and Satan, as well as an Iranian rap threatening to destroy every American base.[8] Some news articles label this effort as slopaganda, a steadily growing practice in which AI generates images, texts, and all types of digital files, with the aim of displaying information that will ultimately shape beliefs, emotions, or memories to reach a political objective.[9] In this context, Iran was able to effectively leverage pop culture before Western audiences with slopaganda, demonstrating a core understanding of Western pop culture and positioning itself as the dominant figure not only in the region, but also internationally.[10]
Analysis
Technology
Iran is very likely shifting its external messaging from adversarial rhetoric to a targeted domestic influence strategy, relying on an expanding network of social media channels. Iranian propaganda targeting the US was historically disseminated through centralized and state-linked channels, where coordinated activity was more easily detectable by platforms due to identifiable digital patterns and limited linguistic and cultural nuance. Current operations are very likely transitioning to an industrial-level model that uses generative AI to produce high-quality propaganda at minimal expense. AI involvement will almost certainly enable the production of content that mimics authentic American political discourse, utilizing culturally resonant formats and a strategic communication style. The impersonation of local citizens using deceptive accounts to disseminate propaganda on frequently used channels will likely enable a pervasive presence across multiple social platforms. Iranian AI-enabled content will very likely aim to spread disinformation in the West, particularly in the US, as part of its asymmetrical warfare seeking to create uncertainty, likely encouraging other cyber actors, such as online personas, to develop copycat efforts like political memes and deepfakes.
Iran is very likely repositioning its external messaging from adversarial rhetoric to a targeted domestic influence strategy, using culturally sophisticated AI content. In the month preceding the ceasefire, Iran relied on messaging that emphasized its military capabilities, over-representing retaliatory destruction against US and Israeli facilities. Videos and rhetoric presenting inflated assessments of Iranian military capabilities contributed to sustaining conflict escalation with the US and Israel. Iran circulated AI-generated and deepfake videos across social media platforms, depicting successful strikes that never occurred, such as missile strikes on a US warship or explosions in Tel Aviv. Pre-ceasefire campaigns aimed to saturate the digital space with disinformation portraying Iran as militarily dominant and resilient while conveying victory narratives to an international audience. Currently, Iran-backed actors have begun disseminating new forms of AI-generated propaganda videos, likely reflecting a strategic shift in the effects they aim to achieve. Recent AI-enabled, Lego®-style videos now frame their messaging using a repertoire of contentious US political topics, while leveraging pop culture and rap music as a delivery vector to likely maximize engagement among US audiences. This will very likely influence the younger audience’s perception of the importance of US political figures and likely impact societal views on US fragility in this war. The use of AI will likely maximize receptiveness to Iranian propaganda and foster domestic political pressure on the US administration and domestic tensions within the US. This signals Iran’s improved ability to exploit a wider range of potential topics and methods in influencing American decisions, likely further amplifying demands to diminish US military pressure in the medium to long term.
Cyber
Iran’s cyber operational strategy is very likely transitioning from reliance on independent hacktivist actors to expanded coordination between Advanced Persistent Threat (APT) units under the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence (MOIS). In 2023, pro-Iran hacktivists, like the CyberAv3ngers persona, had broken into water systems across the US, framing their activity as an independent, ideologically motivated cyber-activist effort to convey political and ideological messages. This cyber effort relied on isolated hacktivist proxies to carry out state actions without state attribution. Attacks committed by proxy hacktivists, such as CyberAv3ngers, allowed Iran to retain plausible deniability for direct cyber attacks on critical US infrastructure while disrupting US government operations. Now, Iran’s coordinated cyber operations will likely benefit from the combination of the sophisticated APT33 and APT35 groups within the IRGC with APT34 (OilRig) and MuddyWater within the MOIS. This combined front will very likely expand the capabilities of opportunistic hacktivist groups, likely enabling them to conduct distributed denial-of-service (DDoS) attacks, doxxing campaigns, and website defacements. The Iranian cyber ecosystem will very likely expand its range of cyber tactics from a limited capability towards sophisticated command-and-control capability, likely enabling the fusion of the two tiers into a singular weapon system. The combined efforts of APT units will almost certainly increase the frequency and varied nature of cyber attacks targeting US industrial control systems (ICS) and operational technology (OT), very likely stretching US counter-threat resources.
Iran’s integrated cyber operations will very likely combine low-tier noise DDoS attacks with high-tier signals of command and control operations to camouflage the deployment of destructive wiper malware, likely maximizing hacktivist groups’ strength to execute high-scale attacks against US critical infrastructure and operational technology.
Infrastructure
The increase in Iranian AI-generated disinformation campaigns likely reflects reduced reliance on internet blackouts in favor of civilian-facing online groups producing and distributing influence content. Iranian information control relied on restrictive measures such as nationwide internet blackouts, heavy censorship, and reliance on domestic networks through the National Information Network. Content production and dissemination were largely centralized, and only state-linked resources could produce high-quality outputs. Iranian actors now appear to operate within a more selective digital environment, where high-bandwidth access is likely provided to aligned entities capable of producing AI-generated content. Civilian-facing accounts and media groups are likely used to both generate AI material and distribute this content, which is then routed through proxy networks and external platforms. The use of Iranian civilian-facing social media accounts with no official government affiliation to disseminate this messaging content very likely decreases the risk of shadowbanning on social media platforms, very likely increasing its international reach. The use of distributed accounts and proxy routing will likely make it more difficult for platforms and authorities to trace and remove coordinated content, allowing Iranian messaging to spread rapidly within digital landscapes. This structure enables content to circulate across multiple platforms without clear attribution to state actors, very likely allowing Iranian messaging to persist and maintain influence longer within US information spaces.
Recommendations
The Counterterrorism Group (CTG) recommends that the Cybersecurity and Infrastructure Security Agency (CISA) start working with social media platforms such as X to implement strict content provenance standards to enforce accountability policies that counter fabricated or Iranian-backed messages.
CISA should fund and advocate for expanded implementation of tools like community notes and partnerships with third-party fact-checking entities that identify AI-generated content, synthetic imagery, and deepfakes used for propaganda and make the information known to platform users.
CISA’s Cybersecurity Division should secure network edge devices and work through the Enduring Security Framework to stop connecting operational technology systems directly to the public internet.
CISA should expand enforcement of multifactor authentication across critical infrastructure systems, especially in operational technology environments through single sign-on (SSO) and identity federation services.
CISA should utilize network segmentation to isolate sensitive data, contain breaches, and prevent lateral movement of attackers within critical networks.
The Chief AI Officer at CISA should work to deploy AI-powered detection platforms like Osavul to monitor and detect Iranian influence operations as they occur in real time to provide the organization as a whole with current data on Iran’s cyber operations.
CISA’s Mis-, Dis-, and Malinformation teams should disseminate short-form, platform-native content across major social media platforms, including through partnerships with trusted digital creators, to increase public awareness of influence techniques and reduce susceptibility to Iran-backed messaging campaigns.
CISA should implement specialized tools to analyze social media accounts and posts for Coordinated Inauthentic Behavior to detect networks of messaging campaigns rather than individual posts.
To mitigate the influence of AI-generated Iranian propaganda on politically sensitive debates, the DoW should employ AI-supported counternarratives that address contentious Iranian political themes to lower US vulnerability to adversarial messaging.
Threat Climate Assessment
Analysis indicates that there is a HIGH PROBABILITY that the threat climate shifts from kinetic operations to unofficial AI-generated Iranian influence campaigns, resulting in an escalation in US targeting tactics. Leveraging divisive political topics will LIKELY decrease narrative-based power gaps, LIKELY disrupting American military pressure. Increased coordination amongst Iranian Advanced Persistent Threat units will ALMOST CERTAINLY produce an increased diversification of attacks on US infrastructure, LIKELY dividing US resources. The virality of civilian propaganda content within the information vacuum will LIKELY create a widened domestic media landscape, LIKELY saturating social media platforms with Iranian propaganda in the short term. If escalation thresholds are crossed through the continued dissemination of AI campaigns, the reliability of the information environment will LIKELY deteriorate in the long term, LIKELY reinforcing a permissive environment for targeted disinformation to spread. The increased integration of targeted cyber attacks as a tactical strategy will LIKELY establish a multi-front conflict, increasing threats to US digital operating infrastructures and LIKELY prolonging the necessity of active peace efforts.
[1] Cyber, generated by a third party database
[2] Demystifying Iranian Cyber Operations in the U.S.-Iran Conflict, CSIS, March 2026,
[3] Impacts of Adversarial Use of Generative AI on Homeland Security, DHS, January 2025, https://www.dhs.gov/sites/default/files/2025-01/25_0110_st_impacts_of_adversarial_generative_aI_on_homeland_security_0.pdf
[4] Pro-Iran groups have used AI to troll Trump and try to control the war narrative, AP, April 2026, https://apnews.com/article/ai-meme-war-iran-trump-6622aa77b833cbd470b53ed7d43be9bd
[5] Ibid
[6] Pro-Iran groups have used AI to troll Trump and try to control the war narrative, AP, April 2026, https://apnews.com/article/ai-meme-war-iran-trump-6622aa77b833cbd470b53ed7d43be9bd
[7] Pro-Iran groups deploy AI to troll Trump, influence the war narrative, PBS, April 2026, https://www.pbs.org/newshour/world/pro-iran-groups-deploy-ai-to-troll-trump-influence-the-war-narrative
[8] Ibid
[9] Slopaganda wars: how (and why) the US and Iran are flooding the zone with viral AI‑generated noise, The Conversation, April 2026, https://theconversation.com/slopaganda-wars-how-and-why-the-us-and-iran-are-flooding-the-zone-with-viral-ai-generated-noise-280024
[10] We spoke to the man making viral Lego-style AI videos for Iran. Experts say it's powerful propaganda, BBC, April 2026,


