Use Case · Iran & Adversarial AI

What a real threat actor teaches us about defense

Iranian cyber operations are often described as less sophisticated than Russian or Chinese counterparts. That framing misses the point. Iran has built a highly effective asymmetric capability — not despite its resource constraints, but because of them. And AI is the force multiplier that changes the equation.

Author's note: Understanding Iranian threat actors requires more than reading English-language reports. The doctrine, institutional relationships, and cultural context that shape operational decisions are visible in Persian-language sources most analysts cannot access directly. This analysis draws on direct access to primary-source regional reporting, military intelligence experience, and work as Lead SME for Iran Cyber Threat Intelligence at a global consulting firm.

The actors and capabilities below represent examples of publicly documented groups based on open-source reporting and U.S. government advisories. Both IRGC and MOIS operate significantly more units, proxies, and front organizations than open-source reporting captures. Sources: CISA · NSA · U.S. Treasury · Unit 42 · CSIS · 2025 National Security Strategy.

Five capability categories — distinct, not overlapping

The institutional structure

Iran's cyber program is built around two distinct institutions with different missions and deliberately overlapping operations. The IRGC Cyber-Electronic Command (IRGC-CEC) prioritizes offensive operations, disruption, and sabotage aligned to military objectives. The Ministry of Intelligence and Security (MOIS) operates with greater independence, focusing on long-dwell espionage and sustained access. What spans both — and is not owned by either — is the information warfare and hacktivist proxy layer. Both IRGC and MOIS leverage these shared capabilities depending on the objective.

The attribution challenge: Iranian operations are structured to confuse attribution. CyberAv3ngers presents itself as a hacktivist collective; a U.S. Treasury sanctions designation confirmed that it operates under IRGC direction. The proxy layer is doctrine, not incompetence, and analysts who cannot see through it are making defensive decisions on incomplete intelligence.

Adversarial AI — documented, not theoretical

In October 2024, OpenAI reported that accounts linked to CyberAv3ngers had used ChatGPT for ICS reconnaissance: Shodan queries, default-credential identification, and OT protocol research. In February 2024, Microsoft and OpenAI reported that Crimson Sandstorm had used ChatGPT to generate phishing content impersonating an international development agency. Storm-2035 used AI to draft election disinformation and to scale coordinated inauthentic behavior in English and Spanish simultaneously. Microsoft's October 2025 threat intelligence report confirmed that Iranian use of AI in cyberattacks is steadily increasing across impersonation, intrusion, and disinformation operations.

The pattern is consistent with Iran's doctrinal approach: use available tools to compress the gap between resource constraints and operational objectives. AI does not give Iranian actors new capabilities — it makes existing capabilities faster, more scalable, and harder to detect.
