Regime-backed spyware, phishing campaigns, and advanced surveillance networks target activists at home and abroad
The Iranian regime’s digital repression has grown into a transnational threat, targeting not only dissidents inside Iran but also political opponents, journalists, and academics across borders. Employing sophisticated surveillance tools and offensive cyber tactics, the regime is waging a digital war on free expression, privacy, and dissent.
From Domestic Control to Global Reach
While internet filtering, bandwidth throttling, and social media blackouts have long been part of Tehran’s digital arsenal, recent developments reveal a more targeted, covert, and far-reaching cyber strategy. Spyware such as Pegasus, and localized variants reportedly developed or deployed by regime-linked security agencies, have enabled the regime to gain near-total control over victims’ smartphones — accessing photos, messages, location data, and even activating microphones and cameras without user interaction.
Unlike broader techniques such as distributed denial-of-service (DDoS) attacks or content filtering, these advanced tools rely on zero-click exploits — requiring no user input — and allow for highly targeted, persistent surveillance. Victims are often unaware their devices have been compromised, giving regime intelligence units a potent weapon to suppress activism.
Phishing: A Growing Tactic of Political Warfare
In addition to spyware, phishing has become one of the regime’s most commonly used tactics to infiltrate the private communications of political activists. Telegram, WhatsApp, and email accounts are frequent targets: attackers impersonate trusted contacts or institutions to trick victims into clicking fake links or entering credentials into fraudulent login pages.
Check Point Research’s 2025 report highlights the activities of Educated Manticore, a cyber-espionage group linked to the Islamic Revolutionary Guard Corps (IRGC). The group has launched highly targeted phishing campaigns, especially after the Iran-Israel war, aiming at Israeli journalists, cybersecurity professionals, and academics. Attackers pose as research assistants or executives and use platforms like WhatsApp and email to direct victims to fake Gmail or Google Meet pages. These React-based phishing kits closely mimic legitimate interfaces, allowing attackers to harvest passwords and two-factor authentication codes with alarming precision.
“In some campaigns, Israeli technology and cybersecurity professionals were approached by attackers posing as fictitious assistants or researchers. Victims were directed to phishing pages where entered credentials were immediately sent to attackers,” the report stated.
Check Point continues to monitor the growing network of infrastructure supporting Educated Manticore’s cyber operations.
Domestic Crackdown Intensifies Post-War
The regime’s digital repression spiked after the 12-day Iran-Israel war, with authorities enacting near-total internet shutdowns and shifting traffic to the National Information Network — Iran’s heavily censored, government-controlled intranet. These measures effectively severed activists’ communication with the outside world, crippling coordination efforts and media outreach.
According to digital rights groups, individual requests for digital security assistance surged by 720 percent in the first half of 2025, signaling that ordinary citizens — not just high-profile targets — are increasingly affected.
Social media platforms such as WhatsApp, Telegram, and Instagram have become primary battlegrounds. Phishing attacks on these platforms are no longer isolated incidents but part of a systematic campaign of intimidation and surveillance.
A State-Backed Cyber Apparatus
Iran’s digital crackdown is not limited to intelligence agencies. Institutions like the Supreme Council of Cyberspace, as well as private-sector collaborators, are deeply involved in expanding and maintaining the surveillance infrastructure. Technologies such as Deep Packet Inspection (DPI), national firewalls, and centralized access control systems are used to monitor and censor online traffic with military-grade precision.
This digital dragnet forms a cornerstone of the regime’s broader authoritarian strategy — using the internet not as a tool of progress but as an extension of state control.
The Global Footprint of Repression
While the primary targets remain Iranians, Tehran’s digital reach increasingly threatens freedom beyond its borders. Activists and diaspora communities in the United Kingdom, France, Germany, and elsewhere have reported cyber harassment, phishing attempts, and surveillance by regime-linked actors.
The growing sophistication of these operations — combining spyware, artificial intelligence-generated messages, and cloned authentication portals — underscores the urgency of international action. As authoritarian regimes like Tehran refine their digital playbooks, the global community faces a new frontier of repression — one that operates in silence, crosses borders, and threatens the very infrastructure of digital freedom.





