March 25, 2026

Information Operations & Foreign Influence

Iran's AI-driven disinformation campaign continues to escalate. Tehran's state-affiliated channels and allied networks remain the highest-volume producers of fabricated imagery tied to the ongoing U.S.-Israel-Iran conflict. PolitiFact reported that Iran has released AI-generated content through state channels and deployed inauthentic social media accounts to spread favorable messaging, including fabricated proof of military victories that did not occur. The most prominent false claim — that Iranian missiles sank the USS Abraham Lincoln — continues to circulate despite no credible evidence. These narratives are amplified through Russian and Chinese information ecosystems.

Small Wars Journal published an analysis of the 2026 Worldwide Threats Hearing held before the House Permanent Select Committee on Intelligence. The hearing analysis noted that the administration shuttered key counter-influence infrastructure, including the FBI's Foreign Malign Influence Task Force, the State Department's Global Engagement Center, and the DNI's Foreign Malign Influence Center, leaving no designated official for election threat response. The 2026 Annual Threat Assessment, released by ODNI, for the first time elevated AI as a cross-cutting threat shaping operations by China, Russia, Iran, and North Korea rather than treating it as a standalone capability.

Cyber Operations

Iran-linked hackers targeted a second U.S. medical institution. Axios reported on March 24 that an Iran-aligned group struck another healthcare target, following the earlier crippling cyberattack on medical device giant Stryker. The Stryker attack — claimed by Handala Hack, a persona tied to Iran's Ministry of Intelligence and Security (MOIS) — disrupted the company's Lifenet system, which emergency responders use to transmit patient data, rendering electrocardiogram transmissions non-functional across parts of Maryland.

DOJ seized four domains tied to Iranian cyber-psychological operations. The Justice Department announced the court-authorized seizure of domains used by MOIS to claim credit for hacking, post stolen data, and issue death threats against journalists and dissidents. The FBI's investigation revealed the domains shared Iranian IP ranges and a common operational playbook combining destructive cyberattacks with "faketivist" psychological operations. Handala had also posted PII of approximately 190 individuals linked to the IDF and solicited cartel "partners" to carry out violence against its targets.

China-linked group deploys new malware toolkit against telecom providers. CySecurity News reported that a Chinese cyber-espionage group designated UAT-9244 has been targeting South American telecoms using three previously undocumented malware families: TernDoor (a Windows backdoor), PeerTime (a Linux backdoor using the BitTorrent protocol to obscure command infrastructure), and BruteEntry (a credential brute-forcing tool). Separately, Salt Typhoon's global campaign against telecom infrastructure continues, with activity confirmed in Canada, Brazil, Myanmar, South Africa, and across Southeast Asian universities.

Espionage

U.S.-origin iPhone exploit kit proliferating to adversary services. Research published by Google and iVerify confirmed that an exploit kit dubbed "Coruna" — likely built by U.S. military contractor L3Harris — has escaped controlled channels and is now in the hands of Russian espionage operators and Chinese cybercriminals. The toolkit contains five exploit chains leveraging more than 20 iOS vulnerabilities and has likely infected tens of thousands of phones. Russia's UNC6353 used the related DarkSword framework in watering-hole campaigns against Ukrainian users, extracting passwords, messages, and browser history with minimal victim interaction before self-deleting.

Russia's APT28 revives advanced malware for Ukraine espionage. Recorded Future reported that APT28's advanced development team has reemerged with renewed tooling built around two implants — BeardShell and Covenant — deployed together in espionage campaigns. The group compromised a Ukrainian maritime agency through a phishing campaign exploiting a Zimbra webmail vulnerability, continuing its systematic targeting of Ukrainian government communications infrastructure.

How Iran conducts influence operations

The Trump administration warned of Iran’s wartime disinformation. Iran has been building its broader influence operation capabilities for more than a decade. Here’s how the regime attempts to manipulate public opinion and control narratives.