#NSBCS.107 - Cyber as a Psychological Tool Amid Conflict in Iran

Cyber as a Psychological Tool Amid Conflict in Iran

As tensions between the United States (U.S) and Iran escalate amid widespread protests and government crackdowns, Washington's strategic options extend far beyond conventional military responses. The U.S has the ability to execute psychological warfare driven by cyber capabilities to disrupt key Iranian infrastructure and information networks. As a result, this means targeting communication systems, command structures, and state media to weaken Tehran's ability to control internal narratives and maintain cohesion among security forces.

Widespread protests across Iran have heightened concerns about whether internal unrest could escalate into a broader confrontation involving the U.S. While the demonstrations are driven primarily by domestic economic pressures, political repression, and public dissatisfaction with the Iranian government, external tensions add further risk. The U.S is closely observing developments, balancing pressure through sanctions, diplomatic messaging, and regional deterrence rather than direct military action. Any overt foreign intervention could significantly alter the situation by either weakening the Iranian leadership or reinforcing its narrative of external aggression, potentially shifting public sentiment.

Washington has previously shown a willingness to use offensive cyber capabilities against Tehran. In June 2019, after Iran shot down a U.S drone, the Trump administration launched a cyberattack against a Revolutionary Guard database used to plan attacks on shipping. A few months later, in the wake of Iran’s drone and missile attack on Saudi oil facilities, U.S Cyber Command carried out a covert strike that targeted hardware tied to Tehran’s propaganda operations.

In December 2025, Secretary of War Pete Hegseth directed that the military’s Military Information Support Operations revert to their traditional name, psychological operations (PSYOP). The memo argued that the PSYOP label better reflects the mission of shaping foreign audiences and reviving deterrence. Using cyber warfare as a psychological tool reflects a broader shift in modern conflict, especially when kinetic action risks rapid escalation. Cyber operations can be calibrated to degrade communications or limit information access for decision-makers while minimising civilian harm. Combined with influence operations that amplify dissenting voices and fracture state messaging, such tactics could undermine confidence in Iranian leadership and bolster domestic opposition movements.

As U.S officials weigh cyber and psychological means against Iran, they must contend with several risks. Such operations require a nuanced understanding of Iran’s information ecosystem. Misjudging the regime’s control over state media or the resilience of underground networks could render attacks ineffective or even strengthen narratives. The 2019 cyber strike targeting Iranian propaganda hardware emphasised how difficult it is to assess the immediate impact of cyber operations; results can take months to gauge and may encourage Tehran to retaliate in cyberspace. Secondly, cyber and PSYOP actions can harm civilian populations. Disrupting telecommunications may impede Iranian security forces, but it could also cut off emergency services or restrict protesters’ ability to document abuses.

The evolving U.S approach to the crisis in Iran underscores a broader shift in modern conflict. Information dominance, whether achieved by degrading an adversary’s communications, amplifying dissenting voices or restoring internet access through satellites now rivals control of territory. Washington’s planning can blend cyber operations with psychological campaigns, reflecting an understanding that the battle for hearts and minds often begins online. However, recent experience demonstrates that such tools are double‑edged. Offensive cyber actions can be calibrated to avoid casualties, yet they risk retaliation and escalation. Psychological operations can weaken an authoritarian regime’s narrative, but they can also erode trust in critical institutions or public health. Thus, any strategy that seeks to harness the power of cyber and cognitive warfare must therefore balance tactical gains against long‑term consequences and recognise that lasting change in Iran will ultimately depend on the decisions of Iranians themselves.

What we read this week

• January 2026 Patch Tuesday: Microsoft Addresses 114 CVEs Including Actively Exploited Zero-Day - Microsoft's January 2026 security update tackles 114 vulnerabilities, encompassing one actively exploited zero-day (CVE-2026-20805) in the Windows Desktop Window Manager that enables local attackers to disclose sensitive memory addresses, alongside two publicly disclosed flaws allowing privilege escalation and Secure Boot bypasses. Critical issues dominate in Microsoft Office and Windows components, with remote code execution risks via use-after-free bugs in Outlook and Word exploitable through email previews, and elevation of privilege in graphics handling that could facilitate virtual machine escapes. The patches emphasise elevation of privilege (50%), remote code execution (19%), and information disclosure (19%) as primary vectors, affecting Windows, Office, and related ecosystems. Organisations should prioritise immediate patching for exploited vulnerabilities, develop mitigation strategies for legacy systems, and leverage vulnerability management tools to assess exposure.

• AI Tool Poisoning Emerges as Threat to AI Agents in Business Environments - CrowdStrike details AI tool poisoning, a novel attack where adversaries embed hidden malicious instructions in tool descriptions or metadata to manipulate AI agents, leading to data exfiltration, unauthorised actions, or system compromise without altering core functionality. Exploiting protocols like Model Context Protocol, attackers can hide directives in benign tools, such as appending SSH keys to outputs or routing data to malicious APIs, targeting AI's reasoning layer for stealthy breaches. This threat undermines trust in AI-integrated operations, with risks amplified in high-stakes sectors through permissive schemas and misleading examples. Defences include runtime monitoring of AI behaviours, validation of tool descriptions, input sanitisation, and strict access controls to prevent exploitation at integration points.

• New VoidLink Framework Targets Linux Cloud Servers with Advanced Evasion - Security researchers have uncovered VoidLink, a sophisticated modular malware framework built in Zig, Go, and C, designed for post-exploitation in Linux cloud and container environments like Kubernetes and Docker. It profiles systems for security tools, calculates risk scores to adapt behaviours, and deploys plugins for reconnaissance, credential theft, lateral movement, persistence via cron jobs or services, and anti-forensics like log wiping. Communication uses encrypted channels mimicking legitimate traffic, with rootkits employing LD_PRELOAD, LKMs, or eBPF for hiding. Though no live infections are confirmed, its cloud-optimised features signal a shift in Linux threats. Cloud operators should enhance detection of custom traffic, monitor for rootkit variants, and review provided indicators of compromise for proactive defence.

• Ukraine's Defence Forces Hit by Charity-Themed Malware Campaign - A campaign attributed with medium confidence to the Russian-linked Void Blizzard group targeted Ukraine's military officials from October to December 2025 using fake charity lures via Signal and WhatsApp to deliver the PluggyApe backdoor. Disguised as document archives or direct executables with .pif extensions bundled via PyInstaller, the malware profiles systems, establishes registry-based persistence, and communicates over MQTT with dynamically fetched C2 servers for espionage-focused data theft. Exploiting mobile devices' weak monitoring, attackers use compromised local telecom accounts and tailored social engineering. Ukrainian CERT recommends heightened scrutiny of charity-related communications, improved mobile protections, and utilisation of detailed IoCs for detection and mitigation.

References

• https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-january-2026/

• https://www.crowdstrike.com/en-us/blog/ai-tool-poisoning/?referrer=grok.com

• https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/

• https://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/