Iran-nexus actors using AI to enhance cyber playbook

Iran-nexus actors using AI to enhance cyber playbook

Iran-nexus actors using AI to enhance cyber playbook

https://www.cybersecuritydive.com/news/iran-nexus-actors-ai-cyber-ChatGPT-malware/825415/

Publish Date: 2026-07-16 12:00:00

Source Domain: www.cybersecuritydive.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Threat actors linked to Iran are using artificial intelligence to enhance their cyber and information warfare capabilities, putting the U.S. and its allies at higher risk of asymmetric attack, according to a report released Thursday by Recorded Future. 
Iran-nexus actors have used generative AI and large language models in a range of activities, including the development of malware, conducting research on industrial control systems, exploiting software vulnerabilities and other uses. 
There are no indications yet that Iran has developed fully autonomous models, but the country is clearly using AI to accelerate its existing capabilities. 

“AI has not transformed Iran into a fundamentally different cyber power, but it has compressed the distance between intent and action,” Alexander Leslie, senior advisor at Recorded Future, told Cybersecurity Dive. 
Industrial targets
Iran-linked groups have used LLMs to map out industrial control systems, to research exploitation techniques and sustain phishing conversations in languages the human operators might not speak fluently, Leslie said. 
For example, the threat actor tracked as MuddyWater used AI in a campaign known as Operation Olalampo, according to a report released in February by Group IB. The hackers used AI to develop four malware variants through malicious Office documents in a January campaign targeting organizations and people in the Middle East and North Africa.
An Iran-nexus threat group tracked as Ababil of Minab used ChatGPT in an April attack against Vyncs, a U.S.-based firm that provides GPS technology to track vehicles. According to research from Check Point Software, the threat group used the technology to refine the script used to enumerate and drop databases during the attack. 
The same threat group has claimed credit for an attack on the Los Angeles public transit system. 
In 2024, OpenAI disclosed efforts by CyberAv3ngers to use ChatGPT to conduct reconnaissance activity on programmable PLC controllers. OpenA shut down a number of state-linked accounts related to a range of threat activity, including Iran’s Charming Kitten. 
Iran has worked closely with Russia and China to enhance its AI capabilities, according to analysts. The country has internal limitations on what it can develop, in part due to the destruction of its infrastructure. 

Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracy’s Center on Cyber and Technology Innovation, said Iran could seek additional help from China, which has been developing its own frontier AI models. 
“Another possibility is that they’ll begin using Chinese models in leading harnesses such as Claude Code, as we’ve seen Chinese cyber operators do,” Ben Am said.