Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society

• What happened: Cyber threats and digital repression in Iran increased amid wartime conditions.
• Mercenary espionage: A new cybersecurity report highlights the emergence of mercenary spyware activities.
• Why it matters: Phishing campaigns backed by social engineering mainly target civil society, women, and ethnic minorities.

Escalating wartime cyber repression and the emergence of mercenary spyware attacks have Iran at their center in 2025, as new findings reveal a profound shift in cyber threats. 

The Miaan Group has unveiled a report highlighting changes marked by advanced digital surveillance and intensified repression during conflicts like the recent Iran-Israel war.

Key Findings of the Miaan Report  

For the first time, mercenary spyware attacks targeting Iranian users have been documented. These attacks use commercial-grade surveillance tools, akin to Pegasus, to spy on civil society figures both within Iran and abroad. 

In May 2025, three targeted cyberattacks using mercenary spyware against two Iranian citizens in Iran and one in Europe, some involved in political activism, were seen by Miaan.

Notable escalations include the targeting of women—who now constitute 46% of digital security cases—and ethnic minorities, especially Turkic groups in Azerbaijan. Artists were also targeted via phishing Instagram pages.

Recently, cybersecurity experts warned that Iran’s Internet filtering may be fueling espionage risks.

The Director of Digital Rights and Security at Miaan Group commented on this surge in mercenary spyware attacks, stating that “this security incident is a clear sign that the government has moved from general surveillance to a phase of targeted and aggressive espionage.” 

The conflict significantly worsened cyber threats, with authorities exploiting wartime conditions to enforce stringent controls through various phishing themes, impersonation, and social engineering. Digital repression spread from Tehran to underserved provinces like Qom and Hormozgan. 

Furthermore, surveillance extended to Iranian activists living in countries like the U.K., Germany, France, and Slovenia, signaling an alarming global reach.  

Global and Local Implications  

These developments showcase the sophistication of Iran's cyber threats, which now incorporate tools designed to monitor political opponents, suppress dissent, and enforce social norms. The Miaan Group has called for enhanced protective measures, including faster digital threat alerts and wider access to cybersecurity services.  

Meanwhile, European Parliament member Hannah Neumann was targeted in an Iranian APT42-linked hacking campaign in April.