Iran-Linked Hackers Destroy IT Systems, Backups, and Recovery Infrastructure
Iran-linked hackers have launched a sweeping campaign of digital destruction. This extensive operation has targeted multiple organizations across the United States and the Middle East, systematically wiping IT systems, erasing critical backups, and dismantling recovery infrastructure.
The attacks, carried out under a pro-Iranian persona called “Ababil of Minab,” went far beyond data theft, leaving victims with little ability to restore their systems.
The campaign first surfaced in late March and early April 2026, when Ababil of Minab claimed responsibility for breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro) and destroying its data.
LA Metro confirmed the breach on April 2, 2026. Hours after attackers deleted virtual machines from inside the agency’s management console, the transit authority reported that riders could not load fare on the TAP Mobile App.
Analysts at Gambit Security found that Ababil of Minab is not the independent hacktivist group it claims to be.
Forensic evidence links the operation to Black Shadow, an Iran-linked group attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security.
Gambit Security said in a report shared with Cyber Security News that attackers used scripted automation and hands-on keyboard techniques to destroy IT, virtualization, and backup infrastructure.
Beyond LA Metro, the campaign hit the South Florida Regional Transportation Authority, a company called UNIMAC, and a consumer GPS tracking service named Vyncs.
Investigators identified additional victims in Israel and Turkey across the media, higher education, and insurance sectors. The breadth of the operation signals a deliberate, coordinated effort rather than opportunistic hacking.

What makes this campaign stand out is how methodically the attackers eliminated any chance of recovery. They hunted down backup systems, dropped entire database chains, and deleted operating system files to prevent restoration.
In one incident, the attacker used an AI chatbot to refine a custom destruction script, adding an unsettling dimension to state-linked cyber activity.
Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems
The attackers relied on two core methods: automated scripts and direct, manual interaction with system tools. At LA Metro, they powered off and deleted virtual machines through the organization’s own virtualization platform.
At UNIMAC, they wiped three storage volumes and renamed new partitions “Minab” as a calling card. At Vyncs, the group ran a custom Python script called main.py that iterated through 58 SQL Server targets and dropped every database.
All 58 executions succeeded with zero failures. While the script ran, the attacker manually deleted 16 daily SQL backup files, then deleted core Windows system folders through Windows Explorer; the deletion dropped their own remote session, which itself confirmed the host had been destroyed.
At the South Florida Regional Transportation Authority, attackers gained access through a proxied remote desktop connection, took databases offline, and used a secure deletion utility (WipeFile, per the indicators below) to overwrite the web hosting directory, including a dedicated SQL backup folder.

Every step showed an attacker who understood exactly where critical data lived and how to ensure it could never be recovered.
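The two destruction steps described above, a scripted sweep that drops every database on a list and the manual deletion of the backup files that could have restored them, leave a distinctive trail in database and file-system audit logs. The following is an added example written for this page, not code from Gambit Security's report or from the attackers' tooling: a small Python detector run over constructed sample lines. It flags a burst of DROP DATABASE statements from one login (a single DBA retiring one database does not trip it), flags deletions of files with SQL backup extensions, and raises a combined "recovery at risk" verdict when both happen close together. The log line formats, the threshold of three databases per minute and the 30-minute correlation window are assumptions chosen for the example; real SQL Server Audit and Windows file-audit events carry the same fields but in different layouts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp login statement" form
# (an assumption: not the real SQL Server Audit format).
SQL_AUDIT = """\
2026-04-01T02:11:03 sa DROP DATABASE [fleet_01]
2026-04-01T02:11:04 sa DROP DATABASE [fleet_02]
2026-04-01T02:11:04 sa DROP DATABASE [fleet_03]
2026-04-01T02:11:05 sa DROP DATABASE [fleet_04]
2026-04-01T02:11:06 sa DROP DATABASE [fleet_05]
2026-04-01T09:30:00 dba_jane DROP DATABASE [staging_old]
"""

# Constructed sample lines in a simplified "timestamp user DELETE path" form
# (an assumption: not the real Windows 4663 / Sysmon FileDelete format).
FILE_AUDIT = """\
2026-04-01T02:11:10 CORP\\svc_backup DELETE D:\\SQLBackups\\fleet_2026-03-31.bak
2026-04-01T02:11:11 CORP\\svc_backup DELETE D:\\SQLBackups\\fleet_2026-03-30.bak
2026-04-01T02:11:12 CORP\\svc_backup DELETE C:\\Windows\\Temp\\tmp123.txt
2026-04-01T02:11:13 CORP\\svc_backup DELETE D:\\SQLBackups\\fleet_2026-03-29.trn
"""

SQL_DROP_LINE = re.compile(r"^(\S+) (\S+) DROP DATABASE \[?([^\]\s]+)\]?\s*$", re.IGNORECASE)
FILE_DELETE_LINE = re.compile(r"^(\S+) (\S+) DELETE (.+?)\s*$")
BACKUP_EXTENSIONS = (".bak", ".trn", ".bkf")


def parse_sql_drops(text):
    """Yield (timestamp, login, database) for every DROP DATABASE line."""
    for line in text.splitlines():
        m = SQL_DROP_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def drop_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag logins that dropped at least `threshold` distinct databases within `window`.

    A scripted sweep over a target list produces a tight cluster of drops from one
    login; routine administration does not.  Returns
    {login: {"databases": [...], "first": timestamp, "last": timestamp}}.
    """
    by_login = defaultdict(list)
    for ts, login, db in events:
        by_login[login].append((ts, db))
    alerts = {}
    for login, evs in by_login.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the cluster fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            cluster = evs[start:end + 1]
            if len({db for _, db in cluster}) >= threshold:
                hit = alerts.setdefault(
                    login, {"databases": set(), "first": cluster[0][0], "last": cluster[-1][0]})
                hit["databases"].update(db for _, db in cluster)
                hit["first"] = min(hit["first"], cluster[0][0])
                hit["last"] = max(hit["last"], cluster[-1][0])
    for hit in alerts.values():
        hit["databases"] = sorted(hit["databases"])
    return alerts


def backup_deletions(text):
    """Return (timestamp, user, path) for deleted files carrying a SQL backup extension."""
    hits = []
    for line in text.splitlines():
        m = FILE_DELETE_LINE.match(line)
        if m and m.group(3).lower().endswith(BACKUP_EXTENSIONS):
            hits.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return hits


def recovery_at_risk(sql_text, file_text, window=timedelta(minutes=30)):
    """True when a drop burst and backup-file deletion occur within `window` of each other.

    Either signal alone deserves a ticket; together they are the pattern described
    above: the data is gone and so is the means to restore it.
    """
    bursts = drop_bursts(parse_sql_drops(sql_text))
    deletions = backup_deletions(file_text)
    for hit in bursts.values():
        lo, hi = hit["first"] - window, hit["last"] + window
        if any(lo <= ts <= hi for ts, _, _ in deletions):
            return True
    return False


if __name__ == "__main__":
    print(drop_bursts(parse_sql_drops(SQL_AUDIT)))
    print(backup_deletions(FILE_AUDIT))
    print("recovery at risk:", recovery_at_risk(SQL_AUDIT, FILE_AUDIT))
```

The burst detector keys on distinct database names rather than raw statement count so that a retried DROP of one database is not mistaken for a sweep, and the correlation step widens the window on both sides because, as in the Vyncs incident, the backup deletion can run in parallel with the script rather than strictly after it. In production the same logic belongs in the SIEM as two rules plus a correlation search, fed by SQL Server Audit (DATABASE_OBJECT_CHANGE_GROUP) and file-system auditing on the backup share.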
Custom Tools and Attribution Evidence
Alongside the destruction, investigators uncovered two custom data theft tools. The first involved compressing stolen files and uploading them to the victim’s own public website, then pulling them back through an attacker-controlled server.
The second was a bespoke C++ tool called FileFiend, which scanned drives and network shares before sending stolen files to a hardcoded command-and-control server.
The attackers also built a Flask-based file receiver for accepting uploads from compromised environments. Although file contents were encrypted, the key travelled in the same request as the data, so the application-layer encryption added no secrecy: whoever could see the request could also decrypt its contents.
When visitors hit a nonexistent page on the attacker’s server, they were redirected to the FBI’s official website.
The strongest attribution link to Black Shadow came from a staging server that previously hosted a fake mental health support site targeting Israeli soldiers in August 2025.
That same server was found transferring stolen files into this campaign’s infrastructure.

Organizations in critical infrastructure, transportation, and education should urgently review access controls, backup isolation practices, and incident response readiness.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| IPv4 | 31.172.87.20 | Operator staging server; served TLS for nefeshhope[.]com |
| IPv4 | 212.83.61.213 | FileFiend C2, hardcoded in 81a2535 |
| IPv4 | 66.85.26.183 | FileFiend C2, hardcoded in c8cc422 and 33a6b49 |
| IPv4 | 195.20.17.129 | FileFiend C2, hardcoded in d76a943 |
| IPv4 | 46.246.125.131 | Source IP of propaganda site |
| IPv4 | 146.70.233.83 | Served TLS for nefeshhope[.]com |
| IPv4 | 91.193.19.198 | Attacker-controlled exit node |
| IPv4 | 89.36.231.56 | Served TLS for feedback.nefeshhope[.]com |
| IPv4 | 84.200.89.52 | Served TLS for nefeshhope[.]com |
| IPv4 | 46.30.190.173 | Served TLS for members.nefeshhope[.]com |
| Domain | nefeshhope[.]com | Operator-controlled site |
| Domain | members.nefeshhope[.]com | Observed communicating with A.ExE Go tunneler |
| Domain | banujcobaar[.]com | Redirected nefeshhope[.]com |
| SHA-256 | 81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 | FileFiend / Exchangedb.exe |
| SHA-256 | c8cc4225d1e21324ef419adbb1c10dd0578fb034b5f5d7b8000f0aae1871c061 | FileFiend / Exchangedb.exe |
| SHA-256 | 33a6b4900c2fbfb3c2d816947871eade800d0c0e2a2680871700fd6e640e5f20 | FileFiend / Exchangedb.exe |
| SHA-256 | d76a94309240a7e2f11a89fab54a6853628e976a5ff19084b1b0894c89e6a742 | FileFiend |
| SHA-256 | f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 | A.ExE Go tunneler communicating with members.nefeshhope[.]com |
| SHA-256 | 1c699720034367ba9761a8d31c854fd444e8e3c8c31c520a39c543cf95286029 | Go tunneler; served from 45.150.108.61 |
| SHA-256 | 38965a60835a5ee3eaefd3d0bffa97c0e4f0c5cd74d31d8053bedeea14f536ee | Go tunneler; served from 45.150.108.61 |
| File Path | C:\Users\casio\Desktop\uploader v3\temp uploader v3\temp uploader v3.cpp | Developer source path in FileFiend |
| File Path | F:\OH~FileFiend(Uploader)\uploader v3\x64\Release\temp uploader v3.pdb | PDB path in FileFiend v4 |
| Filename | Exchangedb.exe | Decoy filename for FileFiend uploader |
| TLS Subject | O=Acme Cloud Solutions Inc, CN=localhost, [email protected] | Self-signed certificate on Flask receiver |
| Tool | proxychains | Used for proxied RDP and download tunneling |
| Tool | xfreerdp | Used for proxied RDP access |
| Tool | axel | Linux CLI download accelerator used in exfiltration |
| Tool | http.flask.py | Custom Flask receiver |
| Tool | WipeFile | Windows utility for secure file deletion |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.