Iranian Hackers Target Oman Ministries with Webshells and Data Theft
Key Takeaways An Iranian-linked threat actor has compromised at least 12 Omani government ministries. The attackers used webshells, SQL server escalation, and credential brute-forcing to steal tens...
Key Takeaways
- An Iranian-linked threat actor has compromised at least 12 Omani government ministries.
- The attackers used webshells, SQL server escalation, and credential brute-forcing to steal tens of thousands of citizen records and establish persistent access.
- The intrusion was discovered due to an exposed staging server that inadvertently revealed the attackers’ toolkit, logs, and stolen data.
- The campaign, active as recently as April 2026, focuses on judicial, immigration, and citizen identity information.
Iranian-Linked Hackers Breach Omani Ministries, Steal Citizen Data
A sophisticated cyberespionage campaign, attributed to an Iranian-nexus threat actor, has successfully infiltrated a minimum of 12 government ministries in Oman. This clandestine operation led to the exfiltration of tens of thousands of citizen records and the deployment of persistent backdoors within the compromised networks. The attackers leveraged webshells, SQL server escalation techniques, and well-known exploits to navigate and maintain access within the government infrastructure. The discovery of this extensive intrusion was not the result of a tip-off or breach notification, but rather an operational error by the attackers themselves.
Table Of Content
The full scope of the attack came to light when a staging server, located at 172.86.76[.]127 and hosted on a Virtual Private Server (VPS) in the United Arab Emirates, was found to have an openly accessible directory. This misconfiguration exposed the entire arsenal of the attackers’ tools, command and control (C2) code, detailed session logs, and the stolen data. Evidence indicated that the Ministry of Justice and Legal Affairs was a primary target, showing active compromise as recently as April 10, 2026.
Analysts at Hunt.io identified the vulnerable server and subsequently documented the complete details of the operation, including the specific tools utilized, the targeted entities, and the categories of data exfiltrated. Their investigation strongly suggests that the campaign aligns with patterns of Iranian state-sponsored cyber activity, exhibiting tactical and technical overlaps with previous operations linked to Iran’s Ministry of Intelligence and Security.
This incident is not the first time Omani entities have been targeted by Iranian-aligned hackers. In 2025, a separate group compromised an email account at Oman’s Ministry of Foreign Affairs, using it to launch phishing attacks against embassies worldwide. The current campaign demonstrates a similar strategic direction but with a heightened focus on sensitive judicial records, immigration data, and citizen identity information.
Over 26,000 user records from the Ministry of Justice were extracted, alongside judicial case files, committee decisions, and Windows registry hives containing critical internal credentials. A README file discovered on the exposed server, labeled “VPS C2,” suggests that this particular machine was just one component within a broader, yet-to-be-fully-mapped command and control infrastructure.
Webshells, SQL Escalation, and a Wide Target Scope
Two distinct webshells played a crucial role in this attack. The webshell named hc2.aspx was directly recovered from the C2 server, while health_check_t.aspx appeared to be hardcoded into every attack script specifically aimed at the Ministry of Justice network. These webshells facilitated the execution of commands via standard Windows command processes, with outputs transmitted back to the attackers in plain text.
The compromised server contained a dedicated folder housing 12 exploit scripts tailored for Omani government targets. These scripts enabled various attack vectors, including Exchange email spraying, SQL server privilege escalation, and memory-based execution designed to minimize forensic artifacts by avoiding disk writes. The extensive list of targeted entities encompassed a dozen government organizations, such as the Royal Oman Police, the Tax Authority, the Civil Aviation Authority, the Ministry of Finance, and the Office of Public Prosecution. Attack methodologies ranged from exploiting ProxyShell vulnerabilities to brute-forcing credentials. Once inside the network, the attackers also deployed GodPotato, a known Windows privilege escalation tool, to elevate their access privileges.
Command Infrastructure and Iranian Nexus Ties
The C2 system operated on a Python HTTP server, working in conjunction with a PowerShell beacon installed on the compromised victim machines. This beacon communicated with the C2 server every 30 seconds, transmitting the victim’s domain, username, and hostname at the initiation of each session. Stolen data was segmented into small, encoded chunks during exfiltration to circumvent potential URL length restrictions. Logs from April 10, 2026, confirm an active session commenced at 03:00 UTC, with all traffic originating from the Ministry of Justice network.

Further analysis of the hosting network revealed a cluster of neighboring domains, including a mirrored Persian-language diaspora media site and pages associated with censorship circumvention tools. These patterns are consistent with infrastructure previously linked to Iranian state operations. Furthermore, the observed tooling exhibited overlaps with known Iranian-nexus groups such as APT34 and MuddyWater, both of which have a history of targeting Middle Eastern governments using similar tactics. While Hunt.io refrained from formal group attribution, they confidently placed this activity within the broader Iranian state-nexus threat landscape.
The discovery of this exposed infrastructure underscores the critical importance of continuous monitoring of attacker setup and cleanup phases. Such vigilance can offer a valuable window into active intrusions, potentially preventing the exfiltration of sensitive data before it reaches the hands of adversaries.
Indicators of Compromise (IoCs)
| IP Address | Resolving Domain(s) | Hosting Provider |
|---|---|---|
| 172.86.76[.]101 | dubai-1.vaermb[.]com, regorixa[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]94 | dubai-2.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]108 | dubai-3.vaermb[.]com, myjitsi.exceptionnotfound[.]ir | RouterHosting LLC, UAE |
| 172.86.76[.]112 | dubai-4.vaermb[.]com, s5.sideliner[.]ir | RouterHosting LLC, UAE |
| 172.86.76[.]120 | dubai-5.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]121 | dubai-6.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]124 | dubai-7.vaermb[.]com, suanefllix[.]com, brnettlix[.]com, brttfrixx[.]com, realprimefix[.]com, identificara[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]127 | dubai-10.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]129 | dubai-8.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]130 | dubai-9.vaermb[.]com | RouterHosting LLC, UAE |
| 45.59.114[.]60 | shop.exceptionnotfound[.]ir, price.exceptionnotfound[.]ir, myjitsi.mrnajafipour[.]ir | RouterHosting LLC, CH |
| 104.21.27[.]95 | tools.exceptionnotfound[.]ir | Cloudflare |
| 172.67.142[.]35 | tools.exceptionnotfound[.]ir | Cloudflare |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Review Network Logs: Scrutinize network traffic logs for connections to the IoCs provided, particularly for outbound connections from internal systems.
- Hunt for Webshells: Implement regular scans for webshells (e.g.,
hc2.aspx,health_check_t.aspx) and other unauthorized files on web servers and critical systems. - Patch and Update: Ensure all public-facing applications and operating systems, especially Microsoft Exchange servers, are fully patched against known vulnerabilities, including ProxyShell.
- Implement Least Privilege: Enforce the principle of least privilege across all user accounts and services to limit the impact of credential compromise.
- Monitor for Privilege Escalation Tools: Deploy endpoint detection and response (EDR) solutions to detect the presence and execution of known privilege escalation tools like GodPotato.
- Strengthen Access Controls: Implement multi-factor authentication (MFA) for all administrative accounts and critical systems, and regularly audit user permissions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.