Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/Threats/Iranian Hackers Target Oman Ministries with Webshells and Data Theft
Threats

Iranian Hackers Target Oman Ministries with Webshells and Data Theft

Key Takeaways An Iranian-linked threat actor has compromised at least 12 Omani government ministries. The attackers used webshells, SQL server escalation, and credential brute-forcing to steal tens...

Sarah simpson
Sarah simpson
May 6, 2026 5 Min Read
54 0

Key Takeaways

  • An Iranian-linked threat actor has compromised at least 12 Omani government ministries.
  • The attackers used webshells, SQL server escalation, and credential brute-forcing to steal tens of thousands of citizen records and establish persistent access.
  • The intrusion was discovered due to an exposed staging server that inadvertently revealed the attackers’ toolkit, logs, and stolen data.
  • The campaign, active as recently as April 2026, focuses on judicial, immigration, and citizen identity information.

Iranian-Linked Hackers Breach Omani Ministries, Steal Citizen Data

A sophisticated cyberespionage campaign, attributed to an Iranian-nexus threat actor, has successfully infiltrated a minimum of 12 government ministries in Oman. This clandestine operation led to the exfiltration of tens of thousands of citizen records and the deployment of persistent backdoors within the compromised networks. The attackers leveraged webshells, SQL server escalation techniques, and well-known exploits to navigate and maintain access within the government infrastructure. The discovery of this extensive intrusion was not the result of a tip-off or breach notification, but rather an operational error by the attackers themselves.

Table Of Content

  • Key Takeaways
  • Iranian-Linked Hackers Breach Omani Ministries, Steal Citizen Data
  • Webshells, SQL Escalation, and a Wide Target Scope
  • Command Infrastructure and Iranian Nexus Ties
  • Indicators of Compromise (IoCs)
  • What You Should Do

The full scope of the attack came to light when a staging server, located at 172.86.76[.]127 and hosted on a Virtual Private Server (VPS) in the United Arab Emirates, was found to have an openly accessible directory. This misconfiguration exposed the entire arsenal of the attackers’ tools, command and control (C2) code, detailed session logs, and the stolen data. Evidence indicated that the Ministry of Justice and Legal Affairs was a primary target, showing active compromise as recently as April 10, 2026.

Analysts at Hunt.io identified the vulnerable server and subsequently documented the complete details of the operation, including the specific tools utilized, the targeted entities, and the categories of data exfiltrated. Their investigation strongly suggests that the campaign aligns with patterns of Iranian state-sponsored cyber activity, exhibiting tactical and technical overlaps with previous operations linked to Iran’s Ministry of Intelligence and Security.

This incident is not the first time Omani entities have been targeted by Iranian-aligned hackers. In 2025, a separate group compromised an email account at Oman’s Ministry of Foreign Affairs, using it to launch phishing attacks against embassies worldwide. The current campaign demonstrates a similar strategic direction but with a heightened focus on sensitive judicial records, immigration data, and citizen identity information.

Over 26,000 user records from the Ministry of Justice were extracted, alongside judicial case files, committee decisions, and Windows registry hives containing critical internal credentials. A README file discovered on the exposed server, labeled “VPS C2,” suggests that this particular machine was just one component within a broader, yet-to-be-fully-mapped command and control infrastructure.

Webshells, SQL Escalation, and a Wide Target Scope

Two distinct webshells played a crucial role in this attack. The webshell named hc2.aspx was directly recovered from the C2 server, while health_check_t.aspx appeared to be hardcoded into every attack script specifically aimed at the Ministry of Justice network. These webshells facilitated the execution of commands via standard Windows command processes, with outputs transmitted back to the attackers in plain text.

The compromised server contained a dedicated folder housing 12 exploit scripts tailored for Omani government targets. These scripts enabled various attack vectors, including Exchange email spraying, SQL server privilege escalation, and memory-based execution designed to minimize forensic artifacts by avoiding disk writes. The extensive list of targeted entities encompassed a dozen government organizations, such as the Royal Oman Police, the Tax Authority, the Civil Aviation Authority, the Ministry of Finance, and the Office of Public Prosecution. Attack methodologies ranged from exploiting ProxyShell vulnerabilities to brute-forcing credentials. Once inside the network, the attackers also deployed GodPotato, a known Windows privilege escalation tool, to elevate their access privileges.

Command Infrastructure and Iranian Nexus Ties

The C2 system operated on a Python HTTP server, working in conjunction with a PowerShell beacon installed on the compromised victim machines. This beacon communicated with the C2 server every 30 seconds, transmitting the victim’s domain, username, and hostname at the initiation of each session. Stolen data was segmented into small, encoded chunks during exfiltration to circumvent potential URL length restrictions. Logs from April 10, 2026, confirm an active session commenced at 03:00 UTC, with all traffic originating from the Ministry of Justice network.

Snippet of the C2 logs showing 26,596 MJLA user records extracted from the compromised system (Source - Hunt.io)
Snippet of the C2 logs showing 26,596 MJLA user records extracted from the compromised system (Source – Hunt.io)

Further analysis of the hosting network revealed a cluster of neighboring domains, including a mirrored Persian-language diaspora media site and pages associated with censorship circumvention tools. These patterns are consistent with infrastructure previously linked to Iranian state operations. Furthermore, the observed tooling exhibited overlaps with known Iranian-nexus groups such as APT34 and MuddyWater, both of which have a history of targeting Middle Eastern governments using similar tactics. While Hunt.io refrained from formal group attribution, they confidently placed this activity within the broader Iranian state-nexus threat landscape.

The discovery of this exposed infrastructure underscores the critical importance of continuous monitoring of attacker setup and cleanup phases. Such vigilance can offer a valuable window into active intrusions, potentially preventing the exfiltration of sensitive data before it reaches the hands of adversaries.

Indicators of Compromise (IoCs)

IP Address Resolving Domain(s) Hosting Provider
172.86.76[.]101 dubai-1.vaermb[.]com, regorixa[.]com RouterHosting LLC, UAE
172.86.76[.]94 dubai-2.vaermb[.]com RouterHosting LLC, UAE
172.86.76[.]108 dubai-3.vaermb[.]com, myjitsi.exceptionnotfound[.]ir RouterHosting LLC, UAE
172.86.76[.]112 dubai-4.vaermb[.]com, s5.sideliner[.]ir RouterHosting LLC, UAE
172.86.76[.]120 dubai-5.vaermb[.]com RouterHosting LLC, UAE
172.86.76[.]121 dubai-6.vaermb[.]com RouterHosting LLC, UAE
172.86.76[.]124 dubai-7.vaermb[.]com, suanefllix[.]com, brnettlix[.]com, brttfrixx[.]com, realprimefix[.]com, identificara[.]com RouterHosting LLC, UAE
172.86.76[.]127 dubai-10.vaermb[.]com RouterHosting LLC, UAE
172.86.76[.]129 dubai-8.vaermb[.]com RouterHosting LLC, UAE
172.86.76[.]130 dubai-9.vaermb[.]com RouterHosting LLC, UAE
45.59.114[.]60 shop.exceptionnotfound[.]ir, price.exceptionnotfound[.]ir, myjitsi.mrnajafipour[.]ir RouterHosting LLC, CH
104.21.27[.]95 tools.exceptionnotfound[.]ir Cloudflare
172.67.142[.]35 tools.exceptionnotfound[.]ir Cloudflare

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Review Network Logs: Scrutinize network traffic logs for connections to the IoCs provided, particularly for outbound connections from internal systems.
  • Hunt for Webshells: Implement regular scans for webshells (e.g., hc2.aspx, health_check_t.aspx) and other unauthorized files on web servers and critical systems.
  • Patch and Update: Ensure all public-facing applications and operating systems, especially Microsoft Exchange servers, are fully patched against known vulnerabilities, including ProxyShell.
  • Implement Least Privilege: Enforce the principle of least privilege across all user accounts and services to limit the impact of credential compromise.
  • Monitor for Privilege Escalation Tools: Deploy endpoint detection and response (EDR) solutions to detect the presence and execution of known privilege escalation tools like GodPotato.
  • Strengthen Access Controls: Implement multi-factor authentication (MFA) for all administrative accounts and critical systems, and regularly audit user permissions.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitHackerphishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Remus Infostealer Targets Browsers with Lumma-Style Key Theft

Next Post

Critical OpenClaw DeepSeek AI Skill Exploits Agentic Workflows to Deliver RAT and Stealer

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us