Iran-Linked Hackers Launch Destructive Cyber Attack
Recent reports have highlighted a significant cyber threat originating from Iranian-linked hackers who have initiated a destructive cyber campaign targeting multiple organizations across the Middle East and beyond. This campaign not only threatens critical IT infrastructures but also severely hinders the affected organizations’ ability to recover from such cyber-attacks.
The threat has been attributed to the notorious Iranian hacking group known as Black Shadow, a group that has a history of working in alignment with Iran’s Ministry of Intelligence and Security. This connection raises alarms for authorities and organizations alike, as they now face increased digital vulnerabilities.
This particular campaign, referred to as “Ababil of Minab,” has demonstrated a worrying focus on institutions in various countries, including the United States, Israel, Saudi Arabia, Turkey, and numerous nations within the Middle Eastern region. The attackers have employed a dual tactic that includes not only the extensive exfiltration of sensitive data but also the systematic erasure of crucial virtual infrastructure components, databases, operating systems, and backup repositories.
The operations first gained public attention when an individual identifying as “Ababil of Minab” took credit for targeting entities such as Los Angeles Metro. This pro-Iran persona even shared videos showcasing live destruction operations to substantiate their claims. The forensic investigation into this activity has connected this new campaign to previous operations by the Black Shadow group, suggesting that “Ababil of Minab” may merely be a rebranding of this longstanding threat rather than a separate entity.
Targets have not been chosen randomly; attackers meticulously focused on crippling every necessary layer required for effective recovery. This included dismantling virtualization, storage, databases, application servers, and backup platforms. A notable example was the assault on UNIMAC, a Saudi maintenance and contracting firm, where attackers effectively wiped Windows volumes using Disk Management tools. They proceeded to format and delete partitions before creating a new “Minab” volume to overwrite prior data, rendering recovery almost impossible.
Additionally, the operators made use of the Veeam Backup & Replication console to obliterate entire backup chains from repository storage, erasing recovery points that might have been critical for environmental restoration. A report shared by the Gambit team elaborates on this intrusion campaign, revealing a complex web of exfiltration and destructive actions aimed at organizations throughout key regions.
The complexity of the attacks doesn’t end with mere data destruction. The operators relied on widely used management tools including VMware vCenter, Windows Disk Management, SQL Server Management Studio, and Windows Explorer. Because these are the same tools administrators use every day, the destructive actions blended in with legitimate administrative activity, which makes them harder for defenders to distinguish and to detect in time.
Videos released by the attackers depict them deleting virtual machines directly from vCenter, taking databases offline, and permanently removing essential folders, including Windows, Program Files, Users, and the IIS web root from crucial servers. The repercussions of such actions lead to immediate and severe connectivity losses.
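The pattern described above is a burst of ordinary-looking administrative actions that together remove every layer a recovery would depend on: VMs deleted in vCenter, backup chains deleted in Veeam, partitions deleted and volumes formatted on Windows. The detector below is an added example written for this article; it is not code from the Gambit report or from any vendor. It assumes the three sources have already been normalized into one JSON-lines stream with the fields ts, source, actor, action and target (the event names and the sample log are constructed for the example), and it flags any actor who performs several destructive actions across more than one layer within a short window.

```python
"""Added example: detect a cross-layer burst of destructive admin actions.

The log format is constructed for this example (one JSON object per line);
real vCenter, Veeam and Windows telemetry would first be normalized into it.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that are routine on their own but, in volume and across layers
# inside one short window, look like an attempt to destroy recovery capacity.
DESTRUCTIVE_ACTIONS = {
    "vcenter": {"vm.destroyed", "datastore.removed"},
    "veeam": {"backup.deleted", "backup_chain.deleted"},
    "windows": {"partition.deleted", "volume.formatted"},
}

# Constructed sample telemetry, not real events.
SAMPLE_LOG = """
{"ts": "2025-11-02T01:02:11Z", "source": "vcenter", "actor": "svc-backup", "action": "vm.destroyed", "target": "db-01"}
{"ts": "2025-11-02T01:02:40Z", "source": "vcenter", "actor": "svc-backup", "action": "vm.destroyed", "target": "app-01"}
{"ts": "2025-11-02T01:03:05Z", "source": "vcenter", "actor": "svc-backup", "action": "vm.destroyed", "target": "app-02"}
{"ts": "2025-11-02T01:05:30Z", "source": "veeam", "actor": "svc-backup", "action": "backup_chain.deleted", "target": "job-daily-db"}
{"ts": "2025-11-02T01:06:02Z", "source": "veeam", "actor": "svc-backup", "action": "backup_chain.deleted", "target": "job-daily-app"}
{"ts": "2025-11-02T01:09:45Z", "source": "windows", "actor": "svc-backup", "action": "volume.formatted", "target": "FS-01:D"}
{"ts": "2025-11-02T09:15:00Z", "source": "vcenter", "actor": "jdoe", "action": "vm.destroyed", "target": "test-vm-7"}
{"ts": "2025-11-02T09:16:00Z", "source": "vcenter", "actor": "jdoe", "action": "vm.powered_on", "target": "test-vm-8"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = json.loads(line)
        # 'Z' suffix is only accepted by fromisoformat from Python 3.11 on.
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events


def find_destruction_bursts(events, window=timedelta(minutes=15),
                            min_events=5, min_layers=2):
    """Return bursts: one actor, >= min_events destructive actions spanning
    >= min_layers distinct sources, all inside one sliding time window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS.get(e["source"], set()):
            by_actor[e["actor"]].append(e)

    bursts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            # Extend j as far as the window allows from event i.
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            chunk = evs[i:j + 1]
            layers = {e["source"] for e in chunk}
            if len(chunk) >= min_events and len(layers) >= min_layers:
                bursts.append({
                    "actor": actor,
                    "start": evs[i]["ts"],
                    "end": evs[j]["ts"],
                    "count": len(chunk),
                    "layers": sorted(layers),
                    "targets": [e["target"] for e in chunk],
                })
                i = j + 1  # do not report overlapping sub-bursts
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in find_destruction_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b['actor']}: {b['count']} destructive actions across "
              f"{', '.join(b['layers'])} between {b['start']} and {b['end']}")
```

The thresholds are deliberately conservative: a single administrator deleting a test VM never fires, while an account that touches the hypervisor, the backup server and the file server in the same quarter hour does. In practice the backup-layer events deserve the lowest threshold of all, since deleting backup chains has no legitimate reason to coincide with VM deletion.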
In a particularly striking moment during their operations, the attackers disclosed that they had used the generative AI tool ChatGPT to refine their destruction scripts. The scripts were written to skip system databases and target application data, maximizing the damage while leaving just enough of each system running for the operators to finish their work.
Before destroying systems, the group exfiltrated large amounts of data from victims in Israel, Turkey, and elsewhere in the Middle East, spanning sectors that included media outlets, educational institutions, and online services. Stolen files were sometimes compressed into multi-part RAR archives and staged in the victims’ own public web roots, from which they were later downloaded over connections tunneled through proxychains.
Moreover, the attackers implemented a custom Flask-based exfiltration receiver that accepted encrypted file chunks through multiple endpoints. Although filenames and data were encrypted with AES-CBC in transit, the key and IV were carried in the same request as the ciphertext, so anyone who captured the request could decrypt it and the encryption provided no protection against eavesdroppers.
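Staging archives in a victim’s own web root leaves two artifacts a defender can look for: RAR volumes that have no business being under the document root, and access-log entries showing them being fetched. The script below is an added example written for this article, not code from the Gambit report or from the Flask receiver it describes. It assumes a directory listing of the web root and access-log lines in the common Apache/nginx combined format; every path and log line in it is constructed for the example, and it handles both modern `name.partN.rar` volumes and legacy `name.rar`/`name.rNN` naming.

```python
"""Added example: find RAR archive volumes staged in a public web root and
the downloads of those volumes in the web server access log.

Paths and log lines are constructed for this example; the log format is
the standard combined log format used by Apache and nginx.
"""
import re
from collections import defaultdict

# RAR volume naming: archive.rar, archive.partN.rar, and legacy archive.rNN.
RAR_VOLUME = re.compile(r"^(?P<base>.+?)\.(?:part\d+\.rar|r\d{2}|rar)$",
                        re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed web-root listing (what a `find /var/www/html -type f` might give).
SAMPLE_PATHS = [
    "/var/www/html/index.html",
    "/var/www/html/images/logo.png",
    "/var/www/html/images/site.part1.rar",
    "/var/www/html/images/site.part2.rar",
    "/var/www/html/tmp/dump.rar",
    "/var/www/html/tmp/dump.r00",
    "/var/www/html/tmp/dump.r01",
]

# Constructed access-log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Nov/2025:01:30:12 +0000] "GET /images/site.part1.rar HTTP/1.1" 200 52428800 "-" "curl/8.4.0"',
    '198.51.100.20 - - [02/Nov/2025:01:31:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Nov/2025:01:32:48 +0000] "GET /images/site.part2.rar HTTP/1.1" 206 52428800 "-" "curl/8.4.0"',
    '203.0.113.7 - - [02/Nov/2025:01:40:01 +0000] "GET /tmp/dump.r00 HTTP/1.1" 404 196 "-" "curl/8.4.0"',
]


def group_rar_volumes(paths):
    """Group RAR volumes found under the web root by archive base name."""
    groups = defaultdict(list)
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        m = RAR_VOLUME.match(name)
        if m:
            groups[m.group("base").lower()].append(p)
    return {base: sorted(files) for base, files in groups.items()}


def find_rar_downloads(log_lines):
    """Return successful (2xx) GET requests for RAR volumes; 206 Partial
    Content counts, since large volumes are often pulled with range requests."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]
        if not RAR_VOLUME.match(path.rsplit("/", 1)[-1]):
            continue
        if not m["status"].startswith("2"):
            continue  # 404s are worth a glance too, but are not a completed transfer
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                     "status": int(m["status"]), "bytes": size})
    return hits


def staging_report(paths, log_lines):
    """Combine both checks and total the bytes each client pulled."""
    downloads = find_rar_downloads(log_lines)
    bytes_by_client = defaultdict(int)
    for d in downloads:
        bytes_by_client[d["ip"]] += d["bytes"]
    return {
        "archives": group_rar_volumes(paths),
        "downloads": downloads,
        "bytes_by_client": dict(bytes_by_client),
    }


if __name__ == "__main__":
    rep = staging_report(SAMPLE_PATHS, SAMPLE_LOG)
    for base, files in rep["archives"].items():
        print(f"archive '{base}': {len(files)} volume(s) in web root")
    for ip, total in rep["bytes_by_client"].items():
        print(f"{ip} downloaded {total} bytes of RAR volumes")
```

Run against real data, the web-root listing comes from a file-integrity or host inventory tool and the log lines from the web server; the byte totals per client give an immediate lower bound on how much data left, which is the first question an incident responder is asked.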
The infrastructure utilized in this campaign shows striking overlap with a previous Iranian operation from 2025, which targeted Israeli soldiers through a deceptive mental health support site. This connection underscores a pattern of continuity, with tools and techniques being reused across operations, thus solidifying the link to the Black Shadow group.
For those tasked with defending their organizations against such sophisticated cyber tactics, this situation indicates a widening scope of Iranian-linked operations that now intricately blend psychological warfare, espionage, and distinctly destructive attacks aimed at undermining critical IT and recovery infrastructures. As the cyber landscape evolves, vigilance and adaptive strategies are more crucial than ever for organizations in the targeted regions.
