CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 01, 2026

Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East

Cybersecurity News Archived Jun 01, 2026 ✓ Full text saved

Iran-linked hackers have launched a sweeping campaign of digital destruction across the United States and the Middle East, wiping IT systems, erasing backups, and dismantling recovery infrastructure at multiple organizations. The attacks, carried out under a pro-Iranian persona called “Ababil of Minab,” went far beyond data theft, leaving victims with little ability to restore their […] The post Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East ap

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East By Tushar Subhra Dutta June 1, 2026 Iran-linked hackers have launched a sweeping campaign of digital destruction across the United States and the Middle East, wiping IT systems, erasing backups, and dismantling recovery infrastructure at multiple organizations. The attacks, carried out under a pro-Iranian persona called “Ababil of Minab,” went far beyond data theft, leaving victims with little ability to restore their systems. The campaign first surfaced in late March and early April 2026, when Ababil of Minab claimed responsibility for breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro) and destroying its data. LA Metro confirmed the breach on April 2, 2026. Hours after attackers deleted virtual machines from inside the agency’s management console, the transit authority reported that riders could not load fare on the TAP Mobile App. Analysts at Gambit Security found that Ababil of Minab is not an independent hacktivist group as they claim. Forensic evidence links the operation to Black Shadow, an Iran-linked group attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security. Gambit Security said in a report shared with Cyber Security News that attackers used scripted automation and hands-on keyboard techniques to destroy IT, virtualization, and backup infrastructure. Beyond LA Metro, the campaign hit the South Florida Regional Transportation Authority, a company called UNIMAC, and a consumer GPS tracking service named Vyncs. Investigators identified additional victims in Israel and Turkey across the media, higher education, and insurance sectors. The breadth of the operation signals a deliberate, coordinated effort rather than opportunistic hacking. Backup chain deletion (Source – Gambit) What makes this campaign stand out is how methodically the attackers eliminated any chance of recovery. They hunted down backup systems, dropped entire database chains, and deleted operating system files to prevent restoration. In one incident, the attacker used an AI chatbot to refine a custom destruction script, adding an unsettling dimension to state-linked cyber activity. Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems The attackers relied on two core methods: automated scripts and direct, manual interaction with system tools. At LA Metro, they powered off and deleted virtual machines through the organization’s own virtualization platform. At UNIMAC, they wiped three storage volumes and renamed new partitions “Minab” as a calling card. At Vyncs, the group ran a custom Python script called main.py that iterated through 58 SQL Server targets and dropped every database. All 58 executions succeeded with zero failures. While the script ran, the attacker manually deleted 16 daily SQL backup files, then destroyed core Windows system folders through Windows Explorer, causing their own remote session to drop and confirming total destruction. At the South Florida Regional Transportation Authority, attackers gained access through a proxied remote desktop connection, took databases offline, and used a secure deletion tool to overwrite the web hosting directory, including a dedicated SQL backup folder. Scripted SQL Server database deletion via main.py (Source – Gambit) Every step showed an attacker who understood exactly where critical data lived and how to ensure it could never be recovered. Custom Tools and Attribution Evidence Alongside the destruction, investigators uncovered two custom data theft tools. The first involved compressing stolen files and uploading them to the victim’s own public website, then pulling them back through an attacker-controlled server. The second was a bespoke C++ tool called FileFiend, which scanned drives and network shares before sending stolen files to a hardcoded command-and-control server. The attackers also built a Flask-based file receiver for accepting uploads from compromised environments. Although file transfers were encrypted, the key was sent in the same request as the data, making it readable to anyone monitoring traffic. When visitors hit a nonexistent page on the attacker’s server, they were redirected to the FBI’s official website. The strongest attribution link to Black Shadow came from a staging server that previously hosted a fake mental health support site targeting Israeli soldiers in August 2025. That same server was found transferring stolen files into this campaign’s infrastructure. Organizations in critical infrastructure, transportation, and education should urgently review access controls, backup isolation practices, and incident response readiness. Indicators of Compromise (IoCs):- Type Indicator Description IPv4 31.172.87.20 Operator staging server; served TLS for nefeshhope[.]com IPv4 212.83.61.213 FileFiend C2, hardcoded in 81a2535 IPv4 66.85.26.183 FileFiend C2, hardcoded in c8cc422 and 33a6b49 IPv4 195.20.17.129 FileFiend C2, hardcoded in d76a943 IPv4 46.246.125.131 Source IP of propaganda site IPv4 146.70.233.83 Served TLS for nefeshhope[.]com IPv4 91.193.19.198 Attacker-controlled exit node IPv4 89.36.231.56 Served TLS for feedback.nefeshhope[.]com IPv4 84.200.89.52 Served TLS for nefeshhope[.]com IPv4 46.30.190.173 Served TLS for members.nefeshhope[.]com Domain nefeshhope[.]com Operator-controlled site Domain members.nefeshhope[.]com Observed communicating with A.ExE Go tunneler Domain banujcobaar[.]com Redirected nefeshhope[.]com SHA-256 81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 FileFiend / Exchangedb.exe SHA-256 c8cc4225d1e21324ef419adbb1c10dd0578fb034b5f5d7b8000f0aae1871c061 FileFiend / Exchangedb.exe SHA-256 33a6b4900c2fbfb3c2d816947871eade800d0c0e2a2680871700fd6e640e5f20 FileFiend / Exchangedb.exe SHA-256 d76a94309240a7e2f11a89fab54a6853628e976a5ff19084b1b0894c89e6a742 FileFiend SHA-256 f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 A.ExE Go tunneler communicating with members.nefeshhope[.]com SHA-256 1c699720034367ba9761a8d31c854fd444e8e3c8c31c520a39c543cf95286029 Go tunneler; served from 45.150.108.61 SHA-256 38965a60835a5ee3eaefd3d0bffa97c0e4f0c5cd74d31d8053bedeea14f536ee Go tunneler; served from 45.150.108.61 File Path C:\Users\casio\Desktop\uploader v3\temp uploader v3\temp uploader v3.cpp Developer source path in FileFiend File Path F:\OH~FileFiend(Uploader)\uploader v3\x64\Release\temp uploader v3.pdb PDB path in FileFiend v4 Filename Exchangedb.exe Decoy filename for FileFiend uploader TLS Subject O=Acme Cloud Solutions Inc, CN=localhost, emailAddress=admin@acmecloud.example Self-signed certificate on Flask receiver Tool proxychains Used for proxied RDP and download tunneling Tool xfreerdp Used for proxied RDP access Tool axel Linux CLI download accelerator used in exfiltration Tool http.flask.py Custom Flask receiver Tool WipeFile Windows utility for secure file deletion Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Iranian APT Uses SEO Poisoning to Deliver Fake SQL Developer Malware Installer Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways Windows Server 2016 Domain Controller May Fail with 15-Character Hostname Apache CXF LDAP Injection Vulnerability Let Attacker Retrieve Arbitrary Certificates Latest News Cyber Security Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage Cyber Security News Microsoft Tightens Entra ID Password Resets With New Authentication Change Cyber Security News Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package Cyber Security News Hackers Attacking Signal Users to Steal Backups in New Wave of Attacks Cyber Security News Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 01, 2026
    Archived
    Jun 01, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗