New data from Gambit Security's threat intelligence team details a campaign linked to the pro-Iranian persona ‘Ababil of Minab’ that targeted organizations across the U.S., Israel, Saudi Arabia, and Turkey with a mix of data exfiltration and destructive attacks against IT, virtualization, database, and backup infrastructure. Researchers said forensic evidence connects the activity to infrastructure and tactics associated with Black Shadow, a group previously attributed by the Israel National Cyber Directorate (INCD) to Iran’s Ministry of Intelligence and Security (MOIS).
Victims included transportation operators such as the Los Angeles County Metropolitan Transportation Authority and the South Florida Regional Transportation Authority, along with organizations in the media, insurance, education, and digital services sectors.
“Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew, as they claim. Forensic evidence ties the operation to infrastructure and activity associated with Black Shadow, an Iran-linked group, which was attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security,” Eyal Sela, director of threat intelligence at Gambit, and Nir Varon, cyber threat researcher at Gambit, wrote in a report published this week.
The report analyzes the destructive operations the attackers carried out against the victims’ IT, application, virtualization, and backup infrastructure, executed both through scripted automation and through hands-on-keyboard activity. “We also expose custom exfiltration tooling used by the attackers and identify additional Israeli and Turkish victim organizations, beyond the ones the group chose to expose,” the researchers wrote.
Sela and Varon described two modes of destruction: scripted automation and hands-on-keyboard activity. In the scripted mode, the operator runs a program that iterates through an inventory and issues the destructive command against each entry. In the interactive mode, the operator opens the same management consoles and operating system tools a legitimate administrator would use and deletes resources by pointing and clicking through them. Because both modes rely on built-in administrative functions rather than malware, the main forensic trail is the audit record those tools leave behind.
The first intrusion publicly disclosed by the attacker involved LA Metro, which confirmed the breach on April 2, 2026. Operating through an authenticated vCenter session within the LA Metro environment, the attacker selected a virtual machine and executed a Power Off command followed by Delete from Disk. Both actions were submitted through the vCenter task queue and logged in the Recent Tasks pane at 03/16/2026 11:52:38. The action deleted the virtual machine along with its underlying disk files from the datastore.
Hours later, at 3:37 a.m. on March 17, 2026, LA Metro posted on Twitter that ‘Due to a technical issue, service alerts will be delayed and riders are unable to load fare on the TAP Mobile App.’ The attacker then accessed a Windows guest VM and opened Computer Management, followed by Disk Management. After enumerating available volumes, the attacker deleted partitions using the ‘Delete Volume’ function and acknowledged the associated operating system warnings.
In the case of the South Florida Regional Transportation Authority (SFRTA), Gambit researchers reported that screencasts published by the threat actor showed proxied RDP access into the SFRTA environment. The recorded command used proxychains with xfreerdp, relayed through 91.193.19.198:8443. From an interactive session on an IIS host, the attacker obtained local administrator privileges and access to IIS Manager, SQL Server Management Studio, the local file system, and an outbound FileZilla FTP client.
Using SQL Server Management Studio, the attacker issued a ‘Take Database Offline’ command against each database and approved the ‘Drop All Active Connections’ option, forcibly terminating client sessions and placing the databases offline. The attacker then executed a ‘Delete Object’ action on each database. The attacker also used WipeFile, a Windows secure file deletion utility, overwriting the hosting tree, including hosted sites and the SQLBackup directory.
In the case of UNIMAC (United Maintenance and Contracting Company), Gambit detailed that the attacker operated within a Windows host environment and opened Disk Management to target three attached storage volumes. The destruction sequence on each disk involved formatting the existing volume, deleting the formatted partition using the ‘Delete Volume’ function, and then creating a new volume named ‘Minab’ in place of the deleted partition.
The attacker subsequently accessed the Veeam Backup & Replication console and issued ‘Delete from disk’ operations against the Veeam backup inventory. According to Veeam documentation, the ‘Delete from disk’ action permanently removes backup data at the repository file level, deleting the entire backup chain from the backup repository.
Sela and Varon noted that in the Vyncs intrusion, the attackers used custom Python scripts to enumerate and delete databases across 58 SQL Server targets while simultaneously removing backup files. The researchers additionally observed evidence that the threat actor used ChatGPT to refine the database destruction script, specifically to exclude protected system databases and focus the attack on user application databases.
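The scripted fan-out described above has a detectable shape: one principal dropping user databases on many hosts within seconds, while leaving the system databases alone so the instances keep answering. The script below is an added example written for this article, not code from the Gambit report or from the attacker's tooling. It assumes database-drop events have already been normalised into tab-separated records of timestamp, SQL Server host, acting principal and database name (for instance exported from SQL Server Audit); the records embedded in it are constructed for illustration, as are the host and account names.

```python
"""Flag mass, cross-host database drops of the kind described in the Vyncs case.

Added example; the input format and the sample records are assumptions, not
artifacts from the report.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The attacker's script deliberately skipped these so the instances stayed up.
# Any drop of a database NOT in this set destroys user data and deserves a look.
SYSTEM_DATABASES = frozenset({"master", "model", "msdb", "tempdb"})

# Constructed sample input (not real telemetry): one service account dropping a
# database on six hosts in eleven seconds, plus one routine DBA cleanup.
SAMPLE_LINES = [
    "2026-03-17T02:10:05\tsql-web-01\tCORP\\svc_deploy\tOrdersDB",
    "2026-03-17T02:10:07\tsql-web-02\tCORP\\svc_deploy\tCustomerPortal",
    "2026-03-17T02:10:09\tsql-web-03\tCORP\\svc_deploy\tFleetTelemetry",
    "2026-03-17T02:10:10\tsql-web-03\tCORP\\svc_deploy\tmsdb",
    "2026-03-17T02:10:12\tsql-web-04\tCORP\\svc_deploy\tBilling",
    "2026-03-17T02:10:14\tsql-web-05\tCORP\\svc_deploy\tReporting",
    "2026-03-17T02:10:16\tsql-web-06\tCORP\\svc_deploy\tArchive2019",
    "2026-03-16T14:02:00\tsql-hr-01\tCORP\\dba_jane\tHR_Staging_Old",
]


@dataclass(frozen=True)
class DropEvent:
    when: datetime
    host: str
    principal: str
    database: str


def parse_event(line: str) -> DropEvent:
    """Parse one record: ISO-8601 time, host, principal, database (tab separated)."""
    ts, host, principal, database = line.rstrip("\n").split("\t")
    return DropEvent(datetime.fromisoformat(ts), host, principal, database)


def user_database_drops(events: list[DropEvent]) -> list[DropEvent]:
    """Keep only drops of user databases; system-database drops are filtered out."""
    return [e for e in events if e.database.lower() not in SYSTEM_DATABASES]


def mass_drop_campaigns(
    events: list[DropEvent],
    min_hosts: int = 3,
    window: timedelta = timedelta(minutes=10),
) -> dict[str, tuple[int, int]]:
    """Return {principal: (distinct_hosts, drops)} for principals whose user-database
    drops reach min_hosts distinct hosts inside any sliding time window.

    A single admin cleaning up one server never trips this; an inventory-driven
    script hitting dozens of instances in seconds does.
    """
    by_principal: dict[str, list[DropEvent]] = defaultdict(list)
    for e in sorted(user_database_drops(events), key=lambda e: e.when):
        by_principal[e.principal].append(e)

    flagged: dict[str, tuple[int, int]] = {}
    for principal, evs in by_principal.items():
        best_hosts, best_count, start = 0, 0, 0
        for end in range(len(evs)):
            # Advance the window start until everything in it fits inside `window`.
            while evs[end].when - evs[start].when > window:
                start += 1
            in_window = evs[start:end + 1]
            hosts = len({e.host for e in in_window})
            if hosts > best_hosts:
                best_hosts, best_count = hosts, len(in_window)
        if best_hosts >= min_hosts:
            flagged[principal] = (best_hosts, best_count)
    return flagged


SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for principal, (hosts, drops) in mass_drop_campaigns(SAMPLE_EVENTS).items():
        print(f"ALERT: {principal} dropped {drops} user databases on {hosts} hosts")
```

The threshold of three hosts in ten minutes is a starting point, not a tuned value; what matters is that the detector keys on fan-out and velocity rather than on any one DROP, which on its own is indistinguishable from routine administration. Feeding it real data means mapping your audit source (SQL Server Audit, the default trace, or a SIEM export) into the four fields the parser expects.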
The findings show how attackers increasingly combine legitimate administrative tools, automation, scripting, and AI assistance to accelerate destructive operations across enterprise and critical infrastructure environments, leaving little in the way of custom malware for defenders to detect.
“Beyond the four incidents the operator published, we identified additional victim organizations on the attacker’s staging infrastructure,” Sela and Varon wrote in their report. “We are not aware of destructive activity against these additional victims, only data exfiltration. The victims include an Israeli organization in the media sector, an Israeli higher education institution, a Turkish insurance brokerage, and several additional websites across the restaurant, culture, digital services, and news sectors.”
During forensic analysis of the operator’s staging server, investigators found that the attacker had transferred stolen files from another server, 31.172.87.20, onto the staging infrastructure, further linking the activity to previously observed Iran-linked operations.
The researchers also wrote that the INCD took down the site on Aug. 28, 2025, and issued an advisory describing the incident as an attempted attack carried out by a known Iranian threat group, though no specific APT attribution was publicly identified at the time.
“Additional analysis shared with us by ClearSky Cyber Security, as well as findings by security researcher Simon Kenin, link the activity to the Black Shadow threat group, an Iranian attack group operating on behalf of MOIS,” according to Sela and Varon. “Specifically, the IP 46.30.190.173, to which the hostname members.nefeshhope[.]com resolved, was used as a C2 for A.ExE (f6db77b), a customized version of a public Go tunneler. Additional samples of the customized tunneler (1c69972, 38965a6) were served from 45.150.108.61 while it was used by Black Shadow.”