Iran-linked hackers have launched a destructive cyber campaign that wipes IT, backup, and recovery systems at multiple organizations in the Middle East and beyond, severely undermining victims’ ability to restore operations after an attack.
Evidence ties the operation to the long-running Iranian threat group Black Shadow, believed to work on behalf of Iran’s Ministry of Intelligence and Security.
Threat intelligence analysis shows the campaign, dubbed “Ababil of Minab,” targets organizations in the United States, Israel, Saudi Arabia, Turkey, and other Middle Eastern countries.
The operators combine large-scale data exfiltration with systematic destruction of virtual infrastructure, databases, operating systems, and backup repositories.
The activity surfaced publicly after a pro-Iran persona calling itself “Ababil of Minab” claimed responsibility for attacks on Los Angeles Metro and other entities, publishing videos of live destruction operations as proof.
Forensic links connect this persona’s infrastructure and tooling to previous Black Shadow operations, indicating it is likely a rebranding rather than a new independent crew.
The attackers deliberately targeted every layer needed for recovery: virtualization, storage, databases, application servers, and backup platforms.
In one Middle East–focused case at UNIMAC, a Saudi maintenance and contracting company, the operator wiped Windows volumes through Disk Management, formatting and then deleting partitions before recreating a new “Minab” volume to overwrite prior data.
They then pivoted to the Veeam Backup & Replication console. They used the “Delete from disk” action to erase entire backup chains from repository storage, eliminating recovery points that might have saved the environment.
The Gambit team said in a report shared with GBHackers that it investigated an intrusion campaign involving exfiltration and destruction targeting organizations in the United States, Israel, Saudi Arabia, and Turkey.
In another victim environment, they ran a custom Python script, main.py, which iterated through 58 SQL Server instances and executed commands to forcibly drop all user databases, achieving 58 of 58 successful destructive operations while manually deleting backup .bak files in parallel.
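The destruction described above (bulk database drops across many instances, followed by deletion of backup chains from the repository) is the kind of pattern a SIEM can catch while it is still in progress. The following is an added example, not code from the article or from the Gambit report: a sliding-window detector over normalized audit events. The event format, field names, hostnames, user names and the sample events themselves are all constructed for the example; a real deployment would map SQL Server Audit records, Veeam session logs and vCenter task events into this shape.

```python
"""Sliding-window detector for bulk destructive actions across SQL Server,
virtualization and backup infrastructure (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample audit events in a normalized key=value form (assumption:
# the SIEM has already mapped SQL Server Audit, Veeam and vCenter events to this).
SAMPLE_EVENTS = """\
2025-06-01T02:10:01Z host=sql01 user=svc_backup action=DROP_DATABASE object=OrdersDB
2025-06-01T02:10:02Z host=sql01 user=svc_backup action=DROP_DATABASE object=CustomersDB
2025-06-01T02:10:04Z host=sql02 user=svc_backup action=DROP_DATABASE object=HRDB
2025-06-01T02:10:05Z host=sql02 user=svc_backup action=DROP_DATABASE object=BillingDB
2025-06-01T02:10:09Z host=sql03 user=svc_backup action=DROP_DATABASE object=InventoryDB
2025-06-01T02:11:30Z host=veeam01 user=svc_backup action=DELETE_FROM_DISK object=Daily-SQL-Chain
2025-06-01T09:00:00Z host=sql01 user=dba_jane action=DROP_DATABASE object=ScratchDB
"""

# Actions that remove data or recovery points; names are this example's own.
DESTRUCTIVE = {"DROP_DATABASE", "DELETE_FROM_DISK", "DELETE_VM", "FORMAT_VOLUME"}


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_mass_destruction(text, window_seconds=300, threshold=3):
    """Return one alert per user whose destructive actions within any
    window_seconds span reach threshold. Each alert records the largest burst
    seen, the hosts touched, and whether a backup-repository deletion occurred
    inside the same burst (the combination that removes the recovery path)."""
    events = sorted((parse_event(ln) for ln in text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    windows = defaultdict(deque)  # per-user queue of recent destructive events
    alerts = {}
    for ev in events:
        if ev["action"] not in DESTRUCTIVE:
            continue
        q = windows[ev["user"]]
        q.append(ev)
        # Drop events that fell out of the window relative to the newest one.
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["user"], {"user": ev["user"], "count": 0,
                                               "hosts": set(), "backups_deleted": False})
            a["count"] = max(a["count"], len(q))
            a["hosts"] |= {e["host"] for e in q}
            a["backups_deleted"] |= any(e["action"] == "DELETE_FROM_DISK" for e in q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_destruction(SAMPLE_EVENTS):
        print(alert)
```

The threshold deliberately counts actions by principal rather than by host: the campaign used one account to touch 58 instances, so a per-host rule would see one drop per server and stay quiet. A single DROP by a DBA during business hours (the last sample line) does not trip it.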
Rather than relying only on malware, the threat actor abused the same management tools defenders use every day, including VMware vCenter, Windows Disk Management, SQL Server Management Studio, and Windows Explorer, to blend in with legitimate administrator activity.

Videos show the operator deleting virtual machines directly from vCenter, taking databases offline and then deleting them, and permanently removing core folders such as Windows, Program Files, Users, and the IIS web root from critical servers, causing immediate loss of connectivity.
In a striking detail, the attackers briefly revealed that they were using ChatGPT to refine their destruction scripts, specifically tuning logic to avoid system databases and target only application data, which increased impact while keeping Windows and SQL infrastructure just functional enough to complete the attack.
Before wiping systems, Ababil of Minab exfiltrated large volumes of data from victims in Israel, Turkey, and other Middle Eastern sectors, including media, higher education, insurance, and online services.
In some cases, they compressed stolen files into multi-part RAR archives and uploaded them into the victim’s own public web root, then pulled them back out using the axel download accelerator tunneled through proxychains.
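Staging multi-part archives in the victim's own public web root and pulling them with a download accelerator leaves a distinctive trace in ordinary web server access logs. As an added example (not the article's or any vendor's code), the block below scans combined-format access log lines for retrieval of split archives and reports, per client, how many parts were fetched, how many bytes left, whether HTTP range requests (typical of parallel downloaders) appeared, and whether the User-Agent looks like a command-line downloader. The log lines, addresses and filenames are constructed; the "Axel/..." User-Agent string is an assumption about that tool's default and should be treated as one indicator among several, since a UA is trivially changed.

```python
"""Detect retrieval of staged split archives from a public web root
(added example, constructed access log lines)."""
import re
from collections import defaultdict

# Constructed combined-format access log (not data from the article).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Jun/2025:03:14:05 +0000] "GET /images/dump.part1.rar HTTP/1.1" 200 104857600 "-" "Axel/2.17.11 (Linux)"
203.0.113.7 - - [01/Jun/2025:03:14:06 +0000] "GET /images/dump.part1.rar HTTP/1.1" 206 52428800 "-" "Axel/2.17.11 (Linux)"
203.0.113.7 - - [01/Jun/2025:03:16:40 +0000] "GET /images/dump.part2.rar HTTP/1.1" 200 104857600 "-" "Axel/2.17.11 (Linux)"
203.0.113.7 - - [01/Jun/2025:03:19:12 +0000] "GET /images/dump.part3.rar HTTP/1.1" 200 73400320 "-" "Axel/2.17.11 (Linux)"
198.51.100.22 - - [01/Jun/2025:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [01/Jun/2025:08:00:02 +0000] "GET /downloads/manual.pdf HTTP/1.1" 200 204800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Split-archive naming conventions: .part1.rar, .r00, .7z.001, .zip.001, plain .rar
ARCHIVE_RE = re.compile(r'\.(?:part\d+\.rar|rar|r\d{2}|7z\.\d{3}|zip\.\d{3})$', re.IGNORECASE)
# User-Agent prefixes of common command-line downloaders (assumed defaults).
DOWNLOADER_UA = ("axel", "wget", "curl", "aria2")


def find_staged_archive_pulls(text, min_parts=2):
    """Group successful GETs of archive files by client address and return a
    finding for every client that fetched at least min_parts distinct parts."""
    per_client = defaultdict(lambda: {"files": set(), "bytes": 0,
                                      "agents": set(), "range_requests": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not ARCHIVE_RE.search(m["path"]):
            continue
        if m["status"] not in ("200", "206"):  # only transfers that actually served data
            continue
        c = per_client[m["ip"]]
        c["files"].add(m["path"])
        c["bytes"] += int(m["bytes"]) if m["bytes"] != "-" else 0
        c["agents"].add(m["ua"])
        if m["status"] == "206":  # partial content: range request from a parallel downloader
            c["range_requests"] += 1

    findings = []
    for ip, c in per_client.items():
        if len(c["files"]) >= min_parts:
            findings.append({
                "client": ip,
                "parts": sorted(c["files"]),
                "bytes": c["bytes"],
                "range_requests": c["range_requests"],
                "downloader_agent": any(ua.lower().startswith(DOWNLOADER_UA) for ua in c["agents"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_staged_archive_pulls(SAMPLE_ACCESS_LOG):
        print(f)
```

Because the files sit in the web root, the download itself is legitimate traffic to the web server; the signal is the combination of archive naming, volume, range requests and client type, together with file-creation events for .rar files under the web root on the host side, which this example does not cover.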
The group also operated a custom Flask-based exfiltration receiver that accepted encrypted file chunks via multiple endpoints and reassembled them server-side.
Although the client encrypted filenames and data with AES-CBC, the key and IV were transmitted in the same request, meaning the encryption provided no real protection against anyone monitoring the traffic path.

Infrastructure used in this campaign overlaps with a 2025 Iranian operation that deployed a fake mental health support site, nefeshhope.com, to target Israeli soldiers and reservists.
That influence-espionage campaign was previously associated with Black Shadow based on custom Go tunneler samples and command-and-control hosting.
The reuse of staging servers, TLS certificates, and tunneling tools between the fake support site and the new destructive and exfiltration activity provides strong continuity between these operations.
For defenders in the Middle East, this underscores that the same Iran-linked cluster now combines psychological operations, espionage, and outright destructive attacks against critical IT and recovery infrastructure.
Indicators of Compromise
| Indicator | Type | Notes |
|---|---|---|
| 31.172.87.20 | IPv4 | Operator staging server; served TLS for nefeshhope[.]com |
| 212.83.61.213 | IPv4 | FileFiend C2, hardcoded in 81a2535 |
| 66.85.26.183 | IPv4 | FileFiend C2, hardcoded in c8cc422 and 33a6b49 |
| 195.20.17.129 | IPv4 | FileFiend C2, hardcoded in d76a943 |
| 46.246.125.131 | IPv4 | Source IP of propaganda site |
| 146.70.233.83 | IPv4 | Served TLS for nefeshhope[.]com |
| 91.193.19.198 | IPv4 | Attacker-controlled exit node |
| 89.36.231.56 | IPv4 | Served TLS for feedback.nefeshhope[.]com |
| 84.200.89.52 | IPv4 | Served TLS for nefeshhope[.]com |
| 46.30.190.173 | IPv4 | Served TLS for members.nefeshhope[.]com |
| nefeshhope[.]com | Domain | Operator-controlled site |
| members.nefeshhope[.]com | Domain | Communicating with A.ExE Go tunneler |
| 81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 | SHA-256 | FileFiend / Exchangedb.exe |
| c8cc4225d1e21324ef419adbb1c10dd0578fb034b5f5d7b8000f0aae1871c061 | SHA-256 | FileFiend / Exchangedb.exe |
| 33a6b4900c2fbfb3c2d816947871eade800d0c0e2a2680871700fd6e640e5f20 | SHA-256 | FileFiend / Exchangedb.exe |
| d76a94309240a7e2f11a89fab54a6853628e976a5ff19084b1b0894c89e6a742 | SHA-256 | FileFiend |
| f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 | SHA-256 | A.ExE Go tunneler communicating with members.nefeshhope[.]com |
| C:\Users\casio\Desktop\uploader v3\temp uploader v3\temp uploader v3.cpp | File Path | Developer source path in FileFiend |
| F:\OH~\FileFiend(Uploader)\uploader v3\x64\Release\temp uploader v3.pdb | File Path | PDB path in FileFiend v4 |
| O=Acme Cloud Solutions Inc, CN=localhost | TLS Subject | Self-signed certificate on Flask receiver |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.