Iran-linked hackers have launched a sweeping campaign of digital destruction across the United States and the Middle East, wiping IT systems, erasing backup infrastructure, and dismantling recovery capabilities at multiple organizations. Operating under the pro-Iranian persona Ababil of Minab, the group went far beyond data theft — their goal was to leave victims with no ability to restore their systems at all.
Investigators at Gambit Security have linked the campaign to Black Shadow, an Iran-linked threat actor attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security (MOIS). The forensic evidence connecting the hacktivist-branded operation to a state intelligence apparatus represents one of the more significant attribution findings in recent months.
LA Metro: Where the Campaign Became Public
The campaign first surfaced in late March and early April 2026, when Ababil of Minab claimed responsibility for breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro). LA Metro confirmed the breach on April 2, 2026, after riders began reporting they could not load fare on the TAP Mobile App. Investigation revealed that attackers had gained access to the agency’s virtualization management console and used it to power off and delete virtual machines — a direct, hands-on destruction of the agency’s core IT infrastructure.
Beyond LA Metro, the campaign struck the South Florida Regional Transportation Authority, a company called UNIMAC, and a consumer GPS tracking service named Vyncs. Additional victims were identified in Israel and Turkey across the media, higher education, and insurance sectors. The breadth and diversity of targets signal a deliberate, coordinated operation rather than opportunistic hacking driven by individual motivation.
Methodical Destruction: No Recovery Left Standing
What distinguishes this campaign is the systematic way attackers eliminated every layer of recovery capability:
- At LA Metro: Virtual machines powered off and deleted through the organization’s own virtualization platform console.
- At UNIMAC: Three storage volumes wiped and new partitions renamed “Minab” as an operational calling card.
- At Vyncs: A custom Python script named main.py iterated through 58 SQL Server targets and dropped every database. All 58 executions succeeded. While the script ran, the attacker manually deleted 16 daily SQL backup files, then destroyed core Windows system folders, causing their own remote session to drop — confirmation that the destruction was complete.
- At the South Florida Regional Transportation Authority: Databases taken offline via proxied remote desktop, followed by use of a secure deletion tool to overwrite the web hosting directory, including a dedicated SQL backup folder.
In at least one incident, Gambit Security found evidence that the attacker used an AI chatbot to refine a custom destruction script before deploying it — adding a new dimension to the state-linked threat. Every step demonstrated an attacker with detailed advance knowledge of where critical data lived and how to ensure it could never be recovered.
Custom Data Theft Tools: FileFiend and the Flask Receiver
Alongside the destruction, investigators uncovered two custom data theft tools that had been deployed before the wiper phase:
- A method of compressing stolen files and uploading them to the victim’s own public website, then pulling them back through an attacker-controlled server — using the victim’s infrastructure against itself.
- FileFiend, a bespoke C++ tool that scanned drives and network shares before sending stolen files to hardcoded command-and-control servers at multiple IP addresses identified by Gambit Security.
The attacker also built a Flask-based file receiver for accepting uploads from compromised environments. Although file transfers were encrypted, the encryption key was transmitted in the same request as the data — making it readable to anyone monitoring the network connection. It was a small operational security failure in an otherwise methodically planned campaign.
Investigators noted that when visitors accessed a non-existent page on the attacker’s server, they were redirected to the FBI’s official website — a deliberate provocation that has become a signature of Iran-linked hacktivist operations.
Attribution: Black Shadow and Iran’s MOIS
The strongest attribution link to Black Shadow came from a staging server that had previously hosted a fake mental health support site targeting Israeli soldiers in August 2025. That same server was found transferring stolen files into this campaign’s infrastructure. Combined with forensic overlaps in tools, tactics, and timing, Gambit Security assessed with confidence that Ababil of Minab is not an independent hacktivist group — it is a front for Black Shadow, operating under Iran’s Ministry of Intelligence and Security.
Defensive Recommendations
Organizations in critical infrastructure, transportation, education, and insurance sectors should take immediate action:
- Isolate backup infrastructure from production networks and management consoles. If an attacker with administrative access to your virtualization platform can also reach your backups, you have no recovery path.
- Implement immutable backups that cannot be deleted through normal administrative interfaces, even by accounts with high privileges.
- Monitor virtualization consoles for unusual bulk operations — mass VM power-offs or deletions are high-fidelity indicators of destructive attacks in progress.
- Restrict RDP and remote access through proxies and review authentication logs for connections originating from proxy networks or unusual geographic locations.
- Hunt for FileFiend indicators: the hardcoded C2 IP addresses and file paths documented by Gambit Security provide concrete starting points for retrospective threat hunting.
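The "bulk operations" recommendation above, and the Vyncs and South Florida patterns described earlier (dozens of DROP DATABASE calls and backup deletions by one account in minutes), both reduce to the same detection idea: count destructive admin actions per actor inside a sliding time window and alert when the count crosses a threshold. The following is an added example written for this article, not code from Gambit Security or from any vendor's product. The audit-log line format, the action names (`vm.poweroff`, `vm.delete`, `db.drop`, `backup.delete`), the account names and the sample log lines are all constructed for the example; real virtualization and SQL Server audit schemas differ and would need their own parser.

```python
"""Burst detector for destructive administrative actions in audit logs.

Added example for this article. The log format below is constructed:
    <ISO-8601 timestamp> <actor> <action> <target>
Real vCenter / Hyper-V / SQL Server audit events look different; only
parse_event() would need to change to consume them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions treated as destructive. These names are assumptions for the
# example, not a real product's audit vocabulary.
DESTRUCTIVE_ACTIONS = {"vm.poweroff", "vm.delete", "db.drop", "backup.delete"}

# Constructed sample log: one admin account mass-deleting VMs, one service
# account dropping databases and their backups, and one user doing routine work.
SAMPLE_LOG = r"""
2026-04-01T02:10:05 jdoe vm.poweroff vm-web-01
2026-04-01T02:11:00 vadmin vm.poweroff vm-app-01
2026-04-01T02:11:05 vadmin vm.delete vm-app-01
2026-04-01T02:11:20 vadmin vm.poweroff vm-app-02
2026-04-01T02:11:25 vadmin vm.delete vm-app-02
2026-04-01T02:11:40 vadmin vm.poweroff vm-db-01
2026-04-01T02:11:45 vadmin vm.delete vm-db-01
2026-04-01T02:12:00 vadmin vm.delete vm-backup-01
2026-04-01T02:30:00 jdoe vm.snapshot vm-web-01
2026-04-01T03:05:00 jdoe vm.poweroff vm-web-02
2026-04-01T03:40:00 sqlsvc db.drop CustomerData
2026-04-01T03:40:02 sqlsvc db.drop Billing
2026-04-01T03:40:04 sqlsvc db.drop Telemetry
2026-04-01T03:41:00 sqlsvc backup.delete \\bak\sql\CustomerData_2026-03-31.bak
2026-04-01T03:41:10 sqlsvc backup.delete \\bak\sql\Billing_2026-03-31.bak
"""


def parse_event(line):
    """Split one constructed audit line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), actor, action, target


def detect_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per burst: an actor performing >= threshold destructive
    actions within any sliding window of the given length.

    Each alert is a dict {actor, start, end, count, targets}; it keeps growing
    while the burst continues and closes once the actor's activity in the
    window falls back below the threshold.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)  # actor -> (ts, target) of destructive events in window
    open_alert = {}              # actor -> alert dict for a burst still in progress
    alerts = []
    for ts, actor, action, target in events:
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[actor]
        q.append((ts, target))
        while ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        if len(q) < threshold:
            open_alert.pop(actor, None)  # burst, if one was open, has ended
            continue
        alert = open_alert.get(actor)
        if alert is None:
            alert = {"actor": actor, "start": q[0][0], "end": ts,
                     "count": len(q), "targets": [t for _, t in q]}
            open_alert[actor] = alert
            alerts.append(alert)
        else:
            alert["end"] = ts
            alert["count"] += 1
            alert["targets"].append(target)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['actor']}: {a['count']} destructive actions "
              f"{a['start'].time()}-{a['end'].time()} -> {', '.join(a['targets'])}")
```

On the sample log this flags `vadmin` (seven power-offs and deletions in one minute, ending with the backup VM) and `sqlsvc` (three dropped databases followed by two deleted backup files), while `jdoe`, who powered off two VMs an hour apart, stays quiet. The threshold and window are the tuning knobs: set them from what legitimate change windows look like in your own console logs, and route alerts to a channel that can trigger isolation of the management plane rather than only a ticket, since the article's cases were over within minutes.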
The Ababil of Minab campaign is a textbook example of state-sponsored destructive cyber operations conducted under a hacktivist cover. Its success against multiple U.S. transportation agencies underlines the urgent need for organizations to treat backup resilience as a frontline security control, not an afterthought.
Source: CyberSecurityNews.com