Iran-Linked Hackers Launch Destructive Cyber Campaign Targeting U.S. and Middle East Organizations
In a coordinated campaign of digital sabotage, Iran-linked hackers operating under the persona "Ababil of Minab" have executed a series of destructive attacks across the U.S. and Middle East, wiping IT systems, erasing backups, and crippling recovery infrastructure. The operation, active from late March into early April 2026, marks a shift from data theft to outright destruction, leaving victims with little means to restore operations.
The group first gained attention after breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro), where attackers deleted virtual machines and disrupted the TAP Mobile App, preventing riders from loading fares. LA Metro confirmed the breach on April 2, 2026, hours after the attack. Additional victims include the South Florida Regional Transportation Authority, UNIMAC, and Vyncs, a consumer GPS tracking service. Targets also extended to Israel and Turkey, spanning media, higher education, and insurance sectors.
Forensic analysis by Gambit Security links the campaign to Black Shadow, a group previously attributed to Iran’s Ministry of Intelligence and Security by the Israel National Cyber Directorate. Unlike typical hacktivist claims, this operation was highly methodical, combining automated scripts with hands-on keyboard techniques to ensure irreversible damage.
Attackers employed custom destruction tools, including a Python script (main.py) that systematically dropped 58 SQL Server databases at Vyncs with zero failures. At UNIMAC, they wiped three storage volumes and left a calling card by renaming partitions "Minab." At the South Florida Regional Transportation Authority, they used secure deletion tools to overwrite web hosting directories, including SQL backups. In one case, an AI chatbot was used to refine a destruction script, adding a new layer of sophistication to state-backed cyber operations.
Beyond destruction, the group deployed two custom data theft tools:
- A Flask-based file receiver that exfiltrated stolen data via victims’ own public websites.
- FileFiend, a C++ tool that scanned drives and network shares, sending files to hardcoded command-and-control servers. While transfers were encrypted, the decryption key was transmitted alongside the data, exposing it to interception.
Attribution to Black Shadow was strengthened by a staging server previously used in a 2025 fake mental health support site targeting Israeli soldiers. The same infrastructure was repurposed for this campaign. Investigators also identified proxied RDP connections, secure deletion utilities (WipeFile), and Go-based tunnelers as part of the attackers’ toolkit.
The campaign’s indicators of compromise (IoCs) include multiple IP addresses (e.g., 31.172.87.20, 212.83.61.213), domains (nefeshhope[.]com, banujcobaar[.]com), and malware hashes (FileFiend/Exchangedb.exe). The attackers also used self-signed TLS certificates and redirected visitors to the FBI’s website when accessing non-existent pages on their servers.
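Defenders who receive indicators like the ones above usually get them defanged (`nefeshhope[.]com`) and need to normalize them before sweeping logs, and a naive substring search on IP addresses produces false positives (`31.172.87.20` is a prefix of `31.172.87.201`). The following is an added example, not code from the article or from Gambit Security: it refangs the page's published IPs and domains, compiles boundary-aware patterns, and scans a small set of constructed DNS, firewall and proxy log lines. The log lines, timestamps and internal addresses are made up for the example.

```python
import re
from dataclasses import dataclass

# Indicators named on the page, kept in the defanged form they were published in.
PAGE_IOCS = {
    "ip": ["31.172.87.20", "212.83.61.213"],
    "domain": ["nefeshhope[.]com", "banujcobaar[.]com"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into plain form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str
    indicator: str
    line: str


def build_patterns(iocs):
    """Compile one boundary-aware regex per indicator.

    IPs must not match inside a longer address (31.172.87.20 vs 31.172.87.201).
    Domains should match subdomains (www.nefeshhope.com) and a trailing FQDN dot
    as seen in DNS logs, but not unrelated names that merely contain the string
    (notbanujcobaar.com).
    """
    patterns = []
    for ip in iocs.get("ip", []):
        plain = refang(ip)
        rx = re.compile(r"(?<!\d)(?<!\d\.)" + re.escape(plain) + r"(?!\.?\d)")
        patterns.append(("ip", plain, rx))
    for dom in iocs.get("domain", []):
        plain = refang(dom)
        rx = re.compile(
            r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(plain) + r"(?!\.?[a-z0-9-])",
            re.IGNORECASE,
        )
        patterns.append(("domain", plain, rx))
    return patterns


def find_iocs(lines, iocs=PAGE_IOCS):
    """Return a Match for every (line, indicator) pair that hits."""
    patterns = build_patterns(iocs)
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, indicator, rx in patterns:
            if rx.search(line):
                hits.append(Match(n, kind, indicator, line))
    return hits


# Constructed sample log lines (not real telemetry): two true positives per
# indicator type, plus two near-misses that a substring search would flag.
SAMPLE_LOG = [
    "2026-04-01T03:12:44Z dns query client=10.0.5.17 qname=www.nefeshhope.com. qtype=A",
    "2026-04-01T03:12:45Z fw allow src=10.0.5.17 dst=31.172.87.20 dport=443 proto=tcp",
    "2026-04-01T03:13:02Z fw allow src=10.0.5.18 dst=31.172.87.201 dport=443 proto=tcp",
    "2026-04-01T03:14:10Z dns query client=10.0.5.20 qname=notbanujcobaar.com. qtype=A",
    "2026-04-01T03:15:30Z proxy GET http://banujcobaar.com/upload status=200 bytes=48213",
    "2026-04-01T03:16:00Z fw allow src=10.0.5.21 dst=212.83.61.213 dport=3389 proto=tcp",
]

if __name__ == "__main__":
    for h in find_iocs(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
```

Lines 3 and 4 are deliberately not reported: the IP pattern refuses to match when another digit follows the last octet, and the domain pattern requires the indicator to start at a label boundary. Swap `SAMPLE_LOG` for a real file iterator and `PAGE_IOCS` for your own feed to run this against production logs.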
This operation underscores a deliberate, state-backed effort to inflict maximum disruption, with attackers demonstrating deep knowledge of victims’ infrastructure to ensure permanent data loss.
Source: https://cybersecuritynews.com/iran-linked-hackers-destroy-it-backups-and-recovery-systems/
UniMac® cybersecurity rating report: https://www.rankiteo.com/company/unimacofficial
Vyncs cybersecurity rating report: https://www.rankiteo.com/company/vyncs
"id": "UNIVYN1780316844",
"linkid": "unimacofficial, vyncs",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [
    {'customers_affected': 'Riders unable to load fares via TAP Mobile App',
     'industry': 'Public Transportation',
     'location': 'Los Angeles, USA',
     'name': 'Los Angeles County Metropolitan Transportation Authority (LA Metro)',
     'type': 'Government/Transportation'},
    {'industry': 'Public Transportation',
     'location': 'South Florida, USA',
     'name': 'South Florida Regional Transportation Authority',
     'type': 'Government/Transportation'},
    {'name': 'UNIMAC', 'type': 'Private'},
    {'industry': 'Consumer GPS Tracking', 'name': 'Vyncs', 'type': 'Private'},
    {'industry': 'Media', 'location': 'Israel/Turkey', 'type': 'Media'},
    {'industry': 'Education', 'location': 'Israel/Turkey', 'type': 'Higher Education'},
    {'industry': 'Insurance', 'location': 'Israel/Turkey', 'type': 'Insurance'}],
 'attack_vector': ['Automated scripts',
                   'Hands-on keyboard techniques',
                   'Proxied RDP connections',
                   'Secure deletion utilities'],
 'data_breach': {'data_encryption': 'Yes (but decryption key transmitted alongside data)',
                 'data_exfiltration': 'Yes',
                 'type_of_data_compromised': ['SQL databases',
                                              'Files from drives and network shares']},
 'date_detected': '2026-03-01',
 'date_publicly_disclosed': '2026-04-02',
 'description': "In a coordinated campaign of digital sabotage, Iran-linked hackers operating under the persona 'Ababil of Minab' executed a series of destructive attacks across the U.S. and Middle East, wiping IT systems, erasing backups, and crippling recovery infrastructure. The operation marks a shift from data theft to outright destruction, leaving victims with little means to restore operations.",
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Yes',
            'operational_impact': 'Crippled recovery infrastructure, prevented fare loading, disrupted services',
            'systems_affected': ['Virtual machines',
                                 'TAP Mobile App',
                                 'Web hosting directories',
                                 'SQL backups',
                                 'Storage volumes']},
 'investigation_status': 'Ongoing',
 'motivation': 'State-backed digital sabotage, disruption of critical infrastructure',
 'post_incident_analysis': {'root_causes': 'State-backed cyber sabotage, use of custom destruction tools, exploitation of infrastructure knowledge'},
 'ransomware': {'data_encryption': 'Yes (destructive, not ransomware)',
                'data_exfiltration': 'Yes'},
 'references': [{'source': 'Gambit Security Forensic Analysis'},
                {'source': 'Israel National Cyber Directorate'}],
 'response': {'third_party_assistance': 'Gambit Security'},
 'threat_actor': 'Black Shadow (Ababil of Minab)',
 'title': 'Iran-Linked Hackers Launch Destructive Cyber Campaign Targeting U.S. and Middle East Organizations',
 'type': 'Destructive Cyber Attack'}