Gambit: Iran-Linked Black Shadow Group Behind Destructive Cyber Campaign Against US and Middle East Targets


Key Takeaways

  • The pro‑Iranian persona “Ababil of Minab” conducted a coordinated campaign of data exfiltration and destructive attacks against IT, virtualization, database, and backup systems in the U.S., Israel, Saudi Arabia, and Turkey.
  • Forensic evidence ties the activity to the Iran‑linked Black Shadow threat group, which the Israel National Cyber Directorate (INCD) has attributed to Iran’s Ministry of Intelligence and Security (MOIS).
  • Victims span critical transportation operators (LA Metro, South Florida Regional Transportation Authority) and sectors such as media, insurance, education, and digital services.
  • Attackers blended legitimate administrative tools (vCenter, Disk Management, IIS Manager, SQL Server Management Studio, Veeam console) with scripted automation and hands‑on‑keyboard actions to maximize damage.
  • In several incidents, custom Python scripts were used to enumerate and delete databases, and the threat actor leveraged ChatGPT to refine those scripts, illustrating an emerging trend of AI‑assisted malware development.
  • Beyond the four publicly disclosed destructive intrusions, researchers identified additional victim organizations on the attacker’s staging infrastructure that suffered only data exfiltration.
  • The campaign’s infrastructure—including specific IP addresses and a customized Go tunneler—matches previously observed Black Shadow operations, reinforcing the attribution to Iranian state‑backed actors.
  • The takedown of the attacker’s site by the INCD on August 28, 2025, and the subsequent advisory highlight the importance of timely threat‑intelligence sharing and proactive defense of virtualization and backup environments.

Overview of the Threat Campaign
Gambit Security Threat Intelligence released a detailed analysis of a threat campaign carried out by the persona “Ababil of Minab,” which targeted organizations across the United States, Israel, Saudi Arabia, and Turkey. The campaign combined data exfiltration with deliberate destructive actions against core IT infrastructure, including virtualization platforms, databases, and backup systems. Researchers concluded that the activity is not the work of an independent hacktivist group but is instead linked to established Iranian threat actors. By correlating infrastructure, tactics, and malware signatures, the report connects Ababil of Minab to the Black Shadow group, which the Israel National Cyber Directorate (INCD) has previously attributed to Iran’s Ministry of Intelligence and Security (MOIS). This attribution is reinforced by shared command‑and‑control (C2) servers, customized tunneling tools, and overlapping victimology.


Victims and Affected Sectors
The publicly disclosed victims include two major transportation operators: the Los Angeles County Metropolitan Transportation Authority (LA Metro) and the South Florida Regional Transportation Authority (SFRTA). Beyond transport, the campaign struck organizations in the media, insurance, education, and digital services sectors. For example, an Israeli media outlet, an Israeli higher‑education institution, a Turkish insurance brokerage, and numerous websites related to restaurants, culture, digital services, and news were identified on the attacker’s staging infrastructure. While the transportation victims suffered both data theft and destructive sabotage, the additional targets experienced only data exfiltration, indicating a dual‑objective strategy of intelligence gathering followed by selective disruption.


Destructive Tactics: Scripted Automation vs. Hands‑On‑Keyboard
The attackers employed two primary methods to destroy assets. In scripted automation mode, they launched a program that iterated through an inventory of targets (e.g., virtual machines, databases) and issued destructive commands against each entry automatically. In the interactive, hands‑on‑keyboard mode, the operator opened the same management consoles and OS tools that a legitimate administrator would use—such as vCenter, Disk Management, IIS Manager, or SQL Server Management Studio—and manually deleted resources by pointing and clicking. This hybrid approach allowed the threat actors to scale destruction quickly while retaining the flexibility to adapt to specific environments and evade detection by blending malicious actions with legitimate administrative activity.


LA Metro Intrusion: First Publicly Disclosed Attack
The earliest disclosed incident involved LA Metro, which confirmed the breach on April 2, 2026. Using an authenticated vCenter session within the LA Metro environment, the attacker selected a virtual machine, issued a Power Off command, and then executed a Delete from Disk operation. Both actions were logged in the vCenter Recent Tasks pane at 03/16/2026 11:52:38, resulting in the permanent removal of the virtual machine and its underlying disk files from the datastore. Hours later, at 03:37 a.m. on March 17, 2026, LA Metro posted on Twitter about a “technical issue” delaying service alerts and preventing fare loading on the TAP Mobile App. The attacker then pivoted to a Windows guest VM, opened Computer Management and Disk Management, enumerated available volumes, and deleted partitions via the Delete Volume function, acknowledging the associated OS warnings. This sequence demonstrated the attacker’s ability to move from virtualization layer disruption to direct OS‑level disk destruction.
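The two behaviours described above, the Power Off followed by Delete from Disk on one VM and the contrast between scripted and hands-on-keyboard destruction, can both be surfaced from a vCenter event export. The following detector is an added example written for this article, not code from Gambit's report or from the attacker's tooling; the event type identifiers (`VmPoweredOffEvent`, `VmRemovedEvent`), the record field names and the sample records are assumptions constructed for the example and should be mapped to whatever your vCenter export actually carries.

```python
"""Flag the Power Off -> Delete from Disk sequence in vCenter event data and
classify how each account paces its destroys (scripted vs hands-on)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# vSphere event type identifiers for a VM being powered off and removed
# (Delete from Disk maps to VirtualMachine.destroy). The exact names are an
# assumption for this example; adjust them to your export.
POWEROFF_EVENTS = {"VmPoweredOffEvent"}
DESTROY_EVENTS = {"VmRemovedEvent"}

# Constructed sample records: only the fields the detector needs
# (ISO timestamp, event type, vCenter user, VM name).
SAMPLE_EVENTS = [
    # Hands-on-keyboard: two VMs powered off and deleted a couple of minutes apart
    {"time": "2026-03-16T11:52:38", "type": "VmPoweredOffEvent", "user": "VSPHERE.LOCAL\\svc_vcadmin", "vm": "fare-api-01"},
    {"time": "2026-03-16T11:52:38", "type": "VmRemovedEvent",    "user": "VSPHERE.LOCAL\\svc_vcadmin", "vm": "fare-api-01"},
    {"time": "2026-03-16T11:54:10", "type": "VmPoweredOffEvent", "user": "VSPHERE.LOCAL\\svc_vcadmin", "vm": "alerts-db-02"},
    {"time": "2026-03-16T11:54:31", "type": "VmRemovedEvent",    "user": "VSPHERE.LOCAL\\svc_vcadmin", "vm": "alerts-db-02"},
    # Routine decommission: powered off in the morning, deleted hours later
    {"time": "2026-03-09T09:00:00", "type": "VmPoweredOffEvent", "user": "VSPHERE.LOCAL\\jdoe", "vm": "old-test-07"},
    {"time": "2026-03-09T15:30:00", "type": "VmRemovedEvent",    "user": "VSPHERE.LOCAL\\jdoe", "vm": "old-test-07"},
] + [
    # Scripted burst: destroys one or two seconds apart, no power-off step
    {"time": f"2026-03-16T12:10:{s:02d}", "type": "VmRemovedEvent",
     "user": "VSPHERE.LOCAL\\svc_deploy", "vm": f"web-{i:02d}"}
    for i, s in enumerate((0, 2, 3, 5, 6), start=1)
]


def parse_events(records):
    """Convert timestamps and return the events in chronological order."""
    parsed = [{**r, "time": datetime.fromisoformat(r["time"])} for r in records]
    return sorted(parsed, key=lambda e: e["time"])


def poweroff_then_destroy(records, window=timedelta(minutes=10)):
    """Return destroys preceded by a power-off of the same VM by the same user
    within `window`. A long gap (a planned decommission) is not reported."""
    last_off, hits = {}, []
    for e in parse_events(records):
        key = (e["user"], e["vm"])
        if e["type"] in POWEROFF_EVENTS:
            last_off[key] = e["time"]
        elif e["type"] in DESTROY_EVENTS:
            t_off = last_off.get(key)
            if t_off is not None and e["time"] - t_off <= window:
                hits.append({"user": e["user"], "vm": e["vm"],
                             "powered_off": t_off, "destroyed": e["time"]})
    return hits


def destroy_cadence(records, min_burst=3, max_median_gap_s=5.0):
    """Per user: number of destroys, median gap between them, and whether the
    pacing looks scripted (many destroys, sub-`max_median_gap_s` median gap)."""
    per_user = defaultdict(list)
    for e in parse_events(records):
        if e["type"] in DESTROY_EVENTS:
            per_user[e["user"]].append(e["time"])
    report = {}
    for user, times in per_user.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        scripted = len(times) >= min_burst and med is not None and med <= max_median_gap_s
        report[user] = {"destroys": len(times), "median_gap_s": med,
                        "mode": "scripted" if scripted else "interactive"}
    return report


if __name__ == "__main__":
    for h in poweroff_then_destroy(SAMPLE_EVENTS):
        print("power-off then destroy:", h)
    for user, info in destroy_cadence(SAMPLE_EVENTS).items():
        print(user, info)
```

The cadence check is deliberately coarse: a median gap of a second or two between destroys is something a person clicking through vCenter does not produce, so it separates the iterating script from the point-and-click operator without needing the script itself. Tune `window` to your change-management norms so that a planned power-off-then-delete days later is not reported.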


SFRTA Attack: RDP Pivot, IIS Exploitation, and Database Wiping
For the South Florida Regional Transportation Authority, Gambit researchers analyzed screencasts posted by the threat actor that showed proxied RDP access into the SFRTA environment. The connection was established via proxychains with xfreerdp, relayed through the IP 91.193.19.198:8443. Once inside an IIS host, the attacker obtained local administrator privileges and gained access to IIS Manager, SQL Server Management Studio, the local file system, and an outbound FileZilla FTP client. Using SQL Server Management Studio, the attacker issued a Take Database Offline command against each database, opted to Drop All Active Connections, and then executed a Delete Object action, permanently removing the databases. To ensure data could not be recovered, the attacker employed WipeFile, a Windows secure deletion utility, to overwrite the hosting tree—including hosted sites and the SQLBackup directory—effectively erasing backups and file remnants.


UNIMAC Intrusion: Disk Management Manipulation and Veeam Backup Deletion
In the case of UNIMAC (United Maintenance and Contracting Company), the attacker operated from a Windows host and opened Disk Management to target three attached storage volumes. For each disk, the attacker formatted the volume, removed it with the Delete Volume function, and then created a new volume labeled “Minab” in its place, overwriting the original data. Following the disk destruction, the attacker opened the Veeam Backup & Replication console and issued Delete from disk operations against the backup inventory. According to Veeam documentation, this action permanently removes the backup data at the repository file level, deleting the entire backup chain from the backup repository. The combination of disk‑level wiping and backup‑repository eradication illustrated a thorough approach to eliminating both primary data and recovery mechanisms.


Vyncs Intrusion: AI‑Assisted Python Script for Database Destruction
The Vyncs incident highlighted the attackers’ use of custom automation augmented by artificial intelligence. Researchers observed a custom Python script that enumerated and deleted databases across 58 SQL Server targets while simultaneously removing associated backup files. Notably, forensic analysis revealed that the threat actor used ChatGPT to refine the script, specifically to exclude protected system databases and focus the destruction on user application databases. This leveraging of generative AI to improve the precision and efficiency of malicious code represents an emerging trend in cyber‑threat development, enabling adversaries to craft more sophisticated tools with lower technical barriers.
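Both SQL Server patterns described on this page, the hands-on SSMS chain of Take Database Offline with Drop All Active Connections followed by Delete Object (SFRTA), and a script that enumerates many instances and drops every database except the protected system ones (Vyncs), leave statements in SQL Server audit output. The detector below is an added example written for this article, not Gambit's code or the attacker's script; the record fields mirror the columns of a SQL Server audit file (`event_time`, `server_instance_name`, `client_ip`, `application_name`, `server_principal_name`, `statement`), the T-SQL that SSMS emits for those dialog actions is assumed from observed SSMS behaviour, and all sample records are constructed.

```python
"""Detect the SSMS take-offline/drop chain and scripted mass DROP DATABASE
fan-out in SQL Server audit records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Databases every instance ships with. A script that spares these and drops
# everything else is the user-database-only pattern this article describes.
SYSTEM_DBS = {"master", "model", "msdb", "tempdb"}

# Statements SSMS emits for "Take Offline -> Drop All Active Connections" and
# for "Delete -> Close existing connections" (assumed; adjust to your audit output).
_PATTERNS = [
    ("offline", re.compile(r"ALTER\s+DATABASE\s+\[?([\w.-]+)\]?\s+SET\s+OFFLINE\s+WITH\s+ROLLBACK\s+IMMEDIATE", re.I)),
    ("single_user", re.compile(r"ALTER\s+DATABASE\s+\[?([\w.-]+)\]?\s+SET\s+SINGLE_USER\s+WITH\s+ROLLBACK\s+IMMEDIATE", re.I)),
    ("drop", re.compile(r"DROP\s+DATABASE\s+(?:IF\s+EXISTS\s+)?\[?([\w.-]+)\]?", re.I)),
]


def classify_statement(statement):
    """Return (kind, database) for a destructive statement, else None."""
    for kind, rx in _PATTERNS:
        m = rx.search(statement)
        if m:
            return kind, m.group(1)
    return None


def _rec(t, instance, client_ip, app, principal, statement):
    return {"event_time": t, "server_instance_name": instance, "client_ip": client_ip,
            "application_name": app, "server_principal_name": principal, "statement": statement}


SSMS = "Microsoft SQL Server Management Studio"
# Constructed sample audit records.
SAMPLE_AUDIT = [
    # Hands-on: offline with rollback immediate, then delete, one database at a time
    _rec("2026-03-20T02:11:05", "SQL-WEB01", "10.20.0.15", SSMS, "WEB01\\Administrator",
         "ALTER DATABASE [RiderPortal] SET OFFLINE WITH ROLLBACK IMMEDIATE"),
    _rec("2026-03-20T02:11:40", "SQL-WEB01", "10.20.0.15", SSMS, "WEB01\\Administrator",
         "DROP DATABASE [RiderPortal]"),
    _rec("2026-03-20T02:12:02", "SQL-WEB01", "10.20.0.15", SSMS, "WEB01\\Administrator",
         "ALTER DATABASE [Payroll] SET OFFLINE WITH ROLLBACK IMMEDIATE"),
    _rec("2026-03-20T02:12:33", "SQL-WEB01", "10.20.0.15", SSMS, "WEB01\\Administrator",
         "DROP DATABASE [Payroll]"),
    # Benign: a DBA dropping a single scratch database
    _rec("2026-03-18T10:00:00", "SQL-DEV03", "10.20.0.77", SSMS, "CORP\\dba1",
         "DROP DATABASE IF EXISTS [scratch_2026]"),
] + [
    # Scripted fan-out: one client, many instances, user databases only
    _rec(f"2026-03-21T04:30:{i * 7:02d}", f"SQL-TEL{i:02d}", "172.16.9.40", "python",
         "sa", f"DROP DATABASE [telemetry_{i:02d}]")
    for i in range(1, 7)
]


def _parse(records):
    parsed = [{**r, "event_time": datetime.fromisoformat(r["event_time"])} for r in records]
    return sorted(parsed, key=lambda r: r["event_time"])


def offline_then_drop(records, window=timedelta(minutes=10)):
    """SSMS-style chain: connections killed via OFFLINE/SINGLE_USER, then DROP,
    by the same principal on the same instance within `window`."""
    pending, hits = {}, []
    for r in _parse(records):
        c = classify_statement(r["statement"])
        if c is None:
            continue
        kind, db = c
        key = (r["server_instance_name"], r["server_principal_name"], db.lower())
        if kind in ("offline", "single_user"):
            pending[key] = r["event_time"]
        elif kind == "drop" and key in pending and r["event_time"] - pending[key] <= window:
            hits.append({"instance": key[0], "principal": key[1],
                         "database": db, "dropped_at": r["event_time"]})
    return hits


def mass_drop_fanout(records, window=timedelta(minutes=15), min_instances=5):
    """One client IP dropping user databases on >= `min_instances` distinct
    instances inside a sliding `window`; system databases are ignored because
    the script pattern never touches them."""
    drops = defaultdict(list)
    for r in _parse(records):
        c = classify_statement(r["statement"])
        if c and c[0] == "drop" and c[1].lower() not in SYSTEM_DBS:
            drops[r["client_ip"]].append(
                (r["event_time"], r["server_instance_name"], r["application_name"]))
    alerts = {}
    for ip, events in drops.items():
        for i, (t0, _, app) in enumerate(events):
            instances = {inst for t, inst, _ in events[i:] if t - t0 <= window}
            if len(instances) >= min_instances:
                alerts[ip] = {"instances": sorted(instances), "application": app, "first_drop": t0}
                break
    return alerts


if __name__ == "__main__":
    for h in offline_then_drop(SAMPLE_AUDIT):
        print("offline then drop:", h)
    for ip, a in mass_drop_fanout(SAMPLE_AUDIT).items():
        print("mass drop from", ip, a)
```

Two points a practitioner should take from this: a server-level audit that captures `DATABASE_OBJECT_CHANGE_GROUP` (or equivalent DDL auditing) has to be forwarded off the host before it is useful, because the same operator who drops the databases can also wipe the local audit files, as the WipeFile step at SFRTA shows; and the `application_name` column is worth alerting on by itself when a non-SSMS client such as a scripting runtime issues `DROP DATABASE` at all.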


Additional Victims: Data Exfiltration Only
Beyond the four destructive intrusions that were publicly disclosed, Gambit’s analysis of the attacker’s staging infrastructure uncovered additional victim organizations that experienced only data exfiltration. These included an Israeli media sector organization, an Israeli higher‑education institution, a Turkish insurance brokerage, and several websites spanning the restaurant, culture, digital services, and news sectors. No destructive activity was observed against these targets, suggesting that the attackers first gathered intelligence and potentially reserved destructive capabilities for higher‑value or strategically significant targets. The presence of exfiltrated data on the staging server also provided a pivot point for further linking the campaign to known Iran‑linked operations.


Forensic Links to Black Shadow and MOIS‑Backed Infrastructure
During forensic examination of the operator’s staging server, investigators discovered that stolen files had been transferred from another server at 31.172.87.20 onto the staging infrastructure, tying the activity to previously observed Iran‑linked operations. Additional analysis shared by ClearSky Cyber Security and findings from security researcher Simon Kenin connected the infrastructure to the Black Shadow threat group. Specifically, the IP 46.30.190.173, to which the hostname members.nefeshhope[.]com resolved, served as a C2 server for a customized Go tunneler (A.ExE, hash f6db77b). Variants of this tunneler (hashes 1c69972 and 38965a6) were hosted on 45.150.108.61 and had been used by Black Shadow in earlier campaigns. The convergence of IP addresses, custom tools, TTPs, and victimology led the researchers to assert with high confidence that Ababil of Minab is an operational persona of the Iran‑state‑backed Black Shadow group acting on behalf of MOIS.


Conclusion and Implications for Defenders
The Gambit report underscores a growing trend in which threat actors blend legitimate administrative utilities, scripted automation, and AI‑assisted tooling to accelerate destructive operations against enterprise and critical‑infrastructure environments. By weaponizing tools that administrators trust—vCenter, Disk Management, IIS Manager, SQL Server Management Studio, Veeam consoles—attackers can evade detection that relies solely on malware signatures. The use of generative AI to refine malicious scripts further lowers the barrier to developing precise, effective destructive code. Organizations must therefore harden not only traditional endpoints but also management planes, enforce least‑privilege access, monitor for anomalous use of administrative consoles, and maintain immutable, offline backups. Timely sharing of threat intelligence, as demonstrated by the INCD’s takedown of the attacker’s site and subsequent advisory, remains crucial for disrupting such state‑sponsored campaigns before they can inflict widespread damage.
