Published on June 1, 2026
Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East
Severity
High
Detail
A destructive cyber campaign attributed to an Iran-linked threat actor operating under the persona “Ababil of Minab” has targeted organizations across the United States, Israel, Turkey, and the Middle East. Unlike traditional ransomware or espionage operations focused on data theft, this campaign prioritized the deliberate destruction of IT infrastructure, backup systems, and recovery capabilities. The campaign first gained public attention following the compromise of the Los Angeles County Metropolitan Transportation Authority (LA Metro) between March and April 2026. Investigators later identified additional victims including the South Florida Regional Transportation Authority, UNIMAC, Vyncs, and organizations in the media, education, and insurance sectors.
Forensic analysis by Gambit Security linked the operation to Black Shadow, a threat group previously associated with Iran’s Ministry of Intelligence and Security (MOIS). The attackers combined automated scripts with hands-on-keyboard activity to systematically erase virtual machines, databases, operating system files, storage volumes, and backup infrastructure.
How?
The threat actors gained access to victim environments and conducted destructive actions using a combination of automated scripts, remote administration tools, and hands-on-keyboard techniques. They deleted virtual machines through management consoles, dropped SQL Server databases using automated Python scripts, removed backup files and backup chains, securely wiped web hosting directories, and destroyed operating system files to prevent recovery.
Investigators also observed the use of custom data exfiltration tools such as FileFiend to steal information before destruction occurred. In one case, the attackers reportedly used an AI chatbot to improve a custom destruction script, demonstrating how emerging technologies may be leveraged to enhance offensive cyber operations.
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators associated with the campaign:
| Type | Indicator | Description |
|---|---|---|
| IPv4 | 31.172.87.20 | Operator staging server; served TLS for nefeshhope[.]com |
| IPv4 | 212.83.61.213 | FileFiend C2, hardcoded in 81a2535 |
| IPv4 | 66.85.26.183 | FileFiend C2, hardcoded in c8cc422 and 33a6b49 |
| IPv4 | 195.20.17.129 | FileFiend C2, hardcoded in d76a943 |
| IPv4 | 46.246.125.131 | Source IP of propaganda site |
| IPv4 | 146.70.233.83 | Served TLS for nefeshhope[.]com |
| IPv4 | 91.193.19.198 | Attacker-controlled exit node |
| IPv4 | 89.36.231.56 | Served TLS for feedback[.]nefeshhope[.]com |
| IPv4 | 84.200.89.52 | Served TLS for nefeshhope[.]com |
| IPv4 | 46.30.190.173 | Served TLS for members[.]nefeshhope[.]com |
| Domain | nefeshhope[.]com | Operator-controlled site |
| Domain | Members[.]nefeshhope[.]com | Observed communicating with A[.]ExE Go tunneler |
| Domain | banujcobaar[.]com | Redirected nefeshhope[.]com |
| SHA-256 | 81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 | FileFiend / Exchangedb[.]exe |
| SHA-256 | f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 | A.ExE Go tunneler communicating with members.nefeshhope[.]com |
| SHA-256 | 1c699720034367ba9761a8d31c854fd444e8e3c8c31c520a39c543cf95286029 | Go tunneler; served from 45.150.108.61 |
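As an added illustration of how the two monitoring points above can be operationalized (this is not code from the advisory or from Gambit Security), the script below runs over constructed sample log lines: it flags an account issuing a scripted burst of `DROP DATABASE` statements, which matches the mass database destruction described in the How? section, and it matches outbound connections and DNS queries against the network indicators from the table. The log format and the `svc_backup`/`dba_jane` accounts are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Network indicators copied from the advisory's IoC table, refanged for matching.
IOC_IPS = {
    "31.172.87.20", "212.83.61.213", "66.85.26.183", "195.20.17.129",
    "46.246.125.131", "146.70.233.83", "91.193.19.198", "89.36.231.56",
    "84.200.89.52", "46.30.190.173", "45.150.108.61",
}
IOC_DOMAINS = {"nefeshhope.com", "banujcobaar.com"}

# Constructed sample log lines for illustration only; not captured from any victim.
SAMPLE_LOGS = """\
2026-04-02T01:12:03Z sql user=svc_backup stmt="DROP DATABASE Orders"
2026-04-02T01:12:05Z sql user=svc_backup stmt="DROP DATABASE Billing"
2026-04-02T01:12:06Z sql user=svc_backup stmt="DROP DATABASE HR"
2026-04-02T01:12:08Z sql user=svc_backup stmt="DROP DATABASE Archive"
2026-04-02T01:30:00Z sql user=dba_jane stmt="DROP DATABASE ScratchTest"
2026-04-02T01:31:10Z net src=10.20.3.7 dst=212.83.61.213 dport=443
2026-04-02T01:32:44Z net src=10.20.3.7 dst=93.184.216.34 dport=443
2026-04-02T01:33:01Z dns client=10.20.3.7 query=members.nefeshhope.com
"""

SQL_RE = re.compile(r'^(\S+) sql user=(\S+) stmt="DROP DATABASE ')
NET_RE = re.compile(r'^\S+ net .* dst=(\S+) ')
DNS_RE = re.compile(r'^\S+ dns .* query=(\S+)')

def drop_bursts(logs, window_sec=60, threshold=3):
    """Accounts issuing >= threshold DROP DATABASE statements within window_sec.
    One DBA dropping a test database does not trigger; a scripted mass drop does."""
    per_user = defaultdict(list)
    for line in logs.splitlines():
        m = SQL_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            per_user[m.group(2)].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_sec))
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged

def ioc_hits(logs):
    """Lines whose destination IP or queried domain (or a subdomain of it) is an IoC."""
    hits = []
    for line in logs.splitlines():
        m = NET_RE.match(line) or DNS_RE.match(line)
        if m:
            v = m.group(1).lower()
            if v in IOC_IPS or any(v == d or v.endswith("." + d) for d in IOC_DOMAINS):
                hits.append(line)
    return hits
```

Feeding real audit and proxy logs through the same two functions gives a first-pass alert for the scripted destruction and C2 traffic this campaign relied on.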
Conclusion
This campaign demonstrates the increasing use of destructive cyberattacks by state-linked threat actors to disrupt operations and maximize organizational impact. By specifically targeting backup systems, virtualization platforms, and recovery infrastructure, the attackers significantly reduced victims’ ability to restore affected environments. Organizations, particularly those operating critical infrastructure and public services, should strengthen backup isolation practices, implement strict access controls, monitor privileged account activity, and regularly test incident response and disaster recovery procedures. The campaign serves as a reminder that modern cyber threats may aim not only to steal data but also to permanently impair an organization’s ability to recover from an intrusion.
Source
https://cybersecuritynews.com/iran-linked-hackers-destroy-it-backups-and-recovery-systems/
