Destructive Cyber Campaign “Ababil of Minab” Targets Critical IT and Backup Infrastructure
A sophisticated and highly destructive cyber campaign is currently sweeping through organizations in the Middle East and beyond. Unlike traditional ransomware operations that focus on encryption for profit, this campaign—dubbed “Ababil of Minab”—is designed for pure systemic erasure. The attackers are systematically wiping IT environments, virtual infrastructure, and, most critically, the very backup and recovery systems intended to mitigate such disasters.
Threat intelligence analysis suggests this operation is a rebranding of the long-standing Iranian threat group Black Shadow, an actor believed to operate under the auspices of Iran’s Ministry of Intelligence and Security. Forensic evidence, including shared infrastructure and tooling, links this new persona to previous Black Shadow operations, such as the 2025 influence-espionage campaign involving the nefeshhope[.]com fake mental health site. The campaign has already been claimed by the “Ababil of Minab” persona, which has published video evidence of live destructive operations against entities like the Los Angeles Metro.
Tactical Execution: Living off the Land and Targeted Erasure
What distinguishes this campaign is the attackers’ ability to blend in with legitimate administrative workflows. Rather than deploying custom, noisy malware that might trigger immediate EDR (Endpoint Detection and Response) alerts, the operators “live off the land.” They abuse standard management tools such as VMware vCenter, Windows Disk Management, SQL Server Management Studio, and even Windows Explorer to perform their destructive tasks.
The attackers exhibit a deep understanding of enterprise architecture, targeting every layer of the recovery stack:
- Virtualization & Storage: In one documented case involving the Saudi firm UNIMAC, attackers used Disk Management to format and delete Windows volumes, subsequently recreating a new volume named “Minab” to overwrite existing data.
- Backup Repositories: The operators have been observed pivoting to the Veeam Backup & Replication console, using the “Delete from disk” function to purge entire backup chains, effectively eliminating any hope of a point-in-time restoration.
- Database Destruction: Using a custom Python script (
main.py), the actors successfully iterated through multiple SQL Server instances, forcibly dropping all user databases while simultaneously deleting associated.bakfiles.
In a revealing turn, evidence suggests the actors utilized ChatGPT to refine their destruction scripts. This allowed them to fine-tune their logic to bypass critical system databases—ensuring the OS remained stable enough to complete the attack—while surgical precision was applied to wiping application data and core directories like Program Files and the IIS web root.
A detailed report by the Gambit team confirms that these destructive phases are almost always preceded by large-scale data exfiltration targeting sectors such as media, higher education, and insurance.
Exfiltration Methodology
The exfiltration process is equally methodical. To avoid detection during large data transfers, the actors often compress stolen data into multi-part RAR archives and stage them within the victim’s own public web root. They then retrieve these archives using the axel download accelerator, tunneled through proxychains to obfuscate the traffic. Furthermore, they have deployed a custom Flask-based receiver to collect encrypted file chunks via multiple endpoints. Notably, while they utilize AES-CBC encryption, they transmit the key and IV within the same request, rendering the encryption ineffective against intercepted traffic.
Indicators of Compromise (IoCs)
Defenders are advised to monitor for the following indicators. Note: IP addresses and domains are defanged to prevent accidental execution. Re-fang only within secure threat intelligence platforms like MISP or VirusTotal.
| Indicator | Type | Notes |
|---|---|---|
| 31.172.87.20 | IPv4 | Operator staging server; TLS for nefeshhope[.]com |
| 212.83.61.213 | IPv4 | FileFiend C2 (hardcoded in 81a2535) |
| 66.85.26.183 | IPv4 | FileFiend C2 (hardcoded in c8cc422, 33a6b49) |
| 195.20.17.129 | IPv4 | FileFiend C2 (hardcoded in d76a943) |
| 46.246.125.131 | IPv4 | Source IP of propaganda site |
| 146.70.233.83 | IPv4 | Served TLS for nefeshhope[.]com |
| 91.193.19.198 | IPv4 | Attacker-controlled exit node |
| 89.36.231.56 | IPv4 | Served TLS for feedback.nefeshhope[.]com |
| 84.200.89.52 | IPv4 | Served TLS for nefeshhope[.]com |
| 46.30.190.173 | IPv4 | Served TLS for members.nefeshhope[.]com |
| nefeshhope[.]com | Domain | Operator-controlled site |
| members.nefeshhope[.]com | Domain | Communicating with A.ExE Go tunneler |
| 81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 | SHA-256 | FileFiend / Exchangedb.exe |
| c8cc4225d1e21324ef419adbb1c10dd0578fb034b5f5d7b8000f0aae1871c061 | SHA-256 | FileFiend / Exchangedb.exe |
| 33a6b4900c2fbfb3c2d816947871eade800d0c0e2a2680871700fd6e640e5f20 | SHA-256 | FileFiend / Exchangedb.exe |
| d76a94309240a7e2f11a89fab54a6853628e976a5ff19084b1b0894c89e6a742 | SHA-256 | FileFiend |
| f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 | SHA-256 | A.ExE Go tunneler (members.nefeshhope[.]com) |
| C:\Users\casio\Desktop\uploader v3\temp uploader v3\temp uploader v3.cpp | File Path | Developer source path in FileFiend |
| F:\OH~FileFiend(Uploader)\uploader v3\x64\Release\temp uploader v3.pdb | File Path | PDB path in FileFiend v4 |
| O=Acme Cloud Solutions Inc, CN=localhost | TLS Subject | Self-signed certificate on Flask receiver |