Destructive Cyber Campaign “Ababil of Minab” Targets Critical IT and Backup Infrastructure

A sophisticated and highly destructive cyber campaign is currently sweeping through organizations in the Middle East and beyond. Unlike traditional ransomware operations that focus on encryption for profit, this campaign—dubbed “Ababil of Minab”—is designed for pure systemic erasure. The attackers are systematically wiping IT environments, virtual infrastructure, and, most critically, the very backup and recovery systems intended to mitigate such disasters.

Threat intelligence analysis suggests this operation is a rebranding of the long-standing Iranian threat group Black Shadow, an actor believed to operate under the auspices of Iran’s Ministry of Intelligence and Security. Forensic evidence, including shared infrastructure and tooling, links this new persona to previous Black Shadow operations, such as the 2025 influence-espionage campaign involving the nefeshhope[.]com fake mental health site. The campaign has already been claimed by the “Ababil of Minab” persona, which has published video evidence of live destructive operations against entities like the Los Angeles Metro.

Tactical Execution: Living off the Land and Targeted Erasure

What distinguishes this campaign is the attackers’ ability to blend in with legitimate administrative workflows. Rather than deploying custom, noisy malware that might trigger immediate EDR (Endpoint Detection and Response) alerts, the operators “live off the land.” They abuse standard management tools such as VMware vCenter, Windows Disk Management, SQL Server Management Studio, and even Windows Explorer to perform their destructive tasks.

The attackers exhibit a deep understanding of enterprise architecture, targeting every layer of the recovery stack:

  • Virtualization & Storage: In one documented case involving the Saudi firm UNIMAC, attackers used Disk Management to format and delete Windows volumes, subsequently recreating a new volume named “Minab” to overwrite existing data.
  • Backup Repositories: The operators have been observed pivoting to the Veeam Backup & Replication console, using the “Delete from disk” function to purge entire backup chains, effectively eliminating any hope of a point-in-time restoration.
  • Database Destruction: Using a custom Python script (main.py), the actors successfully iterated through multiple SQL Server instances, forcibly dropping all user databases while simultaneously deleting associated .bak files.

In a revealing turn, evidence suggests the actors utilized ChatGPT to refine their destruction scripts. This allowed them to fine-tune their logic to bypass critical system databases—ensuring the OS remained stable enough to complete the attack—while surgical precision was applied to wiping application data and core directories like Program Files and the IIS web root.

A detailed report by the Gambit team confirms that these destructive phases are almost always preceded by large-scale data exfiltration targeting sectors such as media, higher education, and insurance.

Exfiltration Methodology

The exfiltration process is equally methodical. To avoid detection during large data transfers, the actors often compress stolen data into multi-part RAR archives and stage them within the victim’s own public web root. They then retrieve these archives using the axel download accelerator, tunneled through proxychains to obfuscate the traffic. Furthermore, they have deployed a custom Flask-based receiver to collect encrypted file chunks via multiple endpoints. Notably, while they utilize AES-CBC encryption, they transmit the key and IV within the same request, rendering the encryption ineffective against intercepted traffic.

Indicators of Compromise (IoCs)

Defenders are advised to monitor for the following indicators. Note: IP addresses and domains are defanged to prevent accidental execution. Re-fang only within secure threat intelligence platforms like MISP or VirusTotal.

Indicator Type Notes
31.172.87.20 IPv4 Operator staging server; TLS for nefeshhope[.]com
212.83.61.213 IPv4 FileFiend C2 (hardcoded in 81a2535)
66.85.26.183 IPv4 FileFiend C2 (hardcoded in c8cc422, 33a6b49)
195.20.17.129 IPv4 FileFiend C2 (hardcoded in d76a943)
46.246.125.131 IPv4 Source IP of propaganda site
146.70.233.83 IPv4 Served TLS for nefeshhope[.]com
91.193.19.198 IPv4 Attacker-controlled exit node
89.36.231.56 IPv4 Served TLS for feedback.nefeshhope[.]com
84.200.89.52 IPv4 Served TLS for nefeshhope[.]com
46.30.190.173 IPv4 Served TLS for members.nefeshhope[.]com
nefeshhope[.]com Domain Operator-controlled site
members.nefeshhope[.]com Domain Communicating with A.ExE Go tunneler
81a25357d027d0f04a43139377d5d58384b8e9b0770e699cdcc37e600641cf90 SHA-256 FileFiend / Exchangedb.exe
c8cc4225d1e21324ef419adbb1c10dd0578fb034b5f5d7b8000f0aae1871c061 SHA-256 FileFiend / Exchangedb.exe
33a6b4900c2fbfb3c2d816947871eade800d0c0e2a2680871700fd6e640e5f20 SHA-256 FileFiend / Exchangedb.exe
d76a94309240a7e2f11a89fab54a6853628e976a5ff19084b1b0894c89e6a742 SHA-256 FileFiend
f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3 SHA-256 A.ExE Go tunneler (members.nefeshhope[.]com)
C:\Users\casio\Desktop\uploader v3\temp uploader v3\temp uploader v3.cpp File Path Developer source path in FileFiend
F:\OH~FileFiend(Uploader)\uploader v3\x64\Release\temp uploader v3.pdb File Path PDB path in FileFiend v4
O=Acme Cloud Solutions Inc, CN=localhost TLS Subject Self-signed certificate on Flask receiver

Related Articles

Back to top button