Iranian-Linked Espionage Campaign Targets Omani Government Infrastructure

A sophisticated and wide-reaching espionage campaign has been identified targeting multiple ministries within the Sultanate of Oman. Threat actors, displaying hallmarks of Iranian-aligned operations, successfully breached several high-value government networks by leveraging a combination of exposed webshells, SQL injection-based escalation, and an improperly secured Command and Control (C2) infrastructure. The primary objective appears to be the large-scale exfiltration of judicial records and sensitive national identity data.

While definitive group-level attribution remains challenging due to the lack of unique, non-overlapping forensic artifacts, the operational footprint strongly suggests a nexus with the Ministry of Intelligence and Security (MOIS). Specifically, an attacker-managed open directory contained evidence of a compromised mailbox, a tactic consistent with previous MOIS-linked activities involving Omani MFA mailboxes used for global spear-phishing operations.

The backbone of this intrusion was an exposed RouterHosting VPS located in the UAE (IP: 172.86.76[.]127). This single node served as a centralized repository for the entire offensive toolkit, housing Python-based exploit scripts, C2 orchestration code, webshells, and—most critically—staged exfiltration logs and stolen data.

Hunt.io IP profile for 172.86.76[.]127 on RouterHosting showing open ports 22, 80, 443 (Source : Hunt.io).
Hunt.io IP profile for 172.86.76[.]127 on RouterHosting, displaying active listener ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). (Source: Hunt.io)

Although the Ministry of Justice and Legal Affairs (MJLA) was the most heavily impacted victim, forensic analysis reveals the breach extended to at least 11 distinct government entities, including the Royal Oman Police, the Tax Authority, and various civil aviation and state audit portals.

Technical Analysis: The Intrusion Lifecycle

The campaign’s progression moved from broad reconnaissance to highly targeted exploitation. Initial scans on April 8, 2026, identified exposed directories on port 8000, which revealed early-stage attempts to probe various gov[.]om services. The attackers utilized ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to target Microsoft Exchange servers belonging to the Royal Fleet of Oman and the Tax Authority.

Target Domain Entity Observed TTPs
evisa.rop.gov[.]om Royal Oman Police (eVisa Portal) Credential brute-forcing; successful session hijacking.
mail.rfo.gov[.]om Royal Fleet of Oman (VIP Transport) ProxyShell exploitation (Exchange Server).
email.taxoman.gov[.]om Oman Tax Authority ProxyShell exploitation (Exchange Server).
sailms.gov[.]om State Audit Institution (SAI) Brute-force attacks against training platforms.

By April 10, the operational maturity increased significantly. A second directory on port 8002 contained a structured workspace with 211 files, including custom Python tooling tailored for specific Omani ministries. The attackers deployed two primary webshells for persistence and execution: hc2.aspx and health_check_t.aspx. The latter was strategically placed within the /Portals/0/ path of DotNetNuke (DNN) CMS installations to blend in with legitimate traffic.

Data Exfiltration and Lateral Movement

Once inside the MJLA environment, the operators engaged in deep database enumeration. They targeted the aspnet_Membership tables within the DNN schema to harvest superuser credentials. Using these elevated privileges, they pivoted to the MOLADB database, specifically querying the eGov_Person table. This allowed for the mass extraction of sensitive citizen data, including full names (Arabic and English), dates of birth, and nationality identifiers.

C2 logs confirm a systematic exfiltration workflow: host profiling, network discovery, and database mapping, followed by the staged theft of judicial case files, committee decisions, and expert certifications. In a single high-volume session, the attackers successfully exfiltrated 26,596 DotNetNuke user records, alongside Windows SAM and SYSTEM registry hives, which were staged in C:\Windows\Temp prior to removal.

C2 Infrastructure and Persistence Mechanisms

The C2 architecture utilized a Python-based HTTP stack and a custom PowerShell beacon (new_beacon.ps1). This beacon maintained a heartbeat by polling for JSON-formatted tasks every 30 seconds over port 8001, receiving instructions and returning data in base64-encoded chunks. The infrastructure also supported Chisel for tunneling and SOCKS5 proxies to facilitate lateral movement.

Webpage at myjitsi.mrnajafipour[.]ir mimicking Radio Zamaneh (Source : Hunt.io).
A compromised site (myjitsi.mrnajafipour[.]ir) was observed mimicking the layout of Radio Zamaneh, a Persian-language media outlet, likely to facilitate information operations. (Source: Hunt.io)

Persistence attempts included the creation of a scheduled task masquerading as MicrosoftEdgeUpdate. While this was successfully intercepted by Windows Defender, the attackers demonstrated advanced capability by experimenting with GodPotato for privilege escalation and reflective loading techniques to evade traditional signature-based detection.

Indicators of Compromise (IoCs)

The following table outlines the observed infrastructure used during this campaign. Note: All domains and IPs have been defanged for safety.

Type Indicator Resolving Domain(s) Hosting Provider
IP 172.86.76[.]101 dubai-1.vaermb[.]com, regorixa[.]com RouterHosting LLC, UAE
IP 172.86.76[.]124 dubai-7.vaermb[.]com, suanefllix[.]com, identificara[.]com RouterHosting LLC, UAE
IP 45.59.114[.]60 shop.exceptionnotfound[.]ir, myjitsi.mrnajafipour[.]ir RouterHosting LLC, CH
IP 104.21.27[.]95 tools.exceptionnotfound[.]ir Cloudflare

Security Advisory: Organizations are urged to re-fang these indicators within controlled environments such as a SIEM, MISP, or VirusTotal for active threat hunting. Immediate patching of Exchange Server vulnerabilities and auditing of DotNetNuke installations is highly recommended.

fVdpjzxJgx L b xCabyzgCBS

Related Articles

Back to top button