Digital Scorched-Earth: The Destructive Campaign of Ababil of Minab
Theoretical Origin and Campaign Overview
The Iranian cyber collective known as Ababil of Minab recently claimed responsibility for a series of destructive cyberattacks against transportation enterprises and commercial businesses across the United States and the Middle East. The actors did not merely exfiltrate sensitive corporate data: they deliberately destroyed virtual machines, relational databases, and primary backup repositories, leaving the victim organizations unable to rebuild their operational infrastructure quickly.
Cybersecurity specialists at Gambit Security traced this campaign to the Black Shadow threat group, which Israeli authorities previously identified as an operational arm of the Iranian Ministry of Intelligence. The authors of the investigative report therefore conclude that Ababil of Minab is not an autonomous newcomer but a rebranded entity, despite its public declarations of independence.
Dissecting the Transportation Sector Compromises
The LA Metro Intrusion
One of the first casualties of this offensive was the Los Angeles metropolitan transit service, LA Metro. The adversaries first obtained administrative access to the core VMware vCenter management console, then deleted numerous virtual machines together with their underlying disk files. Within hours of the initial breach, LA Metro publicly reported widespread outages across its mobile fare systems. The attackers then pivoted to a Windows guest and deleted storage volumes with native disk utilities.
Subversion of the South Florida Regional Transportation Authority
The South Florida Regional Transportation Authority fell victim to the same campaign. According to video recordings the actors themselves published, they gained access over the Remote Desktop Protocol, escalated to local administrative rights on a core IIS web server, used Microsoft SQL Server Management Studio to detach and purge critical databases, and finally ran the WipeFile utility to erase web server directories and backup repositories.
Automated Destruction Frameworks and OpenAI Subversion
The UNIMAC and Vyncs Operations
Inside the corporate networks of the infrastructure firm UNIMAC, the adversaries ran aggressive disk formatting routines: they wiped storage partitions, deleted active volumes, and created empty replacements mockingly labeled “Minab.” They then destroyed the organization’s recovery pipeline by wiping the data held in its Veeam Backup software.
During the assault on the Vyncs GPS tracking ecosystem, the actors deployed a custom Python script that automatically authenticated to 58 separate Microsoft SQL Servers and dropped their user databases, while the operators manually deleted auxiliary backups and core Windows system directories. The network connection to the host then dropped abruptly, confirming that the system had been destroyed.
Algorithmic Assuredness via ChatGPT
The investigative team also uncovered a notable tactical detail in the forensic artifacts. According to captured video logs, the threat actors used ChatGPT to refine their database scripts: the model helped them exclude the SQL Server system databases from the deletion list, so the script targeted user databases exclusively and avoided crashing the database engine before the sweep was complete.
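Both the LA Metro vCenter deletions and the Vyncs multi-server DROP DATABASE sweep share a detectable shape: one account performing many destructive administrative actions in a short window, often across hosts that never see such activity together. The detector below, written for this article as an added example (it is not the report's code and not the attackers' tooling), normalizes two constructed log sources into one schema and correlates destructive actions by actor rather than by server. The vCenter records are modelled as dicts with createdTime, eventTypeId, userName and vm fields, and the SQL Server audit as key=value text lines; those field names and all sample records are assumptions.

```python
"""Cross-source burst detector for destructive administrative actions.

Added example for this article; not the report's code nor the attackers'
tooling. Log formats and sample records are constructed; field names are
assumptions about how a real export would look.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# vSphere raises VmRemovedEvent when a VM leaves inventory, including
# "Delete from Disk"; a burst of them from one account is the LA Metro pattern.
DESTRUCTIVE_VC_EVENTS = {"vim.event.VmRemovedEvent"}

SAMPLE_VCENTER_EVENTS = [  # constructed
    {"createdTime": "2025-05-01T02:10:05Z", "eventTypeId": "vim.event.VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\administrator", "vm": "fare-api-01"},
    {"createdTime": "2025-05-01T02:10:09Z", "eventTypeId": "vim.event.VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\administrator", "vm": "fare-db-01"},
    {"createdTime": "2025-05-01T02:10:14Z", "eventTypeId": "vim.event.VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\administrator", "vm": "fare-web-01"},
    {"createdTime": "2025-05-01T02:10:20Z", "eventTypeId": "vim.event.VmPoweredOffEvent",
     "userName": "VSPHERE.LOCAL\\administrator", "vm": "ops-jump-01"},  # not destructive
    {"createdTime": "2025-05-01T09:00:00Z", "eventTypeId": "vim.event.VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\ops.engineer", "vm": "test-scratch-03"},  # lone removal
]

SAMPLE_SQL_AUDIT = [  # constructed; one login sweeping user DBs on several servers
    "time=2025-05-01T02:31:00Z server=sql07 login=svc_reporting stmt=DROP DATABASE [Telemetry2024]",
    "time=2025-05-01T02:31:02Z server=sql07 login=svc_reporting stmt=DROP DATABASE [Fleet]",
    "time=2025-05-01T02:31:03Z server=sql07 login=svc_reporting stmt=DROP DATABASE [Billing]",
    "time=2025-05-01T02:31:07Z server=sql12 login=svc_reporting stmt=DROP DATABASE [Customers]",
    "time=2025-05-01T02:31:09Z server=sql12 login=svc_reporting stmt=SELECT name FROM sys.databases",
    "time=2025-05-01T11:15:00Z server=sql03 login=dba.jane stmt=DROP DATABASE [Staging_old]",
]

SQL_LINE = re.compile(r"time=(\S+) server=(\S+) login=(\S+) stmt=(.*)$")
DROP_DB = re.compile(r"^DROP\s+DATABASE\s+\[?([^\]\s]+)\]?", re.IGNORECASE)


@dataclass(frozen=True)
class DestructiveEvent:
    ts: datetime
    source: str   # vCenter instance or SQL Server host
    actor: str    # account that performed the action
    action: str   # normalized verb: vm_removed, drop_database
    target: str   # VM name or database name


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_vcenter(events: list) -> list:
    """Keep only VM-removal events and map them to the common schema."""
    return [DestructiveEvent(_parse_ts(e["createdTime"]), "vcenter", e["userName"], "vm_removed", e["vm"])
            for e in events if e.get("eventTypeId") in DESTRUCTIVE_VC_EVENTS]


def normalize_sql_audit(lines: list) -> list:
    """Extract DROP DATABASE statements from a key=value audit export."""
    out = []
    for line in lines:
        m = SQL_LINE.match(line)
        d = DROP_DB.match(m.group(4)) if m else None
        if d:
            ts, server, login, _ = m.groups()
            out.append(DestructiveEvent(_parse_ts(ts), server, login, "drop_database", d.group(1)))
    return out


def detect_bursts(events, window=timedelta(minutes=10), threshold=3):
    """One alert per actor whose destructive actions, across all sources, reach
    `threshold` inside any sliding `window`. Grouping by actor rather than by
    server is what surfaces a script sweeping dozens of hosts one DB at a time."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev.actor].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            span = evs[best[1]:best[2] + 1]
            alerts.append({"actor": actor, "count": best[0],
                           "sources": {x.source for x in span},
                           "targets": [x.target for x in span],
                           "first": span[0].ts.isoformat(), "last": span[-1].ts.isoformat()})
    return sorted(alerts, key=lambda a: a["first"])


def run_detection(vc_events=SAMPLE_VCENTER_EVENTS, sql_lines=SAMPLE_SQL_AUDIT):
    return detect_bursts(normalize_vcenter(vc_events) + normalize_sql_audit(sql_lines))


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['actor']}: {a['count']} destructive actions on "
              f"{sorted(a['sources'])} between {a['first']} and {a['last']}")
```

On the sample data this raises two alerts: the vCenter administrator account for three VM removals in nine seconds, and svc_reporting for four DROP DATABASE statements spread over two servers. The single drop by dba.jane and the lone test-VM removal stay below threshold, which is the trade-off a real deployment tunes with the window and threshold values; a second useful signal the page suggests, not implemented here, is a DROP sweep that touches every user database on a host while leaving master, model, msdb and tempdb untouched.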
Intelligence Gathering and Legacy Infrastructure Connections
Espionage and Custom Exfiltration Tools
Beyond these destructive campaigns, researchers found that the actors systematically targeted other entities for espionage, exfiltrating sensitive data from academic institutions, media outlets, insurance providers, and hospitality enterprises. The stolen files were routed through compromised web infrastructure using proprietary payloads, among them FileFiend, a C++ utility built to harvest files from local and networked storage disks.
The Nefeshhope Historical Matrix
Forensic tracking of the campaign’s command infrastructure ultimately led specialists back to a known domain, nefeshhope[.]com. In 2025, threat actors used this domain to host a fraudulent psychological counseling platform whose interface harvested personally identifiable information and distributed additional malware. At the time, the Israel National Cyber Directorate attributed that operation to state-sponsored Iranian espionage cells.