Iranian Cyber Threats Target Omani Ministries
In a recently uncovered cyber operation, a threat actor linked to Iran infiltrated at least 12 ministries of the Omani government, stealing tens of thousands of citizen records and leaving persistent backdoors behind. The operation relied on webshells and SQL Server privilege escalation, exploiting known vulnerabilities to move through the targeted networks.
Discovery Through Oversight
The breach came to light when a staging server at 172.86.76[.]127, hosted on a VPS in the United Arab Emirates, was found with an open directory listing. That directory exposed the attackers' entire toolkit, the command-and-control server code, session logs and the stolen data. The Ministry of Justice and Legal Affairs was the primary confirmed target, with evidence of compromise as recent as April 10, 2026.
Tools and Methods Used in the Attack
Analysts at Hunt.io documented the full scope of the operation, detailing the tools and methods employed. The campaign is consistent with previous state-sponsored activity linked to Iran's Ministry of Intelligence and Security (MOIS). In 2025, an Iran-linked group targeted Oman's Ministry of Foreign Affairs, part of a pattern of Iranian-aligned intrusions against Oman.
Attack Techniques and Implications
Exploitation of Webshells and SQL Servers
Central to the intrusion were two webshells, hc2.aspx and health_check_t.aspx, referenced by the attackers' scripts targeting the Ministry of Justice. The webshells ran operator-supplied commands through Windows processes on the web server and returned the output as plain text. The attackers also deployed 12 exploit scripts tailored to Omani targets, including Exchange credential spraying and SQL Server privilege escalation.
Scope of the Breach
The breach extended to entities such as the Royal Oman Police and the Ministry of Finance. Techniques included ProxyShell exploitation against Exchange and credential brute-forcing. GodPotato, a publicly available local privilege escalation tool, was used to escalate privileges on compromised hosts; the tooling was off-the-shelf rather than custom.
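Both the webshell activity described above and the GodPotato escalation leave a distinctive process lineage on the web server: the IIS worker process (w3wp.exe), running as an application pool identity, spawns a command interpreter, and somewhere below that a child ends up running as SYSTEM. The following Python detection is an added example, not code from the article or from Hunt.io; it runs over constructed Sysmon Event ID 1 style records embedded inline, and the image names, PIDs and command lines are all invented for illustration.

```python
import ntpath

# Child images that a legitimate IIS worker process should not normally spawn.
# csc.exe is deliberately absent: ASP.NET dynamic compilation spawns it from
# w3wp.exe all the time, and alerting on it would drown the real signal.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
          "wscript.exe", "certutil.exe", "mshta.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style).
# Hypothetical data, not from the incident described in the article.
SAMPLE_EVENTS = [
    {"pid": 50,  "ppid": 4,   "image": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": "svchost.exe -k iissvcs"},
    {"pid": 100, "ppid": 50,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    # Benign: ASP.NET compiling a page.
    {"pid": 150, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "csc.exe /noconfig /t:library"},
    # Webshell: worker process spawning cmd.exe to run an operator command.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": "cmd.exe /c whoami"},
    # Potato-style escalation tool launched from that shell (hypothetical name gp.exe).
    {"pid": 300, "ppid": 200, "image": r"C:\inetpub\wwwroot\gp.exe",
     "user": r"IIS APPPOOL\DefaultAppPool", "cmdline": 'gp.exe -cmd "cmd /c whoami"'},
    # Its child runs as SYSTEM although every ancestor up to w3wp ran as the app pool.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": "cmd /c whoami"},
    # Unrelated user activity.
    {"pid": 600, "ppid": 500, "image": r"C:\Program Files\Browser\browser.exe",
     "user": r"CORP\alice", "cmdline": "browser.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestors(index, pid):
    """Yield parent, grandparent, ... of pid, stopping at the root or on a PID cycle."""
    seen = {pid}
    cur = index.get(pid)
    while cur is not None:
        parent = index.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        cur = parent


def detect(events):
    """Return a list of hits: webshell command execution and app-pool-to-SYSTEM escalation."""
    index = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = basename(e["image"])
        parent = index.get(e["ppid"])

        # Rule 1: w3wp.exe directly spawning a command interpreter / LOLBin.
        if parent is not None and basename(parent["image"]) == "w3wp.exe" and child in SHELLS:
            hits.append({"rule": "webshell_exec", "pid": e["pid"],
                         "image": child, "cmdline": e["cmdline"]})

        # Rule 2: a SYSTEM process whose ancestry passes through a w3wp.exe that
        # ran as an IIS application pool identity. A token impersonation tool
        # such as GodPotato produces exactly this shape.
        if e["user"].upper() == r"NT AUTHORITY\SYSTEM":
            chain = list(ancestors(index, e["pid"]))
            if any(basename(a["image"]) == "w3wp.exe"
                   and a["user"].upper().startswith("IIS APPPOOL\\") for a in chain):
                hits.append({"rule": "privilege_escalation", "pid": e["pid"],
                             "image": child, "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The second rule is the one worth keeping in production even when the first is noisy: an application pool identity has no legitimate path to a SYSTEM descendant, so a single true positive is reliable regardless of which potato variant or tool name the operator used. Real telemetry reuses PIDs over time, so a production version keys the index on PID plus process GUID or start time rather than PID alone.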
Command Infrastructure and Iranian Links
Command and Control Setup
The command-and-control setup consisted of a Python HTTP server on the attacker side and a PowerShell beacon on victim machines. The beacon checked in every 30 seconds, reporting the victim's domain, username and hostname. Stolen data was sent in small encoded chunks so that each request stayed within URL length limits.
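A 30-second beacon that carries data in the request URL is visible from the web-server side of the connection, which is the side a defender usually has: proxy or egress logs. The script below is an added example, not the article's or Hunt.io's code, that builds a constructed access log in the line format Python's http.server emits and then flags clients whose inter-request timing is tightly periodic, reassembling the URL-safe base64 chunks they carry. The parameter names (i for sequence number, d for data), the 16-byte chunk size and the payload text are assumptions made for the example; the real beacon's encoding is not given on the page.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Line format of Python's http.server (BaseHTTPRequestHandler.log_message):
#   <client> - - [dd/Mon/YYYY HH:MM:SS] "GET <path> HTTP/1.1" <status> -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
TS_FMT = "%d/%b/%Y %H:%M:%S"
CHUNK = 16  # hypothetical chunk size; the real value is not known


def b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, so the chunk survives in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_sample_log():
    """Constructed access log: one beaconing host plus one ordinary web client."""
    t0 = datetime(2026, 4, 10, 9, 0, 0)
    lines = []

    # Beacon at 203.0.113.7: ~30 s period with a little jitter, three data
    # chunks followed by empty check-ins. Payload text is invented.
    payload = b"domain=EXAMPLE;user=svc_web;host=WEB01"
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    for n, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0]):
        ts = t0 + timedelta(seconds=30 * n + jitter)
        path = f"/c?i={n}&d={b64url(chunks[n])}" if n < len(chunks) else f"/c?i={n}"
        lines.append(f'203.0.113.7 - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 -')

    # Ordinary browsing from 198.51.100.5: irregular gaps, no data parameters.
    pages = ["/index.html", "/static/app.js", "/login", "/api/status", "/logout", "/favicon.ico"]
    for offset, page in zip([5, 8, 48, 49, 169, 176], pages):
        ts = t0 + timedelta(seconds=offset)
        lines.append(f'198.51.100.5 - - [{ts.strftime(TS_FMT)}] "GET {page} HTTP/1.1" 200 -')
    return lines


def detect_beacons(lines, period=30.0, tolerance=5.0, min_hits=5):
    """Per client: request count, median inter-request gap, beacon verdict, reassembled data."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = parse_qs(urlsplit(m["path"]).query)
        seq = int(q["i"][0]) if "i" in q else None
        chunk = q["d"][0] if "d" in q else None
        by_ip[m["ip"]].append((ts, seq, chunk))

    report = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps) if gaps else 0.0
        # Periodic if enough requests, the median gap sits near the expected
        # period, and every gap stays close to that median (low jitter).
        regular = (len(reqs) >= min_hits
                   and abs(median - period) <= tolerance
                   and all(abs(g - median) <= tolerance for g in gaps))
        # Reassemble chunks in sequence order; out-of-order delivery is tolerated.
        parts = {seq: chunk for _, seq, chunk in reqs if seq is not None and chunk}
        data = b"".join(b64url_decode(parts[k]) for k in sorted(parts))
        report[ip] = {"requests": len(reqs), "median_gap": median,
                      "beacon": regular, "payload": data}
    return report


if __name__ == "__main__":
    for ip, info in detect_beacons(build_sample_log()).items():
        print(ip, info)
```

The timing test is the part that generalises: it does not depend on the path, parameter names or encoding, so it still fires when an operator renames the endpoint. The reassembly step is only useful once the chunk format has been recovered from a captured sample, as it was here from the exposed staging server.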
Evidence of Iranian State-Sponsored Activity
The operation's infrastructure overlapped with that of known Iranian-nexus groups such as APT34 (OilRig) and MuddyWater, both of which have a long record of targeting Middle Eastern governments. Researchers noted similarities with prior operations but stopped short of formally attributing the activity to a specific group.
Future Cybersecurity Measures
Enhanced Monitoring and Detection
Monitoring exposed infrastructure remains crucial for early detection, and it cuts both ways: an organisation's own Internet-facing systems, such as the Exchange servers hit with ProxyShell here, need continuous vulnerability monitoring, while attacker-controlled servers that leak their toolkits through open directories, as the staging server did, give defenders an early view of tooling and targets. This case highlights the value of proactive defence: patching known vulnerabilities, watching for webshells and periodic beaconing, and detecting exfiltration before large volumes of data leave the network.
Conclusion
The discovery of this breach underscores the ongoing cybersecurity threats facing Oman and the region. As cyber attacks become more sophisticated, robust defense mechanisms are essential to safeguard sensitive government data and maintain national security.
