VYPR
Breach · Published Jun 1, 2026 · 1 source

Iran-Linked Hackers Wipe IT Systems, Backups, and Recovery Infrastructure in Multi-Victim Campaign

Iran-linked hackers operating as 'Ababil of Minab' have destroyed IT systems, backups, and recovery infrastructure at multiple US and Middle East organizations, including LA Metro.

Iran-linked hackers have launched a sweeping campaign of digital destruction across the United States and the Middle East, wiping IT systems, erasing backups, and dismantling recovery infrastructure at multiple organizations. The attacks, carried out under a pro-Iranian persona called "Ababil of Minab," went far beyond data theft, leaving victims with little ability to restore their systems.

The campaign first surfaced in late March and early April 2026, when Ababil of Minab claimed responsibility for breaching the Los Angeles County Metropolitan Transportation Authority (LA Metro) and destroying its data. LA Metro confirmed the breach on April 2, 2026. Hours after attackers deleted virtual machines from inside the agency's management console, the transit authority reported that riders could not load fare on the TAP Mobile App.

Analysts at Gambit Security found that Ababil of Minab is not the independent hacktivist group it claims to be. Forensic evidence links the operation to Black Shadow, an Iran-linked group attributed by the Israel National Cyber Directorate to Iran's Ministry of Intelligence and Security. Gambit Security said in a report shared with Cyber Security News that attackers used scripted automation and hands-on-keyboard techniques to destroy IT, virtualization, and backup infrastructure.

Beyond LA Metro, the campaign hit the South Florida Regional Transportation Authority, a company called UNIMAC, and a consumer GPS tracking service named Vyncs. Investigators identified additional victims in Israel and Turkey across the media, higher education, and insurance sectors. The breadth of the operation signals a deliberate, coordinated effort rather than opportunistic hacking.

What makes this campaign stand out is how methodically the attackers eliminated any chance of recovery. They hunted down backup systems, dropped entire database chains, and deleted operating system files to prevent restoration. In one incident, the attacker used an AI chatbot to refine a custom destruction script, adding an unsettling dimension to state-linked cyber activity.

The attackers relied on two core methods: automated scripts and direct, manual interaction with system tools. At LA Metro, they powered off and deleted virtual machines through the organization's own virtualization platform. At UNIMAC, they wiped three storage volumes and renamed new partitions "Minab" as a calling card. At Vyncs, the group ran a custom Python script called main.py that iterated through 58 SQL Server targets and dropped every database. All 58 executions succeeded with zero failures.

While the script ran, the attacker manually deleted 16 daily SQL backup files, then destroyed core Windows system folders through Windows Explorer, causing their own remote session to drop and confirming total destruction. At the South Florida Regional Transportation Authority, attackers gained access through a proxied remote desktop connection, took databases offline, and used a secure deletion tool to overwrite the web hosting directory, including a dedicated SQL backup folder.

Alongside the destruction, investigators uncovered two custom data theft tools. The first involved compressing stolen files and uploading them to the victim's own public website, then pulling them back through an attacker-controlled server. The second was a bespoke C++ tool called FileFiend, which scanned drives and network shares before sending stolen files to a hardcoded command-and-control server. The attackers also built a Flask-based file receiver for accepting uploads from compromised environments.

The strongest attribution link to Black Shadow came from a staging server that previously hosted a fake mental health support site targeting Israeli soldiers in August 2025. That same server was found transferring stolen files into this campaign's infrastructure. Organizations in critical infrastructure, transportation, and education should urgently review access controls, backup isolation practices, and incident response readiness.

Synthesized by Vypr AI