EXECUTIVE SUMMARY
The report describes an intrusion campaign linked to an Iranian-nexus operation that targeted government systems in Oman. Researchers found an exposed server the attackers used to manage their activity and store stolen information. The campaign reportedly affected several government ministries and exposed thousands of citizen records held in legal and ministry systems. The collected data included documents, login-related files, registry data, and other sensitive information. Researchers also found signs that the attackers had been active in the environment for a long time and used several tools to retain access to compromised systems. The infrastructure used in the campaign showed links to earlier activity connected with Iranian-aligned operations. The attackers focused on intelligence gathering and long-term access rather than destructive attacks. The report shows that government organizations in the Middle East continue to face espionage and data-theft campaigns that exploit exposed internet-facing systems and weak security controls.
The attackers used several scripts, webshells, PowerShell tools, and Python-based malware during the intrusion. Researchers discovered more than fifty tools on the exposed server, used for scanning, exploitation, persistence, and data collection. The attackers targeted weak or exposed web applications and government systems to gain access. Once inside, they used tunneling and proxy tools to move through networks and communicate with attacker-controlled servers without raising suspicion. They also collected registry hive files and authentication-related data from Windows systems to steal credentials and maintain access. Researchers identified reused infrastructure, similar domain setups, and hosting overlaps that connected the activity to a larger campaign. The report also notes that the attackers regularly updated their tools and rotated infrastructure to keep operating and to reduce the chance of detection during the intrusion.
The conclusion highlights that exposed attacker infrastructure can help researchers understand how intrusion campaigns are planned and carried out. By analyzing servers, domains, certificates, and malware activity, researchers were able to track additional systems connected to the campaign and identify patterns in attacker behavior. The report stresses the importance of threat hunting, monitoring internet-facing systems, and tracking suspicious infrastructure activity to identify attacks early. Researchers also note that attackers often change servers and domains after exposure, so fast detection is important for limiting damage. The intrusion shows that government organizations remain key targets for espionage and data theft campaigns in the region. It also demonstrates how attackers continue to use common tools, stolen credentials, and hidden communication channels to maintain long-term access inside compromised networks while collecting sensitive information from targeted systems.
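A hunting check for two behaviours the report describes (a web-server worker spawning a shell, as a webshell would, and registry hive exports used for credential theft), run over constructed process-creation events. This is an added example, not code from the report or its authors; the hosts, paths, and command lines are made up.

```python
import re

# Constructed sample process-creation events (Sysmon-like shape), not report telemetry.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "dc01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "web02", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]

# Web-server worker processes that should never spawn an interactive shell.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# reg(.exe) save of the SAM/SYSTEM/SECURITY hives: offline credential theft (T1003).
HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
# PowerShell -e / -ec / -enc / -encodedcommand: base64 payload that hides intent (T1027).
ENCODED_PS = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\b", re.I)

def basename(path):
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the finding labels raised by one process-creation event."""
    findings = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("webshell_shell_spawn")       # T1059 via a web-server worker
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(event["cmdline"]):
        findings.append("encoded_powershell")
    m = HIVE_EXPORT.search(event["cmdline"])
    if m:
        findings.append("registry_hive_export:" + m.group(1).upper())
    return findings

def hunt(events):
    """Group findings by host; hosts with no findings are omitted."""
    hits = {}
    for ev in events:
        for f in classify(ev):
            hits.setdefault(ev["host"], []).append(f)
    return {h: sorted(v) for h, v in hits.items()}
```

Feed `hunt()` real process-creation events in the same field shape to get per-host findings to triage; the labels map back to the T1059, T1027 and T1003 rows in the threat profile below.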
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Reconnaissance | T1133 | External Remote Services | — |
| Initial Access | T1566 | Phishing | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1204 | User Execution | — |
| Execution | T1059 | Command and Scripting Interpreter | — |
| Execution | T1106 | Native API | — |
| Execution | T1569 | System Services | — |
| Execution | T1047 | Windows Management Instrumentation | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070 | Indicator Removal | — |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1036 | Masquerading | — |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | — |
| Defense Evasion | T1553 | Subvert Trust Controls | — |
| Defense Evasion | T1014 | Rootkit | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Credential Access | T1552 | Unsecured Credentials | — |
| Credential Access | T1558 | Steal or Forge Kerberos Tickets | — |
| Credential Access | T1056 | Input Capture | — |
| Lateral Movement | T1021 | Remote Services | — |
| Lateral Movement | T1570 | Lateral Tool Transfer | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1039 | Data from Network Shared Drive | — |
| Collection | T1560 | Archive Collected Data | — |
| Collection | T1113 | Screen Capture | — |
| Collection | T1114 | Email Collection | — |
| Collection | T1115 | Clipboard Data | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1573 | Encrypted Channel | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1090 | Proxy | — |
| Command and Control | T1102 | Web Service | — |
| Command and Control | T1132 | Data Encoding | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | — |
| Exfiltration | T1567 | Exfiltration Over Web Service | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/iranian-nexus-operation-targets-oman-ministries-with-webshells/
https://hunt.io/blog/iranian-nexus-oman-government-intrusion