A sophisticated Iranian-nexus threat actor has quietly compromised at least 12 Omani government entities, deploying webshells, escalating privileges through SQL servers, and exfiltrating tens of thousands of citizen records. The campaign was uncovered by analysts at Hunt.io after the operators left their staging server's directory listing open, exposing the entire toolkit, command and control code, session logs, and stolen data. The Ministry of Justice and Legal Affairs is the primary confirmed victim, with active compromise observed as recently as April 10, 2026.

What Happened

A VPS staging server hosted in the United Arab Emirates at 172.86.76[.]127 was discovered with open directory listing, exposing the operational infrastructure of an active intrusion campaign against Omani government networks. A README file on the machine labeled it "VPS C2," indicating it was just one node within a larger, still-unidentified infrastructure. The exposed contents included session logs, exfiltrated data, exploit scripts, and webshells used to maintain persistent access across at least 12 government entities, including the Ministry of Justice and Legal Affairs and the Royal Oman Police. Hunt.io analysts have linked the tradecraft to past operations associated with Iran's Ministry of Intelligence and Security, consistent with Iranian state-sponsored activity.

What Was Taken

The attackers exfiltrated more than 26,000 Ministry of Justice user records, along with sensitive judicial case data, committee decisions, and Windows registry hives containing internal credentials. The operation prioritized judicial records, immigration data, and citizen identity information, all of high counterintelligence and surveillance value. Credential material recovered from registry hives (the SAM, SECURITY and SYSTEM hives together yield local account password hashes, LSA secrets and cached domain logons) gives the threat actor durable access for follow-on operations even after the initial webshells are discovered and removed, until every credential those hives could expose has been rotated. The volume and type of data, combined with the focus on identity and judicial systems, suggest both intelligence collection and potential leverage operations.

Why It Matters

This campaign reflects a continuing Iranian intelligence focus on Gulf state government infrastructure, with Oman repeatedly targeted across distinct operations. In 2025, a separate Iranian-aligned group compromised a mailbox at Oman's Ministry of Foreign Affairs and used it to launch phishing campaigns against embassies worldwide, demonstrating that breaches of Omani government systems frequently become launchpads for downstream regional targeting. The exposure of judicial and identity records also creates risk for dissidents, opposition figures, and foreign nationals whose information passes through Oman's legal system. For defenders across the region, this is a reminder that exposed staging infrastructure remains one of the most reliable signals of active state-aligned campaigns.

The Attack Technique

Two webshells anchored the intrusion. The first, hc2.aspx, was recovered directly from the C2 server. The second, health_check_t.aspx, was hardcoded across every attack script targeting the Ministry of Justice network. Commands were passed through a simple HTTP parameter, handed to the Windows command processor (cmd.exe) by the IIS worker process, and returned to the operator as plain text in the HTTP response. That design leaves two reliable traces on the victim: the .aspx file itself under the web root, and w3wp.exe spawning a command shell, which a legitimate ASP.NET application almost never does. A dedicated folder on the staging server contained 12 exploit scripts purpose-built for Omani targets, covering Exchange email password spraying, SQL Server privilege escalation, and memory-based execution designed to avoid writing files to disk. The toolkit relied heavily on older but effective exploits, suggesting the operators were taking advantage of unpatched government infrastructure rather than burning novel zero-days.

What Organizations Should Do

  1. Hunt for the indicators hc2.aspx and health_check_t.aspx, and audit web-facing IIS and Exchange directories for unauthorized .aspx files. Filenames are trivial for the operator to change, so compare the web root against a known-good baseline and review recently created or modified .aspx files rather than relying on the two names alone.
  2. Block and alert on traffic to 172.86.76[.]127 and review historical proxy and firewall logs for prior connections to that IP. The README on the server identified it as one C2 node among others, so treat an absence of hits as inconclusive.
  3. Audit SQL Server accounts for unexpected privilege escalation, sysadmin role changes, and xp_cmdshell activity, including whether xp_cmdshell has been enabled through sp_configure on servers where it should be off.
  4. Rotate credentials extracted from Windows registry hives, including service accounts, cached domain credentials, and any local admin accounts on potentially compromised hosts.
  5. Apply outstanding patches to internet-facing Exchange, IIS, and SQL Server systems, and disable legacy authentication paths vulnerable to password spraying (basic authentication on OWA, EWS and ActiveSync), enforcing MFA on whatever remains exposed.
  6. Hunt for in-memory execution artifacts, suspicious child processes spawned by w3wp.exe and sqlservr.exe, and unexplained outbound connections from database hosts.
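
The webshell behaviour described under The Attack Technique and hunting steps 1, 2 and 6 above can be exercised offline. The following Python script is an added example written for this article; it is not Hunt.io's tooling and nothing in it was recovered from the staging server. It runs three checks over constructed sample data: requests to the named webshells, .aspx files outside a site allowlist, and requests from the reported C2 address in IIS W3C logs; command shells spawned by w3wp.exe or sqlservr.exe in process-creation events shaped like Sysmon Event ID 1; and the C2 IP in arbitrary firewall or proxy lines. The log lines, events and paths are made up for the example, the `cmd=` parameter name in the sample request is an assumption because the report does not name the parameter, and the allowlist and the list of suspicious child processes are placeholders an operator would replace with their own baseline.

```python
"""Offline hunt for the indicators in this article.

Added example, not Hunt.io's tooling and not recovered from the staging server.
All sample data below is constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

WEBSHELL_NAMES = {"hc2.aspx", "health_check_t.aspx"}  # webshell filenames named in the report
C2_IPS = {"172.86.76.127"}                             # staging/C2 VPS named in the report
WATCHED_PARENTS = {"w3wp.exe", "sqlservr.exe"}         # step 6: IIS worker and SQL Server
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}  # assumption: typical webshell children


@dataclass
class Finding:
    check: str   # which check fired
    detail: str  # matched name, IP, or parent -> child pair
    line: str    # the raw evidence


def parse_iis_log(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended logs. The #Fields: directive defines the column order;
    IIS writes whichever fields the site is configured to log, so never hard-code it."""
    fields: list[str] = []
    records = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not fields:
            continue  # other directives (#Software, #Date) or data before any #Fields
        else:
            cols = line.split(" ")
            if len(cols) == len(fields):
                records.append(dict(zip(fields, cols)))
    return records


def hunt_iis(records: list[dict[str, str]], allowed_aspx: set[str]) -> list[Finding]:
    """Steps 1 and 2 against IIS access logs."""
    findings = []
    for r in records:
        name = r.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        raw = " ".join(r.values())
        if name in WEBSHELL_NAMES:
            findings.append(Finding("known-webshell", name, raw))
        elif name.endswith(".aspx") and name not in allowed_aspx:
            findings.append(Finding("unlisted-aspx", name, raw))
        if r.get("c-ip") in C2_IPS:
            findings.append(Finding("c2-source-ip", r["c-ip"], raw))
    return findings


def hunt_process_events(events: list[dict[str, str]]) -> list[Finding]:
    """Step 6: shells spawned by the IIS worker or SQL Server (Sysmon EID 1 field names)."""
    findings = []
    for e in events:
        parent = e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = e.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent in WATCHED_PARENTS and child in SHELL_CHILDREN:
            findings.append(Finding("suspicious-child", f"{parent} -> {child}", e.get("CommandLine", "")))
    return findings


def find_c2_hits(lines: list[str]) -> list[Finding]:
    """Step 2 against any text log. Dots are escaped and the address is bounded by
    non-digits so that 172.86.76.1270 or 1172.86.76.127 do not match."""
    pattern = re.compile(r"(?<!\d)(" + "|".join(map(re.escape, sorted(C2_IPS))) + r")(?!\d)")
    return [Finding("c2-ip", m.group(1), ln) for ln in lines if (m := pattern.search(ln))]


# Constructed IIS W3C log. The cmd= parameter name is an assumption (not in the report).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-04-10 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-10 08:01:12 10.0.0.5 GET /default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2026-04-10 08:02:40 10.0.0.5 GET /aspnet_client/health_check_t.aspx cmd=whoami 443 - 172.86.76.127 python-requests/2.31 200
2026-04-10 08:03:01 10.0.0.5 POST /owa/auth/hc2.aspx - 443 - 172.86.76.127 python-requests/2.31 200
2026-04-10 08:05:33 10.0.0.5 GET /images/logo.png - 443 - 10.0.0.21 Mozilla/5.0 200
2026-04-10 08:06:10 10.0.0.5 GET /temp/x.aspx - 443 - 10.0.0.22 Mozilla/5.0 404
"""

# Constructed process-creation events in Sysmon Event ID 1 shape.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "net user"'},
]

# Constructed firewall lines; the last one is a look-alike that must not match.
SAMPLE_FIREWALL = [
    "2026-04-09T22:14:03Z ALLOW TCP 10.0.0.5:51234 -> 172.86.76.127:443",
    "2026-04-09T22:15:10Z ALLOW TCP 10.0.0.5:51235 -> 93.184.216.34:443",
    "2026-04-09T22:16:00Z ALLOW TCP 10.0.0.7:40001 -> 172.86.76.1270:80",
]


def run_all() -> dict[str, int]:
    """Run the three checks over the samples; returns the number of findings per check."""
    findings = (hunt_iis(parse_iis_log(SAMPLE_IIS_LOG), {"default.aspx"})
                + hunt_process_events(SAMPLE_PROCESS_EVENTS)
                + find_c2_hits(SAMPLE_FIREWALL))
    for f in findings:
        print(f"[{f.check}] {f.detail}: {f.line}")
    return dict(Counter(f.check for f in findings))


if __name__ == "__main__":
    print(run_all())
```

On a real host the three inputs come from the site's IIS log directory, a Sysmon or EDR export, and the perimeter devices; the script deliberately reads the `#Fields:` header instead of assuming a column layout, because the sample layout here is only one of many IIS can be configured to write.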

Sources: Iranian-Nexus Operation Targets Oman Ministries With Webshells, SQL Escalation, and Data Theft