Iranian-Nexus Intrusion Targeting Oman's Government

Red | Attack
TA2026151 — Iranian-Nexus Intrusion Targeting Oman's Government | HiveForce Labs

What happened

An active Iranian-aligned cyber espionage operation targeted twelve Omani government ministries, with the Ministry of Justice and Legal Affairs (MJLA) as the primary victim. The campaign was uncovered after the threat actor inadvertently left an attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly exposed — revealing the complete operator toolkit, command-and-control source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were observed between April 8–10, 2026.

Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Microsoft Exchange servers. The operator deployed a custom ASPX webshell, a Python C2 with PowerShell beacon, Chisel for encrypted tunneling, and GodPotato for privilege escalation, ultimately exfiltrating over 26,000 MJLA user records, judicial case data, citizen IDs, and SAM/SYSTEM registry hives. No definitive group-level attribution has been made, though TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm).

Exploited CVEs

Four vulnerabilities were exploited or leveraged across this intrusion campaign. All have available patches — prioritise immediate remediation.

| CVE | Name / description | Affected product | CISA KEV | Patch |
|---|---|---|---|---|
| CVE-2021-34473 | ProxyShell — Exchange Server Remote Code Execution | Microsoft Exchange Server | ✓ | ✓ |
| CVE-2021-34523 | ProxyShell — Exchange Server Privilege Escalation | Microsoft Exchange Server | ✓ | ✓ |
| CVE-2021-31207 | ProxyShell — Exchange Server Security Feature Bypass | Microsoft Exchange Server | ✓ | ✓ |
| CVE-2025-32372 | DotNetNuke Server-Side Request Forgery (SSRF) | DotNetNuke (DNN) Platform | — | ✓ |

How the intrusion unfolded

The operation reflects a deliberate, intelligence-driven campaign against Omani government infrastructure, undermined by operator OPSEC failures that exposed the full toolkit to researchers.

01
Discovery — exposed staging VPS reveals full operator toolkit

The campaign was uncovered after the threat actor left their attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly accessible. The exposed server contained the complete operator toolkit, C2 source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were logged between April 8–10, 2026. The targeting builds on a 2025 incident attributed to the Homeland Justice persona (Void Manticore), in which Oman's Ministry of Foreign Affairs mailbox in Paris was hijacked to spear-phish embassies worldwide.

02
Initial access — CVE-2025-32372 SSRF and ProxyShell across 12 ministries

The operation targeted twelve Omani government bodies: MJLA, Royal Oman Police, Royal Fleet of Oman, Tax Authority of Oman, State Audit Institution, Royal Court Affairs, Authority for Public Services Regulation, Civil Aviation Authority, Information Technology Authority, Ministry of Finance, MTCIT, and the Office of Public Prosecution. Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Exchange servers — tradecraft previously associated with MuddyWater in regional intrusions — alongside credential brute-force attempts against the eVisa portal and the State Audit Institution training platform.

03
Execution and persistence — ASPX webshell, Python C2, Chisel, GodPotato

The operator deployed a custom ASPX webshell (hc2.aspx, health_check_t.aspx) through the DotNetNuke /Portals/0/ directory, providing persistent remote command execution. A host-level persistence attempt using a scheduled task named MicrosoftEdgeUpdate was blocked by Microsoft Defender. The operator then deployed a Python HTTP C2 paired with a PowerShell beacon polling every 30 seconds, returning base64-encoded results in 1,500-character chunks. Chisel was staged on port 7777 for encrypted tunneling. GodPotato — later replaced by a reflective in-memory variant — abused SeImpersonatePrivilege for local privilege escalation, tradecraft consistent with APT34's documented Gulf-targeted kernel-level operations.
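The beacon described above has two properties a defender can look for without any knowledge of the payload: a fixed 30-second check-in cadence, and a run of equally sized POST bodies when results are shipped in 1,500-character chunks. The script below is an added illustration for this advisory, not HiveForce Labs' tooling. The egress-log format and every line in EGRESS_LOG are constructed for the demo; the destination IP and port 8001 are the values the advisory lists. It groups requests by (source, destination, port), scores the regularity of the inter-request gaps, and flags flows that look timer-driven.

```python
"""Detect timer-driven beaconing in egress logs: near-constant check-in
intervals, and runs of same-sized POST bodies that suggest chunked uploads.

Added illustration for this advisory, not HiveForce Labs' tooling. The log
format and every line in EGRESS_LOG are constructed; the C2 address and
port 8001 are the values listed in the advisory's IoC section."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed egress-proxy log. Fields: timestamp src dst dst_port method bytes
EGRESS_LOG = """\
2026-04-09T10:00:00 10.20.30.40 172.86.76.127 8001 GET 210
2026-04-09T10:00:30 10.20.30.40 172.86.76.127 8001 GET 210
2026-04-09T10:01:00 10.20.30.40 172.86.76.127 8001 POST 1500
2026-04-09T10:01:30 10.20.30.40 172.86.76.127 8001 POST 1500
2026-04-09T10:02:01 10.20.30.40 172.86.76.127 8001 POST 1500
2026-04-09T10:02:30 10.20.30.40 172.86.76.127 8001 POST 644
2026-04-09T10:03:00 10.20.30.40 172.86.76.127 8001 GET 210
2026-04-09T10:00:05 10.20.30.41 203.0.113.10 443 GET 830
2026-04-09T10:00:09 10.20.30.41 203.0.113.10 443 GET 2110
2026-04-09T10:04:40 10.20.30.41 203.0.113.10 443 POST 5120
2026-04-09T10:15:02 10.20.30.41 203.0.113.10 443 GET 410
2026-04-09T10:15:03 10.20.30.41 203.0.113.10 443 GET 9800
"""


def parse_egress(text):
    """Parse the constructed log into dicts; skips blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, method, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "method": method, "bytes": int(nbytes)})
    return rows


def find_beacons(rows, min_hits=5, max_jitter=0.15):
    """Return flows whose inter-request gaps are nearly constant.

    jitter = pstdev(gaps) / median(gaps). A browsing session driven by a
    person has high jitter; a sleep-loop beacon (30 s here) does not, even
    with a second or two of clock or network noise."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"], r["port"])].append(r)

    findings = []
    for key, hits in flows.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter > max_jitter:
            continue
        # A run of identically sized POST bodies (all but the last, possibly
        # shorter, one) is the shape of output uploaded in fixed-size chunks.
        post_sizes = [r["bytes"] for r in hits if r["method"] == "POST"]
        chunked = len(post_sizes) >= 3 and len(set(post_sizes[:-1])) == 1
        findings.append({"flow": key, "hits": len(hits), "period_s": period,
                         "jitter": round(jitter, 3), "chunked_posts": chunked})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_egress(EGRESS_LOG)):
        print(finding)
```

Run against the sample, only the 10.20.30.40 to 172.86.76.127:8001 flow is reported (period 30 s, jitter about 0.02, chunked POSTs), while the irregular browsing flow is rejected on jitter. On real data, raise min_hits and run the check over a sliding window per day; beacons with deliberate random sleep need a wider max_jitter, and the chunk heuristic is only meaningful where the proxy records request body sizes.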

04
Exfiltration — 26,000+ MJLA records, judicial data, SAM/SYSTEM hives

On April 10, 2026 at 03:00 UTC, the operator exfiltrated over 26,000 MJLA user records — including staff emails and credentials — alongside judicial judgments, case session attachments, committee decisions, and queries against the eGov_Person table targeting national IDs, names, birthdates, and nationality data. SAM and SYSTEM registry hives were staged in C:\Windows\Temp for exfiltration via port 9002, effectively compromising all local-machine secrets and cached domain credentials in the MJLA environment.

05
Attribution — Iranian state-nexus overlap with APT34 and MuddyWater

No definitive group-level attribution has been made. However, TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm). The activity continues a broader pattern of Iranian state-nexus targeting against GCC critical infrastructure, alongside the Handala destructive wiper campaign and MOIS-aligned dissident espionage operations targeting the region.

What to do now

Six prioritised response actions for security and operations teams. Actions 4 and 5 are critical for any organisation sharing identity infrastructure with MJLA.

1
Patch Microsoft Exchange against the ProxyShell chain

Apply Microsoft Exchange Server security updates addressing CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Any internet-facing Exchange server that has not received the May 2021 cumulative update or later remains vulnerable to the full ProxyShell exploit chain demonstrated in this campaign.

2
Upgrade DotNetNuke to 9.13.8 or later

Update all DotNetNuke (DNN) Platform instances to version 9.13.8 or newer to remediate CVE-2025-32372. Pay particular attention to ministry and government portals that expose DNN as a public-facing CMS, including those sharing identity-provider infrastructure such as SimpleSAMLphp federation.

3
Audit and restrict the /Portals/0/ path on DotNetNuke

Inspect the DotNetNuke /Portals/0/ directory for unauthorized ASPX files matching webshell patterns such as health_check_t.aspx or hc2.aspx. Restrict write permissions to the path and configure the IIS handler mapping so that arbitrary ASPX files placed in content directories cannot be served as executable script.
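A way to carry out this step as a repeatable check, as an added example for this advisory (not DNN's or HiveForce Labs' code): walk the content directory, report every file IIS could execute as script unless it is in a reviewed baseline, and drop a web.config that denies script execution for that path. The demo tree built by build_demo_tree() is constructed; the two webshell filenames are the ones in the advisory's IoC list. The handlers element assumes the section is unlocked for this path in applicationHost.config (it is locked by default); the request-filtering rules are delegated by default and work on their own.

```python
"""Audit a DotNetNuke content directory (e.g. /Portals/0/) for files IIS
would execute as script, and write a web.config that denies script
execution there.

Added example for this advisory, not DNN's or HiveForce Labs' code. The
demo tree is constructed; the two webshell names come from the advisory."""
import hashlib
import tempfile
from pathlib import Path

# Extensions mapped to ASP.NET script handlers; none belong in an upload directory.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".svc", ".cshtml", ".vbhtml"}
KNOWN_WEBSHELL_NAMES = {"hc2.aspx", "health_check_t.aspx"}  # from the advisory's IoCs

# Assumption: the 'handlers' section is unlocked for this path in
# applicationHost.config (locked by default); requestFiltering is delegated
# by default and takes effect even if handlers is not.
HARDENING_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Read-only: static files are served, nothing here runs as script -->
    <handlers accessPolicy="Read" />
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".aspx" allowed="false" />
          <add fileExtension=".ashx" allowed="false" />
          <add fileExtension=".asmx" allowed="false" />
          <add fileExtension=".svc" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def audit_content_dir(root, baseline=None):
    """Return one finding per script-capable file under root that is not in
    baseline ({relative_path: sha256} of files already reviewed)."""
    root = Path(root)
    baseline = baseline or {}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        ext = path.suffix.lower()
        if ext not in SCRIPT_EXTS and name not in KNOWN_WEBSHELL_NAMES:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if baseline.get(rel) == digest:
            continue  # reviewed file with unchanged content
        reason = ("known webshell filename" if name in KNOWN_WEBSHELL_NAMES
                  else f"script extension {ext} in a content directory")
        findings.append({"path": rel, "sha256": digest, "reason": reason})
    return findings


def write_hardening_config(root):
    """Drop the deny-execute web.config into the content directory."""
    cfg = Path(root) / "web.config"
    cfg.write_text(HARDENING_WEB_CONFIG, encoding="utf-8")
    return cfg


def build_demo_tree(base):
    """Constructed sample: a mostly benign upload tree with planted shells."""
    root = Path(base) / "Portals" / "0"
    files = {
        "Images/logo.png": b"\x89PNG demo",
        "Documents/annual_report.pdf": b"%PDF-1.4 demo",
        "health_check_t.aspx": b'<%@ Page Language="C#" %>',       # name from advisory
        "Containers/tmp/hc2.aspx": b'<%@ Page Language="C#" %>',   # name from advisory
        "upload.ashx": b'<%@ WebHandler Language="C#" %>',
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        portal = build_demo_tree(tmp)
        for f in audit_content_dir(portal):
            print(f["path"], "-", f["reason"])
        print("wrote", write_hardening_config(portal))
```

The audit only catches files with script-capable extensions or the advisory's known names; a shell renamed to an allowed extension is harmless once the web.config is in place, because IIS will no longer hand anything in that tree to a script handler. Confirm that no legitimate DNN module relies on executable content under /Portals/ before deploying the config, and keep the baseline in version control so reruns only surface new or changed files.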

4
Reset MJLA and DotNetNuke application credentials

For MJLA and any organisation sharing federation with MJLA's SimpleSAMLphp identity provider, force-reset all DotNetNuke application accounts, prioritising superuser and aspnet_Membership-backed accounts, invalidate active sessions, and rotate any service-account passwords accessible from compromised hosts.

5
Rotate domain credentials and re-secure SAM/SYSTEM material

Because both SAM and SYSTEM registry hives were extracted from the MJLA environment, treat all local-machine secrets, cached domain credentials, and machine-account secrets as compromised. Reset them, force a krbtgt double-rotation if Active Directory was reachable, and audit Kerberos ticket lifetimes for anomalies.

6
Adopt network segmentation between ministry portals

Because ITA and MTCIT portals share the /ITAPortal_AR/ URL structure and likely a common codebase, and because MJLA's SimpleSAMLphp identity provider could federate authentication across ministries, segment ministry portals from one another, isolate the identity provider in a dedicated security zone, and apply per-ministry boundary controls so that a single portal compromise cannot pivot horizontally.

IoCs — Iranian-nexus Oman intrusion

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.

IPv4 addresses
  • 172[.]86[.]76[.]127
  • 172[.]86[.]76[.]101
  • 172[.]86[.]76[.]94
  • 172[.]86[.]76[.]108
  • 172[.]86[.]76[.]112
  • 172[.]86[.]76[.]120
  • 172[.]86[.]76[.]121
  • 172[.]86[.]76[.]124
  • 172[.]86[.]76[.]129
  • 172[.]86[.]76[.]130
  • 45[.]59[.]114[.]60
  • 104[.]21[.]27[.]95
  • 172[.]67[.]142[.]35
Domains
  • dubai-10.vaermb[.]com
  • dubai-1.vaermb[.]com
  • dubai-2.vaermb[.]com
  • dubai-3.vaermb[.]com
  • dubai-4.vaermb[.]com
  • dubai-5.vaermb[.]com
  • dubai-6.vaermb[.]com
  • dubai-7.vaermb[.]com
  • dubai-8.vaermb[.]com
  • dubai-9.vaermb[.]com
  • regorixa[.]com
  • myjitsi.exceptionnotfound[.]ir
  • shop.exceptionnotfound[.]ir
  • price.exceptionnotfound[.]ir
  • tools.exceptionnotfound[.]ir
  • myjitsi.mrnajafipour[.]ir
  • s5.sideliner[.]ir
  • suanefllix[.]com
  • brnettlix[.]com
  • brttfrixx[.]com
  • realprimefix[.]com
  • identificara[.]com
Filenames
  • hc2.aspx
  • health_check_t.aspx
  • proxyshell_01.sh
  • evisa_cookies.txt
  • c2_fixed.py
  • c2_fixed_v2.py
  • c2_json_v2.py
  • new_beacon.ps1
  • gp_v6_exec.py
File paths
  • /Portals/0/health_check_t.aspx
  • /opt/c2/loot/
  • /opt/c2/payloads/
  • C:\Windows\Temp (registry hive staging)
SHA-256
  • ECC3611F7DCBAA53ACF44E67DE2F10D78A26E03B3C77BA28BBD3EE16B2E66437
Ports
  • 8001 — C2 beacon listener
  • 7777 — Chisel host
  • 9002 — Registry hive exfiltration
  • 9003 — Reverse SOCKS5 listener
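The indicators above are defanged, so they must be refanged before they can be matched against telemetry. The script below is an added example for this advisory, not HiveForce Labs' tooling: it refangs a subset of the IoC list (copied from above), splits it into IP and domain sets, and sweeps DNS and proxy log lines for exact IP matches and for listed domains or their subdomains. SAMPLE_LOG and the 10.20.30.x client addresses are constructed.

```python
"""Refang the advisory's defanged indicators and sweep log lines for them.

Added example for this advisory, not HiveForce Labs' tooling. DEFANGED_IOCS
is a subset of the IoC list above, copied as published; SAMPLE_LOG lines
and the 10.20.30.x client addresses are constructed."""
import ipaddress
import re

DEFANGED_IOCS = """\
172[.]86[.]76[.]127
172[.]86[.]76[.]101
45[.]59[.]114[.]60
dubai-10.vaermb[.]com
dubai-1.vaermb[.]com
regorixa[.]com
shop.exceptionnotfound[.]ir
s5.sideliner[.]ir
"""

# Constructed DNS-resolver and proxy events.
SAMPLE_LOG = [
    "2026-04-09T10:00:00Z dns client=10.20.30.40 qname=dubai-10.vaermb.com type=A",
    "2026-04-09T10:00:01Z dns client=10.20.30.40 qname=dubai-10.vaermb.com rdata=172.86.76.127",
    "2026-04-09T10:00:02Z proxy client=10.20.30.40 dst=172.86.76.127:8001 method=GET status=200",
    "2026-04-09T10:00:05Z dns client=10.20.30.41 qname=www.example.com type=A",
    "2026-04-09T10:00:06Z proxy client=10.20.30.41 dst=203.0.113.10:443 method=GET status=200",
    "2026-04-09T10:02:00Z dns client=10.20.30.42 qname=shop.exceptionnotfound.ir type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator):
    """Undo the usual defanging conventions: [.] (.) [:] and hxxp."""
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        s = s.replace(defanged, real)
    return s


def load_iocs(text):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()  # tolerate bulleted lists
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, ips, domains):
    """Return (line_no, kind, value) for each indicator seen in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if domain_matches(host, domains):
                hits.append((n, "domain", host.lower()))
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_domains = load_iocs(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_LOG, ioc_ips, ioc_domains):
        print(hit)
```

Against the sample this reports five hits on lines 1, 2, 3 and 6 and nothing for the 10.20.30.41 client. Matching is exact for IPs and suffix-based for domains, so a host under a listed domain is flagged but sibling hosts under a parent that is not itself listed (other vaermb[.]com names, for instance) are not; add the parent domain to the list deliberately if that is the intended blocking scope.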

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for the Iranian-nexus Oman government intrusion campaign.

| ID | Tactic | Technique / sub-technique |
|---|---|---|
| T1595.002 | Reconnaissance | Active scanning — vulnerability scanning |
| T1583.003 | Resource development | Acquire infrastructure — virtual private server |
| T1588.002 | Resource development | Obtain capabilities — tool |
| T1190 | Initial access | Exploit public-facing application (CVE-2025-32372, ProxyShell) |
| T1110.001 | Initial access | Brute force — password guessing |
| T1059.001 | Execution | Command and scripting interpreter — PowerShell |
| T1059.003 | Execution | Command and scripting interpreter — Windows command shell |
| T1059.006 | Execution | Command and scripting interpreter — Python |
| T1505.003 | Persistence | Server software component — web shell |
| T1053.005 | Persistence | Scheduled task/job — scheduled task (MicrosoftEdgeUpdate) |
| T1134.001 | Privilege escalation | Access token manipulation — token impersonation/theft (GodPotato / SeImpersonatePrivilege) |
| T1562.001 | Defense evasion | Impair defenses — disable or modify tools |
| T1620 | Defense evasion | Reflective code loading (in-memory GodPotato variant) |
| T1027 | Defense evasion | Obfuscated files or information (base64-encoded C2 results) |
| T1036.004 | Defense evasion | Masquerading — masquerade task or service |
| T1036.005 | Defense evasion | Masquerading — match legitimate name or location |
| T1003.002 | Credential access | OS credential dumping — Security Account Manager (SAM) |
| T1110.002 | Credential access | Brute force — password cracking |
| T1555 | Credential access | Credentials from password stores |
| T1539 | Credential access | Steal web session cookie |
| T1082 | Discovery | System information discovery |
| T1016 | Discovery | System network configuration discovery |
| T1033 | Discovery | System owner/user discovery |
| T1083 | Discovery | File and directory discovery |
| T1046 | Discovery | Network service discovery |
| T1005 | Collection | Data from local system |
| T1213 | Collection | Data from information repositories (eGov_Person table) |
| T1560 | Collection | Archive collected data |
| T1071.001 | Command and control | Application layer protocol — web protocols (Python HTTP C2) |
| T1090 | Command and control | Proxy |
| T1572 | Command and control | Protocol tunneling (Chisel on port 7777) |
| T1132.001 | Command and control | Data encoding — standard encoding (base64) |
| T1041 | Exfiltration | Exfiltration over C2 channel |