Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
An exposed command and control server on RouterHosting infrastructure revealed an active Iranian-nexus intrusion campaign targeting twelve Omani government ministries. The operation primarily focused on the Ministry of Justice and Legal Affairs, deploying custom webshells that provided persistent access through April 2026. Over 26,000 user records containing judicial case data, committee decisions, and registry hives were exfiltrated. The attacker utilized ProxyShell exploits, DotNetNuke vulnerabilities, and custom Python scripts targeting Exchange servers, SQL databases, and Oracle systems. Infrastructure analysis revealed connections to spoofed Iranian diaspora media and censorship circumvention tools, with tactical overlaps indicating MOIS-linked groups such as APT34 and MuddyWater. The campaign specifically targeted judicial records, immigration systems, and citizen identity data across multiple government entities.
AI Analysis
Technical Summary
This threat involves an active cyber espionage campaign attributed to Iranian-nexus actors targeting Omani government ministries. The attackers exploited known vulnerabilities including ProxyShell and DotNetNuke to gain persistent access via custom webshells. They deployed custom Python scripts to compromise Exchange servers, SQL databases, and Oracle systems, enabling exfiltration of over 26,000 sensitive records related to judicial cases, committee decisions, and citizen identity data. The campaign infrastructure shows ties to MOIS-linked groups such as APT34 and MuddyWater, with operational overlaps including use of censorship circumvention tools and spoofed media infrastructure. The campaign's persistence through April 2026 indicates a long-term targeted espionage effort against critical government sectors in Oman.
Potential Impact
The campaign resulted in the exfiltration of over 26,000 sensitive records from twelve Omani government ministries, including judicial case data, committee decisions, and citizen identity information. Persistent access was maintained through April 2026, indicating prolonged exposure and potential for ongoing espionage or data manipulation. The compromise of multiple critical systems such as Exchange servers, SQL databases, and Oracle systems increases the risk of further data loss or operational disruption. The targeting of judicial and immigration systems could have significant implications for national security and citizen privacy.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, organizations should prioritize identifying and remediating ProxyShell and DotNetNuke vulnerabilities in their environments. Monitoring for indicators of compromise related to custom webshells and unusual activity on Exchange, SQL, and Oracle systems is recommended. Given the attribution to known APT groups, enhanced threat detection and incident response readiness should be maintained. No cloud service remediation applies as this is on-premises infrastructure.
Affected Countries
Oman
Indicators of Compromise
- hash: ecc3611f7dcbaa53acf44e67de2f10d78a26e03b3c77ba28bbd3ee16b2e66437
- domain: brnettlix.com
- domain: brttfrixx.com
- domain: identificara.com
- domain: mjla.gov.om
- domain: realprimefix.com
- domain: regorixa.com
- domain: sailms.gov.om
- domain: suanefllix.com
- domain: vaermb.com
- domain: dubai-1.vaermb.com
- domain: dubai-10.vaermb.com
- domain: dubai-2.vaermb.com
- domain: dubai-3.vaermb.com
- domain: dubai-4.vaermb.com
- domain: dubai-5.vaermb.com
- domain: dubai-6.vaermb.com
- domain: dubai-7.vaermb.com
- domain: dubai-8.vaermb.com
- domain: dubai-9.vaermb.com
- domain: email.taxoman.gov.om
- domain: mail.rfo.gov.om
- domain: mersaltest.mjla.gov.om
- domain: myjitsi.exceptionnotfound.ir
- domain: myjitsi.mrnajafipour.ir
- domain: price.exceptionnotfound.ir
- domain: s5.sideliner.ir
- domain: shop.exceptionnotfound.ir
- domain: tools.exceptionnotfound.ir
Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
Description
An exposed command and control server on RouterHosting infrastructure revealed an active Iranian-nexus intrusion campaign targeting twelve Omani government ministries. The operation primarily focused on the Ministry of Justice and Legal Affairs, deploying custom webshells that provided persistent access through April 2026. Over 26,000 user records containing judicial case data, committee decisions, and registry hives were exfiltrated. The attacker utilized ProxyShell exploits, DotNetNuke vulnerabilities, and custom Python scripts targeting Exchange servers, SQL databases, and Oracle systems. Infrastructure analysis revealed connections to spoofed Iranian diaspora media and censorship circumvention tools, with tactical overlaps indicating MOIS-linked groups such as APT34 and MuddyWater. The campaign specifically targeted judicial records, immigration systems, and citizen identity data across multiple government entities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves an active cyber espionage campaign attributed to Iranian-nexus actors targeting Omani government ministries. The attackers exploited known vulnerabilities including ProxyShell and DotNetNuke to gain persistent access via custom webshells. They deployed custom Python scripts to compromise Exchange servers, SQL databases, and Oracle systems, enabling exfiltration of over 26,000 sensitive records related to judicial cases, committee decisions, and citizen identity data. The campaign infrastructure shows ties to MOIS-linked groups such as APT34 and MuddyWater, with operational overlaps including use of censorship circumvention tools and spoofed media infrastructure. The campaign's persistence through April 2026 indicates a long-term targeted espionage effort against critical government sectors in Oman.
Potential Impact
The campaign resulted in the exfiltration of over 26,000 sensitive records from twelve Omani government ministries, including judicial case data, committee decisions, and citizen identity information. Persistent access was maintained through April 2026, indicating prolonged exposure and potential for ongoing espionage or data manipulation. The compromise of multiple critical systems such as Exchange servers, SQL databases, and Oracle systems increases the risk of further data loss or operational disruption. The targeting of judicial and immigration systems could have significant implications for national security and citizen privacy.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, organizations should prioritize identifying and remediating ProxyShell and DotNetNuke vulnerabilities in their environments. Monitoring for indicators of compromise related to custom webshells and unusual activity on Exchange, SQL, and Oracle systems is recommended. Given the attribution to known APT groups, enhanced threat detection and incident response readiness should be maintained. No cloud service remediation applies as this is on-premises infrastructure.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://hunt.io/blog/iranian-nexus-oman-government-intrusion"]
- Adversary
- null
- Pulse Id
- 69fa3e5f84a20294f972fa64
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashecc3611f7dcbaa53acf44e67de2f10d78a26e03b3c77ba28bbd3ee16b2e66437 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainbrnettlix.com | — | |
domainbrttfrixx.com | — | |
domainidentificara.com | — | |
domainmjla.gov.om | — | |
domainrealprimefix.com | — | |
domainregorixa.com | — | |
domainsailms.gov.om | — | |
domainsuanefllix.com | — | |
domainvaermb.com | — | |
domaindubai-1.vaermb.com | — | |
domaindubai-10.vaermb.com | — | |
domaindubai-2.vaermb.com | — | |
domaindubai-3.vaermb.com | — | |
domaindubai-4.vaermb.com | — | |
domaindubai-5.vaermb.com | — | |
domaindubai-6.vaermb.com | — | |
domaindubai-7.vaermb.com | — | |
domaindubai-8.vaermb.com | — | |
domaindubai-9.vaermb.com | — | |
domainemail.taxoman.gov.om | — | |
domainmail.rfo.gov.om | — | |
domainmersaltest.mjla.gov.om | — | |
domainmyjitsi.exceptionnotfound.ir | — | |
domainmyjitsi.mrnajafipour.ir | — | |
domainprice.exceptionnotfound.ir | — | |
domains5.sideliner.ir | — | |
domainshop.exceptionnotfound.ir | — | |
domaintools.exceptionnotfound.ir | — |
Threat ID: 69fb164ccbff5d8610cd0868
Added to database: 5/6/2026, 10:22:04 AM
Last enriched: 5/6/2026, 10:36:24 AM
Last updated: 5/7/2026, 8:20:20 AM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.