
Ababil of Minab: How an Iran-Linked Crew Exfiltrated Data From Four Countries and Destroyed IT, Backups, and Recovery at a subset of victims

New forensic evidence links the persona to Iran's Ministry of Intelligence and Security, uncovers victim organizations not yet publicly named, and details the destructive playbook used against IT, applications, virtualization, and backups.

Nir Varon
Cyber Threat Researcher

TL;DR

  • Gambit Threat Intelligence investigated an exfiltration campaign hitting organizations in the United States, Israel, Saudi Arabia, and Turkey, with destructive operations carried out at a subset of victims. The activity surfaced publicly in late March and early April 2026.
  • The pro-Iranian persona “Ababil of Minab” claimed responsibility, including for the LA Metro (LACMTA) intrusion. Our analysis indicates they are not a new, standalone hacktivist crew as they claim.
  • Forensic evidence ties the campaign to infrastructure and activity previously attributed by Israel’s National Cyber Directorate (INCD) to Iran’s Ministry of Intelligence and Security (MOIS).
  • We recovered custom exfiltration tooling and identified additional Israeli and Turkish victim organizations beyond the ones the group has chosen to expose.
  • Where destruction occurred, the playbook combined multiple techniques across virtualization, storage, and backup infrastructure to deny recovery.

The Gambit Security Threat Intelligence team investigated an intrusion campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey: exfiltration across all of them, with destructive operations at a subset. The activity surfaced publicly in late March and early April 2026, after a pro-Iranian persona calling itself Ababil of Minab claimed to have compromised the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro), destroyed systems, and exfiltrated data.

Our investigation found that Ababil of Minab is unlikely to be a new, standalone hacktivist crew as they claim. Forensic evidence ties the current operation to infrastructure and activity associated with a previous Iran-linked campaign, including activity publicly attributed by the Israel National Cyber Directorate (INCD) to Iran’s Ministry of Intelligence and Security (MOIS). We also recovered custom exfiltration tooling used by the attackers and identified additional Israeli and Turkish victim organizations, beyond the ones the group chose to expose.

We analyze the destructive operations performed by the attackers across IT, applications, virtualization infrastructure, and backups: deleting virtual machines, databases, and storage volumes, both automatically via scripts and through hands-on-keyboard activity. Each technique introduces a different recovery challenge, requiring separate remediation and restoration processes, which complicates and prolongs recovery efforts.

What makes this campaign matter beyond the attribution is the velocity. Intrusion operators are moving from initial access straight into the recovery layer (virtualization, backups, storage volumes) to maximize destruction and deny remediation. The skill required to do that at scale is collapsing in parallel: as AI capabilities become widely available, the same playbook becomes accessible to far less skilled actors. The question every operator now needs to be asking isn’t only “can we keep them out,” it’s “when they get in, can we bring it back.” That is a different security problem, and it requires a different security investment: one focused on recoverability and operational resilience, not perimeter alone. This is why Gambit was formed. Prevention alone is no longer sufficient. Whether the work is rebuilding compromised systems or making sure destroyed systems and data can truly be restored, proactive resilience management has to be a top priority for every security team.

The full report covers the attribution evidence, the custom exfiltration tooling we recovered, the additional Israeli and Turkish victim organizations identified, and a complete breakdown of the destructive playbook the attackers used against IT, applications, virtualization, and backups.

FAQ


Who is Ababil of Minab and what have they claimed?

Ababil of Minab is a pro-Iranian persona that surfaced publicly in late March and early April 2026, claiming responsibility for an intrusion at the Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro) in which systems were destroyed and data was exfiltrated. They present themselves as a new, standalone hacktivist crew. A note on our scope: Gambit was not involved in the forensic investigations at the breached organizations themselves. Our findings draw from two distinct sources: what the persona has published on its own channels, and direct forensic access to the operator's staging infrastructure, which is how we identified the additional victim organizations the group did not publicly expose.

What evidence connects this campaign to Iran’s MOIS?

Forensic evidence ties the current campaign to infrastructure and activity associated with a previous Iran-linked cluster publicly known as Black Shadow, which Israel's National Cyber Directorate (INCD) has attributed to Iran's Ministry of Intelligence and Security (MOIS). The full report details the technical overlap.

Which organizations were targeted beyond LA Metro?

Beyond the LACMTA intrusion publicly claimed by the persona, our investigation identified additional Israeli and Turkish victim organizations that the group did not expose. The campaign targets organizations in four countries: the United States, Israel, Saudi Arabia, and Turkey.

What destructive techniques did the attackers use, and why does it matter that they used multiple?

Based on what the persona has published on its own channels, they obtained access to virtualization infrastructure, deleted storage volumes and machines, and specifically targeted backup infrastructure to undermine the organizations’ ability to recover. The attackers deliberately employed multiple destructive techniques. Each technique introduces a different recovery challenge: deleted virtual machines have to be rebuilt from images, deleted storage volumes restored from offsite copies, and compromised backup infrastructure rebuilt from scratch before any data can be restored. The paths are not independent, either: a VM or volume cannot be restored from backup until the backup platform it would be restored from has itself been rebuilt, so hitting the backup tier first serializes everything behind it. Combining techniques is a recovery-denial strategy: it forces separate remediation processes to run at once, prolongs downtime, and raises the chance that at least one path fails.
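To make the recovery-denial pattern above detectable rather than just describable, here is an added example written for this page (it is not tooling from the Gambit report, nor anything recovered from the operator): it correlates destructive actions across the virtualization, storage and backup tiers per principal inside a short window, and treats a machine-speed cadence between actions as a hint that the deletions were scripted rather than hands-on-keyboard. The log sources, action names, field names, account names and the sample events are all assumptions constructed for illustration.

```python
"""Added example, not from the Gambit report: correlate destructive
actions across virtualization, storage and backup tiers.

Source names, action names, field names, account names and the sample
events are assumptions constructed for illustration; map them onto
your own audit logs (hypervisor events, storage array audit, backup job
history) before use."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical normalized (source, action) pairs and the recovery tier each damages.
DESTRUCTIVE = {
    ("vcenter", "VmRemoved"): "virtualization",
    ("vcenter", "DatastoreDestroyed"): "storage",
    ("storage", "VolumeDeleted"): "storage",
    ("storage", "SnapshotDeleted"): "storage",
    ("backup", "RepositoryDeleted"): "backup",
    ("backup", "JobDeleted"): "backup",
    ("backup", "RestorePointDeleted"): "backup",
}

# Constructed sample events (not real log data). One principal walks the
# backup tier first, then virtualization, then storage, within minutes;
# a second principal performs an isolated, routine decommission.
SAMPLE_EVENTS = [
    {"ts": "2026-03-28T01:00:00Z", "source": "vcenter", "action": "VmPoweredOn",         "user": "CORP\\vadmin", "target": "web-03"},
    {"ts": "2026-03-28T02:05:00Z", "source": "vcenter", "action": "VmRemoved",           "user": "CORP\\j.doe",  "target": "test-17"},
    {"ts": "2026-03-28T02:10:05Z", "source": "backup",  "action": "RestorePointDeleted", "user": "CORP\\vadmin", "target": "rp-1021"},
    {"ts": "2026-03-28T02:10:06Z", "source": "backup",  "action": "RestorePointDeleted", "user": "CORP\\vadmin", "target": "rp-1022"},
    {"ts": "2026-03-28T02:10:07Z", "source": "backup",  "action": "RepositoryDeleted",   "user": "CORP\\vadmin", "target": "repo-main"},
    {"ts": "2026-03-28T02:12:40Z", "source": "vcenter", "action": "VmRemoved",           "user": "CORP\\vadmin", "target": "erp-db-01"},
    {"ts": "2026-03-28T02:12:41Z", "source": "vcenter", "action": "VmRemoved",           "user": "CORP\\vadmin", "target": "erp-app-01"},
    {"ts": "2026-03-28T02:13:02Z", "source": "storage", "action": "VolumeDeleted",       "user": "CORP\\vadmin", "target": "vol-erp"},
    {"ts": "2026-03-28T02:50:00Z", "source": "backup",  "action": "JobDeleted",          "user": "CORP\\j.doe",  "target": "job-test"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=30), min_tiers=2,
              min_events=3, scripted_gap_seconds=2.0):
    """Return one alert per principal whose destructive actions span at least
    `min_tiers` recovery tiers within `window`. A median gap between successive
    actions of `scripted_gap_seconds` or less is reported as a scripting hint."""
    by_user = defaultdict(list)
    for e in events:
        tier = DESTRUCTIVE.get((e["source"], e["action"]))
        if tier is not None:  # non-destructive actions are ignored entirely
            by_user[e["user"]].append((parse_ts(e["ts"]), tier, e))

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda item: item[0])
        for i, (t0, _, _) in enumerate(evs):
            in_window = [item for item in evs[i:] if item[0] - t0 <= window]
            tiers = {tier for _, tier, _ in in_window}
            if len(in_window) < min_events or len(tiers) < min_tiers:
                continue
            gaps = [(b[0] - a[0]).total_seconds()
                    for a, b in zip(in_window, in_window[1:])]
            alerts.append({
                "user": user,
                "start": in_window[0][0].isoformat(),
                "end": in_window[-1][0].isoformat(),
                "count": len(in_window),
                "tiers": sorted(tiers),
                "backup_hit": "backup" in tiers,
                "likely_scripted": median(gaps) <= scripted_gap_seconds,
                "targets": [item[2]["target"] for item in in_window],
            })
            break  # one alert per principal is enough to page on
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the routine single-VM decommission by the second account never alerts, while the first account trips the rule with all three tiers inside three minutes and a one-second median gap. The `backup_hit` flag is the one to prioritize on: it is the tier whose loss blocks every other restore path, so an alert with it set should be treated as an active recovery-denial attempt rather than a change-management question. Thresholds and the window are starting points to tune against your own change volume.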

What does this say about the future of destructive cyber operations?

This is our forward-looking view, not a finding from the report. The skill required to execute destructive attacks at this scale is going to collapse. As AI capabilities for offensive operations become more widely available, the same playbook becomes accessible to less skilled actors. The question every operator needs to be asking isn’t just “can we keep them out,” it’s “when they get in, can we bring it back.” It’s a different kind of security problem, and it requires a different kind of security investment: one focused on recoverability and operational resilience, not perimeter alone.

What controls should defenders verify against a campaign like this?

Tactically, this campaign reinforces the controls that matter against recovery-targeting attackers. Verify that backups are immutable (write-once retention that an administrator credential cannot shorten or override) and isolated from the primary environment, meaning separate credentials, not joined to the same directory domain, and not reachable over the same management network as the virtualization hosts; that virtualization and backup administration are protected by least privilege and multi-factor authentication, with deletion of restore points, repositories, volumes and datastores audited and alerted on; and that recovery is continuously validated against adversarial scenarios, including a restore exercise that assumes the backup server itself is gone, not just infrastructure failure.
