Last updated: July 5, 2026 at 9:01 AM UTC
Tag: iran-apt (3 articles)

Iranian intelligence (MOIS) behind LA Metro hack disguised as 'Ababil of Minab' hacktivists - hundreds of terabytes wiped

Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.

Check
Critical-infrastructure and transit operators: treat 'hacktivist' claims of destructive attacks as possible state-operation cover. Hunt for wiper precursors and bulk-deletion activity. Validate offline backup integrity.
Affected
US critical infrastructure, especially transit authorities. Iran's MOIS uses fake-hacktivist fronts (here, Ababil of Minab) to claim destructive attacks while preserving deniability.
Fix
Maintain tested offline backups resilient to wipers. Segment OT/IT networks. Monitor for mass-deletion and destructive commands. Coordinate with CISA and ISACs on Iranian APT indicators.

MuddyWater (Seedworm) 'Operation Olalampo' espionage hits 9 countries with DLL sideloading via sentinelmemoryscanner.exe and ChromElevator browser theft

Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor uses DLL sideloading by abusing two trusted binaries - sentinelmemoryscanner.exe sideloads sentinelagentcore.dll - to deploy the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.

Check
Hunt Windows endpoints for sentinelmemoryscanner.exe with a sideloaded sentinelagentcore.dll. Check outbound traffic to 157.20.182[.]49 and sendit[.]sh. Watch for Node.js execution on non-developer hosts.
Affected
Organizations in MuddyWater's typical target sectors (telecom, government, defense, energy) across nine countries. Symantec/Carbon Black/Huntress confirm at least one South Korean electronics manufacturer hit.
Fix
Block 157.20.182[.]49 and sendit[.]sh at egress. Apply Huntress and Symantec IoCs. Hunt for ChromElevator browser-credential theft. Restrict Node.js execution on non-developer endpoints.

Iran's Nimbus Manticore (UNC1549) accelerated wartime ops with AI-assisted MiniFast backdoor, trojanized Zoom installers, and SEO poisoning of SQL Developer

Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.

Check
Search EDR for AppDomain hijacking patterns spawning unsigned DLLs from Microsoft-signed executables. Hunt for trojanized Zoom installers and visits to getsqldeveloper[.]com via DNS logs.
Affected
Aviation, software, defense, and telecom organizations in the US, Europe, and the Middle East. Nimbus Manticore targets employees via fake career offers, fake Zoom meetings, and SEO poisoning.
Fix
Apply Check Point IoCs. Block getsqldeveloper[.]com and known Nimbus Manticore C2 infrastructure. Train staff against unsolicited career or meeting-invitation downloads. Strengthen endpoint allowlisting against unsigned DLL sideloading.