26,596 MJLA DNN user records
A recent discovery by Hunt Intelligence has revealed an uncharacteristic lapse by a sophisticated threat actor. An open directory on a VPS in the United Arab Emirates has exposed an active, large-scale intrusion campaign targeting the Omani government.
The staging server, left completely unprotected, surfaced a treasure trove of evidence: the attacker’s toolkit, C2 (Command and Control) code, real-time session logs, and a massive cache of exfiltrated data.
The heart of the attack focused on the Ministry of Justice and Legal Affairs (MJLA) of Oman. While Omani institutions have historically been used as launchpads for other attacks, this campaign marks a shift toward deeper, institutional infiltration.
According to the Hunt Intelligence report, “The campaign documented below points in a similar direction… with a sharper focus on judicial records, immigration systems, and citizen identity data”.
The scale of the data theft:
- Over 26,000 Ministry of Justice user records were exfiltrated.
- The cache includes sensitive judicial case data, committee decisions, and internal legal records.
- Attackers managed to pull both SAM and SYSTEM registry hives, potentially allowing for further credential cracking and lateral movement.
The intrusion relied on a custom webshell deployed on a test server (mersaltest.mjla.gov.om), which provided the attackers with persistent access to the ministry’s internal network. Logs confirm that operator sessions were active as recently as April 10, 2026.
While Hunt Intelligence stopped short of a definitive group-level attribution, they noted that the activity sits squarely within the Iranian state-nexus space. The tactics, techniques, and procedures (TTPs) strongly overlap with known actors like APT34 (OilRig) and MuddyWater. Both groups have a documented history of targeting government infrastructure in the Middle East using PowerShell-heavy tooling and proxy shells.
The staging server was hosted by RouterHosting in the UAE. Interestingly, a neighboring cluster of infrastructure on the same ASN was found hosting spoofed Iranian diaspora media and several .ir domains.
This cluster also hosted Psiphon, a censorship circumvention tool frequently used in Iran during periods of internet shutdowns. As the report suggests, “The shared hosting provider, ASN, subnet, and same-day registration are consistent with individual or group infrastructure procurement and management… Diaspora media, censorship circumvention tooling, and network intrusion of neighboring countries are all consistent with past Iranian state-sponsored operations”.