When hackers mess up, security researchers rejoice. And in early April 2026, threat actors with ties to Iran made a spectacular operational security error. An exposed staging server, hosted on a UAE-based virtual private server, revealed the entire playbook of an ongoing cyberespionage campaign targeting Oman. The server was sitting wide open, its directories filled with command-and-control infrastructure, exploit toolkits, and stolen data. No encryption, no password. Just a gift for anyone looking.
The primary victim? Oman’s Ministry of Justice and Legal Affairs. But this was never a one-off smash-and-grab. The attackers had their sights set on multiple government entities, aiming to swipe judicial records and citizen identity data. Think of it as a digital heist, but the robbers left their blueprints on the sidewalk.
How the Staging Server Betrayed Its Masters
Security researchers from Hunt.io stumbled onto the exposed server in early April. It was running on a RouterHosting VPS, and two open directories told a damning story. The first directory documented early reconnaissance and initial access attempts against a slew of Omani ministries. The attackers weren’t subtle. They launched persistent password brute-force attacks against the Royal Oman Police eVisa portal and the State Audit Institution’s training platform. Imagine someone trying every key on a keychain, methodically, until one clicks.
But they didn’t stop there. They also deployed specific exploit scripts targeting ProxyShell vulnerabilities on the mail servers of the Royal Fleet of Oman and the Tax Authority. ProxyShell is a publicly known chain of Microsoft Exchange vulnerabilities, and while those attacks appeared unsuccessful, recovered session cookies told a different story for the eVisa portal. The hackers managed to bypass authentication using credential-based methods. They got in. And they didn’t leave quietly.
A Custom Webshell and a Toolbox of Python Scripts
The second open directory was a goldmine for threat intelligence. It revealed a heavily structured post-compromise environment. A custom webshell, embedded deep within the Ministry of Justice network, gave the operators persistent access. It’s like leaving a backdoor unlocked after a house party, except this door was digital and the guests were stealing passports.
The operators used a suite of highly tailored Python scripts to exploit various ministry portals. They targeted vulnerabilities ranging from DotNetNuke server-side request forgery to SQL Server privilege escalation. Over fifty distinct scripts were cataloged on the server. That’s a versatile toolkit, one capable of bypassing web application firewalls and attacking enterprise appliances. The researchers noted something unusual: the hackers used an iterative coding process. They left their failure notes directly in the exposed files. Debugging in plain sight. Talk about lazy.
GodPotato, Reflective Loading, and the Art of Evasion
Take the Windows privilege escalation tool GodPotato. The attackers deployed multiple versions. When their initial execution method was blocked by security software, they quickly pivoted to a reflective loading technique. This executed the payload entirely in memory, leaving no trace on disk. It’s a classic cat-and-mouse game, but the mouse here had a PhD in cryptography.
The command-and-control setup was equally sophisticated. It operated across multiple network ports. Standard web ports handled reverse shells. Port 7777 was used for encrypted Chisel tunnels. Ports in the 8000 range handled beacon listening and data exfiltration. The attackers weren’t just stealing data; they had built a small digital empire to manage the flow.
Indicators of Compromise: A Roadmap for Defenders
The researchers released a full set of indicators of compromise. These include IP addresses and domains that security teams can use for detection. The main IPs were 172.86.76.127, 172.86.76.101, 172.86.76.94, and 172.86.76.108. These resolved to domains like dubai-10.vaermb.com and regorixa.com. All hosted on RouterHosting LLC in the UAE. If you see these in your logs, it’s time to raise the alarm.
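A detection sketch that joins the published indicators with the port layout described above, so a hit is labelled with the role the port played in the attackers' C2 design. This is an added example, not code from Hunt.io or from the article; the key=value firewall log format, the internal addresses and the sample lines are constructed.

```python
import re

# Indicators published by the researchers and quoted in the article.
IOC_IPS = {"172.86.76.127", "172.86.76.101", "172.86.76.94", "172.86.76.108"}
IOC_DOMAINS = {"dubai-10.vaermb.com", "regorixa.com"}

# Constructed key=value log format (assumption; adapt the regex to your SIEM export).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?"
)

def port_role(port: int) -> str:
    """Label a destination port with the role the article assigns to it in the C2 layout."""
    if port == 7777:
        return "chisel-tunnel"
    if 8000 <= port <= 8999:
        return "beacon-or-exfil"
    if port in (80, 443):
        return "reverse-shell-web"
    return "other"

def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed input is skipped, not crashed on."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def in_domain(host, domains) -> bool:
    """Exact or subdomain match against the IoC domains; '-' means no hostname was logged."""
    if not host or host == "-":
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def find_hits(lines):
    """Return (ts, src, dst, dport, role, reason) for every line touching an IoC IP or domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] in IOC_IPS:
            reasons.append("ioc-ip")
        if in_domain(rec.get("host"), IOC_DOMAINS):
            reasons.append("ioc-domain")
        if reasons:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"],
                         port_role(rec["dport"]), "+".join(reasons)))
    return hits

def affected_hosts(lines):
    """Sorted list of internal sources that talked to any indicator: the triage list."""
    return sorted({h[1] for h in find_hits(lines)})

# Constructed sample log: one host beaconing to two IoC IPs, one benign flow, one IoC domain hit.
SAMPLE_LOG = [
    "2026-04-02T08:14:03Z src=10.20.1.15 dst=172.86.76.127 dport=7777 host=-",
    "2026-04-02T08:14:09Z src=10.20.1.15 dst=172.86.76.94 dport=8080 host=-",
    "2026-04-02T08:15:30Z src=10.20.1.40 dst=203.0.113.9 dport=443 host=cdn.example.net",
    "2026-04-02T08:16:02Z src=10.20.1.15 dst=198.51.100.7 dport=443 host=regorixa.com",
    "malformed line",
]
```

The domain match is a suffix match, so a hostname under regorixa.com is caught even when the resolved IP is not on the list.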
This incident highlights a recurring pattern in Iranian-linked operations. The attackers invest heavily in custom tooling and infrastructure, but operational security often lags. It’s a paradox. They can bypass modern defenses, yet they leave a server exposed for weeks. For defenders, this is a rare opportunity to understand the adversary’s full toolkit. For the attackers, it’s a reminder that even the best code doesn’t save you from sloppy sysadmin work.
Looking ahead, agencies in the Gulf region should assume this campaign is not an isolated event. The stolen data, if any, could already be weaponized for future targeting. And the next server might not be left open. The window for gathering intelligence is closing.