Malpulse CTI

🇮🇷 𝗔𝗯𝗮𝗯𝗶𝗹 𝗼𝗳 𝗠𝗶𝗻𝗮𝗯 𝗘𝘅𝗽𝗼𝘀𝗲𝗱: 𝗟𝗔 𝗠𝗲𝘁𝗿𝗼 𝗦𝗖𝗔𝗗𝗔 𝗕𝗮𝗰𝗸𝘂𝗽𝘀 𝗮𝗻𝗱 𝗜𝘀𝗿𝗮𝗲𝗹𝗶 𝗩𝗶𝗰𝘁𝗶𝗺 𝗗𝗮𝘁𝗮 𝗟𝗲𝗳𝘁 𝗢𝗽𝗲𝗻 𝗼𝗻 𝗮𝗻 𝗜𝗿𝗮𝗻𝗶𝗮𝗻 𝗦𝘁𝗮𝗴𝗶𝗻𝗴 𝗦𝗲𝗿𝘃𝗲𝗿 A pro-Iranian group called Ababil of Minab claimed destructive intrusions against targets in the US, Israel, Saudi Arabia, and Turkey, including a breach LA Metro confirmed in April. A later public report described the campaign but held back the rest of the victims. We found the operator's staging server sitting wide open and read the list ourselves. What AttackCapture captured at 5.255.127[.]55:8020: → 2,238 files across 545 subdirectories, around 5 GB of exfiltrated data → Over 1 GB of LA Metro SQL Server backups covering transit ops, personnel records, SCADA configs, and yard management → Named victims the public report withheld: Ruppin Academic Center, bac(.)org(.)il, adabroker(.)com(.)tr, courier(.)co(.)il, Ifat Media Group → The custom Flask receiver, the operator's bash history, plaintext Chrome password dumps, VPN credentials, and switch configs → A 404 handler that quietly redirected to fbi(.)gov to look harmless The server stayed up for at least four weeks, into late May, after the public report dropped and after the group went quiet on Telegram. That mistake handed us the full picture. Full research here 👇: https://t.co/nUqelBq8M1