Black Shadow
Black Shadow is an Iranian threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). Supporting content links Black Shadow to multiple operations against Israeli and other regional targets, and later reporting ties infrastructure associated with the 2026 Ababil of Minab campaign to Black Shadow with high confidence, although Hunt.io stated it did not independently verify that attribution. ClearSky Cyber Security, researcher Simon Kenin, and prior attribution referenced by the Israeli National Cyber Directorate (INCD) also linked related infrastructure to Black Shadow. The group is associated with destructive and extortion-linked activity as well as espionage-oriented intrusions and phishing.

In October 2021, Black Shadow was identified as the group that breached and ransomed the Israeli hosting provider CyberServe and then publicly leaked substantial volumes of customer data. Affected organizations included the Atraf dating site and the Machon Mor medical institute; the leaked data included relationship information, medical data, email addresses, and plaintext passwords.

Content also places Black Shadow among Iranian groups involved in large-scale phishing and social-engineering campaigns targeting Israel’s public and private sectors. INCD reported at least 15 campaigns from Iranian groups including Black Shadow and MuddyWater, using tailored lures such as fake Rafael job offers on LinkedIn, spoofed INCD security-update emails, cash-offer scams, and academic conference invitations with malicious links. INCD assessed these campaigns as initial-access operations intended to gain footholds in organizations and support damage, espionage, information gathering, and influence activity.

In 2026, Gambit Security attributed the Ababil of Minab activity with high confidence to Black Shadow. That campaign involved destructive intrusions and data theft affecting organizations in the United States, Israel, Saudi Arabia, and Turkey, including the Los Angeles County Metropolitan Transportation Authority, the South Florida Regional Transportation Authority, UNIMAC, Vyncs, Ruppin Academic Center, Ifat Media Group, courier.co.il, bac.org.il, and adabroker.com.tr. Reported tactics included SQL Server deletion, virtual machine deletion, partition wiping, backup destruction, file-system damage, and systematic exfiltration. Supporting reporting described use of a custom Flask-based encrypted upload receiver, a bespoke exfiltration tool called FileFiend, SCP and multi-part archive staging, and infrastructure overlap with nefeshhope[.]com, a fake trauma-support portal previously used to target IDF soldiers.

Known alias in the provided content: black_shadow.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Transportation
- Consumer Services
- Financial Services
- Media & Entertainment
- Academia & Research
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇸🇦 Saudi Arabia
- 🇮🇱 Israel
- 🇹🇷 Türkiye
Where they're from
Attributed origin per open-source reporting.
- Iran (IR)
Tradecraft
22 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
- Iranian threat group assessed by the cited reporting as operating on behalf of MOIS and linked through infrastructure overlap to the Ababil of Minab campaign and prior phishing activity involving nefeshhope[.]com targeting IDF soldiers.
- Iran-linked threat actor tied to infrastructure and activity associated with the Ababil of Minab campaign and described as operating on behalf of MOIS.
- Conducted a breach and ransom operation against CyberServe, followed by the public leak of stolen customer data affecting multiple Israeli organizations and exposing sensitive personal and medical information.
- Conducting phishing campaigns targeting Israeli entities and organizations to gain footholds for damage, espionage, information gathering, and influence operations.