Ababil of Minab
Ababil of Minab is a pro-Iranian threat actor persona that surfaced in late March 2026 and claimed destructive intrusions against targets in the United States, Israel, Saudi Arabia, and Turkey. The group is most prominently associated with the March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA), for which it claimed responsibility on April 9, 2026, asserting that it stole and deleted data and publishing screenshots, video, and claims on Telegram and its website. Supporting reporting states that LACMTA confirmed a breach and that the incident disrupted parts of the transit network, including some arrival screens and transit card funding functions, though rail and bus operations continued.

Multiple cited reports, especially from Gambit Security, assess with high confidence that Ababil of Minab is not an independent hacktivist group but a front persona tied to Iran’s Ministry of Intelligence and Security (MOIS). The cited reporting explicitly states that Ababil of Minab, along with Handala Hack Team, is one of several front personas operated by MOIS. Gambit Security further linked the activity to the Iranian threat cluster tracked as Black Shadow, and some reporting also notes overlap with activity tracked as MuddyWater and Static Kitten. Hunt.io reported exposed staging infrastructure and recovered victim data and tooling, but stated that it did not independently verify Gambit’s attribution.

The actor’s operations combined destructive actions with systematic exfiltration. Reported destructive techniques included SQL Server database deletion, virtual machine deletion through vCenter, manual partition deletion through Disk Management, storage volume formatting, Veeam backup destruction, file system damage, and deletion of backup files. The reporting states that the operators used both scripted automation and hands-on-keyboard activity.

In the Vyncs intrusion, a custom Python script reportedly iterated through a hardcoded list of SQL Server instances and dropped user databases; the reporting also states that the operators used ChatGPT to refine that script. Against LA Metro, published material and reporting indicate access to VMware vCenter, Microsoft IIS servers, and a rail yard management/train control display system. The group also used Telegram to publicize claims and threats.

The reporting describes custom tooling associated with the campaign, including a Flask-based encrypted upload receiver and a bespoke C++ exfiltration tool named FileFiend. Hunt.io reported an exposed staging server containing exfiltrated data, shell history, TLS certificate files, and evidence of transfers from infrastructure previously linked to nefeshhope[.]com, an Iranian phishing operation that targeted IDF soldiers in 2025.

Beyond LACMTA, Ababil of Minab claimed or was linked to attacks affecting South Florida’s Tri-Rail commuter transit system, the vehicle tracking company Vyncs, and the Saudi company UNIMAC. Additional victims identified in reporting included an Israeli media organization, an Israeli educational institution, a Turkish insurance brokerage, and other organizations in sectors including culture, digital services, restaurants, and news. In several of those additional cases, the reporting notes evidence of exfiltration without confirmed destructive activity.

Known alias in the cited reporting: Ababil of Minab. Related MOIS-linked front persona: Handala Hack Team. Related attributed cluster names: Black Shadow, MuddyWater, Static Kitten.
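The scripted pattern described above (one principal dropping user databases across a list of SQL Server instances, then deleting VMs through vCenter) is easy to spot once audit events from both systems are normalized into one stream. The following is an added detection example, not code from the Mallory profile or from any cited report; the one-line event format, host names, account names and timestamps are all constructed for the demo.

```python
# Added example: flag a principal that destroys several distinct DB/VM objects
# across hosts inside a short window. Event lines are a constructed, normalized
# format: "<ISO-8601 UTC> <host> <principal> <action> <object>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a scripted burst by svc_backup versus one routine
# drop by a DBA hours later that should not alert.
SAMPLE_EVENTS = [
    "2026-03-28T02:14:05Z sql01 svc_backup DROP_DATABASE Sales",
    "2026-03-28T02:14:09Z sql02 svc_backup DROP_DATABASE Billing",
    "2026-03-28T02:14:12Z sql03 svc_backup DROP_DATABASE HR",
    "2026-03-28T02:14:20Z sql04 svc_backup DROP_DATABASE Fleet",
    "2026-03-28T09:30:00Z sql01 dba_jane DROP_DATABASE Scratch",
    "2026-03-28T02:20:01Z vcenter01 svc_backup VM_REMOVED web-01",
    "2026-03-28T02:20:03Z vcenter01 svc_backup VM_REMOVED db-01",
    "2026-03-28T02:20:04Z vcenter01 svc_backup VM_REMOVED veeam-01",
]

DESTRUCTIVE = {"DROP_DATABASE", "VM_REMOVED"}  # normalized action names (assumed)


def parse_event(line):
    ts, host, principal, action, obj = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, principal, action, obj


def find_bursts(lines, window=timedelta(minutes=10), min_targets=3):
    """Return {principal: {"hosts": [...], "objects": n}} for each principal
    that destroyed at least min_targets distinct (host, object) pairs within
    any sliding window of length `window`."""
    by_principal = defaultdict(list)
    for line in lines:
        ts, host, who, action, obj = parse_event(line)
        if action in DESTRUCTIVE:
            by_principal[who].append((ts, host, action, obj))

    alerts = {}
    for who, evs in by_principal.items():
        evs.sort()  # sort by timestamp so a two-pointer window works
        flagged, lo = set(), 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # drop events that fell out of the window
            targets = {(e[1], e[3]) for e in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged |= targets  # union of every qualifying window
        if flagged:
            alerts[who] = {"hosts": sorted({h for h, _ in flagged}),
                           "objects": len(flagged)}
    return alerts
```

Tune `window` and `min_targets` to the normal rate of DROP DATABASE and VM removal in your environment; the value of the rule is the cross-host correlation, which a per-instance audit alone does not give you.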
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Software & Services
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
35 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Destructive intrusion and data exfiltration campaign targeting organizations in the United States, Israel, Saudi Arabia, and Turkey, including transportation, academia, media, and insurance entities. The group used exposed staging servers, custom upload tooling, credential theft, archive-based exfiltration, and destructive wiping actions.
Iran MOIS front persona associated with wiper attacks, targeting senior officials, and doxxing activity.
Destructive and data-theft campaign targeting transportation and other organizations, including LA Metro, using scripted and hands-on-keyboard deletion of virtual machines, partitions, and databases while presenting itself as a hacktivist persona.
Conducted a destructive intrusion against LACMTA involving data exfiltration and destruction of infrastructure, and was also linked to additional intrusions affecting organizations in Israel, Turkey, Saudi Arabia, and other sectors. The group is described as tied to Iran's MOIS while presenting itself as a standalone hacktivist crew.