Behind Enemy Code: Iranian Cyber Spies Expose Themselves in Omani Government Hack
Subtitle: A careless misstep by Iranian-linked hackers reveals a sweeping campaign to steal sensitive data from Oman’s ministries, and their entire hacking playbook.
It was the kind of blunder most cybercriminals only fear in nightmares: a private server, left wide open, spilling the secrets of an ongoing digital espionage operation. In early April 2026, security researchers stumbled upon the operational heart of an Iranian-nexus hacker group as they targeted the Omani government. Not only was their target list exposed, but so too were their tools, notes, and even their failures, offering a rare inside look at how state-backed hackers wage digital war.
Inside the Operation
The breach began with classic tactics: password brute-forcing and vulnerability scanning against key Omani government portals. The attackers, traced back to Iranian interests, zeroed in on the Royal Oman Police’s eVisa system and the State Audit Institution’s training site, hammering away at login credentials and searching for exploitable cracks.
When brute force wasn’t enough, they unleashed targeted exploit scripts, most notably attempts to leverage ProxyShell vulnerabilities against government email servers. Although these attempts largely failed, the attackers’ persistence paid off elsewhere: session cookies captured from the eVisa portal confirmed they had successfully bypassed authentication, opening the door to sensitive data.
The real revelation came when researchers discovered two open directories on the hackers’ staging server, hosted by RouterHosting in the UAE. One directory mapped out the reconnaissance and initial access phase; the other, a post-compromise environment, was a digital goldmine. Here, the hackers’ arsenal was on full display: custom webshells for persistent access, a bevy of Python scripts for exploiting everything from DotNetNuke SSRF bugs to SQL Server privilege escalation, and even multiple iterations of the GodPotato privilege escalation tool, each version tweaked in response to defensive roadblocks.
The attackers’ infrastructure was equally sophisticated. Their command-and-control (C2) network spanned multiple ports: standard web ports for stealthy reverse shells, port 7777 for encrypted Chisel tunnels, and the 8000 range for beacon signals and data exfiltration. Each move was documented in real time, with failure notes and code revisions left in plain sight, evidence of a highly adaptive, if operationally careless, adversary.
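The brute-forcing described above leaves a distinctive trace in a portal's access logs: a burst of failed logins from one source, sometimes followed by a success that means a credential was guessed rather than merely probed. The script below is an added example written for this article, not code from the researchers or the Omani agencies involved. The log format, the status-code convention (401 for a failed login, 302 for a successful one), the window and threshold values, and the sample lines are all constructed assumptions.

```python
"""Detect credential brute-forcing against a web login endpoint from
access-log lines, and flag a success that follows a burst of failures.

Added example, not from the article or the researchers' report. Log
format, field names and the sample lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines: "<timestamp> <src_ip> <method> <path> <status>"
# Assumed convention: HTTP 401 on the login path = failed login, 302 = success.
SAMPLE_LOG = """\
2026-04-02T08:00:01Z 203.0.113.7 POST /login 401
2026-04-02T08:00:02Z 203.0.113.7 POST /login 401
2026-04-02T08:00:02Z 198.51.100.4 POST /login 302
2026-04-02T08:00:03Z 203.0.113.7 POST /login 401
2026-04-02T08:00:04Z 203.0.113.7 POST /login 401
2026-04-02T08:00:05Z 203.0.113.7 POST /login 401
2026-04-02T08:00:06Z 203.0.113.7 POST /login 401
2026-04-02T08:00:08Z 203.0.113.7 POST /login 302
2026-04-02T08:20:00Z 203.0.113.7 POST /login 401
2026-04-02T08:00:09Z 192.0.2.9 POST /login 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
LOGIN_PATH = "/login"            # assumption: the portal's login endpoint
WINDOW = timedelta(minutes=5)    # sliding window for counting failures
THRESHOLD = 5                    # failures within WINDOW that count as brute-forcing


def parse_line(line):
    """Parse one constructed log line; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a dict of alerts keyed by source IP.

    'bruteforce' is set when the IP accumulates >= threshold failed logins
    inside the sliding window; 'success_after_burst' is set when a successful
    login arrives while that window is still over threshold, which is the
    signal that a credential was guessed and the account should be treated
    as compromised.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = defaultdict(lambda: {"bruteforce": False, "success_after_burst": False})
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs are not always in order
    for e in events:
        if e["path"] != LOGIN_PATH or e["method"] != "POST":
            continue
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e["status"] == 401:
            q.append(e["ts"])
            if len(q) >= threshold:
                alerts[e["ip"]]["bruteforce"] = True
        elif e["status"] == 302 and len(q) >= threshold:
            alerts[e["ip"]]["success_after_burst"] = True
    return dict(alerts)


if __name__ == "__main__":
    for ip, flags in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, flags)
```

On the constructed sample, only 203.0.113.7 is flagged: it crosses the threshold within seconds and then logs in successfully, while the single failure from 192.0.2.9 and the isolated failure twenty minutes later fall below it. In production the window and threshold should be tuned against the portal's normal failure rate, and the success-after-burst flag is the one worth paging on, since it maps directly to the captured-session-cookie finding in the article.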
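The port map above (7777 for Chisel tunnels, the 8000 range for beacons and exfiltration) gives a defender two independent signals to hunt for in outbound connection records: traffic to those ports, and, regardless of port, a host that contacts the same destination at a near-constant interval, which is what a beacon looks like. The script below is an added example written for this article, not code from the researchers or any of the parties involved. The record format, the sample flows, the port list and the regularity threshold are constructed assumptions to be tuned per environment.

```python
"""Flag candidate command-and-control traffic in outbound connection records:
connections to the ports the article describes (7777 for Chisel tunnels,
8000-8999 for beacons and exfiltration) and, independently of port, hosts
that call the same destination at a near-constant interval.

Added example, not from the article or the researchers' report. Record
format and sample data are constructed; the port set and jitter threshold
are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 10.0.5.21 beacons every 60 s to port 8080; 10.0.5.22 opens one 7777 tunnel;
# 10.0.5.30 is ordinary, irregular HTTPS browsing.
SAMPLE_FLOWS = """\
2026-04-02T09:00:00Z 10.0.5.21 192.0.2.50 8080 312
2026-04-02T09:01:00Z 10.0.5.21 192.0.2.50 8080 315
2026-04-02T09:02:00Z 10.0.5.21 192.0.2.50 8080 310
2026-04-02T09:03:00Z 10.0.5.21 192.0.2.50 8080 314
2026-04-02T09:04:00Z 10.0.5.21 192.0.2.50 8080 311
2026-04-02T09:00:10Z 10.0.5.22 192.0.2.50 7777 2048
2026-04-02T09:00:05Z 10.0.5.30 198.51.100.9 443 5120
2026-04-02T09:07:41Z 10.0.5.30 198.51.100.9 443 990
2026-04-02T09:23:02Z 10.0.5.30 198.51.100.9 443 7700
2026-04-02T09:31:19Z 10.0.5.30 198.51.100.9 443 1500
2026-04-02T09:44:50Z 10.0.5.30 198.51.100.9 443 300
"""

# Assumption: derived from the article's port map; extend with local knowledge.
SUSPECT_PORTS = {7777} | set(range(8000, 9000))
MIN_BEACONS = 4   # need at least this many connections to judge regularity
MAX_CV = 0.15     # coefficient of variation of intervals below this = regular


def parse_flows(text):
    """Parse constructed flow records into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), int(nbytes)))
    return flows


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive timestamps.

    A value near 0 means the connections fire on a fixed schedule, the
    classic beacon signature; human-driven traffic scores much higher.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def find_c2_candidates(flows, suspect_ports=SUSPECT_PORTS,
                       min_beacons=MIN_BEACONS, max_cv=MAX_CV):
    """Return {(src, dst, port): [reasons]} for tuples worth analyst review."""
    by_tuple = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_tuple[(src, dst, port)].append(ts)
    findings = {}
    for key, stamps in by_tuple.items():
        reasons = []
        if key[2] in suspect_ports:
            reasons.append("suspect_port")
        if len(stamps) >= min_beacons and interval_cv(stamps) < max_cv:
            reasons.append("regular_interval")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in find_c2_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(key, reasons)
```

The two signals are deliberately kept separate: the port check catches the single Chisel connection that has no cadence yet, while the interval check would still catch a beacon moved to 443 once the attacker notices the port-based rule. Real beacons usually add jitter, so MAX_CV needs tuning against a baseline of the network's own scheduled traffic (updaters, monitoring agents) to keep false positives down.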
This accidental transparency provides an unprecedented window into how state-aligned hackers refine their methods and adapt to evolving defenses. It also underscores a crucial lesson: even the most advanced threat actors are not immune to human error.
Conclusion
The Omani government breach is a stark reminder that the digital shadows where cyber spies operate can quickly turn into glass houses. While Iranian-linked hackers demonstrated technical prowess and adaptability, a single exposed server unraveled their secrets, offering defenders a rare opportunity to study the enemy’s playbook in detail. In cyberwar, as on any battlefield, complacency is the enemy’s ally and the investigator’s best friend.
WIKICROOK
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- ProxyShell: ProxyShell is a set of serious security flaws in Microsoft Exchange servers that let attackers break in, steal data, or take control if unpatched.
- Webshell: A webshell is a hidden program uploaded by hackers to a compromised website, giving them remote control and unauthorized access like a secret backdoor.
- Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
- Session Cookie: A session cookie is a temporary file in your browser that keeps you logged into a website; if stolen, it can let others access your account.