The operation centred on the Ministry of Justice and Legal Affairs, where attackers used a custom ASP.NET webshell to maintain access, issue commands and extract data. Exposed attacker infrastructure showed more than 26,000 DotNetNuke user records taken from ministry systems, including staff email addresses and credential material. Judicial judgments, case session attachments, committee decisions and expert certification records were also among the data sets targeted.
The breach came to light after a poorly secured command-and-control server hosted on a virtual private server in the United Arab Emirates exposed the attackers’ tools, logs, scripts and stolen files. The open directory gave researchers an unusually clear view of the intrusion chain, from reconnaissance and exploitation attempts to post-compromise data collection and persistence efforts.
Investigators found evidence of activity against 12 Omani government entities. Apart from the Ministry of Justice and Legal Affairs, the targets included the Royal Oman Police, Royal Fleet of Oman, Tax Authority, State Audit Institution, Royal Court Affairs, Authority for Public Services Regulation, Civil Aviation Authority, Information Technology Authority, Ministry of Finance, Ministry of Transport, Communications and Information Technology, and Office of Public Prosecution.
The attackers’ methods combined webshell access, database extraction, credential harvesting, SQL Server escalation and PowerShell-based command-and-control. Scripts recovered from the exposed server showed attempts to exploit Exchange servers, DotNetNuke flaws, Oracle APEX and ORDS backends, Spring Boot Actuator endpoints, Joomla installations, Fortinet appliances and national identity-related access weaknesses.
The technical evidence suggests a campaign designed for intelligence collection rather than financial crime. The focus on justice records, identity tables, ministry portals, registry hives and authentication infrastructure points to an effort to map government systems, gather sensitive personal information and obtain credentials that could support further access.
Command-and-control logs showed activity on April 10, 2026, beginning around 03:00 UTC, with traffic originating from the Ministry of Justice and Legal Affairs network. The attacker moved through host profiling, network enumeration, database schema mapping and data extraction before staging Windows registry hives in temporary system directories.
A PowerShell beacon used in the campaign polled for commands every 30 seconds and returned encoded results in small chunks. Its traffic attempted to imitate ordinary browser activity in some cases, while other requests used a native PowerShell identifier, leaving inconsistencies that helped expose the operation. A scheduled task named MicrosoftEdgeUpdate was also attempted as a persistence mechanism, but endpoint protection blocked it.
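The fixed 30-second polling and the inconsistent User-Agent strings described above are exactly the kind of signal a defender can hunt for in proxy logs. The following is an added example, not code from the report or the researchers: it groups requests by source and destination, flags pairs whose inter-request gap sits near a fixed period with little jitter, and notes when the same pair alternates between a browser-style User-Agent and the native WindowsPowerShell one. The log format, host names, addresses and UA strings are constructed assumptions; the page does not give the real values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, source IP, destination host, User-Agent.
# Hosts, addresses and UA strings are illustrative assumptions, not values from the report.
SAMPLE_LOG = """\
2026-04-10T03:00:00Z 10.20.5.14 c2.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-04-10T03:00:30Z 10.20.5.14 c2.example.invalid "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2026-04-10T03:01:00Z 10.20.5.14 c2.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-04-10T03:01:31Z 10.20.5.14 c2.example.invalid "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2026-04-10T03:02:00Z 10.20.5.14 c2.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-04-10T03:00:05Z 10.20.5.22 portal.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-04-10T03:04:12Z 10.20.5.22 portal.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
2026-04-10T03:09:40Z 10.20.5.22 portal.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

def parse_proxy_log(text):
    """Yield (timestamp, src, dst, user_agent); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4)

def find_beacons(text, period=30.0, tolerance=0.1, min_requests=4):
    """Flag (src, dst) pairs polling near `period` seconds with low jitter; mixed_ua marks browser/PowerShell UA switching."""
    by_pair = defaultdict(list)
    for ts, src, dst, ua in parse_proxy_log(text):
        by_pair[(src, dst)].append((ts, ua))
    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_requests:
            continue  # too few requests to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance * period and jitter <= tolerance * period:
            is_ps = [("WindowsPowerShell" in ua) for _, ua in events]
            hits.append({"src": src, "dst": dst, "interval": avg, "jitter": jitter,
                         "mixed_ua": any(is_ps) and not all(is_ps)})
    return hits
```

On the constructed sample, only the 10.20.5.14 to c2.example.invalid pair is flagged, with an average gap of 30 seconds and mixed User-Agents; the ordinary portal traffic is ignored.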
Attribution remains cautious. The operators’ infrastructure, tooling and target selection overlap with activity historically associated with Iranian state-nexus groups, including clusters linked to the Ministry of Intelligence and Security. A previous campaign in 2025 used a compromised Oman Ministry of Foreign Affairs mailbox in Paris to send spear-phishing emails to diplomatic and government targets around the world. The latest Oman-focused operation appears to reverse that pattern, using Omani government systems as the target rather than mainly as a platform for wider phishing.
The recovered infrastructure also showed links to a wider “dubai” server cluster, including domains registered under the same pattern and systems hosted on the same network range. Some related servers hosted pages mimicking Persian-language diaspora media or referencing censorship-circumvention tools, though the connection between those assets and the Oman intrusion has not been firmly established.
Oman’s strategic position makes its government networks attractive to regional intelligence services. The sultanate maintains diplomatic channels with Iran, Gulf states, Western governments and regional conflict actors, giving its ministries access to sensitive political, legal, identity and border-related data. A compromise of judicial or identity systems could therefore have value beyond the immediate victim agencies.
The incident also highlights a broader weakness in government-facing digital services across the region: exposed portals, ageing web frameworks, inconsistent patching and shared authentication systems can turn one ministry compromise into a wider institutional risk. The presence of scripts targeting multiple government domains suggests the attackers were testing several entry points while concentrating successful exploitation on the justice ministry environment.