A new report by Gambit Security Threat Intelligence, published in June 2026, links the Iran-backed Black Shadow group to a destructive cyber campaign that employs AI-refined scripts to systematically destroy databases and backup solutions. This operation targets organizations across the U.S., Israel, Saudi Arabia, and Turkey, leveraging automated precision with hands-on keyboard operations. The group, also associated with the pro-Iranian persona "Ababil of Minab," is confirmed to be exfiltrating data and deploying destructive payloads.

What Happened

A new report by Gambit Security Threat Intelligence, released in June 2026, connects the Iran-linked Black Shadow group to a highly destructive cyber campaign. This operation targets organizations across the U.S., Israel, Saudi Arabia, and Turkey, involving the pro-Iranian persona Ababil of Minab. Attacks are a dual threat, combining data exfiltration with significant destructive actions, as detailed by Industrial Cyber.

The group targets IT systems, virtualization platforms, databases, and backup solutions. The destructive operations use both scripted automation and hands-on keyboard activity. Forensic evidence gathered by Gambit Security links current activity to infrastructure and tactics previously associated with Black Shadow, a group the Israel National Cyber Directorate attributes to Iran's Ministry of Intelligence and Security.

A significant finding is the observed use of ChatGPT by the group to refine a database destruction script. Gambit Security researchers confirm this AI assistance focused on excluding protected system databases, ensuring attacks concentrated on user application databases. This shows attackers combining legitimate administrative tools, automation, scripting, and AI to accelerate destructive operations against enterprise and critical infrastructure environments.

Why It Matters

This is not a typical data breach; it is a targeted effort to wipe out critical systems and their recovery mechanisms. The Black Shadow campaign’s goal extends beyond data theft to operational disruption and destruction, directly impacting IT, application, virtualization, and backup infrastructure across multiple regions. For confirmed victims, the group claims the compromised data itself acts as a detailed operational map of their businesses, offering attackers deep insight for precise targeting; no organization has confirmed the scope of data exfiltration.

The explicit use of AI tools like ChatGPT to refine destructive scripts changes the attack dynamic. It allows for more precise attacks that can bypass system defenses designed for cruder, less refined methods. Instead of wholesale destruction, the group aims to surgically remove specific data sets while leaving critical system functions intact enough to hinder swift recovery. This precision, combined with the geopolitical motivations of a state-sponsored group like Black Shadow, means these campaigns are persistent, well-funded, and adaptable. Threat actors are actively enhancing their attack capabilities with public resources.

Affected Scope & Remediation

The campaign broadly targets organizations in the U.S., Israel, Saudi Arabia, and Turkey. Gambit Security researchers identified at least four publicly claimed incidents, with additional victim organizations found on the attacker's staging infrastructure, as reported by Industrial Cyber. While no specific CVEs are central to this report, the focus is on the group's tactics, techniques, and procedures (TTPs), meaning defense must be proactive and comprehensive.

Defense against such destructive campaigns starts with thorough incident response planning, aligning with NIST SP 800-53 IR-4 Incident Handling. Organizations need detailed playbooks for data exfiltration and, critically, for system destruction and recovery. Assume compromise.

Enforce strong access controls and adhere to AC-6 Least Privilege across all systems, especially those hosting sensitive data or managing backup solutions. Multi-factor authentication (MFA) is mandatory for all external and internal administrative access. Endpoint Detection and Response (EDR) solutions, like CrowdStrike Falcon or SentinelOne, are critical for monitoring hands-on keyboard activity and detecting unusual script execution. These tools can flag suspicious processes or database modifications that might indicate pre-destruction reconnaissance or the destructive phase itself.

Critical infrastructure operators must ensure their backup solutions are immutable, air-gapped, and regularly tested for restorability. Products like Veeam offer immutability features that protect against attackers attempting to inhibit system recovery (T1490 Inhibit System Recovery) by destroying or encrypting backups. Strengthen network segmentation to contain potential breaches and limit lateral movement. Focus on auditing database activity and monitoring for anomalous queries or bulk deletions. The Gambit Security report was published in June 2026, with Industrial Cyber reporting on May 29, 2026; this campaign is ongoing, so immediate action is paramount.
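As an added illustration of the database auditing called for above (not code from the report or from Gambit Security), the following Python flags a login that drops several user databases within a short window while skipping the system databases the report says the refined script excluded; the audit-line layout, account names, sample lines and threshold are all constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# System databases the report says the refined script skipped; a burst of
# DROP DATABASE statements hitting only non-system databases is the signal.
SYSTEM_DBS = {"master", "model", "msdb", "tempdb"}
# Constructed (hypothetical) audit-line layout: "<ISO timestamp> <login> <statement>"
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+DATABASE\s+(?:IF\s+EXISTS\s+)?\[?([^\]\s;]+)\]?", re.I)

def detect_bulk_drops(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per login, (login, first_drop_time, [databases]),
    when that login drops at least `threshold` user databases inside `window`."""
    drops = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, login, stmt = m.groups()
        d = DROP_RE.match(stmt)
        if not d or d.group(1).lower() in SYSTEM_DBS:
            continue  # not a DROP, or a system DB the campaign left alone
        drops[login].append((datetime.fromisoformat(ts), d.group(1)))

    alerts = []
    for login, events in drops.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted drops
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((login, events[start][0],
                               [db for _, db in events[start:end + 1]]))
                break
    return alerts

# Constructed sample lines (not real telemetry): a service account drops three
# user databases in seconds; a DBA's single drop hours later stays under the threshold.
SAMPLE_LOG = [
    "2026-05-20T02:14:01 CORP\\svc_backup SELECT name FROM sys.databases",
    "2026-05-20T02:14:05 CORP\\svc_backup DROP DATABASE [Orders]",
    "2026-05-20T02:14:06 CORP\\svc_backup DROP DATABASE [Billing]",
    "2026-05-20T02:14:07 CORP\\svc_backup DROP DATABASE [HR]",
    "2026-05-20T02:14:08 CORP\\svc_backup DROP DATABASE tempdb",
    "2026-05-20T09:30:00 CORP\\dba_jane DROP DATABASE [StagingOld]",
]
```

Calling detect_bulk_drops(SAMPLE_LOG) returns a single alert for CORP\svc_backup covering Orders, Billing and HR; the tempdb line is ignored and the DBA's lone drop never reaches the threshold.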

Technical Breakdown

The Black Shadow campaign typically begins with an unspecified initial access vector, common for state-sponsored operations. Once initial access is established, attackers perform extensive reconnaissance and lateral movement, often using valid accounts (T1078 Valid Accounts) to map the network and identify high-value targets like critical databases, virtualization platforms, and backup servers. During this phase, they exfiltrate sensitive data (T1041 Exfiltration Over C2 Channel), creating a comprehensive operational map of the victim's business.

The destructive phase is where the campaign gets its precision. Instead of simply wiping entire drives, Black Shadow uses automated scripts, frequently PowerShell (T1059.001 PowerShell), that have been refined with AI tools like ChatGPT. Imagine a demolition expert tasked with taking down specific floors of a building while leaving the structural integrity of the rest of the complex intact. Rather than setting charges indiscriminately, the expert uses precise calculations to target only specific support beams. Similarly, ChatGPT was used to adjust destruction scripts, ensuring they avoid protected system databases and focus exclusively on user application data. This refined targeting minimizes collateral damage that might alert defenders prematurely or hinder subsequent operations, while maximizing data loss where it counts.

Crucially, the campaign includes a focus on inhibiting system recovery. This means actively targeting and compromising backup solutions (T1490 Inhibit System Recovery), either by encrypting, deleting, or otherwise corrupting backup data. This TTP is designed to prevent quick recovery, prolonging the victim's downtime and magnifying the operational impact. Effective defense against such multi-stage, human-assisted automated attacks requires kernel-level telemetry and AU-6 Audit Record Review, Analysis, and Reporting to detect unusual activity patterns, from initial reconnaissance to the destructive payload execution.

Historical Context

The Black Shadow group has a documented history of targeting organizations with destructive and data-leaking campaigns. A notable incident occurred in late 2021, when the group launched a series of attacks against various Israeli entities. These attacks resulted in the public leak of sensitive user data from several high-profile Israeli websites, including an LGBTQ dating site, a travel booking platform, and a health insurance provider, causing significant disruption and privacy concerns. The group claimed to have exposed sensitive user data; the total number of affected individuals has not been independently confirmed by any of the victim organizations.

The 2021 attacks share similarities with the current campaign in their use of data exfiltration and the intent to cause significant harm and disruption. However, a key difference in the current 2026 campaign is the explicit, observed integration of AI tools like ChatGPT to refine destructive operations. The earlier attacks primarily focused on data exposure and public shaming, while the current activities demonstrate a clear evolution towards more surgical data obliteration and direct targeting of critical infrastructure's recovery capabilities, reflecting a more sophisticated and damaging approach.

Data at a Glance

Metric | Value | Source
Threat Actor Attribution | Iran's Ministry of Intelligence and Security | Gambit Security
Targeted Countries | 4 countries | Industrial Cyber
Publicly Claimed Incidents | 4 incidents | Industrial Cyber
Year of Previous Campaign | 2021 | BleepingComputer
AI Tool Used for Script Refinement | ChatGPT | SecurityWeek

[Chart: key metrics for Black Shadow Linked to Destructive Cyber Campaign in US, ME]
Key metrics — data from sources cited above

Our Take

We're beyond the point where AI is just a theoretical threat multiplier. The Black Shadow campaign demonstrates that general-purpose AI, even something like ChatGPT, is actively being used by state-sponsored actors to enhance precision in destructive cyber operations. This means less noisy attacks, more focused impacts, and quicker execution for adversaries. Defensive teams need to adjust their monitoring to detect these subtle, AI-refined script anomalies, pushing for more aggressive automation in threat detection and response to keep pace.

The CVEDaily Take

This campaign by Black Shadow isn't just about data loss; it's about denying critical infrastructure the ability to function and recover, a significant escalation in hybrid warfare. The shift to AI-assisted precision in database destruction means traditional backup strategies need rigorous validation against targeted data obliteration. Has your team audited your database access logs for AI-refined script anomalies since this report dropped?

FAQ

Q1: Who is Black Shadow?
A1: Black Shadow is a pro-Iranian threat group that the Israel National Cyber Directorate attributes to Iran's Ministry of Intelligence and Security. They are known for politically motivated cyber campaigns, often involving data exfiltration and destructive actions against organizations, particularly in Israel and now more broadly across the U.S. and the Middle East.

Q2: What's the role of AI like ChatGPT in this campaign?
A2: Threat actors are using ChatGPT to refine destructive database scripts. Instead of indiscriminately wiping all databases, the AI helps them modify scripts to specifically exclude protected system databases and focus their destructive efforts on user application databases. This makes their attacks more precise, targeted, and potentially harder to detect and recover from, as core system functions might remain operational while critical data is lost.

Q3: How can organizations defend against these types of destructive campaigns?
A3: Defense requires a multi-layered approach: strong access controls and MFA enforcement, effective endpoint detection and response (EDR) to identify hands-on keyboard activity and unusual script execution, immutable and air-gapped backups that are regularly tested, and comprehensive incident response plans. Network segmentation, continuous monitoring for database anomalies, and a focus on least privilege are also critical for containing and mitigating such sophisticated, destructive attacks.