Iran Black Shadow Used ChatGPT to Wipe US, Mideast IT Systems
Quick summary
Gambit Security links Iran MOIS group Black Shadow to June 2026 destructive campaign in US, Israel, Saudi Arabia, Turkey. Attackers used ChatGPT to refine wipe scripts.
Iran-linked group Black Shadow — behind the Ababil of Minab persona — ran a June 2026 destructive campaign across the US, Israel, Saudi Arabia, and Turkey, and researchers say operators used ChatGPT to refine deletion scripts that wiped VMs, databases, and backups while sparing protected system DBs to maximize damage.
Gambit Security ties the activity to infrastructure Israel's INCD previously attributed to Iran's Ministry of Intelligence and Security (MOIS) — not independent hacktivists.
What Did Gambit Security Find?
Gambit's June 2026 report expands beyond the LA Metro (LACMTA) claims from late March 2026:
| TTP | Detail |
|---|---|
| Exfiltration then destroy | Staging servers, bespoke tooling, multi-victim scope |
| Virtualization targets | Scripted VM/storage deletion + hands-on-keyboard DB wipes |
| Backup destruction | Backup copies removed to block recovery |
| AI-assisted scripting | ChatGPT used to optimize destructive SQL/scripts |
| Attribution | Ababil of Minab → Black Shadow → MOIS (INCD-aligned) |
Gambit counts at least four public incidents plus additional victims identified on the attackers' staging infrastructure, per Industrial Cyber and CVEdaily summaries of the report.
Why ChatGPT in a State-Aligned Wipe Campaign Matters
This is not "AI hacking" in a Hollywood sense — it is LLM-assisted operator tradecraft:
- Faster iteration on destructive payloads
- Tuning scripts to hit user application databases rather than system catalogs
- Lowering skill floor for custom wipe logic
Defender implications:
- Immutable backups off-domain — Iran campaigns explicitly target backup tiers.
- Separate admin creds for hypervisor and backup consoles.
- Detect staging exfil before wipe phase — Gambit recovered custom exfil tools.
- Assume MOIS playbooks escalate with Hormuz/Iran news cycles.
Cross-read Ababil LA Metro March 2026, Kuwait Iran missiles June 2026, and Claude Mythos patch guide.
What Should Developers and SREs Do Now?
Runbook checks this week:
- Backup restore test from an offline or immutable copy, timed end to end
- Hypervisor role MFA plus an audit of break-glass accounts
- Remove any shared admin identity between the backup SaaS and production IAM
- Review DB audit trails for bulk DELETE, DROP and TRUNCATE activity against application databases
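The last runbook item and the "detect staging exfil before wipe phase" point above both come down to spotting the destructive phase early in your own telemetry. The following is an added example written for this page, not code from Gambit Security or from the original article. It assumes a simplified tab-separated audit format (timestamp, user, database, statement) and a fixed burst threshold; both are constructed for illustration, and the sample audit lines are made up. It flags an identity that issues several unscoped destructive statements against non-system databases inside a short window, which is the pattern the article describes (wipes aimed at application data while system catalogs are left alone).

```python
"""Flag mass-deletion bursts in a database audit trail.

Added example, not from the Gambit report or the original article.
Assumptions (constructed for this example):
  - audit lines are "ISO8601-timestamp\tuser\tdatabase\tstatement"
  - 3 destructive statements within 60 seconds is the alert threshold
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# System/catalog databases excluded from the count. Routine maintenance here
# is normal and the wipe pattern described on the page targets user DBs.
SYSTEM_DBS = {
    "master", "model", "msdb", "tempdb", "postgres", "template0",
    "template1", "mysql", "information_schema", "performance_schema", "sys",
}

# Wipe primitives: DELETE, DROP TABLE/DATABASE/SCHEMA, TRUNCATE.
DESTRUCTIVE = re.compile(
    r"^\s*(DELETE\s+FROM|DROP\s+(TABLE|DATABASE|SCHEMA)|TRUNCATE(\s+TABLE)?)\b",
    re.IGNORECASE,
)

# Constructed sample audit lines for demonstration only.
SAMPLE_AUDIT = """\
2026-06-12T02:14:03Z\tapp_svc\tcrm\tSELECT id FROM customers WHERE id=42
2026-06-12T02:14:05Z\tapp_svc\tcrm\tDELETE FROM sessions WHERE expires < now()
2026-06-12T02:31:10Z\tdba_admin\tcrm\tDROP TABLE customers
2026-06-12T02:31:11Z\tdba_admin\tcrm\tDROP TABLE orders
2026-06-12T02:31:12Z\tdba_admin\tcrm\tTRUNCATE TABLE audit_events
2026-06-12T02:31:13Z\tdba_admin\tbilling\tDELETE FROM invoices
2026-06-12T02:31:14Z\tdba_admin\tbilling\tDROP DATABASE billing
2026-06-12T02:31:15Z\tdba_admin\tmaster\tSELECT name FROM sys.databases
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, database, statement)."""
    ts, user, db, stmt = line.rstrip("\n").split("\t", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, db, stmt


def is_destructive(stmt):
    """True for DROP/TRUNCATE and for DELETE without a WHERE clause.

    A scoped DELETE (with WHERE) is ordinary application behaviour; an
    unscoped one empties the table and is treated as a wipe primitive.
    """
    if not DESTRUCTIVE.match(stmt):
        return False
    if stmt.lstrip().upper().startswith("DELETE") and re.search(r"\bWHERE\b", stmt, re.I):
        return False
    return True


def find_wipe_bursts(audit_text, window=timedelta(seconds=60), threshold=3):
    """Return {user: [(database, statement), ...]} for every identity that
    issued at least `threshold` destructive statements against non-system
    databases inside any `window`-long span. All of that user's destructive
    statements are returned so the responder sees the full blast radius."""
    per_user = defaultdict(list)
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ts, user, db, stmt = parse_line(line)
        if db.lower() in SYSTEM_DBS or not is_destructive(stmt):
            continue
        per_user[user].append((ts, db, stmt))

    alerts = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = [(db, stmt) for _, db, stmt in events]
                break
    return alerts


if __name__ == "__main__":
    for user, actions in find_wipe_bursts(SAMPLE_AUDIT).items():
        print(f"ALERT {user}: {len(actions)} destructive statements")
        for db, stmt in actions:
            print(f"  {db}: {stmt}")
```

Run as-is it reports the `dba_admin` burst (five destructive statements in five seconds across `crm` and `billing`) and stays silent on `app_svc`, whose scoped session cleanup is normal. To use this against a real audit source (pgaudit, SQL Server Audit, the MySQL audit plugin) replace `parse_line` with a parser for that format and tune `SYSTEM_DBS`, `window` and `threshold` to your environment; the sliding-window logic does not change.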
For enterprise AI-agent risk framing see the Trump AI cyber order coverage; the Will AI Replace Me piece is career context only. This incident is offensive LLM misuse by human operators, not a risk posed by Copilot in your IDE.
Key Takeaways
- June 2026 Gambit report: Black Shadow / Ababil destructive wave in US + Middle East
- ChatGPT used to refine wipe scripts — AI as operator accelerator, not autonomous APT
- Attribution: MOIS-linked Black Shadow, not standalone hacktivists
- Backups and VMs explicitly destroyed — recovery requires immutable copies
- For developers: test restores, segment backup admin, monitor exfil staging
Frequently Asked Questions
Who is Black Shadow in the June 2026 cyber campaign?
Black Shadow is an Iran-linked threat group that Israel's National Cyber Directorate has associated with Iran's Ministry of Intelligence and Security. Gambit Security's June 2026 report links the pro-Iranian persona Ababil of Minab to Black Shadow infrastructure and tactics.
Did Iran-linked hackers use ChatGPT in cyberattacks?
Researchers reported that operators in the Black Shadow campaign used ChatGPT to refine destructive scripts, including database deletion logic tuned to maximize operational damage while avoiding certain protected system databases.
Which countries were targeted by the Black Shadow June 2026 campaign?
Gambit Security documented destructive activity affecting organizations in the United States, Israel, Saudi Arabia, and Turkey, including incidents tied to the Ababil of Minab persona that claimed the Los Angeles Metro attack.
What should developers do after Iran destructive cyber campaigns?
Teams should verify immutable offline backups, separate backup administrator credentials from production IAM, test restore procedures, and monitor for data exfiltration staging before destructive phases on virtualization and database platforms.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.
