Operation Iron Mirror

On August 12, 2025, the Unified National Log Correlation Platform detects coordinated activities from a single Moroccan IP: 41.137.84.72. Coordinated scanning of 47 government systems, SQL injection attempts, SMB brute-force, payload staging. The IP belongs to TransMaghreb Logistics, a legitimate logistics company in Casablanca. The company denies all malicious activity. Initial assessment: infrastructure compromised and weaponized as a relay node. 21 missions across 7 operational phases - from log correlation to web exploitation, OpenWRT router to SMB lateral movement, via FTP and SNMP, to identifying the SCARAB-7 group and recovering ransomware encryption keys from a KeePass vault.