
Iranian Threat Actor Nimbus Manticore Expands Wartime Cyber Operations with AI-Assisted Malware and SEO Poisoning

Written by The Hivemind | Jun 1, 2026 7:01:24 PM

Verticals Targeted: Aviation, Defense, Telecommunications, Software Development, Government
Regions Targeted: US, Israel, UAE, Saudi Arabia, Western Europe, Middle East, Africa
Related Threat Actors: Nimbus Manticore
Related Families: MiniJunk, MiniFast

Executive Summary

IRGC-affiliated threat actor Nimbus Manticore significantly expanded its operational capabilities during the ongoing 2026 Middle East conflict, introducing a new backdoor dubbed MiniFast alongside advanced delivery mechanisms including AppDomain Hijacking, scheduled task abuse, and SEO poisoning. The campaign has targeted aviation, software, defense, and telecommunications organizations across the US, Europe, and the Middle East using phishing lures, Trojanized software installers, and stealth-focused persistence techniques designed to blend into legitimate enterprise activity.

Key Takeaways

  • Nimbus Manticore introduced MiniFast, a newly identified modular backdoor capable of extensive remote system control.
  • The actor adopted AppDomain Hijacking as a stealthier execution method in place of traditional DLL sideloading.
  • Campaigns abused legitimate Zoom installation workflows and scheduled tasks to establish persistence while reducing detection opportunities.
  • Researchers observed evidence suggesting AI-assisted malware development practices within both loaders and the MiniFast implant itself.
  • The actor expanded beyond phishing campaigns by leveraging SEO poisoning through fake SQL Developer download sites.

Background

Nimbus Manticore, also tracked as UNC1549, is an Iranian IRGC-affiliated threat actor known for targeting aviation, telecommunications, software, and defense organizations through socially engineered phishing operations. The group previously relied on the MiniJunk malware framework in campaigns targeting organizations throughout Western Europe and the Middle East.

During Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, researchers observed Nimbus Manticore rapidly evolving its malware ecosystem and operational techniques. The campaign demonstrated the actor’s ability to maintain infrastructure, develop new tooling, and deploy updated infection chains despite heightened geopolitical tensions and wartime operational pressures. The activity occurred across three primary campaign waves spanning February through April 2026. Each successive wave introduced additional stealth capabilities, expanded targeting, and increasingly sophisticated malware deployment mechanisms. Check Point Research reported on this activity.

AppDomain Hijacking Replaces Traditional DLL Sideloading

In the first observed campaign wave during February 2026, Nimbus Manticore began leveraging AppDomain Hijacking to execute malicious code through trusted .NET applications. The technique abuses legitimate configuration files to force the .NET runtime to load attacker-controlled DLLs during application startup.

Victims, primarily within aviation and software organizations in Saudi Arabia and Australia, received phishing lures masquerading as job opportunities hosted on the OnlyOffice platform. Downloaded ZIP archives contained Microsoft-signed executables, malicious configuration files, and loader DLLs designed to deploy the next-stage payload.

After execution, the malware extracted additional payloads into user package directories and deployed a new variant of the MiniJunk backdoor. The loader validated that it was specifically executed by the intended process and displayed a fake error message stating “Couldn't connect to survey server” to reduce user suspicion and mimic legitimate application failures.

Unlike traditional DLL sideloading, AppDomain Hijacking enables malware to execute entirely within trusted application contexts, complicating behavioral detection and reducing the likelihood of suspicious child process generation.
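The report does not name the configuration keys the actor used; the documented .NET Framework mechanism that an AppDomainManager override relies on is the `appDomainManagerAssembly` / `appDomainManagerType` pair under `<runtime>` in an application's `.exe.config`. The scanner below is an added example, not code from Check Point's or PolySwarm's analysis: it parses a config file and flags any such override, rating it higher when the named assembly is not strong-named (a `PublicKeyToken=null` or missing token means the runtime will bind to whatever matching-named DLL it finds on its probing path). The two sample configs, the assembly name `UpdateHelper` and the `triage` ratings are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed samples (not files from the report): a benign app.exe.config
# and one that redirects the .NET AppDomainManager to an unsigned assembly.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""


@dataclass
class Finding:
    element: str    # <runtime> element that redirects assembly loading
    value: str      # configured value (assembly display name or type name)
    unsigned: bool  # True when the assembly name is not strong-named


def _is_unsigned(assembly_name: str) -> bool:
    # A strong-named assembly carries PublicKeyToken=<16 hex chars>; a null or
    # missing token lets any DLL with that simple name satisfy the bind.
    parts = [p.strip().lower() for p in assembly_name.split(",")]
    tokens = [p for p in parts if p.startswith("publickeytoken=")]
    return not tokens or tokens[0] == "publickeytoken=null"


def scan_config(xml_text: str) -> list[Finding]:
    """Return every AppDomainManager override found under <runtime>."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    asm = runtime.find("appDomainManagerAssembly")
    if asm is not None:
        value = asm.get("value", "")
        findings.append(Finding("appDomainManagerAssembly", value, _is_unsigned(value)))
    typ = runtime.find("appDomainManagerType")
    if typ is not None:
        findings.append(Finding("appDomainManagerType", typ.get("value", ""), False))
    return findings


def triage(xml_text: str) -> str:
    """'clean' (no override), 'review' (override to a strong-named assembly)
    or 'high' (override to an unsigned assembly)."""
    findings = scan_config(xml_text)
    if not findings:
        return "clean"
    return "high" if any(f.unsigned for f in findings) else "review"


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(label, triage(cfg), scan_config(cfg))
```

Run it across every `*.exe.config` beside a signed Microsoft binary in user-writable locations; a legitimate desktop application almost never ships an AppDomainManager override, so any hit deserves a look at the DLL it names. The same override can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which a file scanner will not see; cover those with process-environment telemetry.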

Trojanized Zoom Installer Used for Multi-Stage Infection Chain

During Operation Epic Fury, Nimbus Manticore expanded its phishing activity with fake airline-themed lures and Trojanized Zoom installers, likely distributed through meeting-invitation campaigns. Researchers noted that the malicious installer closely replicated legitimate Zoom installation behavior, indicating extensive research into the application’s execution flow.

The infection chain began with a compressed archive containing multiple components, including Microsoft-signed binaries, malicious configuration files, loader DLLs, and the final MiniFast payload.

Upon execution, the first-stage loader launched the legitimate Zoom installer while simultaneously displaying a fake installation progress window to preserve the appearance of normal software installation activity. The malware then monitored the system for creation of the legitimate Zoom scheduled task ZoomUpdateTaskUser-<current user SID>. Once created, the malware hijacked the task to execute the next-stage payload rather than creating its own suspicious persistence mechanism.

The second-stage loader copied files into the Zoom update directory and again leveraged AppDomain Hijacking to load malicious code through trusted processes. Researchers also identified anti-analysis logic that restricted execution unless the malware was launched specifically by update.exe with svchost.exe as the parent process. The campaign additionally abused valid SSL.com-issued code-signing certificates associated with Gray Matter Software S.R.L. and Kirubel Kerie Negeya, continuing the actor’s documented use of trusted signing infrastructure to reduce detection rates.
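One way to hunt for the task hijack described above, as an added example that is not code from the report: export the `ZoomUpdateTaskUser-<SID>` task's XML (`schtasks /Query /TN <name> /XML`) and compare its `Exec` actions against a baseline captured from a known-clean Zoom install. A hijacked task keeps its legitimate name and trigger, so the name alone is useless; the command, arguments and working directory are what change. The two XML samples, the file paths, the SID and the `hunt` logic are constructed here; the report does not document the legitimate task's action, so the baseline values are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# The report names the task as ZoomUpdateTaskUser-<current user SID>.
ZOOM_TASK_RE = re.compile(r"^ZoomUpdateTaskUser-S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed Task Scheduler XML in the format schtasks exports. Paths and
# the SID are placeholders, not values from the report.
BASELINE_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\ZoomUpdateTaskUser-S-1-5-21-1111-2222-3333-1001</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe</Command>
      <Arguments>--update</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Same task after its action has been redirected to another binary.
HIJACKED_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\ZoomUpdateTaskUser-S-1-5-21-1111-2222-3333-1001</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Zoom\bin\update\Host.exe</Command>
      <Arguments>--silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


@dataclass(frozen=True)
class TaskAction:
    command: str
    arguments: str
    working_dir: str


def parse_task(xml_text: str) -> tuple[str, list[TaskAction]]:
    """Return (task name, list of Exec actions) from Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.strip().rsplit("\\", 1)[-1]
    actions: list[TaskAction] = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        def text(tag: str) -> str:
            return ex.findtext(f"t:{tag}", default="", namespaces=TASK_NS).strip()
        actions.append(TaskAction(text("Command"), text("Arguments"), text("WorkingDirectory")))
    return name, actions


def hunt(baseline_xml: str, current_xml: str) -> list[str]:
    """Alert strings describing how the current task departs from baseline.
    Empty list means the task matches; tasks outside the Zoom name pattern
    are out of scope and return no alerts."""
    base_name, base_actions = parse_task(baseline_xml)
    cur_name, cur_actions = parse_task(current_xml)
    alerts: list[str] = []
    if not ZOOM_TASK_RE.match(cur_name):
        return alerts
    if cur_name != base_name:
        alerts.append(f"task name differs from baseline: {cur_name!r}")
    if len(cur_actions) != len(base_actions):
        alerts.append(f"action count changed: {len(base_actions)} -> {len(cur_actions)}")
    for i, (b, c) in enumerate(zip(base_actions, cur_actions)):
        for field in ("command", "arguments", "working_dir"):
            old, new = getattr(b, field), getattr(c, field)
            if old.lower() != new.lower():  # Windows paths are case-insensitive
                alerts.append(f"action[{i}].{field} changed: {old!r} -> {new!r}")
    return alerts


if __name__ == "__main__":
    print("clean  :", hunt(BASELINE_XML, BASELINE_XML))
    print("hijack :", hunt(BASELINE_XML, HIJACKED_XML))
```

Because the task runs under the Task Scheduler service, its payload's parent is svchost.exe, which is exactly the parent relationship the loader's anti-analysis check looks for; a process-creation rule that pairs "parent is the scheduler svchost" with "image path under a user-writable Zoom directory" complements this baseline diff.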

Evidence Suggests AI-Assisted Malware Development

Researchers identified multiple coding characteristics within both the loaders and MiniFast backdoor that suggest the use of AI-assisted development tools. These indicators included verbose error handling around otherwise simple API calls, modular code organization, descriptive function naming conventions, and extensive debug-style messaging embedded throughout the codebase.

Check Point Research analysts assessed that AI-assisted tooling likely enabled Nimbus Manticore to accelerate malware development cycles, rapidly modify operational tooling, and sustain development velocity during active military conflict. While AI-assisted malware development does not necessarily increase sophistication independently, it can substantially reduce development timelines and lower operational overhead for threat actors maintaining large-scale campaigns.

MiniFast Introduces Expanded Remote Access Capabilities

The most significant technical development in the campaign was the introduction of MiniFast, a previously undocumented 64-bit Windows DLL backdoor designed for long-term persistence and remote command execution. MiniFast communicates with command-and-control infrastructure using structured HTTP endpoints and JSON-formatted communications while impersonating legitimate Chrome browser traffic through hardcoded User-Agent strings. The malware performs host reconnaissance prior to entering its tasking loop, collecting information including usernames, domain details, and hostnames before registering infected systems with the C2 infrastructure.

The backdoor supports a broad range of remote administration functionality, including:

  • Shell command execution
  • File upload and download
  • Process enumeration and termination
  • Directory manipulation
  • ZIP archive creation
  • DLL loading
  • Persistence installation
  • UAC elevation attempts

Researchers observed that the malware remains under active development, with multiple samples demonstrating ongoing refinement and capability expansion.
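MiniFast's C2 traffic is described above as JSON over structured HTTP endpoints with a hardcoded Chrome User-Agent. A client that only copies the UA string usually does not reproduce the rest of Chrome's request profile: a real Chrome sends `Sec-CH-UA` and `Sec-Fetch-*` headers, mixes GETs for pages and assets with any JSON POSTs, and does not call home on a fixed timer. The example below is added here and is not from the report; it applies that heuristic to a small set of constructed proxy records (the record field names, hosts, intervals and the 0.2 coefficient-of-variation threshold are this example's own choices) and flags source/host pairs where a Chrome UA appears without browser headers together with all-JSON POSTs or a regular beacon interval.

```python
import statistics
from collections import defaultdict
from datetime import datetime

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
# Request headers a real Chrome sends alongside its User-Agent; a client that
# only copies the UA string typically omits them.
BROWSER_SIGNAL_HEADERS = {"sec-ch-ua", "sec-fetch-mode", "sec-fetch-site"}
BROWSER_HDRS = ["accept", "sec-ch-ua", "sec-fetch-mode", "sec-fetch-site", "user-agent"]
MINIMAL_HDRS = ["content-type", "host", "user-agent"]


def rec(ts, src, host, method, path, ua, ctype, hdrs):
    return {"ts": ts, "src": src, "host": host, "method": method,
            "path": path, "ua": ua, "ctype": ctype, "hdrs": hdrs}


# Constructed proxy records (reserved host names; nothing here is from the report).
RECORDS = [
    rec("2026-03-02T09:00:00", "10.0.0.5", "c2.placeholder.invalid", "POST", "/api/v1/register", CHROME_UA, "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:01:00", "10.0.0.5", "c2.placeholder.invalid", "POST", "/api/v1/tasks", CHROME_UA, "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:02:00", "10.0.0.5", "c2.placeholder.invalid", "POST", "/api/v1/tasks", CHROME_UA, "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:03:00", "10.0.0.5", "c2.placeholder.invalid", "POST", "/api/v1/result", CHROME_UA, "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:00:10", "10.0.0.7", "www.example.com", "GET", "/", CHROME_UA, "", BROWSER_HDRS),
    rec("2026-03-02T09:00:27", "10.0.0.7", "www.example.com", "GET", "/news", CHROME_UA, "", BROWSER_HDRS),
    rec("2026-03-02T09:02:30", "10.0.0.7", "www.example.com", "POST", "/api/search", CHROME_UA, "application/json", BROWSER_HDRS),
    rec("2026-03-02T09:00:00", "10.0.0.9", "api.example.com", "POST", "/v2/metrics", "python-requests/2.31.0", "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:01:00", "10.0.0.9", "api.example.com", "POST", "/v2/metrics", "python-requests/2.31.0", "application/json", MINIMAL_HDRS),
    rec("2026-03-02T09:02:00", "10.0.0.9", "api.example.com", "POST", "/v2/metrics", "python-requests/2.31.0", "application/json", MINIMAL_HDRS),
]


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; None with fewer than 2 gaps."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def analyze(records):
    """Return [(src, host, reasons)] for client/host pairs that look like a
    non-browser client hiding behind a Chrome User-Agent."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["host"])].append(r)
    suspects = []
    for (src, host), reqs in sorted(groups.items()):
        claims_chrome = all("Chrome/" in r["ua"] for r in reqs)
        seen = {h.lower() for r in reqs for h in r["hdrs"]}
        # Gate on the UA mismatch; an honest non-browser UA is not the case here.
        if not (claims_chrome and not (seen & BROWSER_SIGNAL_HEADERS)):
            continue
        reasons = ["Chrome UA without client-hint/fetch-metadata headers"]
        if all(r["method"] == "POST" and r["ctype"] == "application/json" for r in reqs):
            reasons.append("every request is a JSON POST")
        cv = interval_cv(r["ts"] for r in reqs)
        if cv is not None and cv < 0.2:
            reasons.append(f"regular beacon interval (cv={cv:.2f})")
        if len(reasons) >= 2:
            suspects.append((src, host, reasons))
    return suspects


if __name__ == "__main__":
    for src, host, reasons in analyze(RECORDS):
        print(f"{src} -> {host}: " + "; ".join(reasons))
```

In the sample data only 10.0.0.5 is flagged: 10.0.0.7 carries the same Chrome UA but also the browser headers, and 10.0.0.9 beacons JSON on a timer but announces itself honestly as python-requests. Header-presence checks need visibility into request headers (a TLS-inspecting proxy or endpoint HTTP telemetry); where only flow metadata is available, the interval regularity and per-host POST ratio still apply.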

SEO Poisoning Marks Expansion Beyond Traditional Phishing

In April 2026, Nimbus Manticore introduced SEO poisoning into its delivery operations through a fake SQL Developer download site identified as getsqldeveloper[.]com. Users searching for legitimate SQL Developer software instead received weaponized installers containing the MiniFast payload. The actor reportedly registered dozens of supporting domains designed to improve search engine visibility through link-based reputation signals. Researchers observed the malicious domain ranking highly on search engines including Bing and DuckDuckGo for SQL Developer-related queries. This shift represents a notable operational evolution for Nimbus Manticore, which historically relied heavily on targeted phishing campaigns rather than search engine manipulation techniques.

Victimology

Nimbus Manticore primarily targets organizations across Europe, the Middle East, and Africa, with significant focus on Israel and the United Arab Emirates. The latest campaign additionally demonstrated expansion toward aviation-sector targets within the United States. Researchers noted that phishing lures often directly aligned with targeted industries. Fraudulent aviation recruitment portals targeted airline-sector personnel, while fake software download portals targeted technical users and developers. The targeting profile aligns closely with broader Iranian intelligence collection priorities involving transportation, defense, telecommunications, and software development sectors.

Who is Nimbus Manticore?

Nimbus Manticore, also tracked as UNC1549, is an Iranian IRGC-affiliated cyber espionage threat actor known for targeting aviation, defense, telecommunications, and software organizations across the Middle East, Europe, Africa, and increasingly the United States. The group is recognized for its use of socially engineered phishing campaigns, stealth-focused malware deployment techniques, and increasingly sophisticated modular malware tooling. Historically associated with the MiniJunk malware framework, Nimbus Manticore has evolved toward more advanced operational tradecraft including AppDomain Hijacking, trusted code-signing abuse, scheduled task hijacking, and SEO poisoning. Recent campaigns also suggest the actor has begun integrating AI-assisted development practices into malware engineering workflows to accelerate tooling adaptation and operational tempo during periods of geopolitical conflict.

Analyst Commentary

Nimbus Manticore’s latest operations demonstrate how rapidly state-aligned threat actors are evolving malware development and delivery methodologies, even amid periods of geopolitical conflict. The integration of stealth-focused persistence mechanisms, trusted code-signing abuse, modular malware architecture, and SEO poisoning significantly complicates detection efforts while expanding opportunities for initial access against enterprise environments.

The emergence of AI-assisted development indicators within operational malware further highlights the growing role of LLM-assisted tooling in offensive cyber operations. Even when AI-generated code does not independently increase sophistication, it can substantially accelerate malware iteration cycles and operational scalability.

Campaigns such as this reinforce the importance of layered malware analysis and behavioral detection capabilities capable of identifying emerging threats before widespread signature coverage exists. PolySwarm’s marketplace of specialized malware detection engines and aggregated PolyScore analysis model can help defenders identify low-consensus threats, suspicious signed binaries, and evolving malware families earlier in the attack lifecycle by leveraging multiple independent detection methodologies and behavioral analysis approaches.

IOCs

PolySwarm has multiple samples associated with this activity.

eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee
