The PolySwarm Blog


Nimbus Manticore’s Evolving Cyberespionage Campaign

Sep 29, 2025 2:53:45 PM / by The Hivemind

NIMBUS MANTICORE 2025
Verticals Targeted: Defense Manufacturing, Telecommunications, Aerospace
Regions Targeted: Western Europe, Middle East
Related Families: MiniJunk, MiniBrowse

Executive Summary

Nimbus Manticore, an Iranian APT group, has intensified its cyberespionage campaign targeting defense, telecommunications, and aerospace sectors in Western Europe and the Middle East, deploying advanced malware such as MiniJunk and MiniBrowse via sophisticated spear-phishing and DLL sideloading techniques. The group’s focus on stealth, obfuscation, and resilient infrastructure underscores its alignment with IRGC strategic priorities.

Key Takeaways

  • The attacks utilize tailored phishing campaigns impersonating HR recruiters from aerospace and defense firms, directing victims to fake career portals with unique URLs and credentials.  
  • The threat actors employ MiniJunk backdoor and MiniBrowse stealer with heavy compiler-level obfuscation and multi-stage DLL sideloading to evade detection.  
  • The threat actors leverage Cloudflare and Azure App Service for C2 servers, ensuring operational continuity, even if domains are suspended.  
  • The threat actors exhibit increased focus on Western Europe (Denmark, Sweden, Portugal) alongside traditional Middle East targets, aligning with IRGC intelligence collection goals.

The Campaign

Check Point Research (CPR) has been monitoring a sophisticated campaign by the Iran-nexus threat actor group Nimbus Manticore, which has escalated its operations since early 2025. This group, linked to the Islamic Revolutionary Guard Corps (IRGC), targets high-value sectors such as defense manufacturing, telecommunications, aerospace, airlines, and satellite providers, with a recent pivot toward Western Europe, specifically Denmark, Sweden, and Portugal, alongside traditional Middle East targets such as Israel and the UAE.

The campaign employs highly targeted spear-phishing, impersonating HR recruiters from reputable organizations like Boeing, Airbus, and Rheinmetall. Victims receive personalized phishing emails with unique URLs and credentials directing them to fraudulent career portals built on React templates. These portals, often hosted behind Cloudflare to mask server IPs, deliver malicious ZIP archives disguised as legitimate software. After authentication, a multi-stage infection chain is initiated, leveraging a novel DLL sideloading technique that exploits undocumented low-level NT APIs to manipulate the DLL search path. This allows a legitimate Windows executable to sideload a malicious .dll, which in turn triggers a Windows Defender component to load another malicious .dll from the archive directory.

The primary payload, dubbed MiniJunk, is an evolved version of the Minibike backdoor first documented in 2022. MiniJunk employs advanced obfuscation techniques, including junk code insertion, control-flow obfuscation, opaque predicates, and encrypted strings, likely implemented via custom LLVM passes. These measures render static analysis challenging, with each campaign introducing refined obfuscation to thwart detection. MiniJunk establishes persistence by copying itself to `%AppData%\Local\Microsoft\MigAutoPlay\` and creating a scheduled task to execute an .exe, which sideloads a .dll. The backdoor supports commands like file reading, process creation, and DLL loading, communicating with multiple hardcoded C2 servers via HTTPS, with data encoded through byte reversal.

Additionally, Nimbus Manticore deploys MiniBrowse, a lightweight stealer targeting Chrome and Edge browser credentials. MiniBrowse collects system identifiers, exfiltrates data via JSON payloads to C2 servers, and uses named pipes for communication, further enhancing its covert operations. A separate cluster, linked to the Subtle Snail espionage group, employs simpler payloads like `dxgi.dll`, which shares code similarities with MiniJunk but lacks its sophisticated obfuscation.

To bolster stealth, Nimbus Manticore signs its malware with certificates from SSL.com, reducing detection rates. The group also inflates binary sizes with junk code to bypass antivirus heuristics and leverages Cloudflare and Azure App Service for resilient C2 infrastructure. A distinct naming convention for domains, such as `[a-z]-[a-z]+-[a-z]+-[0-9]{3}.azurewebsites.net`, further differentiates its operations. This campaign reflects a well-resourced, state-aligned actor prioritizing operational security and adaptability. The targeting of critical sectors in Western Europe and the Middle East, coupled with advanced TTPs, underscores the need for robust defenses against such persistent threats.
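As an added example (not part of the PolySwarm bulletin or of Check Point's research), the following Python script turns two of the indicators described on this page into hunting logic: the Azure App Service hostname convention from the paragraph above, and the MiniJunk persistence directory from the MiniJunk paragraph. The proxy log lines, scheduled-task events, hostnames and the executable name `updater.exe` are constructed for the demonstration; the hostname regex is the one reported here, anchored to the whole hostname and applied after lower-casing. The persistence check matches only the `\Microsoft\MigAutoPlay\` path segment, so it fires whether the directory resolves under `Local` or `Roaming`.

```python
import re
from dataclasses import dataclass

# Hostname convention for Nimbus Manticore C2 on Azure App Service, as reported by
# Check Point Research. Anchored so the pattern must cover the entire hostname.
C2_HOST_RE = re.compile(r"^[a-z]-[a-z]+-[a-z]+-[0-9]{3}\.azurewebsites\.net$")

# MiniJunk persistence directory. Only the trailing segment is matched so that the
# rule works whether the path resolves under AppData\Local or AppData\Roaming\Local.
PERSIST_DIR_RE = re.compile(r"\\Microsoft\\MigAutoPlay\\", re.IGNORECASE)

# Constructed sample data (not real telemetry). Format: "<ts> <client_ip> <method> <host> <status>"
SAMPLE_PROXY_LOG = [
    "2025-09-29T10:00:01Z 10.0.0.5 GET a-quiet-harbor-123.azurewebsites.net 200",
    "2025-09-29T10:00:02Z 10.0.0.5 GET contoso-portal.azurewebsites.net 200",
    "2025-09-29T10:00:03Z 10.0.0.7 GET ab-quiet-harbor-123.azurewebsites.net 200",
    "2025-09-29T10:00:04Z 10.0.0.7 GET a-quiet-harbor-1234.azurewebsites.net 200",
]

# Constructed scheduled-task registration events. Format: "<ts> TaskRegistered name=<n> action=<path>"
# The task name and updater.exe are placeholders; the page names neither.
SAMPLE_TASK_EVENTS = [
    r"2025-09-29T10:05:00Z TaskRegistered name=OneDriveSync action=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"2025-09-29T10:05:30Z TaskRegistered name=MigAutoPlayUpdate action=C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\updater.exe",
]


@dataclass
class Hit:
    source: str    # which telemetry the hit came from
    rule: str      # which indicator matched
    evidence: str  # the matched value


def match_c2_host(host: str) -> bool:
    """True if the hostname follows the reported azurewebsites.net naming convention."""
    return bool(C2_HOST_RE.match(host.strip().lower()))


def scan_proxy_log(lines):
    """Flag proxy entries whose destination host matches the C2 naming convention."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess fields
        host = parts[3]
        if match_c2_host(host):
            hits.append(Hit("proxy", "azurewebsites_c2_pattern", host))
    return hits


def scan_task_events(lines):
    """Flag scheduled tasks whose action lives in the MiniJunk persistence directory."""
    hits = []
    for line in lines:
        m = re.search(r"action=(\S+)", line)
        if m and PERSIST_DIR_RE.search(m.group(1)):
            hits.append(Hit("tasks", "migautoplay_persistence", m.group(1)))
    return hits


def run_hunt(proxy_lines=SAMPLE_PROXY_LOG, task_lines=SAMPLE_TASK_EVENTS):
    """Run both rules and return all hits in a single list."""
    return scan_proxy_log(proxy_lines) + scan_task_events(task_lines)


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"[{hit.source}] {hit.rule}: {hit.evidence}")
```

Treat a hostname match as a hunting lead rather than a blocking rule: the convention is distinctive, but nothing prevents an unrelated Azure tenant from choosing a name of the same shape, so pivot on the client, the URI and the scheduled-task telemetry before acting. The task rule is the stronger of the two, since `MigAutoPlay` under the user's AppData profile is not a directory Windows itself creates.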

Who is Nimbus Manticore?

Nimbus Manticore, also known as Smoke Sandstorm and UNC1549, is a cyber threat group tied to Iran, first identified in 2022. The group employs sophisticated spear-phishing campaigns, often posing as HR recruiters from reputable companies to lure victims to fake career portals that steal credentials or deliver malicious ZIP files containing lure documents. The group’s advanced tradecraft and targeting patterns suggest strong ties to Iran’s Islamic Revolutionary Guard Corps, reflecting state-sponsored cyber espionage efforts, particularly evident during heightened geopolitical tensions, such as the 2025 Israeli-Iranian conflict.

Nimbus Manticore targets aerospace, defense manufacturing, telecommunications, satellite, and aviation sectors, primarily focusing on Israel and the UAE, with expanded operations since early 2025 targeting Western Europe, including Denmark, Sweden, and Portugal. These sectors align with Iran’s strategic intelligence-gathering objectives.

IOCs

PolySwarm has multiple samples associated with this activity.


95d246e4956ad5e6b167a3d9d939542d6d80ec7301f337e00bb109cc220432cf

9b186530f291f0e6ebc981399c956e1de3ba26b0315b945a263250c06831f281

4da158293f93db27906e364a33e5adf8de07a97edaba052d4a9c1c3c3a7f234d

3b4667af3a3e6ed905ae73683ee78d2c608a00e566ae446003da47947320097f

3b58fd0c0ef8a42226be4d26a64235da059986ec7f5990d5c50d47b7a6cfadcd

7c77865f27b8f749b7df805ee76cf6e4575cbe0c4d9c29b75f8260210a802fce

b405ae67c4ad4704c2ae33b2cf60f5b0ccdaff65c2ec44f5913664805d446c9b

0e4ff052250ade1edaab87de194e87a9afeff903695799bcbc3571918b131100


You can use the following CLI command to search for all NimbusManticore samples in our portal:
$ polyswarm link list -t NimbusManticore



Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Telecommunications, Spear Phishing, malware obfuscation, DLL sideloading, Iranian APT, Nimbus Manticore, MiniJunk, MiniBrowse, defense manufacturing
