Researchers at Check Point Research detailed that the Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated threat actor known as Nimbus Manticore resurfaced during the ongoing Iran conflict with a more aggressive and technically refined cyber campaign targeting organizations across the U.S., Europe, and the Middle East. The operation reportedly leveraged phishing lures impersonating aviation and software firms, introduced SEO poisoning as a malware delivery tactic for the first time, and deployed a newly identified backdoor dubbed ‘MiniFast,’ which researchers believe shows signs of AI-assisted malware development aimed at accelerating operational adaptability during wartime conditions.
The campaign marked a shift in tradecraft, replacing the group's traditional DLL sideloading with AppDomain hijacking and abusing legitimate software installation flows, including a trojanized Zoom installer, to conceal malware execution within normal system activity. Check Point Research noted that the group, also tracked as UNC1549 and previously associated with the ‘Iranian Dream Job’ operations, continues to focus heavily on the defense, aerospace, and telecommunications sectors as geopolitical tensions intensify and cyber operations increasingly align with broader military objectives.
“Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat actor who primarily targets the defense, aviation and telecommunication sectors through career-themed phishing campaigns. Nimbus Manticore stands out compared to other Iranian-linked groups due to its complex malware toolset,” Check Point researchers wrote in a blog post last week. “In 2025, we documented the MiniJunk malware framework used by Nimbus Manticore to target high-profile organizations across Western Europe and the Middle East.”
In the recent campaign, the researchers identified that the group adopted several new techniques, including AppDomain (application domain) hijacking, AI-assisted malware development, and SEO poisoning. “In February 2026, amid rising tensions between the US, Israel and Iran and weeks of military buildup, we monitored new Nimbus Manticore phishing activity worldwide. In this campaign, the threat actor introduced a modified infection chain by abusing AppDomain Hijacking for execution instead of relying on the usual DLL sideloading techniques.”
AppDomain Hijacking abuses legitimate .NET applications to load malicious DLLs at startup. The technique relies on a crafted XML configuration file placed in the same directory as the targeted application and named after the legitimate binary with a .config suffix (for example, an application called Setup.exe reads Setup.exe.config). The file's runtime section directs the .NET runtime to instantiate an attacker-controlled class derived from ‘AppDomainManager’ from an attacker-supplied DLL. When the application launches, the runtime loads that DLL automatically, before any of the application's own code runs, so the malicious code executes inside a trusted, often signed, process.
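As an added example, not Check Point's code and not a file recovered from the campaign, the following Python scanner shows what such a sidecar configuration looks like and how a responder can hunt for it across a directory tree. The two embedded config files, the hypothetical binary and DLL names (Setup.exe, UpdateHelper.dll, Viewer.exe), and the placeholder file contents are all constructed for the example; the `<runtime>` child elements it keys on (`appDomainManagerAssembly`, `appDomainManagerType`, and the `etwEnable` switch that attackers often pair with them to blind ETW telemetry) are the documented .NET Framework settings:

```python
"""Hunt for AppDomainManager hijacking in .NET sidecar config files.

Added example; not code from Check Point or from the campaign described.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a hijacking config: the CLR is told to load the
# AppDomainManager subclass UpdateHelper.Manager from UpdateHelper.dll
# (names invented for this example) and to disable ETW while doing so.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
    <etwEnable enabled="false" />
  </runtime>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed sample of an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def build_fixture(root):
    """Lay out a hypothetical directory in the on-disk pattern the technique
    needs: a .NET host binary, its <binary>.config sidecar, and the managed
    DLL the sidecar names. The "MZ" bodies are placeholders, not real PE files."""
    os.makedirs(root, exist_ok=True)
    for name, body in (
        ("Setup.exe", b"MZ"),                       # stands in for a legitimate host
        ("Setup.exe.config", MALICIOUS_CONFIG.encode()),
        ("UpdateHelper.dll", b"MZ"),                # stands in for the attacker's loader
        ("Viewer.exe", b"MZ"),
        ("Viewer.exe.config", BENIGN_CONFIG.encode()),
    ):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def _runtime_children(config_path):
    """Return the child elements of <configuration><runtime>, or [] if absent."""
    try:
        tree = ET.parse(config_path)
    except ET.ParseError:
        return []  # malformed XML cannot steer the CLR; nothing to flag
    runtime = tree.getroot().find("runtime")
    return list(runtime) if runtime is not None else []


def scan_for_appdomain_hijack(root):
    """Walk `root`; for every *.exe.config whose <runtime> names an
    AppDomainManager, report what it loads and whether the pieces that make
    the hijack work (the host binary and the named DLL) sit beside it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fname)
            hit = {"config": path, "host": fname[: -len(".config")],
                   "assembly": None, "type": None, "etw_disabled": False}
            for child in _runtime_children(path):
                if child.tag == "appDomainManagerAssembly":
                    # "Name, Version=..., Culture=..." -> simple assembly name
                    hit["assembly"] = child.get("value", "").split(",")[0].strip()
                elif child.tag == "appDomainManagerType":
                    hit["type"] = child.get("value")
                elif child.tag == "etwEnable" and child.get("enabled", "").lower() == "false":
                    hit["etw_disabled"] = True
            if hit["assembly"] is None and hit["type"] is None:
                continue  # ordinary app config, no AppDomainManager override
            hit["host_present"] = os.path.exists(os.path.join(dirpath, hit["host"]))
            hit["dll_present"] = bool(hit["assembly"]) and os.path.exists(
                os.path.join(dirpath, hit["assembly"] + ".dll"))
            findings.append(hit)
    return findings


def demo():
    """Build the constructed fixture in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_for_appdomain_hijack(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the scan on the fixture flags only Setup.exe.config, reporting the assembly and type it loads, that ETW is switched off, and that both the host binary and UpdateHelper.dll are present next to it; Viewer.exe.config is skipped because its `<runtime>` section names no AppDomainManager. The same override can also be delivered through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables rather than a file, so a file-system sweep like this should be paired with process-level telemetry (a signed .NET host loading an unsigned DLL from its own directory at startup) rather than used alone.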
“Nimbus Manticore consistently focuses on Europe, the Middle East and Africa, particularly Israel and the United Arab Emirates,” according to the researchers. “However, in contrast to our previous research, the actor’s recent operations demonstrate an expansion toward aviation-sector targets in the United States.”
As observed in prior campaigns, there appears to be a strong correlation between the phishing lure and the targeted sector. “For example, fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, lures impersonating US domestic airlines suggest a deliberate focus on US-based targets. Our findings indicate targeting extends across several strategic sectors, including aviation and software development. These sectors align with the IRGC’s broader intelligence collection priorities.”
The post noted that the phishing lure is consistent with previous Nimbus Manticore campaigns, targeting employees in selected organizations, primarily software and aviation sectors, with fake career opportunities. Targeted organizations in Saudi Arabia and Australia were directed to download a compressed ZIP archive stored on the OnlyOffice platform.
When Setup[dot]exe executes, it loads the first-stage loader, which extracts and deploys an encrypted next-stage payload embedded within the DLL itself. The dropped files include a legitimate executable used for DLL sideloading alongside an updated version of the MiniJunk backdoor. The loader also mirrors behaviors seen in earlier MiniJunk variants, including verifying that it was launched specifically by Setup[dot]exe and displaying a fake ‘Couldn’t connect to survey server’ error message to disguise the malicious activity as a legitimate application failure.
During Operation Epic Fury, Check Point said that it continued to observe activity from the threat actor. Despite the challenging environment, Nimbus Manticore demonstrated a strong ability to adapt, maintain infrastructure, and develop new tooling. The researchers assessed that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques.
“In addition to career-themed phishing lures masquerading as a US-based airline, the threat actor also used a Trojanized Zoom installer, which we assess was part of a phishing campaign using fake meeting invitations,” the post noted. “In addition, the Trojanized Zoom installer demonstrated in-depth research into the original application’s installation and execution flow, enabling it to be seamlessly integrated into the infection chain.”
Similar to previous campaigns, the threat actor continued leveraging AppDomain Hijacking, not just for the initial execution stage but also during the deployment and execution of the final backdoor. For the final payload, the threat actor introduced a new backdoor, which Check Point named MiniFast, replacing the previously used MiniJunk malware family.
After Setup[dot]exe is launched, the malware uses AppDomain Hijacking to execute the first-stage loader through a malicious XML configuration file placed alongside the binary. The loader displays a fake installation window and launches a legitimate Zoom installer to disguise the infection chain as normal software installation activity. It then monitors the system for the creation of a legitimate Zoom scheduled task and hijacks that task to establish persistence and execute the second-stage payload.
The second-stage components are copied into the Zoom update directory, where a renamed trusted binary is again abused through AppDomain Hijacking. The loader performs basic anti-analysis checks on how it is running and how it was launched, which helps it evade sandbox detection. Its primary role is to load and execute the final MiniFast payload through an exported function.
Check Point detailed that this campaign also provides multiple indications that the threat actor leveraged AI-assisted development during the malware creation. “We see evidence for this in both the initial access loaders and within the MiniFast backdoor itself.”
Several coding patterns and implementation details strongly suggest the use of AI-generated or AI-assisted code during development, including excessive error handling and defensive programming logic, even around simple API calls such as GetUserName; repetitive function and method naming patterns containing descriptive or verbose identifiers; multiple detailed error-reporting strings and debug-style status messages embedded throughout the codebase; and modular code organization despite the malware’s overall simplicity.
These characteristics are increasingly prevalent in malware development as threat actors leverage AI-assisted tools to accelerate development, improve code structure, and rapidly add new capabilities.
In the third campaign, observed in April after the ceasefire period, the researchers said that the attackers used a fake website impersonating a download page for SQL Developer, a graphical database management tool. Users attempting to download the software from the spoofed site instead received a weaponized installer that deployed the MiniFast backdoor.
The delivery method marks a shift from Nimbus Manticore’s typical career-themed phishing lures. In this campaign, the actor relied on SEO poisoning, registering dozens of domains that redirected users to the fake site in an apparent effort to boost its search ranking through link reputation signals.
At the time of analysis, the malicious domain appeared prominently in Bing and DuckDuckGo search results for ‘sql developer,’ increasing the likelihood that users searching for legitimate downloads would encounter the site. The pages also used aggressive keyword stuffing, repeatedly embedding phrases such as ‘Download SQL Developer’ and ‘SQL Developer Free’ to manipulate search visibility.
In conclusion, Check Point identified that Nimbus Manticore is one of the most sophisticated Iranian-aligned threat actors with a long-standing focus on the defense, telecommunications, and aviation sectors. “The ongoing conflict in the Middle East, combined with the operational demands of wartime activity, appears to have significantly accelerated their malware evolution.”
As an IRGC-affiliated entity operating under heightened geopolitical conditions, Nimbus Manticore demonstrated a rapid adoption cycle for new techniques, tooling, and operational methodologies. The actor’s activity during Operation Epic Fury highlights its increasing adaptability, particularly through the integration of AI-assisted malware development, novel infection vectors, and advanced stealth mechanisms.
Last week, European law enforcement authorities dismantled a large-scale online propaganda network linked to Iran’s IRGC, removing around 14,200 links as part of a coordinated crackdown targeting extremist and terrorist-linked content across digital platforms. Led by Europol’s EU Internet Referral Unit, the operation focused on disrupting online ecosystems used to spread propaganda, influence campaigns, and extremist narratives tied to the IRGC, which the European Union recently designated as a terrorist organization.