EXECUTIVE SUMMARY
The Iranian IRGC-affiliated threat actor Nimbus Manticore resurfaced during Operation Epic Fury, a US military campaign against Iran, demonstrating newly adopted techniques and enhanced capabilities. The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe, and the Middle East. For the first time, the threat actor used SEO poisoning as an additional malware delivery method. The operation introduced a previously undocumented backdoor, named MiniFast, which appears to incorporate AI-assisted development practices, enabling the threat actor to rapidly develop and adapt tooling while maintaining high operational availability during the war. The backdoor was used to target the defense, aviation, and telecommunication sectors through career-themed phishing campaigns.
Nimbus Manticore stands out among Iranian-linked groups for the complexity of its malware toolset. Infection begins with a phishing lure impersonating a legitimate organization. Once the victim downloads a compressed archive, the malware is deployed through a series of stages. The first-stage loader, uevmonitor.dll, extracts and deploys the next-stage payload, which is stored in encrypted form inside the loader itself. The extracted files are written into C:\Users\\AppData\Local\Packages\.
The malware uses AppDomain Hijacking, a technique that abuses legitimate .NET applications to load a malicious DLL at launch time. The threat actor also uses a Trojanized Zoom installer, which reflects in-depth research into the original application's installation and execution flow and allows the installer to be integrated seamlessly into the infection chain. The combination of AI-assisted development practices with techniques such as AppDomain Hijacking and SEO poisoning makes this campaign significant for organizations. MiniFast is a fully featured backdoor designed for long-term persistence and remote command execution. The actor's ability to rapidly adapt and develop new tooling makes the malware harder to detect and to recover from. To defend against this threat, organizations should prioritize patching and monitoring, as well as maintaining up-to-date backups and endpoint protection.
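AppDomain Hijacking works because the CLR will load whatever assembly an application's `.exe.config` (or the process environment) names as the AppDomainManager before the program's own code runs. The hunting helper below is an added example, not code from the report or from the malware: it parses constructed config samples and a constructed environment, flags the redirect, and uses placeholder assembly and type names rather than real indicators.

```python
"""Hunting helper: flag .NET application configs (and process environments) that
redirect the CLR's AppDomainManager, the mechanism behind AppDomain hijacking."""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: an ordinary app.config with nothing unusual.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Constructed sample: <runtime> points the CLR at an attacker-controlled assembly,
# which is loaded and instantiated before the host's Main() runs.
# "StageLoader" / "StageLoader.Manager" are placeholder names, not real indicators.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="StageLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="StageLoader.Manager" />
  </runtime>
</configuration>"""

def _local(tag: str) -> str:
    """Strip any XML namespace so we match on the element's local name only."""
    return tag.rsplit("}", 1)[-1]

def inspect_config(xml_text: str) -> Optional[dict]:
    """Return {'assembly': ..., 'type': ...} when the config sets an AppDomainManager.
    Returns None for clean input and for unparseable XML (triage the latter separately)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    hit: dict = {}
    for runtime in (e for e in root.iter() if _local(e.tag) == "runtime"):
        for child in runtime:
            name = _local(child.tag)
            if name == "appDomainManagerAssembly":
                hit["assembly"] = child.get("value", "")
            elif name == "appDomainManagerType":
                hit["type"] = child.get("value", "")
    return hit if "assembly" in hit else None

def inspect_environment(env: dict) -> Optional[dict]:
    """The CLR honours the same redirect through these two environment variables,
    so a process tree with them set deserves the same scrutiny as a modified config."""
    asm = env.get("APPDOMAIN_MANAGER_ASM")
    if not asm:
        return None
    return {"assembly": asm, "type": env.get("APPDOMAIN_MANAGER_TYPE", "")}

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(label, "->", inspect_config(cfg))
```

In practice, run `inspect_config` over every `*.exe.config` beside a signed .NET binary and treat any hit whose assembly is not part of the product's own install as a side-loaded first stage to pull for analysis.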
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1580 | Cloud Infrastructure Discovery | — |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
REFERENCES:
The following reports contain further technical details:
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/