Iranian Nimbus Manticore adopts SEO poisoning for malware delivery

Cybersecurity researchers at Check Point Research have uncovered a new campaign linked to the Iranian state-backed threat group tracked as Nimbus Manticore (also known as UNC1549), believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC). The operation took place during “Operation Epic Fury,” the US military campaign against Iran launched on February 28, 2026.

According to researchers, the campaign targeted organizations in the aviation and software sectors across the United States, Europe and the Middle East using fake job offers and phishing lures. For the first time, Nimbus Manticore also used SEO poisoning to spread malware, tricking users into downloading infected software from fake websites that appeared in search engine results.

The attackers used a previously undocumented backdoor called MiniFast, replacing the group’s MiniJunk malware framework. Check Point researchers noted that the malware appears to show signs of AI-assisted development.

The campaign involved AppDomain hijacking (also called AppDomainManager injection), a method that abuses legitimate .NET applications to load malicious DLL files via tampered configuration files. The signed executable itself is never modified: the .NET runtime reads the application's .config file at startup and loads whatever assembly is named there as the AppDomainManager. Unlike traditional DLL sideloading, which depends on a specific missing or mis-ordered DLL import, the approach lets attackers execute malware inside a trusted, signed process with nothing more than a text file change, making detection more difficult.
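To make the technique concrete for defenders, here is an added hunting example (written for this page, not code from Check Point or from the campaign) that scans .NET application config files for the two `<runtime>` elements an AppDomainManager injection requires, `appDomainManagerAssembly` and `appDomainManagerType`, and also records any `<probing privatePath>` entries that would widen where the runtime looks for the named assembly. The assembly name `UpdateHelper`, the type `UpdateHelper.Loader` and both sample config documents are constructed for the example and do not come from the report.

```python
"""Hunt for AppDomainManager injection in .NET .exe.config / app.config files.

Added example for illustration; the config samples below are constructed and
the assembly/type names in them are hypothetical.
"""
from __future__ import annotations

import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class ConfigFinding:
    path: str
    manager_assembly: str | None = None   # value of <appDomainManagerAssembly>
    manager_type: str | None = None       # value of <appDomainManagerType>
    probing_paths: list[str] = field(default_factory=list)  # <probing privatePath="...">

    @property
    def suspicious(self) -> bool:
        # Either element alone is enough to make the CLR load a custom manager.
        return bool(self.manager_assembly or self.manager_type)


def inspect_config(xml_text: str, path: str = "<inline>") -> ConfigFinding:
    """Parse one config document and pull out the AppDomainManager settings."""
    finding = ConfigFinding(path=path)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return finding  # not XML we can reason about; treat as clean
    runtime = root.find("runtime")
    if runtime is None:
        return finding
    for elem in runtime.iter():
        # <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> puts its
        # children in a namespace, so compare on the local tag name only.
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag == "appDomainManagerAssembly":
            finding.manager_assembly = elem.get("value")
        elif tag == "appDomainManagerType":
            finding.manager_type = elem.get("value")
        elif tag == "probing":
            private_path = elem.get("privatePath") or ""
            finding.probing_paths.extend(
                p.strip() for p in private_path.split(";") if p.strip()
            )
    return finding


def scan_directory(root_dir: str) -> list[ConfigFinding]:
    """Walk a tree and return every *.config that names an AppDomainManager."""
    hits: list[ConfigFinding] = []
    for dirpath, _dirs, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".config"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    finding = inspect_config(fh.read(), full)
            except OSError:
                continue
            if finding.suspicious:
                hits.append(finding)
    return hits


# Constructed sample: an ordinary config that should not be flagged.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

# Constructed sample: the shape of a tampered config. The CLR would load
# UpdateHelper.dll from the app directory (or from lib\ via probing) and
# instantiate UpdateHelper.Loader before the application's own Main runs.
TAMPERED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Loader" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>"""


if __name__ == "__main__":
    # Usage: python hunt_appdomain.py "C:\\Program Files"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_directory(target):
        print(f"{hit.path}: assembly={hit.manager_assembly!r} "
              f"type={hit.manager_type!r} probing={hit.probing_paths}")
```

A legitimate AppDomainManager is rare outside of in-house hosting frameworks, so every hit deserves a look at the named DLL (signature, compile time, whether it ships with the product) and at who last wrote the .config file. Pairing this file-based check with process telemetry for a signed .NET executable loading an unsigned assembly from its own directory catches the same behaviour from the other side.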

Researchers also observed a trojanized Zoom installer used in phishing campaigns based on fake meeting invitations. The modified installer closely mirrored Zoom’s legitimate installation process, helping the malware blend into normal system activity while deploying the MiniFast backdoor.

In another campaign spotted in April, the attackers created a fake download page impersonating SQL Developer software. Victims who ran the installer unknowingly deployed the MiniFast implant, a 64-bit Windows DLL capable of long-term persistence and remote command execution.

Check Point said the malware is under active development, with multiple evolving versions identified during analysis. The researchers assess that Nimbus Manticore’s ability to update infrastructure and malware quickly under wartime conditions was likely supported in part by large language model tools and AI-assisted coding.

“Nimbus Manticore consistently focuses on Europe, the Middle East and Africa, particularly Israel and the United Arab Emirates. However, in contrast to our previous research, the actor’s recent operations demonstrate an expansion toward aviation-sector targets in the United States,” the report noted.
