Full Report
The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been attributed to a fresh campaign using lures impersonating organizations in the aviation and software sectors across the U.S., Europe, and the Middle East following the joint U.S.-Israeli military campaign against the country in late February 2026. The activity, besides embracing
Analysis Summary
# Threat Actor: Nimbus Manticore
## Attribution & Identity
* **Actor Name:** Nimbus Manticore
* **Aliases:** Screening Serpens, UNC1549
* **Affiliation:** Iranian state-sponsored; attributed to the Islamic Revolutionary Guard Corps (IRGC).
* **Note:** Known for tactical similarities to North Korean groups (e.g., Operation Dream Job), leading to the campaign moniker "Iranian Dream Job."
## Activity Summary
Following the U.S.-Israeli military campaign in late February 2026, Nimbus Manticore launched three distinct waves of activity:
* **February 2026:** Targeted software and aviation sectors in Saudi Arabia and Australia using career-themed phishing lures.
* **March 2026:** Conducted a phishing campaign using fake meeting invitations and trojanized Zoom installers.
* **April 2026:** Shifted to SEO poisoning to distribute trojanized database management software.
## Tactics, Techniques & Procedures
* **AppDomain Hijacking (AppDomainManager injection):** A benign, typically signed .NET executable is made to load a rogue assembly by planting an attacker-controlled `.exe.config` beside it that names a custom AppDomainManager; the payload runs inside the trusted process without modifying the executable itself. This is the delivery path for MiniJunk.
* **AI-Assisted Development:** Identified in the creation of the MiniFast backdoor, characterized by excessive error handling, verbose/repetitive function naming, and modular but simple code structures.
* **SEO Poisoning:** Registered dozens of domains to boost the search reputation of a rogue download site (getsqldeveloper[.]com) serving a trojanized Oracle SQL Developer, so that the lure ranks where a developer or DBA would look for the legitimate installer.
* **Social Engineering:** Career-themed lures (phishing) and fake meeting invitations.
* **Privilege Escalation:** Use of the `runas` command. Note that `runas` only launches a process under another account's credentials and requires that account's password; its use implies the actor already held valid (typically higher-privileged) credentials rather than exploiting a flaw.
* **Persistence:** Establishing scheduled tasks.
## Targeting
* **Sectors:** Aviation, Defense, Telecommunications, Software.
* **Geography:** United States, Europe, Middle East (specifically Saudi Arabia), and Australia.
* **Victims:** Employees in aviation and software development; Saudi Arabian and Australian entities specifically identified.
## Tools & Infrastructure
* **Malware Families:**
* **MiniFast (aka MiniUpdate):** A new, likely AI-assisted backdoor capable of file exfiltration, remote command execution, and DLL loading.
* **MiniJunk (v2):** A rogue DLL delivered via AppDomain hijacking.
* **Trojanized Software:** Modified versions of Oracle SQL Developer and Zoom installers.
* **Infrastructure:**
* **getsqldeveloper[.]com** (defanged): rogue download site for the trojanized Oracle SQL Developer.
* **OnlyOffice:** legitimate document-hosting service abused to host the malicious ZIP archives.
* **C2 protocol:** HTTP-based beaconing with randomized intervals (jitter).
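The randomized jitter the report describes defeats naive "same gap every time" rules, but an implant polling every minute plus or minus a few seconds still produces inter-request gaps whose spread is small relative to their mean, whereas a person's browsing is bursty. The Python below is an added example, not code from the report or from the actor's tooling; it scores source/destination pairs from proxy-style log lines by the coefficient of variation of their request gaps. The log format, IPs, hostnames (`c2.example.test` and the others) and timings are all constructed for the example.

```python
"""Score host pairs for periodic (jittered) HTTP beaconing from proxy-style log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _make_lines(start, src, dst, gaps_seconds):
    """Build constructed log lines ("timestamp src dst method path status") from request gaps."""
    t = start
    lines = [f"{t.strftime(TS_FMT)} {src} {dst} GET /update 200"]
    for gap in gaps_seconds:
        t = t + timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} {src} {dst} GET /update 200")
    return lines


START = datetime(2026, 4, 2, 10, 0, 0)
# Constructed sample: an implant polling every ~60 s with +-10 s jitter (hypothetical
# host c2.example.test), a person reading a news site, and a host seen too rarely to judge.
SAMPLE_LOG = (
    _make_lines(START, "10.0.0.5", "c2.example.test", [55, 64, 58, 61, 67, 53, 60, 56, 65, 59])
    + _make_lines(START, "10.0.0.5", "news.example.org", [3, 1, 240, 12, 5, 900, 2, 30])
    + _make_lines(START, "10.0.0.7", "cdn.example.net", [60, 60])
)


def parse_line(line):
    """Extract (timestamp, src, dst) from one constructed log line."""
    ts, src, dst = line.split()[:3]
    return datetime.strptime(ts, TS_FMT), src, dst


def beacon_candidates(lines, min_hits=6, max_cv=0.35):
    """Return (src, dst) pairs whose inter-request gaps are too regular for a human.

    Jitter widens the spread of gaps but keeps the coefficient of variation
    (stdev / mean) small; interactive traffic is bursty and scores far higher.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few observations to call anything periodic
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append({
                "src": src, "dst": dst, "hits": len(times),
                "median_gap_s": statistics.median(gaps), "cv": round(cv, 3),
            })
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for r in beacon_candidates(SAMPLE_LOG):
        print(f"{r['src']} -> {r['dst']}: {r['hits']} hits, median gap {r['median_gap_s']:.0f}s, cv {r['cv']}")
```

The threshold of 0.35 is a starting point, not a tuned value: implants that sleep for a random multiple of a base interval, or that are interrupted by reboots, push the coefficient up, so in practice you would compute the score over several time windows and also weight by the number of hits and the share of gaps that fall near the median.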
## Implications
Nimbus Manticore is evolving its tradecraft beyond traditional phishing. The adoption of AI-assisted malware development suggests a trend toward more robust and "defensively programmed" code that may be harder for automated systems to flag as malicious initially. The move toward SEO poisoning indicates a strategic shift to capture high-value technical targets (like DBAs or developers) who may not fall for standard phishing but trust search engine results for professional tools.
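The SEO poisoning described above relies on domains that borrow a product's name or look like the vendor's own. As an added example (not code from the report or from any vendor's tooling), the Python below classifies observed domains against an assumed allowlist of vendor domains, flagging those that embed a product token outside the vendor's domain or sit within a couple of edits of a vendor domain. The allowlist (`oracle.com`, `zoom.us`), the product tokens and the DNS sample are constructed for the example; `getsqldeveloper.com` is the domain the report names, included undefanged as input. The registrable-domain logic is a deliberate simplification (last two labels), so it mishandles suffixes such as `co.uk`.

```python
"""Flag domains that trade on software product names or typosquat vendor domains."""

# Assumed allowlist (constructed for this example): vendor domains under which the
# products are legitimately distributed, and product tokens that lures tend to reuse.
OFFICIAL_DOMAINS = {"oracle.com", "zoom.us"}
BRAND_TOKENS = {"sqldeveloper", "oracle", "zoom"}

# Constructed DNS sample; getsqldeveloper.com is the site named in the report.
SAMPLE_DNS = [
    "getsqldeveloper.com", "www.oracle.com", "zoom.us", "z00m.us",
    "zoomdownload-install.net", "news.example.org", "orac1e.com",
]


def registrable_domain(fqdn):
    """Naive eTLD+1: the last two labels. Does not handle multi-part suffixes like co.uk."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(fqdn, official=OFFICIAL_DOMAINS, tokens=BRAND_TOKENS, max_edits=2):
    """Return a reason string if the domain looks like a lure, else None."""
    reg = registrable_domain(fqdn)
    if reg in official:
        return None  # the vendor's own domain, any subdomain
    sld = reg.split(".")[0]
    for off in official:
        off_sld = off.split(".")[0]
        dist = levenshtein(sld, off_sld)
        if dist <= max_edits:
            return f"typosquat of {off} (edit distance {dist})"
    compact = sld.replace("-", "")
    for tok in tokens:
        if tok in compact:
            return f"embeds product token '{tok}' outside the vendor's domain"
    return None


def flag_lookalikes(fqdns, **kw):
    """Return (registrable_domain, reason) for every domain that classify_domain flags."""
    out = []
    for fqdn in fqdns:
        reason = classify_domain(fqdn, **kw)
        if reason:
            out.append((registrable_domain(fqdn), reason))
    return out


if __name__ == "__main__":
    for dom, why in flag_lookalikes(SAMPLE_DNS):
        print(f"{dom}: {why}")
```

Two caveats a practitioner would want: the edit-distance rule fires on short unrelated labels (anything within two edits of `zoom`), so in production it should be gated on label length or a registration-age feed, and the example does not model "newly registered" at all; that signal needs WHOIS or passive-DNS first-seen data that the report's mitigation presumes you have.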
## Mitigations
* **Endpoint Monitoring:** Monitor for AppDomain hijacking by alerting on new or modified `*.exe.config` files beside .NET executables, especially ones that introduce `appDomainManagerAssembly`/`appDomainManagerType` under `<runtime>`, and on unexpected DLL or assembly loads by trusted software such as Zoom or Oracle SQL Developer.
* **Supply Chain / Software Integrity:** Enforce strict application allowlisting and verify the signature of installers downloaded from the internet; check that the signer is the expected vendor, not merely that a signature is present, and obtain installers from the vendor's own site rather than from a search result.
* **SEO/Web Filtering:** Block or alert on newly registered domains that incorporate common software product names, and alert on typosquatted look-alikes of vendor domains.
* **User Training:** Educate high-value targets (HR, IT, Engineering) on the risks of "too good to be true" career opportunities and the dangers of downloading software from non-official repositories.
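The AppDomain hijacking technique in the TTPs and the `.config` auditing mitigation above both come down to a handful of elements under `<runtime>` in a .NET application's `.exe.config`. As an added example (not code from the report or from the actor's tooling), the Python below scans such files for those elements: `appDomainManagerAssembly` and `appDomainManagerType`, which make the runtime load an attacker-supplied assembly before the application's own code runs; a `probing privatePath`, which adds a search directory for that assembly; and `etwEnable="false"`, which switches off the runtime's ETW telemetry. The element names are the standard .NET Framework ones; the two sample configs, the assembly name `UpdateHelper` and the path `data` are constructed for the example.

```python
"""Scan .NET application config files for AppDomainManager injection indicators."""
import os
import xml.etree.ElementTree as ET

# Elements under <runtime> that an attacker plants so a trusted .NET executable
# loads and runs an attacker-supplied assembly before the app's own Main runs.
RUNTIME_INDICATORS = {
    "appDomainManagerAssembly": "names a custom AppDomainManager assembly to load",
    "appDomainManagerType": "names the AppDomainManager type to instantiate",
}


def _local(tag):
    """Strip an XML namespace prefix such as {urn:schemas-microsoft-com:asm.v1}."""
    return tag.rsplit("}", 1)[-1]


def scan_config_text(xml_text, source="<string>"):
    """Return a list of findings (dicts) for the contents of one config file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "element": "(parse error)", "value": str(exc),
                 "reason": "config is not well-formed XML; inspect manually"}]
    findings = []
    if _local(root.tag) != "configuration":
        return findings
    for runtime in (child for child in root if _local(child.tag) == "runtime"):
        for elem in runtime.iter():
            name = _local(elem.tag)
            if name in RUNTIME_INDICATORS:
                findings.append({"file": source, "element": name,
                                 "value": elem.get("value", ""),
                                 "reason": RUNTIME_INDICATORS[name]})
            elif name == "probing" and elem.get("privatePath"):
                findings.append({"file": source, "element": name,
                                 "value": elem.get("privatePath"),
                                 "reason": "adds an assembly search path (often where the rogue DLL sits)"})
            elif name == "etwEnable" and elem.get("enabled", "").lower() == "false":
                findings.append({"file": source, "element": name, "value": "false",
                                 "reason": "disables ETW, blinding .NET runtime telemetry"})
    return findings


def scan_directory(root_dir):
    """Walk root_dir, scan every *.exe.config, and return all findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings.extend(scan_config_text(fh.read(), path))
    return findings


# Constructed samples: an ordinary binding-redirect config, and one carrying the injection.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="data"/>
    </assemblyBinding>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_directory(target):
        print(f"{f['file']}: <{f['element']}> {f['value']!r}: {f['reason']}")
```

Run it against directories where signed .NET executables live (program folders, user profiles, temp). A config that names an AppDomainManager is rare enough in normal software that each hit deserves a look; confirm by checking whether the named assembly exists next to the executable or in the `privatePath` directory and whether it is signed by the same publisher as the executable. The same manager can also be set through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file scan does not see, so pair it with process-creation telemetry.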