Full Report
Researchers at Check Point Research detailed that the Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated threat actor known as... The post IRGC-linked Nimbus Manticore group attacks defense, aerospace, telecom sectors using Minifast malware toolkit appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Nimbus Manticore
## Attribution & Identity
* **Actor Name:** Nimbus Manticore
* **Aliases:** UNC1549
* **Affiliation:** Iranian Islamic Revolutionary Guard Corps (IRGC)
* **Known Associations:** Associated with the "Iranian Dream Job" operations.
## Activity Summary
Nimbus Manticore has resurfaced in 2026 with more aggressive cyber campaigns coinciding with regional military tensions involving Iran, Israel, and the U.S. Recent operations demonstrate increased technical refinement, specifically employing AI-assisted malware development to accelerate operational adaptability. The group has moved beyond traditional DLL sideloading toward more sophisticated persistence and execution methods, such as AppDomain hijacking and SEO poisoning.
## Tactics, Techniques & Procedures
* **Phishing & Lures:** Execution of career-themed phishing campaigns and fraudulent hiring portals impersonating aviation companies and domestic airlines.
* **SEO Poisoning:** First-time use of Search Engine Optimization poisoning to deliver malware.
* **Persistence & Execution:**
  * **AppDomain Hijacking (T1574.013):** Abuse of legitimate .NET applications to load malicious DLLs via trojanized XML files.
  * **Trojanized Installers:** Use of legitimate software flows, such as a trojanized Zoom installer, to conceal activity.
* **AI-Assisted Development:** Utilization of AI to refine and adapt malware toolkits (MiniFast) quickly during wartime conditions.
* **Social Engineering:** Impersonating aviation and software firms to target specific industry sectors.
## Targeting
* **Sectors:** Defense, Aerospace/Aviation, Telecommunications, Software Development, and Critical Infrastructure.
* **Geography:** Primarily Israel, United Arab Emirates (UAE), Western Europe, and a recent expansion specifically targeting the United States.
* **Victims:** Employees and organizations within the aviation and software development sectors (e.g., users of Zoom and domestic U.S. airlines).
## Tools & Infrastructure
* **Malware Families:**
  * **MiniFast:** A newly identified backdoor believed to be AI-refined for adaptability.
  * **MiniJunk:** A malware framework previously documented in 2025 operations.
* **Infrastructure:**
  * C2 delivery via SEO-poisoned links and phishing portals.
  * Trojanized XML files for AppDomain management.
## Implications
The group’s activities represent a strategic alignment between cyber operations and Iranian military objectives. The shift toward AI-assisted development and more complex execution techniques (like AppDomain hijacking) indicates a maturing threat actor capable of bypassing traditional security controls. The explicit expansion toward U.S. aviation targets suggests an intent to conduct espionage or disruptive preparation against Western critical infrastructure during periods of high geopolitical tension.
## Mitigations
* **Execution Prevention:** Implement controls to monitor and restrict the loading of unauthorized .NET AppDomainManager classes and monitor for suspicious `.xml` files in application directories.
* **Software Integrity:** Validate software installers and ensure employees only download collaboration tools (like Zoom) from verified, official sources.
* **Email Security:** Deploy advanced phishing protection to identify career-themed lures and fraudulent hiring domains.
* **Endpoint Monitoring:** Monitor for "AppDomain Manager" events in Windows Event Logs which may indicate hijacking attempts.
* **Network Filtering:** Block known C2 infrastructure and monitor for traffic to newly registered domains mimicking aviation or recruitment portals.
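The "Execution Prevention" mitigation above asks defenders to watch for unauthorized .NET AppDomainManager classes and suspicious `.xml`/`.config` files in application directories. The following hunting script is an added example (not code from Check Point Research, Industrial Cyber, or the report): it walks a directory tree, parses every `.config` file, and flags any `<runtime>` section that sets `appDomainManagerAssembly`/`appDomainManagerType` (the documented .NET configuration elements that T1574.013 abuses), then notes whether the named assembly is on an allow-list and whether a matching DLL sits beside the host executable. The allow-list entry `Contoso.HostManager`, the assembly name `UpdateHelper`, and the sample config files are all constructed placeholders for the demo.

```python
"""Hunt for AppDomainManager hijack configuration (MITRE T1574.013).

Added example, not from the report or the Check Point write-up. Parses .NET
app configuration files and flags any <runtime> section that redirects the
AppDomainManager to an assembly. Sample configs and the allow-list below are
constructed placeholders.
"""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Hypothetical allow-list: assemblies permitted to act as AppDomainManager in
# this environment. Placeholder value, not taken from the report.
APPROVED_MANAGER_ASSEMBLIES = {"Contoso.HostManager"}


@dataclass
class Finding:
    config_path: str
    manager_assembly: str
    manager_type: str
    reason: str


def inspect_config(config_path: Path) -> Optional[Finding]:
    """Return a Finding if the config installs an AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # not well-formed XML; nothing to evaluate
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm_el = runtime.find("appDomainManagerAssembly")
    type_el = runtime.find("appDomainManagerType")
    if asm_el is None and type_el is None:
        return None
    asm = (asm_el.get("value") if asm_el is not None else "") or ""
    typ = (type_el.get("value") if type_el is not None else "") or ""
    # Display names look like "Name, Version=..., Culture=..., PublicKeyToken=..."
    simple_name = asm.split(",")[0].strip()
    if simple_name in APPROVED_MANAGER_ASSEMBLIES:
        reason = "approved AppDomainManager assembly"
    else:
        reason = "unapproved AppDomainManager assembly"
    # A DLL with the manager's name dropped next to the host executable is the
    # sideload pattern worth escalating; record it when present.
    if simple_name and (config_path.parent / f"{simple_name}.dll").exists():
        reason += "; matching DLL present in application directory"
    return Finding(str(config_path), asm, typ, reason)


def scan_directory(root: Path) -> List[Finding]:
    """Scan every *.config under root; sorted so results are deterministic."""
    findings = [f for f in (inspect_config(c) for c in root.rglob("*.config")) if f]
    return sorted(findings, key=lambda f: f.config_path)


# Constructed sample configs for the demo (not real artifacts from the report).
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>
"""
APPROVED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Contoso.HostManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Contoso.HostManager.Manager" />
  </runtime>
</configuration>
"""
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>
"""


def build_demo_tree(base: Path) -> None:
    """Lay out three app directories: hijacked, approved manager, and plain."""
    (base / "tool").mkdir()
    (base / "tool" / "tool.exe.config").write_text(SUSPICIOUS_CONFIG)
    (base / "tool" / "UpdateHelper.dll").write_bytes(b"MZ placeholder")  # constructed
    (base / "host").mkdir()
    (base / "host" / "host.exe.config").write_text(APPROVED_CONFIG)
    (base / "plain").mkdir()
    (base / "plain" / "plain.exe.config").write_text(BENIGN_CONFIG)


def run_demo() -> List[Finding]:
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td)
        build_demo_tree(base)
        return scan_directory(base)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.config_path}: {f.manager_assembly!r} / {f.manager_type!r} -> {f.reason}")
```

In production the script would be pointed at Program Files and user-writable application directories, and any "unapproved" finding with a matching DLL in the same folder should be treated as a high-priority triage item, since legitimate software very rarely ships a custom AppDomainManager.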