Iranian hacking group carries out cyber operations against 2 Swedish companies
Swedish news outlet ‘Dagens Nyheter’ has published an article stating that hacker networks connected to the intelligence services of the Islamic Republic of Iran exploited 2 Swedish software companies and their trade infrastructure in spring this year to carry out covert cyber operations in Europe. The hackers are known by the name “Nimbus Manticore”. The group fabricated digital certificates in the names of these small Swedish companies in order to bypass security systems.
Nimbus Manticore
Nimbus Manticore is an Iranian threat actor group that overlaps with UNC1549, Smoke Sandstorm and the “Iranian dream job” operations. Its campaigns target defense manufacturing, telecommunications and aviation targets that are aligned with IRGC strategic priorities. The group uses advanced malware like MiniBrowse and MiniJunk.
Its most recent activity focussed on Western Europe, especially Denmark, Sweden and Portugal. It has also carried out operations in the Middle East. The threat actor impersonates local and global aerospace, defense manufacturing and telecommunications organisations. The group often uses malware delivery websites, reached through phishing links that direct victims to fake job-related login pages. Victims are then directed to a fraudulent portal hosted behind Cloudflare and prompted to download malicious files.





