ICNA

Iranian Cyber News Agency

Nimbus Manticore

List of names used by industry:

• Screening Serpens
• UNC1549
• Smoke Sandstorm
• TA455

Date founded:
The group is believed to have been active since June 2022.

Affiliation:
The group has been affiliated with the Islamic Revolutionary Guard Corps and overlaps with other Iranian hacking groups such as Crimson Sandstorm.
Nimbus Manticore is an Iran-nexus cyber-espionage group linked to Charming Kitten and involved in the Iranian "dream job" campaign. The group has historically focused on aerospace and defense targets in the Middle East and Europe.

Social media handles/websites:

N/A

Previous operations:

19 September 2025 – The group compromised 34 devices across 11 telecommunications firms in Canada, France, the UAE, the UK and the USA, using LinkedIn job lures to deliver the MINIBIKE malware.

September 2025 – The group carried out a cyber operation against two Swedish companies.

February 2026 – Indication of a payload delivery to a Middle Eastern target. The group introduced a modified infection chain that abuses AppDomain hijacking for execution: a legitimate .NET executable is shipped with a crafted .exe.config whose appDomainManager settings make the CLR load the attacker's assembly before the program's own code runs.

February 2026 – The group targeted workers in Saudi Arabia and Australia with fake job offers on OnlyOffice. Victims downloaded ZIP archives that carried malicious configuration files, which in turn launched the MiniJunk malware.

March 2026 – The group switched to fake Zoom meeting invites delivering Zoominstall64.zip. Opening it launched a genuine Zoom installer while AppDomain hijacking deployed a new backdoor called MiniFast. Samples were identified on VirusTotal, uploaded from organizations in the US and Israel.

April 2026 – Samples from the UAE and another Middle Eastern entity were discovered, together with a new infection method: a fake website impersonating the download page for SQL Developer. Users who tried to download the software from the fake site received a weaponized installer that delivered the MiniFast backdoor.

22 May 2026 – The group carried out a campaign impersonating organizations in the aviation and software sectors across the US, Europe and the Middle East, using the MiniFast backdoor (aka MiniUpdate), which appears to have been developed with the help of AI. This was the first time SEO poisoning was observed as an additional malware delivery method.

1 June 2026 – A campaign was attributed to the group that builds a DLL side-loading chain out of AppDomain hijacking, fake Ebix job lures, Azure-hosted C2 and multi-stage payloads for data exfiltration.

Tactics/Techniques/Tradecraft/Procedures (TTPs):

• Targets the aerospace, aviation and defense industries in the Middle East using malware families such as MINIBIKE, TWOSTROKE, DEEPROOT and CRASHPAD.
• Uses previously undocumented low-level APIs to establish a multi-stage DLL side-loading chain, causing a legitimate process to load a malicious DLL from an attacker-chosen location instead of following the normal DLL search order.
• Runs tailored spear-phishing and "dream job" campaigns that trick targets into handing over credentials under the guise of legitimate employment opportunities. The attackers set up fake HR recruiter profiles on LinkedIn and reach out to prospective targets with non-existent job offers.
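The AppDomain hijacking that recurs in the operations above (the .exe.config beside a legitimate .NET executable) leaves a file-system footprint that can be hunted for. The script below is an added example written for this profile; it is not code from ICNA or from any of the cited vendor reports, and the two config files, the directory layout and the names UpdateHelper and Updater.exe are constructed for the demonstration. It parses .exe.config files, reports any that ask the CLR to load an AppDomainManager, and checks whether the paired executable and the named assembly are actually present.

```python
"""Hunt for AppDomainManager injection ("AppDomain hijacking") config files.

Added example, not code from the page or the cited reports; sample configs and
file names below are constructed. Mechanism: a .NET Framework executable reads
<name>.exe.config at start-up. If <runtime> names an appDomainManagerAssembly
and appDomainManagerType, the CLR loads that assembly and instantiates the type
before Main() runs, so a legitimate signed .exe dropped next to a crafted
.config and an attacker assembly executes attacker code under a trusted name.
"""
from dataclasses import dataclass, field
from pathlib import Path
import tempfile
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"   # namespace of <assemblyBinding>

# Constructed sample: ordinary runtime settings, nothing suspicious.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

# Constructed sample of a hijacking config: loads UpdateHelper.Manager from an
# assembly probed in ./cfg, and switches off CLR ETW events for the process.
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <etwEnable enabled="false"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="cfg"/>
    </assemblyBinding>
  </runtime>
</configuration>"""


@dataclass
class Finding:
    config: str
    assembly: str
    manager_type: str
    flags: list = field(default_factory=list)


def inspect_config(text: str, config_path: str = "<inline>"):
    """Return a Finding if the config asks the CLR to load an AppDomainManager."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None                       # not XML at all: nothing to parse
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None                       # ordinary runtime settings
    flags = []
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "true").lower() == "false":
        flags.append("etw-disabled")      # blinds ETW-based .NET telemetry
    probing = runtime.find(f"{{{ASM_NS}}}assemblyBinding/{{{ASM_NS}}}probing")
    if probing is not None:
        flags.append("probing-privatePath=" + probing.get("privatePath", ""))
    return Finding(config=config_path,
                   assembly=asm.get("value", "") if asm is not None else "",
                   manager_type=typ.get("value", "") if typ is not None else "",
                   flags=flags)


def scan_tree(root: Path):
    """Walk a directory for *.exe.config hits and note whether the paired .exe
    and the manager assembly DLL exist (a config without both is inert)."""
    findings = []
    for cfg in sorted(root.rglob("*.exe.config")):
        hit = inspect_config(cfg.read_text(encoding="utf-8", errors="replace"), str(cfg))
        if hit is None:
            continue
        if cfg.with_name(cfg.name[:-len(".config")]).exists():
            hit.flags.append("paired-exe-present")
        simple_name = hit.assembly.split(",")[0].strip()
        candidates = [cfg.parent / f"{simple_name}.dll"]
        for flag in hit.flags:
            if flag.startswith("probing-privatePath="):
                candidates.append(cfg.parent / flag.split("=", 1)[1] / f"{simple_name}.dll")
        if any(c.exists() for c in candidates):
            hit.flags.append("manager-dll-present")
        findings.append(hit)
    return findings


def build_demo_tree() -> Path:
    """Create a temp tree with one benign and one hijacked layout (constructed)."""
    base = Path(tempfile.mkdtemp(prefix="appdomain-hunt-"))
    good = base / "good"; good.mkdir()
    (good / "Tool.exe").write_bytes(b"MZ")
    (good / "Tool.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")
    bad = base / "bad"; bad.mkdir()
    (bad / "Updater.exe").write_bytes(b"MZ")               # stands in for a signed .NET exe
    (bad / "Updater.exe.config").write_text(HIJACK_CONFIG, encoding="utf-8")
    (bad / "cfg").mkdir()
    (bad / "cfg" / "UpdateHelper.dll").write_bytes(b"MZ")  # stands in for the attacker assembly
    return base


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding)
```

Point scan_tree at user-writable locations where a legitimate executable would never normally carry a .config (Downloads, Temp, extracted ZIP folders); a hit with both paired-exe-present and manager-dll-present is the complete hijacking kit, while a hit with etw-disabled on its own still deserves a look, since that setting has no business in an ordinary application's config.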

Sources:
unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens
research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe
hackread.com/iran-nimbus-manticore-trojan-zoom-installers-us-firms
nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains
research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict