VYPR
Breach · Published May 26, 2026 · 2 sources

Iran-Linked Nimbus Manticore Targets US Aviation with AI-Built MiniFast Backdoor

Iran's Nimbus Manticore group is targeting US aviation organizations in a campaign combining phishing and SEO poisoning to deploy the AI-assisted MiniFast backdoor.

Iran-linked threat actor Nimbus Manticore is actively targeting US aviation organizations with a sophisticated campaign that combines phishing and SEO poisoning to deliver an AI-built backdoor named MiniFast. The group, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has leveraged social engineering and search engine manipulation to compromise victims in the critical aviation sector, according to Check Point Research.

The campaign uses spear-phishing emails and SEO poisoning to lure targets to malicious domains, where an infection chain deploys the MiniFast backdoor. This malware was constructed with the assistance of generative AI, marking an escalation in the group's technical capabilities. The backdoor provides persistent remote access, enabling data exfiltration and further lateral movement within victim networks.

Nimbus Manticore has previously been linked to espionage operations against Israeli and US targets, and this latest activity aligns with heightened tensions during what researchers call Operation Epic Fury. The aviation sector is considered critical infrastructure, and intrusions could lead to espionage, operational disruption, or supply chain compromise. The group's use of SEO poisoning—manipulating search engine rankings to direct victims to attacker-controlled sites—demonstrates an evolution in their social engineering tactics.

The MiniFast backdoor itself is notable for its efficiency and stealth. It communicates with command-and-control infrastructure over encrypted channels, and its AI-assisted development suggests the group is experimenting with generative AI to accelerate malware creation and to produce code that is harder to match against existing detection signatures. This trend is increasingly observed across state-aligned threat actors.

Organizations in the US aviation sector are advised to implement robust email security filters, conduct user awareness training on phishing and SEO poisoning, and monitor for indicators of compromise associated with MiniFast. Sector-specific threat intelligence sharing will be critical to defend against this targeted campaign.

The campaign underscores the growing sophistication of Iranian cyber operations against Western critical infrastructure. As geopolitical tensions continue, sectors like aviation remain high-priority targets for espionage and sabotage. The integration of AI into malware development also signals a broader shift in the threat landscape that defenders must prepare for.

New reporting from Palo Alto Networks Unit 42 expands the scope of the campaign, revealing that Nimbus Manticore also targeted a US oil and gas firm and deployed an updated variant of MiniJunk, dubbed MiniJunk V2, alongside MiniFast. The findings confirm that the group's operations accelerated during the regional conflict, with deeply personalized lures, including fake job requisitions and spoofed video conferencing invitations, used to breach entities across five countries.

Synthesized by Vypr AI