Nimbus Manticore Resurfaces During Iran Conflict with AI-Assisted MiniFast Backdoor and SEO Poisoning
Check Point Research reveals that IRGC-affiliated threat actor Nimbus Manticore launched new campaigns during Operation Epic Fury, using AppDomain hijacking, SEO poisoning, and a novel AI-assisted backdoor named MiniFast.

Check Point Research has published a detailed report on the resurgence of Nimbus Manticore (also tracked as UNC1549), an IRGC-affiliated threat actor that intensified its operations during Operation Epic Fury, the US military campaign against Iran that began on February 28, 2026. The actor targeted aviation and software organizations across the United States, Europe, and the Middle East with a sophisticated multi-wave campaign that introduced several new techniques, including AppDomain hijacking for code execution, SEO poisoning for malware delivery, and a previously undocumented backdoor named MiniFast that appears to incorporate AI-assisted development practices.
The first wave of activity occurred in February 2026, amid rising tensions between the US, Israel, and Iran. Nimbus Manticore distributed career-themed phishing lures hosted on the OnlyOffice platform, masquerading as job opportunities from companies like Accenture. The infection chain relied on AppDomain hijacking, a technique that abuses a legitimate .NET application to load a malicious DLL at launch time: the attacker drops a trojanized XML configuration file (the application's .exe.config) in the same directory as the target binary, and its runtime section instructs the .NET runtime to load an attacker-named assembly and instantiate a custom AppDomainManager from it. When the application starts, the runtime loads the attacker-controlled DLL before the application's own entry point runs, giving the attacker code execution within the context of the trusted, often signed, process. The first-stage loader, uevmonitor.dll, extracted and deployed a new variant of the MiniJunk backdoor, displaying a fake error message to reduce user suspicion.
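As an added illustration of how a defender can hunt for this technique (example code written for this summary, not Check Point's tooling): the classic .NET Framework reads the runtime section of an application's .exe.config, and the appDomainManagerAssembly and appDomainManagerType elements there tell it to load a named assembly and instantiate a type from it before the application's Main runs. The script below walks a directory tree, flags any .config that sets those elements, and records whether a DLL matching the assembly's simple name sits beside it, which is where default assembly probing would find it. The two sample config files, the application names GoodApp and VictimApp, and the type name Placeholder.Manager are constructed for the demo; uevmonitor is the loader name reported on this page.

```python
# Added example: hunt for .NET AppDomainManager injection via *.exe.config files.
# Not code from the Check Point report; the sample files below are constructed.
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The classic .NET Framework runtime honours these two elements under
# <configuration><runtime>: the named assembly is loaded and its type is
# instantiated as the AppDomainManager before the host application's Main runs.
SUSPECT_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


@dataclass
class Finding:
    config_path: str
    assembly: str       # full assembly reference taken from the config
    manager_type: str   # type the runtime will instantiate
    dll_present: bool   # a DLL with the assembly's simple name sits beside the config


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix ('{urn:...}runtime' -> 'runtime')."""
    return tag.rsplit("}", 1)[-1]


def parse_config(path: str):
    """Return (assembly, type) if the config requests a custom AppDomainManager, else None."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    found = {}
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in SUSPECT_ELEMENTS:
            found[name] = elem.get("value", "")
    if "appDomainManagerAssembly" not in found:
        return None
    return found["appDomainManagerAssembly"], found.get("appDomainManagerType", "")


def scan_tree(root_dir: str) -> list:
    """Walk root_dir and report every *.config that redirects the AppDomainManager."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".config"):
                continue
            cfg = os.path.join(dirpath, fn)
            parsed = parse_config(cfg)
            if parsed is None:
                continue
            assembly, manager_type = parsed
            # Default probing resolves "Name, Version=..., ..." to Name.dll in the app directory.
            simple_name = assembly.split(",")[0].strip()
            dll_path = os.path.join(dirpath, simple_name + ".dll")
            findings.append(Finding(cfg, assembly, manager_type, os.path.isfile(dll_path)))
    return findings


# Constructed sample: one benign config, one that redirects the AppDomainManager
# to uevmonitor.dll (the loader name from the report); the type name is a placeholder.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="uevmonitor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Placeholder.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"/>
  </runtime>
</configuration>
"""


def demo() -> list:
    """Build the constructed sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        bad = os.path.join(tmp, "bad")
        os.makedirs(good)
        os.makedirs(bad)
        with open(os.path.join(good, "GoodApp.exe.config"), "w") as f:
            f.write(BENIGN_CONFIG)
        with open(os.path.join(bad, "VictimApp.exe.config"), "w") as f:
            f.write(HIJACK_CONFIG)
        # Stand-in for the planted loader DLL (empty file; only its presence is checked).
        open(os.path.join(bad, "uevmonitor.dll"), "wb").close()
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.config_path}: loads {finding.assembly} "
              f"type={finding.manager_type} dll_present={finding.dll_present}")
```

Two caveats when turning this into a real sweep: the same redirection can be set through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so a config-file scan alone does not cover every variant of the technique, and .NET Core and later runtimes do not honour these elements, so the hunt applies to classic .NET Framework hosts. Point it at program directories where a signed .NET executable has recently gained a .config it did not ship with.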
During Operation Epic Fury, the threat actor demonstrated notable operational resilience, keeping its infrastructure online and rapidly developing new tooling despite the wartime environment. Check Point researchers assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development. The clearest product of that shift is a new backdoor named MiniFast, which replaces the previously used MiniJunk family and appears to have been developed with AI assistance, letting the actor adapt its tooling quickly while maintaining high operational availability during the conflict.
In addition to career-themed phishing lures masquerading as a US-based airline, Nimbus Manticore also used a trojanized Zoom installer, which researchers believe was part of a phishing campaign using fake meeting invitations. The trojanized installer demonstrated in-depth research into the original application's installation and execution flow, enabling it to be seamlessly integrated into the infection chain. The actor continued leveraging AppDomain hijacking not just for initial execution but also during the deployment and execution of the final backdoor.
For the first time, researchers observed the use of SEO poisoning as an additional malware delivery method. This technique lures victims who search for legitimate software or services to attacker-controlled websites hosting the trojanized payloads, so the download looks to the victim and to endpoint telemetry like an ordinary software install rather than the result of a phishing email. Combining SEO poisoning with the trojanized Zoom installer represents a significant expansion of Nimbus Manticore's operational toolkit: the lure blends into legitimate user activity, while the infection chain remains time-sensitive, with payload staging available only for a limited window.
The report highlights three distinct waves of activity over the last few months, each demonstrating the actor's ability to adapt and evolve. The introduction of AI-assisted development practices marks a notable shift in the threat landscape, potentially enabling faster iteration and more sophisticated evasion. Organizations in the aviation, defense, and software sectors should review their phishing defenses and monitor for the indicators of compromise published with the report. Given the reliance on AppDomain hijacking, they should also audit program directories for .NET application configuration files that name a custom AppDomainManager assembly, and treat a new .config or DLL appearing beside a signed .NET executable as worth investigating.
Check Point Research's findings underscore the persistent threat posed by Iranian state-sponsored cyber actors, particularly during periods of heightened geopolitical tension. The rapid adoption of new techniques and the integration of AI-assisted development suggest that Nimbus Manticore will continue to be a formidable adversary, capable of launching targeted attacks against high-value sectors across multiple regions.