LIVE NEWSROOM · May 26, 2026

Nimbus Manticore Deploys MiniFast and MiniJunk V2 via SEO Poisoning


Nimbus Manticore — the IRGC-affiliated (Islamic Revolutionary Guard Corps) Iranian advanced persistent threat group also tracked as UNC1549, Screening Serpens, and Smoke Sandstorm — has launched a new espionage campaign deploying two previously undocumented malware families, MiniFast and MiniJunk V2, against organizations in the aviation, software development, and defense sectors across the United States, Europe, and the Middle East. The campaign, documented by Check Point Research, marks the first confirmed use of SEO poisoning (manipulating search engine results to deliver malware in place of legitimate software) by this threat actor and represents a significant evolution from the AppDomainManager hijacking techniques Nimbus Manticore used in earlier 2026 operations.

// 01 Nimbus Manticore: Threat Actor Background

Nimbus Manticore is assessed with high confidence as operating on behalf of Iran's IRGC. The group has been active since at least 2020, with a consistent focus on defense, aviation, telecommunications, and energy sector targets across the Middle East, South Asia, Europe, and the United States. It shares infrastructure and tooling with other IRGC-affiliated clusters and is known for combining sophisticated technical tradecraft with disciplined operational security.

Prior Nimbus Manticore campaigns used lures impersonating aerospace and defense recruitment processes — fake job postings, fabricated HR emails, and spoofed video conferencing invitations — to deliver earlier generations of their malware toolkit including the original MiniJunk backdoor and the MiniUpdate RAT (Remote Access Trojan — malware that gives attackers persistent remote control over an infected system).

The new campaign documented in May 2026 emerged in direct response to Operation Epic Fury — the U.S.-Israeli joint military campaign against Iran launched February 28, 2026 — and appears designed to establish persistent access in aviation and defense supply chain organizations in retaliation and for ongoing intelligence collection.

// 02 New Campaign: Three Waves of Activity

Check Point Research tracked the new Nimbus Manticore campaign across three distinct operational waves between February and April 2026:

Wave 1 (February 2026): Spear-phishing emails impersonating aviation industry HR departments, delivering weaponized documents that used AppDomain hijacking (.NET AppDomain — a process isolation boundary in the .NET runtime) to load the MiniFast backdoor without writing a standalone executable to disk.

Wave 2 (March 2026): Expansion to software sector targets using fake job requisitions and technical assessment documents. First appearance of MiniJunk V2, an updated variant of the group's existing backdoor, alongside MiniFast.

Wave 3 (April 2026): Introduction of SEO poisoning as a new delivery channel, specifically targeting users searching for Oracle SQL Developer. Nimbus Manticore registered getsqldeveloper[.]com — a domain designed to mimic Oracle's legitimate download page — and built a network of supporting domains to artificially elevate its search engine ranking. Users searching for "SQL Developer" or "Oracle SQL Developer download" were served results pointing to weaponized installers that deployed MiniFast alongside the legitimate SQL Developer software to avoid arousing suspicion.

// 03 MiniFast and MiniJunk V2: Malware Analysis

MiniFast

MiniFast is a 64-bit backdoor written in .NET that replaces MiniJunk as Nimbus Manticore's primary post-compromise access tool. Key capabilities include:

  • Remote command execution via CMD.exe with opcode-based command dispatch
  • File upload and download to and from the infected host
  • Directory and process enumeration for reconnaissance
  • Persistence via a scheduled task disguised as a legitimate Zoom update task (ZoomUpdateTaskUser) — a technique that exploits user familiarity with Zoom's own background update mechanism to avoid detection
  • C2 communication using a Base64-encoded tasking protocol with an API-style architecture routing traffic through 3 to 5 unique Azure-hosted domains per target or variant

The use of Azure (Microsoft's cloud infrastructure) for command-and-control (C2 — the server through which attackers issue instructions to malware on compromised systems) is a deliberate anti-detection choice. Outbound HTTPS traffic to Azure domains is rarely blocked at the network perimeter and blends with legitimate Microsoft cloud service traffic from the same environment.

MiniJunk V2

MiniJunk V2 is an evolution of the group's earlier MiniJunk backdoor, with one significant anti-analysis modification: the malware binary has been padded to approximately 12 megabytes with meaningless code strings. This inflation technique — expanding the file with junk data — exploits size limits in automated sandbox environments (isolated analysis systems that detonate suspicious files) that are configured to skip analysis of files above a certain size threshold. MiniJunk V2 retains the remote access trojan functionality of its predecessor, providing persistent control over infected systems.
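A defender-side check for this inflation pattern, added here as an illustration and not part of Check Point's analysis or of this article's original text: rather than letting a sandbox skip oversized files outright, a submission pre-filter can measure how much of a file is filler and treat "oversized but mostly filler" as a reason to analyse, not to skip. The 10 MB cap, the 64 KB chunk size and the 5% compression threshold are assumptions chosen for illustration, and the sample "binary" is constructed bytes, not a real MiniJunk V2 sample.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import List

# Illustrative sandbox size cap; the article says such caps exist, the exact value is an assumption.
SANDBOX_SIZE_LIMIT = 10 * 1024 * 1024
CHUNK = 64 * 1024
PADDING_RATIO = 0.05  # a chunk that zlib shrinks below 5% of its size is filler, not code or resources


@dataclass
class PaddingReport:
    size: int
    over_limit: bool
    padded_chunks: int
    total_chunks: int
    effective_size: int  # bytes that remain once filler chunks are discounted

    @property
    def suspicious(self) -> bool:
        """Oversized AND mostly filler: inflate-to-evade rather than a genuinely large program."""
        if not self.over_limit or self.total_chunks == 0:
            return False
        return self.padded_chunks / self.total_chunks >= 0.5


def chunk_is_padding(chunk: bytes) -> bool:
    """Repeated junk strings compress to almost nothing; compiled code and packed resources do not."""
    return len(zlib.compress(chunk, 6)) < len(chunk) * PADDING_RATIO


def assess_padding(blob: bytes, limit: int = SANDBOX_SIZE_LIMIT) -> PaddingReport:
    """Walk the file in fixed chunks and count how many are filler."""
    chunks: List[bytes] = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    padded = sum(1 for c in chunks if chunk_is_padding(c))
    effective = max(len(blob) - padded * CHUNK, 0)
    return PaddingReport(len(blob), len(blob) > limit, padded, len(chunks), effective)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic, incompressible bytes standing in for real compiled code (constructed, not a binary)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample(inflated: bool) -> bytes:
    """Constructed test input: a 256 KB 'program', optionally padded with ~12 MB of repeated junk strings."""
    body = pseudo_random_bytes(256 * 1024)
    if not inflated:
        return body
    junk = b"// this string means nothing and is repeated to bloat the file\n"
    padding = junk * (12 * 1024 * 1024 // len(junk))
    return body + padding


if __name__ == "__main__":
    for label, sample in (("inflated", build_sample(True)), ("normal", build_sample(False))):
        r = assess_padding(sample)
        print(f"{label}: {r.size} bytes, {r.padded_chunks}/{r.total_chunks} filler chunks, "
              f"effective {r.effective_size} bytes, suspicious={r.suspicious}")
```

The point of `effective_size` is operational: a file reported as 12 MB but carrying 256 KB of substance is small enough for any sandbox, so a submission pipeline can route it for analysis instead of honouring the raw-size cap that the padding was built to trigger.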

MiniUpdate RAT

The campaign also continues to use MiniUpdate RAT, an earlier Nimbus Manticore tool that routes traffic through 3 to 5 unique Azure-hosted C2 domains per variant, complicating domain-based blocking and attribution.

// 04 Targeted Sectors and Regions

Targeted sectors: Aviation, software development, defense, telecommunications, oil and energy

Targeted regions: United States, Europe (UK, Germany, and other NATO member states), Middle East (Israel, UAE, Saudi Arabia)

The targeting pattern is consistent with Iran's strategic intelligence priorities following Operation Epic Fury — specifically, collection against aviation sector companies that may support military logistics or aerial surveillance capabilities, and software companies that may hold source code relevant to defense or critical infrastructure systems.

// 05 Indicators of Compromise

| Indicator | Type | Description |
|-----------|------|-------------|
| getsqldeveloper[.]com | Domain | Fake Oracle SQL Developer download page |
| ZoomUpdateTaskUser | Scheduled Task Name | MiniFast persistence mechanism |
| Azure-hosted C2 domains | Infrastructure | 3–5 unique domains per target/variant |
| ~12MB .NET executable | File | MiniJunk V2 size-inflated binary |

// 06 What You Should Do Right Now

  • Block getsqldeveloper[.]com and audit software download policies. Add this domain to DNS blocklists and proxy deny lists. Review and enforce organizational policies requiring software to be downloaded only from official vendor sites (oracle.com for SQL Developer) or an internally approved software repository.
  • Hunt for the ZoomUpdateTaskUser scheduled task. Run the following on Windows endpoints:

Get-ScheduledTask | Where-Object { $_.TaskName -like "*ZoomUpdate*" } | Select-Object TaskName, TaskPath, State

Any result not created by a legitimate Zoom installation should be treated as a MiniFast persistence indicator.

  • Audit outbound HTTPS to Azure domains from non-browser processes. MiniFast routes C2 over HTTPS to Azure-hosted domains. Use EDR (Endpoint Detection and Response) telemetry or network flow data to identify non-browser processes (e.g., cmd.exe, scheduled task host processes) initiating HTTPS connections to *.azurewebsites.net or similar Azure domains.
  • Implement DNS-based monitoring for typosquatting domains. Tools like DNSTwist can generate and monitor typosquatting variations of your vendor software download domains. Configure your DNS resolver or proxy to alert on resolution of newly registered lookalike domains.
  • Check email gateways for aviation and software recruitment lures. Search email security logs for messages referencing Oracle SQL Developer downloads, aviation HR processes, or fake job application materials. Flag and quarantine for manual review.
  • Enable .NET AppDomain monitoring in EDR. MiniFast uses AppDomain hijacking for initial execution. Many EDR platforms can log AppDomain.CreateDomain() calls and abnormal .NET assembly loading from network paths or temp directories — review these logs for non-standard behavior.
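One way to run the Azure C2 hunt from the third bullet over EDR network-connection records, added here as an illustration rather than a query from this article or from any EDR vendor. The Azure suffix list, the browser and first-party-client allowlists, the scheduled-task parent processes and the six telemetry records are all constructed assumptions, to be tuned against your own environment before use.

```python
from typing import Dict, List

# Public Azure hosting suffixes under which attacker-registered C2 can sit (constructed starting list).
AZURE_SUFFIXES = (
    "azurewebsites.net", "cloudapp.azure.com", "blob.core.windows.net",
    "trafficmanager.net", "azureedge.net", "azurefd.net",
)
# Processes expected to reach Azure-hosted sites: browsers and first-party Microsoft clients.
# Assumption: an environment-specific allowlist, not a vendor-supplied one.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
KNOWN_CLIENTS = {"onedrive.exe", "ms-teams.exe", "outlook.exe"}
# Scheduled-task actions are launched by the Schedule service (svchost.exe) or by taskhostw.exe.
TASK_HOSTS = {"svchost.exe", "taskhostw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def is_azure_host(host: str) -> bool:
    """True when the destination hostname is under one of the Azure hosting suffixes."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in AZURE_SUFFIXES)


def triage(events: List[Dict]) -> List[Dict]:
    """Return the events worth an analyst's time, each annotated with a severity and reason.

    Each event is an EDR network-connection record with 'id', 'process', 'parent', 'dest'
    (a hostname; IP-only telemetry must first be joined with DNS events) and 'port'.
    """
    flagged = []
    for ev in events:
        proc = ev["process"].lower()
        parent = ev["parent"].lower()
        if ev["port"] != 443 or not is_azure_host(ev["dest"]):
            continue  # not HTTPS to Azure, outside this hunt
        if proc in BROWSERS or proc in KNOWN_CLIENTS:
            continue  # expected client, suppressed
        if proc in SHELLS and parent in TASK_HOSTS:
            severity, reason = "high", "shell launched by scheduled task reaching Azure host"
        else:
            severity, reason = "medium", "non-browser process reaching Azure host"
        flagged.append({**ev, "severity": severity, "reason": reason})
    return flagged


# Constructed telemetry records for illustration; none of these hostnames are real indicators.
EVENTS = [
    {"id": 1, "process": "chrome.exe", "parent": "explorer.exe", "dest": "portal-demo.azurewebsites.net", "port": 443},
    {"id": 2, "process": "cmd.exe", "parent": "svchost.exe", "dest": "api-svc-7.azurewebsites.net", "port": 443},
    {"id": 3, "process": "OneDrive.exe", "parent": "explorer.exe", "dest": "sync-demo.blob.core.windows.net", "port": 443},
    {"id": 4, "process": "powershell.exe", "parent": "taskhostw.exe", "dest": "upd-cdn.eastus.cloudapp.azure.com", "port": 443},
    {"id": 5, "process": "dotnet.exe", "parent": "explorer.exe", "dest": "telemetry-demo.azureedge.net", "port": 443},
    {"id": 6, "process": "cmd.exe", "parent": "svchost.exe", "dest": "intranet.corp.example", "port": 443},
]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f"[{hit['severity']}] id={hit['id']} {hit['process']} (parent {hit['parent']}) "
              f"-> {hit['dest']}: {hit['reason']}")
```

Record 6 shows why the destination test comes first: a shell launched from a scheduled task talking to an internal host is a different investigation, and mixing it into this hunt would dilute the Azure-specific signal the bullet asks for.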

// 07 Background: Understanding the SEO Poisoning Technique

SEO poisoning — also called search engine optimization poisoning or malvertising via organic search — is an attack technique where threat actors register lookalike domains and use link-building networks to manipulate their position in organic search results for high-value queries like software downloads. Unlike malicious advertising (which requires purchasing ad placements), SEO poisoning operates through legitimate search ranking signals and is harder to detect and block proactively.
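A DNSTwist-style monitor for the lookalike-domain side of this technique, added as an example that is not part of the original article and is not DNSTwist's own code. It goes slightly beyond the article in one respect: besides the typosquat permutations a tool like DNSTwist generates, it also flags domains that carry a product keyword outside the vendor's own domains, which is the pattern getsqldeveloper[.]com fits. The vendor domain, the product keywords and the six-entry "newly observed domains" feed are assumptions given inline; a real deployment would feed it certificate-transparency logs or passive DNS.

```python
import re
from typing import Dict, Iterable, Optional, Set

VENDOR_DOMAINS = ("oracle.com",)                 # where SQL Developer is really published
VENDOR_LABEL = "oracle"                          # label for which typosquat permutations are generated
PRODUCT_KEYWORDS = ("sqldeveloper", "oraclesql") # keywords a download-lure domain tends to carry (assumption)


def typosquat_variants(label: str) -> Set[str]:
    """Permutations of the kind DNSTwist generates: omission, repetition, hyphenation, transposition."""
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                 # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])                  # repetition
        if i > 0:
            out.add(label[:i] + "-" + label[i:])                           # hyphenation
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition
    out.discard(label)
    return out


def normalize(label: str) -> str:
    """Strip hyphens and digits so 'sql-developer2' still matches 'sqldeveloper'."""
    return re.sub(r"[^a-z]", "", label.lower())


def is_vendor_owned(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == v or d.endswith("." + v) for v in VENDOR_DOMAINS)


def classify(domain: str, variants: Set[str]) -> Optional[str]:
    """Reason string when the domain looks like a lure, None when it does not."""
    if is_vendor_owned(domain):
        return None
    labels = domain.lower().rstrip(".").split(".")
    # Assumption: the registrable name is the label before the TLD (no public-suffix handling here).
    name = labels[-2] if len(labels) >= 2 else labels[0]
    if name in variants:
        return "typosquat of vendor label"
    norm = normalize(name)
    for kw in PRODUCT_KEYWORDS:
        if kw in norm:
            return f"product keyword '{kw}' outside vendor domains"
    return None


def scan_feed(domains: Iterable[str]) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    variants = typosquat_variants(VENDOR_LABEL)
    hits: Dict[str, str] = {}
    for d in domains:
        reason = classify(d, variants)
        if reason:
            hits[d] = reason
    return hits


# Constructed feed of newly observed domains; only getsqldeveloper.com is the article's own indicator.
NEW_DOMAINS = [
    "getsqldeveloper.com",
    "sqldeveloper.oracle.com",
    "oracel.com",
    "oracle-sqldeveloper-download.net",
    "o-racle.net",
    "example.com",
]


if __name__ == "__main__":
    for domain, reason in scan_feed(NEW_DOMAINS).items():
        print(f"ALERT {domain}: {reason}")
```

The keyword rule is what catches the campaign's registration style: getsqldeveloper[.]com is not a misspelling of oracle.com and no permutation engine would produce it, so a monitor limited to typosquats of the vendor domain would have stayed silent.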

The technique has been used extensively by initial access brokers and ransomware affiliates targeting enterprise software searches (Zoom, Cisco AnyConnect, Notepad++, Python), but this is the first documented use by Nimbus Manticore — marking a capability expansion for an already sophisticated state-sponsored group. The combination of phishing (targeting humans with tailored lures) and SEO poisoning (targeting humans through search behavior) represents a comprehensive initial access strategy that does not rely solely on email as the delivery vector.

For security teams, this underscores the inadequacy of email-only defenses against state APT groups that adapt delivery mechanisms in response to improving email security tooling.

// 08 Conclusion

Nimbus Manticore is an active Iranian state threat actor conducting a multi-vector espionage campaign against aviation, defense, and software organizations in the U.S., Europe, and Middle East. The introduction of MiniFast with Azure-based C2, size-inflated MiniJunk V2, and SEO poisoning as a delivery channel represents a measurable increase in operational sophistication. Security teams in targeted sectors should immediately hunt for the ZoomUpdateTaskUser scheduled task, block getsqldeveloper[.]com, and audit outbound HTTPS from non-browser processes to Azure infrastructure.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.