DEV Community

Deepak Sharma

Iranian Hackers Deploy MiniFast and MiniJunk V2 Through Phishing and SEO Poisoning

Cybersecurity researchers report a new wave of cyber espionage activity attributed to the Iranian state-linked threat group Nimbus Manticore, also tracked as UNC1549 and Screening Serpens. The group has been targeting organizations in aviation, software, telecommunications, defense, and energy across the United States, Europe, the Middle East, and Australia.

Activity reportedly intensified after joint U.S.-Israeli military actions against Iran earlier in 2026. Since then, the attackers have rolled out new malware families, changed their delivery methods, and widened their operations by relying heavily on phishing, fake job offers, and SEO poisoning.

One of the main malware strains seen in the intrusions is a new backdoor called “MiniFast,” also referred to as MiniUpdate. Researchers believe the code may have been written partly with the help of AI tools, citing unusually verbose error handling, repetitive function naming, a modular code layout, and a large number of debug-style messages as signs that tooling assisted the malware’s development.

Nimbus Manticore is known for “dream job” style operations similar to those attributed to North Korean threat groups. Victims are approached with fake recruitment opportunities and nudged into downloading malicious files disguised as ordinary business documents or legitimate software installers.

In one campaign aimed at people working in aviation and software in Saudi Arabia and Australia, targets received career-themed messages directing them to download ZIP archives hosted on OnlyOffice. Each archive contained a seemingly harmless executable. When run, it used a technique known as AppDomain hijacking to quietly load a malicious DLL belonging to the MiniJunk malware family.

Researchers later observed a similar but more elaborate attack chain in March 2026. In that campaign the attackers reportedly used a trojanized Zoom installer, with victims lured by fake meeting invitations so that the download would look like part of normal corporate life. Once run, the installer again relied on AppDomain hijacking, this time to deploy the MiniFast backdoor onto the victim’s device.

What makes MiniFast hard to ignore is its capability set. Researchers describe it as a fully featured backdoor built for persistence and remote control. It communicates with attacker-controlled servers over HTTP and supports a wide range of operator commands, including file manipulation, directory listing, process enumeration, command execution through cmd.exe, DLL loading, archive creation, privilege escalation, and persistence via scheduled tasks.

MiniFast can also adjust its communication intervals on the fly, changing its jitter and polling settings so that its traffic looks less regular and is harder for security monitoring systems to track. Before entering its command loop, it reportedly sends system details back to its operators, letting the attackers profile the infected machines.
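
The jittered HTTP beaconing described above is the kind of behaviour that network monitoring can still surface. The following Python script is an added example, not code from the original post or from any researcher cited in it: it parses a constructed proxy-log format and flags client-to-server pairs whose request timing stays clustered around a base interval even with jitter applied; the log format, addresses and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry): "timestamp src dst method path".
# 203.0.113.7 gets a ~60 s beacon with +/-20% jitter; 198.51.100.20 is browsing.
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:00:10 10.0.0.5 198.51.100.20 GET /news
2026-03-10T09:00:12 10.0.0.5 198.51.100.20 GET /news/article
2026-03-10T09:01:03 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:01:55 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:03:06 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:03:58 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:04:40 10.0.0.5 198.51.100.20 GET /news
2026-03-10T09:05:01 10.0.0.5 203.0.113.7 GET /api/ping
2026-03-10T09:17:22 10.0.0.5 198.51.100.20 GET /about
2026-03-10T09:17:25 10.0.0.5 198.51.100.20 GET /about/team
"""

def parse(log_text):
    """Group request timestamps by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            flows[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return flows

def beacon_score(timestamps):
    """Return (median_gap_s, dispersion), or None with fewer than 4 gaps.
    Dispersion = median absolute deviation of inter-request gaps / median gap.
    Jitter spreads a beacon's gaps but keeps them near the base interval, so
    the ratio stays small; bursty human traffic scores high."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4:
        return None
    med = statistics.median(gaps)
    mad = statistics.median([abs(g - med) for g in gaps])
    return med, (mad / med if med else float("inf"))

def find_beacons(log_text, max_dispersion=0.3, min_hits=5):
    """Flag (src, dst) pairs with suspiciously regular timing; the thresholds
    are assumed starting points for tuning, not values from the report."""
    suspects = {}
    for key, stamps in parse(log_text).items():
        score = beacon_score(stamps) if len(stamps) >= min_hits else None
        if score and score[1] <= max_dispersion:
            suspects[key] = score
    return suspects
```

MAD is used rather than standard deviation so that one long pause (a sleep command, a laptop closing) does not mask an otherwise regular beacon.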

One of the more notable turns in this campaign was the group’s use of SEO poisoning. Beyond phishing messages, it built decoy websites impersonating Oracle SQL Developer download pages and used search engine optimization techniques to push them to the top of results on search engines such as Bing and DuckDuckGo.

According to researchers, the attackers registered dozens of supporting domains to lend credibility and visibility to the malicious download pages. Users searching for everyday software utilities could land on the fake sites and download trojanized installers that quietly deliver MiniFast.

Security experts say this shift marks a significant evolution in the group’s tactics toward a quieter kind of operation. Instead of approaching victims directly, the attackers now compromise them passively: they manipulate search engine rankings and wait for targets to find the malicious pages themselves.

Additional reporting from security researchers showed that Nimbus Manticore rolled out a fresh build of MiniJunk, called MiniJunk V2, in espionage operations aimed at organizations in the United States, Israel, the United Arab Emirates, and other countries across the Middle East. One reported victim was a U.S. oil and gas firm.

Researchers also observed extensive personalization in the group’s social engineering. Fake job offers, spoofed meeting invitations, and tailored messages were used to make the lures more believable, which raises the chance that victims will trust the messages and start the infection sequence themselves.

The campaign shows how modern threat actors blend traditional phishing with newer techniques such as SEO poisoning, AI-assisted malware development, and software impersonation. Stacking several delivery approaches raises the attackers’ odds of reaching high-value targets while reducing their dependence on any single attack path.

Security experts recommend that organizations strengthen employee awareness training, confirm software downloads only through official channels, monitor for unusual network activity, remove or limit unneeded administrative permissions, and deploy advanced endpoint monitoring tools that can catch memory-based malware and persistence techniques. People in sensitive fields, including developers and other employees, should also be wary of unexpected job offers and meeting invitations that seem too convenient.

Cybersecurity firms such as IntelligenceX continue to stress that proactive threat intelligence matters more and more, alongside endpoint monitoring, phishing awareness, and software supply chain security, because state-sponsored groups are increasingly targeting enterprise environments, critical infrastructure, and high-value industries with sophisticated attack campaigns.
