Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

By The Hacker News
May 26, 2026
The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been attributed to a fresh campaign using lures impersonating organizations in the aviation and software sectors across the U.S., Europe, and the Middle East following the joint U.S.-Israeli military campaign against the country in late February 2026.

The activity, besides embracing previously undocumented techniques and enhanced capabilities, is characterized by the use of a new backdoor codenamed MiniFast (aka MiniUpdate) that appears to have been developed with the assistance of artificial intelligence (AI), Check Point said in an analysis published last week.

Affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), Nimbus Manticore is best known for targeting defense, aviation, and telecommunication sectors using career-themed phishing lures. These campaigns have also been codenamed the Iranian Dream Job, owing to tactical similarities with Operation Dream Job orchestrated by North Korean hackers.

Recent attack chains linked to the threat actor have witnessed a shift in tradecraft, as evidenced by the use of AppDomain hijacking to deliver MiniJunk in February 2026, followed by the deployment of the MiniFast backdoor in March and a reliance on SEO poisoning to distribute a trojanized version of Oracle’s SQL Developer software in April.

In the first campaign, observed before the onset of the war, employees in the software and aviation sectors in Saudi Arabia and Australia were targeted with bogus career opportunities, tricking them into downloading a ZIP archive hosted on OnlyOffice. Launching a benign .NET executable within the ZIP file abused a technique known as AppDomain hijacking, in which an attacker-supplied application configuration file points the .NET runtime's AppDomainManager at an attacker-controlled assembly, to load a rogue MiniJunk DLL before the legitimate program's own code ran.

The March 2026 campaign has been found to follow more or less the same approach, only this time the threat actor also used a trojanized Zoom installer as part of the attack sequence to launch the binary that then leverages AppDomain hijacking to deploy MiniFast. It’s suspected that the activity was part of a phishing campaign using fake meeting invitations.
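Because both the February and March chains hinge on AppDomain hijacking, the most useful host-side check is to look for the configuration setting the technique depends on: a `*.exe.config` file whose `<runtime>` section sets `appDomainManagerAssembly` / `appDomainManagerType`, sitting next to a benign .NET executable. The scanner below is an added example written for this page; it is not code from Check Point's analysis or from the malware, and the two configuration files it scans are constructed inline (the assembly and type names in the "hijack" sample are placeholders, not indicators from the campaign).

```python
"""Added example: flag .NET application config files that redirect the
AppDomainManager to another assembly (the setting abused by AppDomain
hijacking).  Sample config files are constructed inline, not taken from the
campaign."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Documented .NET runtime configuration elements that make the CLR load an
# assembly of the attacker's choosing before the host program's Main() runs.
SUSPECT_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def inspect_config(path):
    """Return [(element, value), ...] for AppDomainManager settings found in
    the config, or [] if the file is benign or not parseable XML."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    if root.tag != "configuration":
        return []
    hits = []
    for runtime in root.findall("runtime"):
        for child in runtime:
            tag = child.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
            if tag in SUSPECT_ELEMENTS:
                hits.append((tag, child.get("value", "")))
    return hits


def scan_tree(root_dir):
    """Walk root_dir and return {config_path: {...}} for every *.exe.config
    that sets an AppDomainManager.  Whether the sibling .exe exists is
    recorded too, since the hijack needs a benign host binary beside it."""
    findings = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            hits = inspect_config(path)
            if hits:
                exe = path[: -len(".config")]
                findings[path] = {"settings": hits, "exe_present": os.path.exists(exe)}
    return findings


# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Constructed sample shaped like a hijack.  "Loader" / "Loader.Manager" are
# placeholders chosen for this example, not names from the campaign.
HIJACK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""


def demo():
    """Write both constructed configs into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "viewer.exe.config"), "w") as f:
            f.write(BENIGN_CONFIG)
        with open(os.path.join(tmp, "updater.exe.config"), "w") as f:
            f.write(HIJACK_CONFIG)
        # Empty stand-in for the benign signed host executable.
        open(os.path.join(tmp, "updater.exe"), "wb").close()
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Point the scanner at user-writable locations where dropped archives get extracted (Downloads, Temp, OneDrive folders); a legitimate AppDomainManager entry in such a directory is rare enough that every hit deserves a look at the named assembly.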

There are signs that Nimbus Manticore used AI-assisted development to help create MiniFast. These include excessive error handling and defensive programming logic, repetitive function and method naming patterns with descriptive or verbose identifiers, several detailed error-reporting strings and debug-style status messages, and modular code organization despite the malware's overall simplicity. Such traits are stylistic indicators rather than proof of AI authorship; they can also appear in hand-written code that follows verbose conventions.

Check Point said it also observed last month a fake website impersonating the download page for SQL Developer, duping visitors who land on the page via SEO poisoning into downloading a weaponized installer that delivers MiniFast. The development marks the first time the threat actor has resorted to this approach for malware delivery.

“This malware delivery method differs from Nimbus Manticore’s usual infection chains, which typically rely on career-themed phishing lures,” the company said. “In this campaign, the actor abuses search engine optimization techniques by registering dozens of domains that link to the bogus domain, getsqldeveloper[.]com. This is likely an attempt to increase the site’s visibility through link-based reputation signals.”

MiniFast is described as a fully featured backdoor designed for long-term persistence and remote command execution. It communicates with a remote server over HTTP to fetch tasks, upload command execution results, exfiltrate files, and download additional payloads from the server. Before entering the tasking loop, the malware also beacons basic system information to the operator.

The commands supported by the backdoor are varied, enabling file operations, directory listings, process enumeration, command execution via "cmd.exe," process termination by PID, DLL loading, ZIP archive creation, persistence via scheduled tasks, and privilege escalation via the "runas" command (which launches a process under another user's credentials).

The backdoor also supports the ability to update the polling interval and jitter value applied to beacon intervals so as to randomize the frequency with which commands are retrieved from the server.
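The operator-tunable interval and jitter exist to blunt exactly the kind of periodicity check defenders run over proxy logs. The script below, added here as an illustration and not part of Check Point's analysis or the malware, shows how much of the pattern survives the jitter: it generates a constructed proxy log in which one host is polled every 60 seconds with uniform random jitter and another is visited at irregular, hand-picked human-like gaps, then scores each (source, destination) pair by the coefficient of variation (standard deviation over mean) of its inter-request gaps. The host names, log format, and the 0.4 threshold are assumptions chosen for the example.

```python
"""Added example: beacon-regularity scoring over constructed proxy log lines.
Hosts, log format and thresholds are assumptions for illustration only."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BEACON_HOST = "updates.example.invalid"  # placeholder, not a real C2 domain
HUMAN_HOST = "docs.example.invalid"      # placeholder for ordinary browsing


def make_beacon_log(start, interval_s, jitter_pct, n, host, seed=7):
    """Constructed log: n GET requests to host spaced interval_s apart with
    uniform +/- jitter_pct percent noise, as a jittered polling loop behaves."""
    rng = random.Random(seed)
    t, lines = start, []
    for _ in range(n):
        lines.append(f"{t.isoformat()} 10.0.0.5 GET http://{host}/api/tasks 200")
        t += timedelta(seconds=interval_s * (1 + rng.uniform(-jitter_pct, jitter_pct) / 100))
    return lines


def make_human_log(start, host):
    """Constructed log of irregular gaps (seconds) typical of a person browsing."""
    gaps = [2, 180, 5, 3, 900, 1, 40, 600, 2, 7, 3000, 4, 15, 2, 120]
    t = start
    lines = [f"{t.isoformat()} 10.0.0.5 GET http://{host}/page 200"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET http://{host}/page 200")
    return lines


def parse(line):
    """Split '<iso-timestamp> <src> <method> <url> <status>' into (ts, src, host)."""
    ts, src, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), src, url.split("/")[2]


def periodicity(lines, min_requests=6):
    """Per (src, host): request count, median gap and coefficient of variation
    of the gaps.  A polling loop gives a low CV; uniform jitter of j percent
    raises it only to about j / (100 * sqrt(3))."""
    times = defaultdict(list)
    for line in lines:
        ts, src, host = parse(line)
        times[(src, host)].append(ts)
    scores = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(gaps)
        scores[key] = {
            "count": len(ts_list),
            "median_gap": statistics.median(gaps),
            "cv": statistics.pstdev(gaps) / mean if mean else 0.0,
        }
    return scores


def flag_beacons(lines, max_cv=0.4, min_count=10):
    """Return only the pairs whose gap regularity looks like a polling loop."""
    return {k: v for k, v in periodicity(lines).items()
            if v["cv"] <= max_cv and v["count"] >= min_count}


def demo(jitter_pct=25):
    """Build the mixed constructed log and return (flagged pairs, all scores)."""
    start = datetime(2026, 3, 10, 9, 0, 0)
    lines = (make_beacon_log(start, 60, jitter_pct, 40, BEACON_HOST)
             + make_human_log(start, HUMAN_HOST))
    return flag_beacons(lines), periodicity(lines)


if __name__ == "__main__":
    flagged, scores = demo()
    for key, score in scores.items():
        print(key, score, "FLAGGED" if key in flagged else "")
```

Raising the jitter passed to `demo()` shows the trade-off the operator faces: wider jitter pushes the CV toward the threshold, but only by spending the predictability of the tasking loop, and the count of requests to a single rarely-visited host remains a signal on its own.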

“What stands out is that this group’s ambitions extended well beyond targeted espionage in the Middle East,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement shared with The Hacker News. “We found strong indicators that Nimbus Manticore used AI tools to write malware faster.”

“They built and deployed a brand-new backdoor mid-conflict while operations were actively underway. We also tracked a third campaign wave using a completely different playbook: SEO poisoning.”

“They built a fake SQL Developer download page and pushed it to the top of Bing and DuckDuckGo – no spearphishing, no fake job offer, just waiting for a developer to search for common software. And when you map all three waves together, February through April, there was no pause. The conflict didn’t slow them down; it actually accelerated them.”

The disclosure coincides with a report from Palo Alto Networks Unit 42 about the threat actor’s targeting of entities in the U.S., Israel, the United Arab Emirates, and the Middle East with MiniUpdate and an updated version of MiniJunk called MiniJunk V2. Among those targeted as part of the elaborate espionage scheme was a U.S. oil and gas firm.

The findings show that Iranian threat actors are taking a page out of North Korea’s playbook to infiltrate organizations of interest by going after their employees with lucrative job opportunities.

“The group has increased its operations since the regional conflict that started in February 2026, deploying two families of RAT variants across entities in up to five different countries,” Unit 42 researchers said.

“A defining characteristic of these recent campaigns is the deep personalization of the attackers’ lures. By leveraging tailored social engineering tactics, including fake job requisitions and spoofed video conferencing meeting invitations, the attackers lure victims into initiating the infection chain, thereby exposing their organizations to further exploitation.”

The development also comes as Iranian hackers are suspected to have conducted a series of attacks aimed at fuel tank gauges at gas stations across multiple states in the U.S. While the incidents did not cause physical damage or harm, they have sparked concerns that such access could potentially cause fuel leaks to go undetected or create other risks to critical infrastructure.

“The hackers responsible have exploited automatic tank gauge (ATG) systems that were sitting online and unprotected by passwords, allowing them in some cases to tinker with display readings on the tanks but not the actual levels of fuel in them,” CNN reported, citing unnamed sources.


