An Iranian APT tracked as Nimbus Manticore has adopted new tactics and updated its arsenal in new intrusions targeting aviation and software companies, Check Point reports.
Also known as Bohrium, Smoke Sandstorm, TA455, and UNC1549, and active since at least 2022, Nimbus Manticore is believed to be a subgroup of Charming Kitten (APT35) and to have ties with Iran’s Islamic Revolutionary Guard Corps (IRGC).
Nimbus Manticore was previously seen targeting aerospace, aviation, and defense organizations in the Middle East and Europe with the MiniBike and MiniBus backdoors.
In November 2024, the group was observed borrowing tactics from the North Korea-linked Lazarus Group in a Dream Job-style campaign targeting the aerospace industry.
Earlier this year, Google warned of the APT’s continued targeting of defense-sector organizations with fake job offers, and Check Point now says that the group’s activities have continued during and after the US military campaign against Iran that started in February 2026.
Amid rising geopolitical tensions in the Middle East, Nimbus Manticore’s phishing campaigns started employing AppDomain hijacking for payload execution, instead of DLL sideloading.
The technique relies on a trojanized XML .config file placed in the target .NET application’s directory to load a malicious DLL at launch time. Commonly called AppDomainManager injection, it works because the .NET Framework reads the application’s .exe.config at startup and, if the <runtime> section names a custom AppDomainManager assembly and type, loads that assembly and instantiates the type before the application’s own entry point runs. Unlike DLL sideloading, the planted DLL does not have to mimic the exports of a legitimate library, and the host process remains a signed, legitimate executable.
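The following scanner is an added example written for this article, not code from Check Point or from the malware it describes. It parses a .NET .exe.config file, reports whether the <runtime> section carries appDomainManagerAssembly / appDomainManagerType settings, derives the DLL the CLR would load from the assembly display name, and checks whether that DLL sits beside the config. It also goes one step beyond the article by checking the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables, which the .NET Framework honours for the same purpose. The two sample configs and the assembly name UpdateHelper are constructed for the example.

```python
"""Detect AppDomainManager injection settings in .NET .exe.config files.

The .NET Framework reads <runtime> settings from <app>.exe.config next to the
executable. If appDomainManagerAssembly / appDomainManagerType are present, the
CLR loads that assembly and instantiates the type before Main() runs, so a
planted config plus a DLL in the same directory executes attacker code inside
a legitimate, signed process.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Mapping, Optional

# Environment-variable equivalents of the config settings (documented by Microsoft).
ENV_ASM = "APPDOMAIN_MANAGER_ASM"
ENV_TYPE = "APPDOMAIN_MANAGER_TYPE"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{urn:x}runtime' -> 'runtime'."""
    return tag.rsplit("}", 1)[-1]


def assembly_simple_name(display_name: str) -> str:
    """'Foo, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' -> 'Foo'."""
    return display_name.split(",", 1)[0].strip()


def scan_config(config_xml: str, dir_files: Iterable[str] = ()) -> Dict[str, object]:
    """Inspect one config document; dir_files is the listing of the directory it lives in."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    assembly: Optional[str] = None
    type_name: Optional[str] = None
    # Only <runtime> children are honoured by the CLR, so look there.
    for runtime in (e for e in root.iter() if _local(e.tag) == "runtime"):
        for elem in runtime:
            name = _local(elem.tag)
            if name == "appDomainManagerAssembly":
                assembly = elem.get("value")
            elif name == "appDomainManagerType":
                type_name = elem.get("value")
    # The CLR probes the application base for <simple name>.dll.
    dll = f"{assembly_simple_name(assembly)}.dll" if assembly else None
    files = {f.lower() for f in dir_files}
    return {
        "assembly": assembly,
        "type": type_name,
        "dll": dll,
        "dll_present": dll is not None and dll.lower() in files,
        "suspicious": assembly is not None or type_name is not None,
    }


def scan_environment(env: Mapping[str, str]) -> Dict[str, object]:
    """Same check for the environment-variable variant of the technique."""
    asm = env.get(ENV_ASM)
    typ = env.get(ENV_TYPE)
    return {"assembly": asm, "type": typ, "suspicious": asm is not None or typ is not None}


def scan_directory(path: str) -> Dict[str, Dict[str, object]]:
    """Scan every *.exe.config under path; returns {config path: finding} for suspicious ones."""
    findings = {}
    for dirpath, _, filenames in os.walk(path):
        for fn in filenames:
            if not fn.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "r", encoding="utf-8-sig") as fh:
                result = scan_config(fh.read(), filenames)
            if result["suspicious"]:
                findings[full] = result
    return findings


# Constructed samples: a normal config and one that loads a hypothetical UpdateHelper.dll.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

PLANTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    listing = ["app.exe", "app.exe.config", "UpdateHelper.dll"]
    print(scan_config(BENIGN_CONFIG, listing))
    print(scan_config(PLANTED_CONFIG, listing))
    print(scan_environment(os.environ))
```

A hit where the named DLL is unsigned, recently written, or absent from the vendor’s installer manifest is the signal worth escalating; `scan_directory` can be pointed at user-writable install locations such as AppData, where a user-installed application and a planted config share a directory the attacker could write to.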
Nimbus Manticore used a phishing lure resembling those of previous campaigns, directing employees at aviation and software companies in Saudi Arabia and Australia to download a ZIP archive hosted on the OnlyOffice platform, which led to infections with a new version of the MiniJunk backdoor.
In another campaign, the APT used job lures masquerading as a US-based airline, leading to a trojanized Zoom installer. Using AppDomain hijacking, the infection chain led to the deployment of a new backdoor, named MiniFast.
Deployed as a 64-bit Windows PE DLL, the backdoor impersonates a Chrome browser and was designed for long-term persistence and remote command execution.
It also allows attackers to manipulate files, exfiltrate files, enumerate processes, terminate processes, manipulate directories, create scheduled tasks, and deploy additional payloads.
“Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques,” Check Point notes.
In April, Nimbus Manticore was seen using a fake SQL Developer download website to distribute the MiniFast backdoor. The campaign abused search engine optimization techniques, relying on dozens of domains linking to the fake website to increase its reputation.
“At the time of our analysis, the malicious domain ranked high in the results returned by multiple search engines, such as Bing and DuckDuckGo, for the query ‘sql developer’. This increased the likelihood that users searching for legitimate SQL Developer downloads would encounter the site,” Check Point notes.
While typical Nimbus Manticore operations have focused on the Middle East, Europe, and Africa, mainly targeting Israel and the United Arab Emirates, the fresh campaigns also revealed a shift towards US organizations.
“Fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, impersonating US domestic airlines suggests a deliberate focus on US-based targets,” Check Point notes.
Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack
Related: Iranian Cyber Group Handala Targets US Troops in Bahrain
Related: Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions
Related: Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday
