
Nimbus Manticore, an Iranian IRGC-affiliated threat actor, carried out a new campaign using lures impersonating aviation and software organizations across the U.S., Europe, and the Middle East. The activity included previously undocumented techniques and enhanced capabilities, centered on a new backdoor called MiniFast (aka MiniUpdate), reportedly developed with AI assistance. Earlier campaigns used career-themed phishing lures against defense, aviation, and telecommunications targets, including in Saudi Arabia and Australia, where victims were tricked into downloading ZIP archives hosted on OnlyOffice. The ZIP contained a benign executable that used AppDomain hijacking to launch a rogue MiniJunk DLL. Later activity used a trojanized Zoom installer, again with AppDomain hijacking, followed by SEO poisoning to distribute a trojanized version of Oracle SQL Developer.
"The activity, besides embracing previously undocumented techniques and enhanced capabilities, is characterized by the use of a new backdoor codenamed MiniFast (aka MiniUpdate) that appears to have been developed with assistance using artificial intelligence (AI)," Check Point said in an analysis published last week.
"Recent attack chains linked to the threat actor have witnessed a shift in tradecraft, as evidenced by the use of AppDomain hijacking to deliver MiniJunk in February 2026, followed by the deployment of the MiniFast backdoor in March and a reliance on SEO poisoning to distribute a trojanized version of Oracle's SQL Developer software in April."
"In the first campaign observed before the onset of the war, employees in software and aviation sectors in Saudi Arabia and Australia were targeted with bogus career opportunities, tricking them into downloading a ZIP archive hosted on OnlyOffice. Launching a benign executable within the ZIP file leveraged a technique known as AppDomain hijacking to launch a rogue MiniJunk DLL."
"The March 2026 campaign has been found to follow more or less the same approach, only this time the threat actor also used a trojanized Zoom installer as part of the attack sequence to launch the binary that then leverages AppDomain hijacking to"
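As an added defender-side illustration of the AppDomain hijacking technique the excerpts describe (example code written for this page, not Check Point's or The Hacker News' code): the .NET runtime honors an appDomainManagerAssembly/appDomainManagerType pair in a host executable's .exe.config, so a benign binary ends up loading whatever assembly that config names. The scanner below flags such configs on a host and notes whether the named DLL sits beside the executable; the config text, the UpdateHelper/Viewer names and the directory layout are constructed for the demo.

```python
"""Added defender-side example (not Check Point's or The Hacker News' code): flag .NET
app configs that set an AppDomainManager, the mechanism behind "AppDomain hijacking"."""
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample of a planted <host>.exe.config pointing the host's
# AppDomainManager at an attacker-controlled assembly dropped beside it.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

def appdomain_manager_from_config(config_xml):
    """Return {'assembly', 'type'} declared under <runtime>, else None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None  # not well-formed XML, so not a .NET app config
    runtime = root.find("runtime")
    asm = runtime.find("appDomainManagerAssembly") if runtime is not None else None
    typ = runtime.find("appDomainManagerType") if runtime is not None else None
    if asm is None or typ is None:
        return None  # the CLR needs both values to redirect the AppDomainManager
    return {"assembly": asm.get("value", ""), "type": typ.get("value", "")}

def scan_tree(root_dir):
    """Report *.exe.config files under root_dir that set an AppDomainManager, noting whether a DLL with the assembly's simple name sits beside the exe."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                hit = appdomain_manager_from_config(fh.read())
            if hit:
                simple_name = hit["assembly"].split(",")[0].strip()
                beside = os.path.exists(os.path.join(dirpath, simple_name + ".dll"))
                findings.append({"config": os.path.join(dirpath, name), "dll_in_same_dir": beside, **hit})
    return findings

def demo():
    # Stage the constructed layout (host config + rogue DLL) in a temp dir and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Viewer.exe.config"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        open(os.path.join(tmp, "UpdateHelper.dll"), "wb").close()
        return scan_tree(tmp)
```

Run `scan_tree()` against user-writable directories such as Downloads or Temp; a config that redirects the AppDomainManager of a signed, otherwise legitimate executable is a high-signal finding regardless of whether the DLL is still present.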
Read at The Hacker News