Check Point Research details three waves of Nimbus Manticore (UNC1549) cyberattack campaigns conducted during the 2026 Iranian conflict. The IRGC-affiliated threat actor introduced AppDomain Hijacking as a new execution technique, replacing DLL sideloading. A Trojanized Zoom installer was used to hijack legitimate scheduled tasks for persistence. A new backdoor named MiniFast replaced the earlier MiniJunk malware, featuring an opcode-based C2 command handler, JSON-formatted communications, and Base64-encoded task structures. The actor also deployed SEO poisoning via a fake SQL Developer download site. Evidence of AI-assisted malware development was identified across multiple components. Targets span aviation, software, and defense sectors in the US, Europe, Middle East, and Africa.
Table of contents
Key Findings
Introduction
Campaign 1: Rising Tension
Campaign 2: During Operation Epic Fury
Campaign 3: Post Ceasefire – “SQL developer” Campaign
MiniFast Technical Analysis
Victimology
Conclusion
IOCs
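The summary above names AppDomain hijacking as the execution technique that replaced DLL sideloading, but does not say which loader mechanism was abused. The hunting script below is an added example, not code from Check Point Research or from the malware, and it assumes the technique is the documented .NET AppDomainManager behaviour: a `<name>.exe.config` placed beside a trusted managed executable sets `appDomainManagerAssembly` and `appDomainManagerType` under `<runtime>`, and the CLR loads that assembly before the application's own `Main` runs. The script walks a directory tree, parses every `*.exe.config`, reports those that declare an AppDomainManager, and notes whether the named assembly already sits beside the executable and whether `<etwEnable enabled="false"/>` is also set. All file names, assembly names and config contents in the sample tree are constructed for the demo. It does not cover the environment-variable variant (`APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE`), which is a separate check on process environments.

```python
"""Hunt for .NET AppDomainManager hijacking declared in <app>.exe.config files.

Added example (not the original article's code). Assumption: the technique
is the documented CLR behaviour where <runtime><appDomainManagerAssembly/>
and <appDomainManagerType/> in a sibling .exe.config make the runtime load
an arbitrary assembly before the application's Main executes.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample configs; application and assembly names are hypothetical.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Loader"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>
"""


@dataclass
class Finding:
    config_path: str
    assembly_name: str      # simple name taken from the assembly display name
    manager_type: str
    assembly_on_disk: bool  # <assembly_name>.dll is present next to the config
    etw_disabled: bool      # <etwEnable enabled="false"/> also present


def _value_attr(runtime, tag):
    """Return the 'value' attribute of <runtime><tag/>, or None if absent."""
    el = runtime.find(tag)
    return el.get("value") if el is not None else None


def inspect_config(config_path):
    """Return a Finding if the config declares an AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # not well-formed XML: out of scope for this check
    runtime = root.find("runtime")
    if runtime is None:
        return None
    assembly = _value_attr(runtime, "appDomainManagerAssembly")
    manager_type = _value_attr(runtime, "appDomainManagerType")
    if not assembly or not manager_type:
        return None
    simple_name = assembly.split(",")[0].strip()
    dll_path = os.path.join(os.path.dirname(config_path), simple_name + ".dll")
    etw = runtime.find("etwEnable")
    etw_disabled = etw is not None and etw.get("enabled", "").lower() == "false"
    return Finding(config_path, simple_name, manager_type,
                   os.path.isfile(dll_path), etw_disabled)


def scan_tree(root_dir):
    """Inspect every *.exe.config below root_dir; return the list of Findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                finding = inspect_config(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def build_sample_tree(base):
    """Write a constructed benign app and a constructed hijacked app under base."""
    good = os.path.join(base, "GoodApp")
    bad = os.path.join(base, "TrustedTool")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "GoodApp.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)
    with open(os.path.join(bad, "TrustedTool.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS_CONFIG)
    # Placeholder binaries: their content is irrelevant to the config check.
    for path in (os.path.join(good, "GoodApp.exe"),
                 os.path.join(bad, "TrustedTool.exe"),
                 os.path.join(bad, "UpdateHelper.dll")):
        open(path, "wb").close()
    return base


def demo():
    """Build the sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.config_path}: manager {f.manager_type} from {f.assembly_name}.dll "
              f"(on disk: {f.assembly_on_disk}, ETW disabled: {f.etw_disabled})")
```

On a real host, point `scan_tree` at directories where signed managed executables live (Program Files, user profile locations, the directory an installer dropped files into) and treat any hit where the declared assembly is unsigned or sits in a user-writable path as a priority for review; a benign `.exe.config` normally carries only `<startup>` or binding redirects, not an AppDomainManager.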