Iranian Hackers Expand Operations with Innovative Tactics Amid Military Tensions
In a bold maneuver, state-aligned Iranian cyber operatives have introduced a sophisticated backdoor into the American aviation sector, leveraging a blend of career-oriented phishing schemes and, for the first time, search engine manipulation. This escalation aligns with the heightened military tensions between the United States and Iran.
Recent findings from Check Point Research reveal that the IRGC-affiliated group known as Nimbus Manticore has been active in three distinct waves from February to April 2026, coinciding with Operation Epic Fury, the U.S. military operation that commenced on February 28.
This group, also identified as UNC1549, is notorious for targeting defense, aviation, and telecommunications industries through career-focused phishing attacks.
In their latest campaign, the hackers impersonated various aviation firms and software vendors across the United States, Europe, and the Middle East.
Search Engine Manipulation Introduced
The most significant alteration in their tactics occurred in April. The attackers shifted from traditional job-related bait to a deceptive download page masquerading as Oracle’s SQL Developer tool.
They registered a multitude of domains leading back to this fraudulent site and optimized its content with carefully selected keywords to enhance its visibility.
At the time of reporting, this site ranked prominently on both Bing and DuckDuckGo for queries related to the legitimate software.
This development marks the first recorded instance of the group employing search engine poisoning instead of direct phishing approaches to entrap unsuspecting users.
Previous iterations of their campaign relied on established techniques, such as distributing a trojanized Zoom installer through counterfeit meeting invites and ZIP files stored on the OnlyOffice platform.
For further insights on this adversarial group, refer to: Iranian Hacking Group Nimbus Manticore Expands European Targeting
Throughout this campaign, the actors used AppDomain hijacking (also known as AppDomainManager injection), a technique that gets a trusted .NET application to load a malicious DLL by placing a crafted configuration file next to its executable.
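How a defender can hunt for the configuration side of this technique, as an added example that is not from the article or from Check Point's report: the script scans a directory tree for `*.exe.config` files whose `<runtime>` section names an `appDomainManagerAssembly` or `appDomainManagerType` (the .NET Framework settings the technique relies on) and reports whether the referenced DLL sits beside the executable. The sample folder, the `SideLoaded` assembly name and the function names are constructed for this example.

```python
"""Hunt for AppDomainManager hijacking: a crafted <app>.exe.config dropped next to a
trusted .NET executable makes the CLR load an attacker-controlled assembly at start-up.
Added example, not code from the Check Point report; the sample files are constructed."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

BENIGN_CONFIG = '<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>'
# Constructed lookalike of a hijacking config; "SideLoaded" is a placeholder assembly name.
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="SideLoaded, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SideLoaded.Manager" />
  </runtime>
</configuration>"""

def check_config(config_path):
    """Return a finding dict when the config redirects the AppDomainManager, else None."""
    try:
        runtime = ET.parse(config_path).getroot().find("runtime")
    except ET.ParseError:
        return None  # unparsable config: out of scope for this check
    asm = runtime.find("appDomainManagerAssembly") if runtime is not None else None
    typ = runtime.find("appDomainManagerType") if runtime is not None else None
    if asm is None and typ is None:
        return None
    # "Name, Version=..." -> simple name; the CLR resolves it to Name.dll beside the exe.
    asm_name = (asm.get("value", "") if asm is not None else "").split(",")[0].strip()
    exe_path = Path(str(config_path)[: -len(".config")])
    return {
        "config": str(config_path),
        "manager_assembly": asm_name,
        "manager_type": typ.get("value") if typ is not None else None,
        "dll_present": bool(asm_name) and exe_path.with_name(asm_name + ".dll").exists(),
    }

def hunt(directory):
    """Walk a directory tree and report every *.exe.config that hijacks the AppDomainManager."""
    return [f for f in map(check_config, Path(directory).rglob("*.exe.config")) if f]

def demo():
    """Build a constructed app folder holding one clean and one hijacked .NET app, then hunt it."""
    root = Path(tempfile.mkdtemp())
    for name, cfg, dll in (("Clean", BENIGN_CONFIG, None), ("Trusted", HIJACK_CONFIG, "SideLoaded.dll")):
        (root / f"{name}.exe").write_bytes(b"MZ")  # stand-in for the legitimate signed executable
        (root / f"{name}.exe.config").write_text(cfg)
        if dll:
            (root / dll).write_bytes(b"MZ")  # stand-in for the planted DLL
    return sorted(hunt(root), key=lambda f: f["config"])
```

Running `demo()` reports only the `Trusted.exe.config` entry, with the planted `SideLoaded.dll` present; in a real hunt the next step is to check whether that DLL is signed by the executable's publisher.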
New Backdoor Features AI Characteristics
The ongoing operations have also unveiled a previously undocumented backdoor, designated MiniFast by Check Point, which replaces the erstwhile MiniJunk family utilized in 2025.
MiniFast is a 64-bit Windows DLL functioning as a comprehensive implant, establishing communication with its command-and-control (C2) server via JSON while camouflaging its data as Chrome browser traffic.
Its command set, driven by opcodes, supports shell execution, file transfer, process control, and persistence via scheduled tasks.
Check Point’s analysis indicates that both the loaders and the backdoor exhibit characteristics typical of AI-assisted programming. These include excessive error handling for minor functions, verbose and redundant naming conventions, and debug-style status strings strewn throughout the code.
The researchers contend that such factors have likely enabled the group to maintain rapid development of their tools and sustain a high operational tempo, notwithstanding the pressures associated with wartime conditions.
Source link: Infosecurity-magazine.com.