The Iran-linked threat actor Nimbus Manticore, also tracked as Screening Serpens and UNC1549, has been tied to a new wave of cyber-espionage campaigns that use updated malware families, including MiniFast and MiniJunk V2, against organizations in the United States, Europe, the Middle East (including Saudi Arabia, Israel, and the United Arab Emirates), and Australia. According to findings published by Check Point Research and Palo Alto Networks Unit 42, the campaigns accelerated after the joint United States and Israeli military operations against Iran in late February 2026. The group, which is associated with the Islamic Revolutionary Guard Corps, has historically focused on the defense, aviation, and telecommunications sectors, often running career-themed phishing operations that resemble the North Korean campaigns known as Operation Dream Job.
Researchers noted a clear shift in the actor's methods between February and April 2026, marked by new malware capabilities and alternative delivery mechanisms. In February, the attackers targeted aviation- and software-sector employees in Saudi Arabia and Australia with fake job opportunities hosted on OnlyOffice. Victims were led to download ZIP archives containing a legitimate-looking executable that used AppDomain hijacking (abuse of the .NET AppDomainManager loading mechanism, which lets a benign signed executable pull in an attacker-supplied DLL before its own code runs) to launch a malicious MiniJunk DLL. By March, Nimbus Manticore had expanded the operation with a new backdoor named MiniFast, also referred to as MiniUpdate, delivered through phishing campaigns built on spoofed meeting invitations and a weaponized Zoom installer. Once launched, the malware again relied on AppDomain hijacking to execute its code while keeping a low detection profile. Researchers also said MiniFast shows signs of having been developed with artificial-intelligence assistance, pointing to excessive defensive programming, repetitive function-naming structures, highly descriptive debugging messages, and modular coding patterns that are uncommon in relatively simple malware families.
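What the AppDomain-hijacking delivery looks like on disk, and one way to triage a suspect archive for it, as an added example (my code, not code from Check Point, Unit 42, or the malware itself): when a .NET executable starts, the CLR reads its sibling `<name>.exe.config`, and if the `<runtime>` section names an `appDomainManagerAssembly` and `appDomainManagerType`, it loads that assembly from the executable's directory and instantiates the type before `Main` runs, so a signed, harmless executable ends up executing whatever DLL was shipped beside it. The scanner below walks a ZIP in memory, flags configs that declare such a manager, and reports whether the named DLL is staged next to the executable. The archive layout, file names, and the assembly name `Updater` are constructed for the example. The same settings can also be supplied through the `APPDOMAIN_MANAGER_ASSEMBLY` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file-based check does not cover.

```python
"""AppDomainManager-hijack triage for a ZIP lure (added example, constructed data)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# <runtime> children that hand control to an attacker-supplied assembly
# before the executable's own entry point runs.
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def parse_runtime_config(xml_bytes: bytes) -> dict:
    """Return {element: value} for AppDomainManager settings in a .NET .config."""
    found = {}
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return found  # not XML, or truncated: nothing to report
    runtime = root.find("runtime")
    if runtime is None:
        return found
    for elem in runtime:
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag in HIJACK_ELEMENTS:
            found[tag] = elem.get("value", "")
    return found


def assembly_name(assembly_ref: str) -> str:
    """'Updater, Version=1.0.0.0, Culture=neutral' -> 'Updater'."""
    return assembly_ref.split(",")[0].strip()


def scan_zip(data: bytes) -> list:
    """Flag every <name>.exe.config in the archive that declares an AppDomainManager.

    Each finding records the executable the config applies to, the manager
    assembly and type, and whether the named DLL is staged in the same folder
    (the side-loading layout a lure archive needs to work out of the box).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not name.lower().endswith(".exe.config"):
                continue
            settings = parse_runtime_config(zf.read(name))
            if "appDomainManagerAssembly" not in settings:
                continue
            folder = posixpath.dirname(name)
            exe = name[: -len(".config")]
            dll = posixpath.join(folder, assembly_name(settings["appDomainManagerAssembly"]) + ".dll")
            findings.append({
                "config": name,
                "executable": exe,
                "executable_present": exe in names,
                "assembly": settings["appDomainManagerAssembly"],
                "type": settings.get("appDomainManagerType", ""),
                "dll_staged": dll in names,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure layout: benign-looking EXE + config + side-loaded DLL.

    File contents are placeholders, not real PE images; only the
    config/DLL relationship matters for the check.
    """
    config = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("JobOffer/Viewer.exe", b"MZ placeholder")
        zf.writestr("JobOffer/Viewer.exe.config", config)
        zf.writestr("JobOffer/Updater.dll", b"MZ placeholder")
        # Harmless config for contrast: a <runtime> section with no manager.
        zf.writestr("JobOffer/Readme.exe.config", b"<configuration><runtime/></configuration>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

A finding with `dll_staged` true and a config that a vendor never ships is the signal worth escalating; a config that names a manager whose DLL is absent may still be live if the DLL is fetched later, so both cases deserve a look at the executable's signer and origin.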
The campaign expanded further in April, when Check Point identified a fake download page impersonating Oracle SQL Developer, the first known instance of Nimbus Manticore using search engine optimization (SEO) poisoning to distribute malware. The attackers registered numerous domains pointing to a malicious site engineered to rank prominently in Bing and DuckDuckGo results, raising the odds that developers would unknowingly download a trojanized installer. Unlike the earlier career-themed social engineering, this method let the attackers simply wait for software professionals to search for a commonly used development tool. Once installed, MiniFast communicated with remote servers over HTTP to fetch commands, upload stolen data, download additional payloads, and report system details back to the operators. The malware supports extensive capabilities, including file manipulation, process management, command execution through cmd.exe, privilege escalation, DLL loading, persistence via scheduled tasks, ZIP archive creation, and changes to its check-in interval to reduce the chance of detection.
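One way to surface the HTTP check-in pattern described above from proxy logs, as an added example (my code, not the researchers' or the malware's): requests are grouped by source address and destination host, the gaps between consecutive requests are split into runs wherever the gap changes by more than a factor of two, and any run whose gaps cluster tightly around their median is reported. Scoring each run separately is what keeps the detector working when the operator lengthens the interval mid-session, which a single average over the whole day would smear out. The log lines, hostnames, and addresses are constructed; the thresholds are assumptions to tune per environment.

```python
"""Beacon-run detector over proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <src_ip> <method> <host> <path> <status>".
# One host is polled every ~30 s and then, after an interval change, every
# ~300 s; the other host is ordinary interactive browsing from the same client.
SAMPLE_LOG = """\
2026-03-03T09:00:00 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:00:31 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:00:59 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:01:30 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:02:02 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:02:29 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:03:00 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:03:31 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:08:31 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:13:40 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:18:31 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:23:35 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:28:30 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:33:31 10.0.0.7 POST updates.lure-cdn.test /api/v1/ping 200
2026-03-03T09:00:05 10.0.0.7 GET intranet.corp.test /home 200
2026-03-03T09:00:07 10.0.0.7 GET intranet.corp.test /style.css 200
2026-03-03T09:00:40 10.0.0.7 GET intranet.corp.test /news 200
2026-03-03T09:05:12 10.0.0.7 GET intranet.corp.test /search 200
2026-03-03T09:05:13 10.0.0.7 GET intranet.corp.test /results 200
2026-03-03T09:12:00 10.0.0.7 GET intranet.corp.test /doc/42 200
2026-03-03T09:12:02 10.0.0.7 GET intranet.corp.test /doc/42.pdf 200
2026-03-03T09:30:45 10.0.0.7 GET intranet.corp.test /logout 200
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _path, _status = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def gaps_seconds(times):
    """Seconds between consecutive requests, in time order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def split_runs(gaps, ratio=2.0):
    """Split gaps into runs: a gap more than `ratio` times larger or smaller
    than the one before it starts a new run, so an interval change produces
    a fresh run instead of polluting one long average."""
    runs = []
    for g in gaps:
        if runs:
            prev = runs[-1][-1]
            if max(g, prev) / max(min(g, prev), 1e-9) <= ratio:
                runs[-1].append(g)
                continue
        runs.append([g])
    return runs


def find_beacons(events, min_polls=7, max_dispersion=0.25):
    """Return runs that look like automated check-ins.

    A run qualifies when it spans at least `min_polls` requests and the
    median absolute deviation of its gaps is a small fraction of the median
    gap: a few percent of jitter passes, human browsing does not.
    """
    hits = []
    for (src, host), times in events.items():
        for run in split_runs(gaps_seconds(times)):
            if len(run) + 1 < min_polls:
                continue
            med = median(run)
            mad = median([abs(g - med) for g in run])
            if med > 0 and mad / med <= max_dispersion:
                hits.append({"src": src, "host": host, "polls": len(run) + 1,
                             "period_s": med, "dispersion": round(mad / med, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample this yields two hits for the same host, one at a 31 s period and one at 300.5 s, and nothing for the intranet traffic. Heavier randomization of the sleep would need a larger `max_dispersion` and a longer observation window; the run-splitting ratio should stay above the jitter the actor is willing to tolerate, or a single beacon fragments into runs too short to score.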
Palo Alto Networks Unit 42 reported that the campaign also involved an upgraded version of MiniJunk, known as MiniJunk V2, aimed at organizations in the United States, Israel, the United Arab Emirates, and other Middle Eastern countries, including a United States oil and gas company. The operation relied heavily on personalized phishing, such as fraudulent job requisitions and spoofed video-conferencing invitations, to get victims to trigger the infection themselves. Separate reports have also linked Iranian cyber actors to attempts to reach automatic tank gauge systems at gas stations across several US states. No physical disruption occurred, but experts warned that unauthorized access to such systems raises the risk to critical infrastructure for as long as the underlying weaknesses go unaddressed. Security researchers characterized the activity as sustained operational momentum, with the attackers refining both delivery tactics and malware capabilities throughout the observed period.