Nimbus Manticore Deploys AI-Assisted MiniFast Backdoor
Iran-linked group Nimbus Manticore used career-themed phishing and SEO-poisoned SQL Developer downloads to spread an AI-assisted MiniFast backdoor across the U.S., Europe and Middle East.
Iran-linked threat actor Nimbus Manticore deployed an AI-assisted backdoor called MiniFast in multiple campaigns that ran from February through April 2026 across the U.S., Europe and the Middle East. The group used career-themed phishing, spoofed meeting invites and search-engine–poisoned downloads to deliver trojanized installers to targets in aviation, software, defense and energy.
Security researchers from Check Point Research and Palo Alto Networks Unit 42 attributed the activity to Nimbus Manticore, a cluster tied to Iran’s Islamic Revolutionary Guard Corps also tracked as Screening Serpens and UNC1549. Researchers say the group increased its operations after a joint U.S.-Israeli military action in late February 2026 and ran several attack waves without interruption.
Early February attacks targeted software and aviation employees in Saudi Arabia and Australia with fake job offers. Victims were directed to a ZIP archive hosted on OnlyOffice; launching a benign executable inside the archive triggered an AppDomain hijacking technique that loaded a rogue MiniJunk DLL.
In March the actor used spoofed video-conferencing meeting invitations and a trojanized Zoom installer. That installer launched a binary that used AppDomain hijacking to deploy the MiniFast backdoor.
In April the group published a counterfeit SQL Developer download page and registered dozens of related domains to raise its search visibility. Visitors who reached the bogus site via search engines downloaded a weaponized installer that delivered MiniFast. Security teams described this as the first time the actor used search-engine optimization as the primary distribution channel rather than spearphishing.
MiniFast is a full-featured backdoor. Before running tasks it beacons basic system information and then communicates with a command-and-control server over HTTP to fetch tasks, upload command output, exfiltrate files and retrieve additional payloads. Supported commands include file operations and directory listing, process enumeration and termination by PID, remote command execution via cmd.exe, DLL loading, on-demand ZIP creation, persistence through scheduled tasks and privilege escalation using runas. Operators can change the polling interval and add jitter to randomize beacon timing.
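The polling-with-jitter behaviour described above is what a defender can hunt for in proxy logs: a fixed-interval rule misses a jittered beacon, but the spread of the request gaps around their median stays small. The following is an added example, not code from the article or from the researchers; the log format, hosts, timestamps and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<timestamp> <src> <dst> <method> <path>". 10.0.0.5 polls
# 198.51.100.7 about once a minute with +/- 10 s jitter; 10.0.0.9 just browses.
SAMPLE_LOG = """\
2026-04-02T10:00:00 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:00:00 10.0.0.9 203.0.113.4 GET /
2026-04-02T10:00:05 10.0.0.9 203.0.113.4 GET /news
2026-04-02T10:01:05 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:02:00 10.0.0.5 198.51.100.7 POST /result
2026-04-02T10:02:05 10.0.0.9 203.0.113.4 GET /news/2
2026-04-02T10:02:08 10.0.0.9 203.0.113.4 GET /img.png
2026-04-02T10:03:08 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:04:00 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:05:03 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:06:00 10.0.0.5 198.51.100.7 GET /task
2026-04-02T10:08:48 10.0.0.9 203.0.113.4 GET /sports
2026-04-02T10:09:00 10.0.0.9 203.0.113.4 GET /logo.png
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _method, _path = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(text, min_events=6, max_cv=0.3):
    """Flag pairs whose request gaps stay regular despite jitter: the spread of
    the gaps relative to their median (coefficient of variation) stays small
    under bounded jitter, whereas human browsing is bursty and irregular."""
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        cv = statistics.stdev(gaps) / median if median else float("inf")
        if cv <= max_cv:
            hits[pair] = {"median_s": median, "cv": round(cv, 3)}
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Tune `min_events` and `max_cv` to the traffic volume of the environment; wide jitter settings raise the coefficient of variation and need a looser threshold or a longer observation window.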
Researchers observed related tools in the same campaign cluster, including a component called MiniUpdate and an updated MiniJunk V2. Targets named by analysts include organizations in the U.S., Israel, the United Arab Emirates and other Middle East countries; one victim was identified as a U.S. oil and gas firm. The social-engineering messages were personalized, using custom job requisitions and fake meeting invites to prompt victims to start the infection chain.
Sergey Shykevich, threat intelligence group manager at Check Point Research, noted: “We found strong indicators that Nimbus Manticore used AI tools to write malware faster.” Check Point researchers also reported that the group built and deployed a new backdoor while operations were active and that the April wave used SEO poisoning instead of direct spearphishing.
Separately, investigators reported incidents in which Iranian-linked actors accessed unprotected automatic tank gauge systems at U.S. gas stations and altered display readings without changing actual fuel levels. Those probes did not cause physical damage but raised concerns about access to operational systems in critical infrastructure.