Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning

By Team-CWD, May 26, 2026

Iranian state-aligned hackers have pushed a new backdoor through a mix of career-themed phishing and, for the first time, search engine poisoning, expanding their reach into the American aviation sector during the recent US-Iran military conflict.

According to new analysis from Check Point Research, the IRGC-affiliated actor Nimbus Manticore resurfaced across three waves of activity between February and April 2026, coinciding with Operation Epic Fury, the US military campaign launched on February 28.

The group, also tracked as UNC1549, has historically run career-themed phishing against the defense, aviation and telecommunications sectors.

Its latest operations impersonated aviation firms and software providers across the US, Europe and the Middle East.

SEO Poisoning Joins the Playbook

The most notable shift came in April, when the group abandoned its usual fake job lures for a counterfeit download page impersonating Oracle’s SQL Developer database tool.

The attackers registered dozens of domains linking back to a bogus site and filled its pages with search keywords to climb the rankings. At the time of analysis, the site ranked highly on Bing and DuckDuckGo for searches related to the legitimate software.

This marked the first time researchers had observed the group using search engine poisoning rather than direct phishing to reach victims.

Earlier waves leaned on more familiar methods, including a trojanized Zoom installer distributed through fake meeting invitations and ZIP archives hosted on the OnlyOffice platform.

Read more on this threat actor: Iranian Hacking Group Nimbus Manticore Expands European Targeting

Across the campaign, the actor leaned on AppDomain hijacking, a technique that loads a malicious DLL into a trusted .NET application by planting a tampered configuration file beside it.
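One defender-side check for the technique described above, added here as an example and not code from the article or from Check Point: it parses .NET application config files and flags the `<runtime>` elements that redirect the AppDomainManager to another assembly, which is the configuration change a hijacking config needs. The sample configs, the PLACEHOLDER_Loader names and the `scan_directory` helper are constructed for the example.

```python
"""Flag .NET app config files that set an AppDomainManager (AppDomain hijacking check).

Added example, not the article's or Check Point's code; sample configs are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> children that let a config choose which assembly the CLR loads as the
# AppDomainManager. Benign apps almost never set them, so a hit next to a trusted
# .NET binary deserves a look at the referenced assembly and who wrote the file.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def suspicious_settings(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager settings in one config file."""
    runtime = ET.fromstring(config_xml).find("runtime")
    findings = {}
    for elem in (runtime if runtime is not None else []):
        local = elem.tag.rsplit("}", 1)[-1]  # drop any xmlns prefix
        if local in SUSPECT_ELEMENTS:
            findings[local] = elem.get("value", "")
    return findings


def scan_directory(root: Path) -> list:
    """Return (path, findings) for each *.exe.config / *.dll.config that sets one."""
    hits = []
    for cfg in root.rglob("*.config"):
        if not cfg.name.lower().endswith((".exe.config", ".dll.config")):
            continue
        try:
            found = suspicious_settings(cfg.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, OSError):
            continue  # not XML or unreadable: outside this check's scope
        if found:
            hits.append((cfg, found))
    return hits


# Constructed samples: a hijacking-style config (placeholder names) and a benign one.
SAMPLE_TAMPERED = """<configuration><runtime>
  <appDomainManagerAssembly value="PLACEHOLDER_Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="PLACEHOLDER_Loader.Manager"/>
</runtime></configuration>"""
SAMPLE_BENIGN = """<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>"""

if __name__ == "__main__":
    print(suspicious_settings(SAMPLE_TAMPERED))
    print(suspicious_settings(SAMPLE_BENIGN))
```

Run `scan_directory` over application install roots; a finding is a lead to triage, since the config alone does not prove the referenced assembly is malicious.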

AI Fingerprints on New Tooling

The campaign also introduced a previously undocumented backdoor that Check Point named MiniFast, retiring the MiniJunk family the group used through 2025.

MiniFast is a 64-bit Windows DLL that operates as a full-featured implant, communicating with its command-and-control (C2) server over JSON while disguising its traffic as a Chrome browser. Its opcode-driven command set covers shell execution, file transfer, process control and scheduled-task persistence.

Check Point assessed that both the loaders and the backdoor itself bear hallmarks of AI-assisted development, pointing to excessive error handling around trivial functions, verbose and repetitive naming patterns and debug-style status strings scattered through the code.

The researchers said this likely helped the group sustain rapid tooling development and a high operational tempo even under wartime pressure.
