A long-running cyber-espionage campaign tied to Iran has intensified its operations in Europe.
The group, known as Nimbus Manticore, has a history of targeting aerospace, telecommunications and defense industries in line with Iranian Revolutionary Guard Corps (IRGC) priorities.
Spear Phishing Surge in Europe
According to new findings by Check Point Research (CPR), the group’s latest wave of activity shows a shift toward Western Europe, with organizations in Denmark, Sweden and Portugal facing heightened risk.
Attackers pose as recruiters from well-known aerospace and telecommunications firms, directing victims to convincing but fraudulent career portals. Each target receives personalized login credentials, a tactic that allows close tracking of victims and tight control of access.
From there, attackers distribute malicious archives that launch a sophisticated, multi-stage infection process. This involves sideloading malicious DLL files into legitimate Windows executables, including Microsoft Defender components, to avoid detection.
Read more on Iranian cyber operations: MPs Warn of “Significant” Iranian Cyber-Threat to UK
Evolving Malware Toolkit
At the center of these campaigns is a family of custom backdoors. First identified as ‘Minibike’ in 2022, the malware has since evolved into new strains, notably ‘MiniJunk’ and ‘MiniBrowse.’ These tools enable attackers to exfiltrate files, steal browser credentials and issue remote commands while employing heavy obfuscation to resist analysis.
The malware shows advanced techniques such as:
-
Multi-stage DLL sideloading to evade normal security checks
-
Inflated binary sizes to bypass antivirus scans
-
Use of valid code-signing certificates from trusted providers
-
Compiler-level obfuscation that inserts junk code and encrypted strings
“The campaign reflects a mature, well-resourced actor prioritizing stealth, resiliency and operational security,” CPR said.
Cloud Infrastructure For Resilience
Nimbus Manticore relies heavily on cloud services to host its infrastructure, including domains registered under Azure App Service and shielded behind Cloudflare. This setup provides redundancy, allowing attackers to quickly re-establish command-and-control (C2) servers if one is taken down.
The campaign’s targeting is consistent with past operations against Israel and the Gulf states.
However, as mentioned above, CPR researchers recently noted a clear expansion toward Europe, with recent attacks tied to fake career portals impersonating aerospace and telecom companies. The sectors most at risk include:
-
Telecommunications, particularly satellite providers
-
Aerospace and aviation firms
-
Defense contractors
CPR’s analysis suggests the campaign remained active even during the 12-day conflict between Israel and Iran in mid-2025.
The ability to operate undetected through heavy obfuscation and use of legitimate infrastructure highlights the group’s growing sophistication.
