# Iranian APT Nimbus Manticore Leverages AI in Sophisticated Espionage Campaigns
The Iranian state-sponsored threat actor **Nimbus Manticore** is employing new tactics, including AI-assisted malware development, in recent campaigns targeting aviation, software, and other sectors across the U.S., Europe, and the Middle East. The group is using the new **MiniFast** backdoor and updated **MiniJunk** variants to infiltrate organizations.

**Nimbus Manticore** (aka Screening Serpens and **UNC1549**), linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a new wave of attacks impersonating organizations in the aviation and software industries. These campaigns, observed after the joint U.S.-Israeli military actions in late February 2026, showcase previously undocumented techniques and enhanced capabilities.
### MiniFast Backdoor and AI Assistance
A key element of these campaigns is the **MiniFast** backdoor (aka MiniUpdate). **Check Point**'s analysis suggests that its development may have been aided by artificial intelligence (AI). This is evidenced by the malware's extensive error handling, defensive programming logic, repetitive naming patterns, detailed error reporting, and modular code organization.
### Evolution of Tactics
**Nimbus Manticore**, known for targeting defense, aviation, and telecommunication sectors with career-themed phishing lures reminiscent of North Korea's **Operation Dream Job**, has shifted its tradecraft. Recent attacks have utilized AppDomain hijacking to deliver **MiniJunk** in February 2026, followed by **MiniFast** deployment in March, and SEO poisoning to distribute a trojanized version of **Oracle**'s SQL Developer software in April.
### Campaign Details
* **Pre-Conflict Campaign:** Employees in software and aviation sectors in Saudi Arabia and Australia were targeted with fake job opportunities, leading them to download a ZIP archive hosted on OnlyOffice. The archive contained a benign executable that used AppDomain hijacking to launch a malicious **MiniJunk** DLL.
* **March 2026 Campaign:** This campaign mirrored the previous one but also included a trojanized Zoom installer to launch the binary, which then deployed **MiniFast** via AppDomain hijacking. The activity is believed to be part of a phishing campaign using fake meeting invitations.

### SEO Poisoning and SQL Developer Trojan
**Check Point** also discovered a fake website impersonating **Oracle**'s SQL Developer download page. Victims who landed on the page via SEO poisoning were tricked into downloading a weaponized installer that delivered **MiniFast**. This marks the first time the threat actor has used this technique for malware distribution.
### MiniFast Capabilities
**MiniFast** is a full-featured backdoor designed for long-term persistence and remote command execution. It communicates with a remote server via HTTP requests to fetch tasks, upload command execution results, exfiltrate files, and download additional payloads. The malware also beacons basic system information to the operator.
The backdoor supports various commands, including file operations, directory listings, process enumeration, command execution via "cmd.exe," process termination, DLL loading, ZIP archive creation, persistence via scheduled tasks, and privilege escalation via the "runas" command. It can also update the polling interval and jitter value to randomize beacon frequency.
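The polling interval and jitter described above are what a network defender can key on: a backdoor that fetches tasks over HTTP on a timer produces client-to-host request trains whose gaps cluster around the configured interval, while human browsing is bursty. The following is an added example written for this article, not code from Check Point's report or from the malware; it runs a simple beacon detector over constructed proxy log lines (the hostnames, IPs and paths are invented placeholders). It groups requests by client and destination host, computes the inter-request intervals, and flags pairs whose coefficient of variation stays low even after jitter is applied.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the report): timestamp, client IP, host, method, path.
# The "updates.example-cdn.test" train has a ~60 s interval with a few seconds of jitter;
# the "www.example.com" traffic is ordinary bursty browsing.
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:00:02 10.0.0.5 www.example.com GET /index.html
2026-03-10T09:01:03 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:01:57 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:03:05 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:03:58 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:05:01 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:00:40 10.0.0.5 www.example.com GET /news
2026-03-10T09:04:10 10.0.0.5 www.example.com GET /about
2026-03-10T09:04:11 10.0.0.5 www.example.com GET /contact
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def beacon_candidates(events, min_requests=4, max_cv=0.3):
    """Flag (client, host) pairs whose request timing looks like a jittered timer.

    Jitter widens the spread of intervals, but a bounded jitter (say +-15%) keeps the
    coefficient of variation (stdev / mean) small; human browsing pushes it well above 1.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few observations to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


def analyze(text):
    """Convenience wrapper: parse the log and return the beacon candidates."""
    return beacon_candidates(parse_log(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"beacon-like: {f['client']} -> {f['host']} "
              f"({f['requests']} requests, mean {f['mean_interval_s']} s, cv {f['cv']})")
```

On the constructed sample only the `updates.example-cdn.test` train is reported (six requests, mean gap about 60 s, CV under 0.1). In production the thresholds should be tuned against the environment's own baseline, and results need triage against legitimate periodic traffic such as software update checks, which this heuristic will also surface.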

### Expert Analysis
Sergey Shykevich, threat intelligence group manager at **Check Point Research**, noted the group's ambitions extend beyond targeted espionage in the Middle East, highlighting the use of AI tools to accelerate malware development. He emphasized the rapid deployment of a new backdoor during active conflict and the shift to SEO poisoning tactics.
### Palo Alto Networks' Findings
The disclosure aligns with a report from **Palo Alto Networks** Unit 42, which details the targeting of entities in the U.S., Israel, the United Arab Emirates, and the Middle East with **MiniUpdate** and an updated version of **MiniJunk** called **MiniJunk V2**. A U.S. oil and gas firm was among those targeted.
**Check Point** confirmed that **MiniJunk V2** was observed in both the February and March 2026 campaigns. These findings underscore the increasing sophistication of Iranian threat actors, who are adopting tactics similar to those used by North Korea to infiltrate organizations.

### Personalized Social Engineering
Unit 42 researchers emphasized the deep personalization of the attackers' lures, which include tailored social engineering tactics such as fake job requisitions and spoofed video conferencing meeting invitations.
### Implications for Critical Infrastructure
These developments follow suspected attacks by Iranian hackers targeting tank readers at gas stations across multiple U.S. states, raising concerns about potential risks to critical infrastructure.