Suspected Iranian government-backed online attackers have expanded their European cyber operations with fake job portals and new malware targeting organizations in the defense, manufacturing, telecommunications, and aviation sectors, researchers said. Check Point Research says it has been tracking waves of activity since early this year, attributing the campaigns to Nimbus Manticore, a threat group also known as UNC1549.
Security researchers note overlaps with broader Iran-linked activity. Google's threat hunters at Mandiant have observed that Nimbus Manticore overlaps with a separate group previously tied to Iran's Islamic Revolutionary Guard Corps (IRGC), a finding noted in Google's threat intelligence reporting.
The researchers also describe the campaign as a continuation of the "Iran Dream Job" operation, a recruitment-themed phishing scheme connected to previously documented activity. ClearSky has published background on the related Dream Job campaign and its alignment with this activity.
The new operation appears to target Western Europe in particular, with focus areas identified as Denmark, Portugal, and Sweden. Victims are lured with claims of employment in aerospace, defense manufacturing, and telecommunications companies, but the delivery chain instead deploys a custom backdoor known as MiniJunk and an information stealer called MiniBrowse, both variants in the Minibike family.
Phishing starts with a link to a fake job-related login page spoofing industry giants such as Boeing, Airbus, Rheinmetall, and Flydubai. Each victim receives a unique set of credentials tied to the lure, so the portal serves its payload only to the intended target; upon login, the attacker delivers a malicious archive masquerading as legitimate hiring software. The archive's contents then execute through multi-stage DLL sideloading designed to slip past standard defenses.
According to Check Point Research, Nimbus Manticore's latest malware set includes MiniJunk and MiniBrowse, which are heavily obfuscated to avoid detection while providing persistence and data theft. The researchers describe a technique they consider novel: the malware manipulates the process's execution parameters so that the Windows loader resolves DLLs from attacker-chosen alternate paths rather than the expected locations. This is combined with file-size inflation, junk code, obfuscation, and code signing to lower detection rates, and Check Point Research notes that these techniques have matured across successive Minibike variants.
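What a defender can look for, given the delivery chain and the evasion techniques described above: the following is an added example for this article, not Check Point's code and not anything recovered from the Nimbus Manticore toolset. It triages image-load events for the signals the report lists, a Windows system DLL name resolving from outside a system directory, a DLL loaded from somewhere other than the EXE's own directory (the mark of a redirected search path rather than classic drop-beside-the-EXE sideloading), a non-Microsoft signature on a system-named module, and an oversized module. The event layout mirrors Sysmon Event ID 7 fields, but the `FileSize` enrichment, the DLL-name list, the thresholds and every sample record are constructed assumptions for illustration.

```python
"""Heuristic triage of image-load events for DLL-sideloading signals.

Added example for this article; it is not Check Point's code nor anything
recovered from the Nimbus Manticore toolset. The event layout mirrors Sysmon
Event ID 7 (ImageLoaded) fields, with a "FileSize" enrichment that Sysmon
itself does not emit; the DLL-name list, thresholds and all sample records
are constructed assumptions for illustration.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Optional

# Directories from which a module bearing a Windows system DLL name is expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Assumed, illustrative subset of system DLL names that sideloading chains
# commonly impersonate. A real deployment would inventory %SystemRoot%.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll", "userenv.dll"}

# Assumed threshold for the "size inflation" evasion described in the article.
INFLATED_MODULE_BYTES = 50 * 1024 * 1024


@dataclass
class Finding:
    process: str
    module: str
    reasons: list = field(default_factory=list)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons work on any host OS."""
    return path.replace("/", "\\").lower()


def _under_system_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in SYSTEM_DIRS)


def triage_image_load(rec: dict) -> Optional[Finding]:
    """Score one image-load record; return None when nothing stands out."""
    process, module = rec["Image"], rec["ImageLoaded"]
    name = ntpath.basename(module).lower()
    reasons = []

    if _under_system_dir(module):
        return None  # loads from system directories are out of scope for this heuristic

    if name in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name resolved outside a system directory")
        # Classic sideloading drops the DLL beside the EXE. A load from a
        # different directory suggests the search path itself was redirected.
        if ntpath.dirname(_norm(module)) != ntpath.dirname(_norm(process)):
            reasons.append("module loaded from a path other than the EXE directory")
        signer = rec.get("Signature", "")
        if rec.get("Signed") and "microsoft" not in signer.lower():
            reasons.append(f"system-named module signed by non-Microsoft signer: {signer}")

    if rec.get("FileSize", 0) >= INFLATED_MODULE_BYTES:
        reasons.append(f"oversized module ({rec['FileSize'] // (1024 * 1024)} MiB), possible size inflation")

    return Finding(process, module, reasons) if reasons else None


def triage(records) -> list:
    """Run the heuristic over a batch of records and keep only the hits."""
    return [f for f in map(triage_image_load, records) if f is not None]


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": True, "Signature": "Microsoft Windows", "FileSize": 40_960},
    {"Image": "C:\\Users\\jdoe\\Downloads\\HiringPortal\\setup.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lib\\version.dll",
     "Signed": True, "Signature": "Example Software Ltd", "FileSize": 120 * 1024 * 1024},
    {"Image": "C:\\Users\\jdoe\\Downloads\\HiringPortal\\setup.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\HiringPortal\\dbghelp.dll",
     "Signed": False, "Signature": "", "FileSize": 1_048_576},
    {"Image": "C:\\Program Files\\Acme\\acme.exe",
     "ImageLoaded": "C:\\Program Files\\Acme\\acmelib.dll",
     "Signed": True, "Signature": "Acme Corp", "FileSize": 2_097_152},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.module}")
        for r in f.reasons:
            print(f"    {r}")
```

On the constructed input, the second record (a system-named DLL pulled from a Temp directory, signed by an unfamiliar publisher, and 120 MiB in size) collects all four signals, while the third record, a plain drop-beside-the-EXE sideload, collects only the name-collision signal. Each signal is noisy on its own; the value is in the combination, and an oversized or non-Microsoft-signed module that also resolves from an unexpected directory is worth pulling for analysis.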
Analysts caution that the campaign underscores a broader pattern of state-backed cyber operations leveraging social engineering to reach high-value Western targets, with the potential for cross-border impact across defense, manufacturing, and critical infrastructure sectors. For broader context on related activity, see reporting from Wired regarding Iran-linked espionage and catfishing tied to IRGC-linked actors.