Iranian state-backed hackers linked to Nimbus Manticore targeted aviation and software sectors in the U.S., Europe and the Middle East with a new MiniFast backdoor in a campaign that emerged after the February 2026 conflict, according to a technical analysis from Check Point.
KEY FACTS
- Threat actor: Nimbus Manticore, also known as Screening Serpens and UNC1549
- New malware: MiniFast, also called MiniUpdate, was used as a backdoor
- Delivery methods: Included fake job offers, trojanized Zoom and SQL Developer installers, and SEO poisoning
- Targets: Aviation, software, defense and telecom sectors across multiple countries
The report said the group used previously undocumented techniques and added new capabilities during the campaign. It described MiniFast as a fully featured backdoor built for long-term persistence, remote command execution, file theft and the download of additional payloads.
Check Point said the malware showed signs of AI-assisted development, including repetitive naming patterns, detailed error messages and modular code organization. The company said the actor first used AppDomain hijacking to deploy MiniJunk in February, then MiniFast in March, and later a trojanized Oracle SQL Developer installer in April.
The backdoor communicates with a remote server over HTTP, beacons system information and supports file operations, directory listings, process enumeration, command execution, process termination, DLL loading, ZIP creation, scheduled task persistence and privilege escalation. The disclosure also said the attackers abused search engine optimization by registering dozens of domains that redirected users to a fake SQL Developer download page.
Separate findings from Palo Alto Networks Unit 42 said the same threat actor targeted entities in the U.S., Israel, the United Arab Emirates and the wider Middle East with MiniUpdate and an updated MiniJunk variant. The report said one target was a U.S. oil and gas firm.
WHY IT MATTERS
The campaign suggests the group is broadening its methods beyond job-themed phishing and using more varied routes to infect targets. That increases the chances that employees, job seekers and software users could be exposed to malicious downloads and follow-on intrusion attempts.

