Nimbus Manticore Deploys MiniFast Backdoor During Iranian Conflict Using SEO Poisoning and Zoom Installer Abuse
Nimbus Manticore did not just return during the Iranian conflict. It adapted under pressure.
Check Point Research’s latest investigation shows an Iranian, IRGC-affiliated threat actor shifting from familiar career-themed phishing into a faster, broader, and more technically flexible operation. The group used aviation and software-sector lures, abused legitimate installer behavior, experimented with SEO poisoning, and introduced a new Windows backdoor named MiniFast during a period of heightened military tension.
The result is a campaign that matters beyond one malware family. It shows how a state-aligned actor can compress its development cycle during conflict, using trusted software flows and search visibility to reach targets while keeping the infection chain close enough to normal user behavior to complicate detection.
What Happened
On May 22, 2026, Check Point Research published details of three recent Nimbus Manticore campaign waves connected to the Iranian conflict and Operation Epic Fury, the U.S. military campaign against Iran launched on February 28, 2026.
Nimbus Manticore, also tracked as UNC1549, is described by Check Point as an IRGC-affiliated threat actor that has historically focused on defense, aviation, and telecommunications targets through career-themed phishing campaigns. In this activity, the group expanded its playbook with several notable techniques: AppDomain hijacking, SEO poisoning, possible AI-assisted malware development, a Trojanized Zoom installer flow, and a newly documented backdoor called MiniFast.
The targeting spanned the United States, Europe, and the Middle East, with lures impersonating organizations in the aviation and software sectors. Check Point also observed targeting in Saudi Arabia and Australia during earlier waves, while later activity showed an apparent expansion toward U.S. aviation-sector targets.
A Shift From Phishing Lures to Search-Driven Infection
Nimbus Manticore has long leaned on fake career opportunities to reach employees in strategic sectors. In February 2026, Check Point observed phishing activity using compressed ZIP archives hosted on OnlyOffice and masquerading as job opportunities. The archive included a benign Microsoft-signed executable, a malicious configuration file, a first-stage dropper, and a benign support DLL.
The important technical pivot was AppDomain hijacking. Instead of relying only on classic DLL sideloading, the group placed a malicious application configuration file (<name>.exe.config) next to a legitimate .NET application. The .NET Framework honors the appDomainManagerAssembly and appDomainManagerType settings in that file's <runtime> section: when the trusted application launched, the runtime resolved the named assembly from the application directory and instantiated the attacker's AppDomainManager type before the program's own entry point ran. The signed executable itself is untouched, so the malware gains execution inside a legitimate, signed process without modifying it.
By April 2026, the actor added a different delivery route: a fake SQL Developer download site. Users searching for SQL Developer could be pushed toward a bogus domain, getsqldeveloper[.]com, which served a weaponized installer delivering MiniFast. Check Point said the actor registered dozens of domains pointing to the fake site, likely to manipulate link-based reputation signals and improve search ranking. At the time of analysis, the malicious site ranked highly in Bing and DuckDuckGo results for the query “sql developer.”
The Zoom Installer Abuse Was the Clever Part
During Operation Epic Fury, Nimbus Manticore used a Trojanized Zoom installer package that appears to have been built around fake meeting invitations. The archive, named Zoominstall64.zip, contained a legitimate Microsoft-signed binary, a legitimate Zoom installer, multiple malicious DLLs, and configuration files used for AppDomain hijacking.
The first-stage loader displayed a fake installation progress window while launching the legitimate Zoom installer. That mattered because the victim saw something plausible: software appeared to install normally while the malware prepared the next stage.
The infection chain then watched for a legitimate Zoom scheduled task matching ZoomUpdateTaskUser-<current user SID>. Check Point said the malware monitored for about one minute, then hijacked the scheduled task when it appeared and modified it to execute the second-stage component. Instead of creating an obviously suspicious persistence mechanism, the actor rode on a task users and defenders might already expect to see on a system with Zoom installed.
The next-stage files were copied into C:\Users\<USER>\AppData\Local\Zoom\bin\update, where another trusted executable named Update.exe loaded the second-stage DLL through AppDomain hijacking. Before continuing, the loader checked that the hosting process was update.exe and that its parent was svchost.exe, which is what a launch by the Task Scheduler service looks like. That simple guardrail frustrates sandbox execution and an analyst running the file directly, since in both cases the parent process would not match.
MiniFast: A New Backdoor Built for Operator Control
The centerpiece of the campaign is MiniFast, a 64-bit Windows PE DLL with a single export named CheckForUpdates. Check Point describes it as a fully featured backdoor designed for long-term persistence and remote command execution, with multiple samples indicating active development across versions.
MiniFast communicates with command-and-control infrastructure through an API-style HTTP architecture and JSON-formatted exchanges. Its lifecycle includes structured endpoints for initial handshake, victim registration, task retrieval, command result upload, file exfiltration, and file download. The malware also impersonates Chrome using a hardcoded browser user-agent to make traffic appear more ordinary.
The command set gives operators broad control over infected systems. Check Point documented capabilities for directory listing, file movement and deletion, command execution through cmd.exe /c, process enumeration, file upload and download, drive enumeration, process termination, DLL loading, directory creation, ZIP archive creation, UAC elevation attempts, scheduled-task persistence, polling interval changes, and jitter adjustment.
That combination is operationally meaningful. MiniFast is not just a loader or one-shot implant. It gives the operator interactive control, file staging, exfiltration, persistence, and timing control inside a single backdoor framework.
Why the AI Angle Matters
Check Point assessed that the campaign showed signs of AI-assisted malware development, particularly in the loaders and MiniFast itself. The evidence cited includes excessive error handling, verbose and repetitive function naming, detailed error-reporting strings, debug-style status messages, and modular code organization despite the malware’s relative simplicity.
The finding should not be overread as proof that AI made the group more sophisticated by itself. The more practical takeaway is speed. AI-assisted coding can help a capable operator produce cleaner scaffolding, test variants faster, and maintain multiple components during high-tempo operations. In a conflict-driven campaign, that acceleration matters.
For defenders, the risk is not “AI malware” as a label. The risk is a shorter gap between operational need and deployable tooling.
Why This Stands Out
The campaign is notable because Nimbus Manticore combined old tradecraft with new routes to execution. Career-themed phishing remained in play, but the group added SEO poisoning. DLL sideloading patterns remained relevant, but the actor expanded AppDomain hijacking across stages. Legitimate installers were not just used as decoys; the Zoom installation flow itself became part of the persistence strategy.
The abuse of signed files also matters. Check Point identified files with valid digital signatures issued through SSL.com, including certificates associated with Gray Matter Software S.R.L. and Kirubel Kerie Negeya. Signed malware components do not guarantee bypass, but they can reduce friction in some environments and complicate triage when defenders are sorting noisy endpoint events.
This is the kind of campaign where individual techniques may not look extraordinary in isolation. The danger comes from the stitching: search manipulation, plausible installers, trusted process execution, scheduled-task hijacking, signed files, and a backdoor with enough operator functionality to support follow-on intelligence collection.
Defender Takeaways
Security teams in aviation, software development, defense, telecommunications, and Middle East-linked organizations should treat this activity as more than routine phishing. The campaign shows direct interest in strategic sectors and uses lures that are tightly aligned to victim context.
Defenders should look for .exe.config files placed next to legitimate .NET executables that set appDomainManagerAssembly or appDomainManagerType in their <runtime> section, any other unexpected use of AppDomainManager, unusual DLL loads from user profile paths, and modifications to Zoom scheduled tasks, in particular changes to the action of ZoomUpdateTaskUser-<SID> tasks. The path C:\Users\<USER>\AppData\Local\Zoom\bin\update deserves attention where unexpected DLLs or renamed executables appear.
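The following added Python script (not Check Point's tooling or any code from the report) turns the AppDomain hijack mechanism described in the phishing section and this takeaway into a hunt: it walks a directory tree for <app>.exe.config files that sit beside a real <app>.exe and set appDomainManagerAssembly or appDomainManagerType under <runtime>, then reports whether the named assembly is staged next to the executable, since that is the file the runtime will actually load. The directory layout, the file names tool.exe, signed.exe and Support.dll, and both config files are constructed for the example.

```python
"""Hunt for AppDomainManager hijack configs beside .NET executables (added example)."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def parse_appdomain_manager(config_text):
    """Return (assembly_simple_name, type_name) when a .NET application config
    sets an AppDomainManager under <runtime>, else None.

    The assembly value is a display name such as "Support, Version=1.0.0.0, ...";
    the runtime probes for its simple name as Support.dll in the application base."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    asm = root.find("./runtime/appDomainManagerAssembly")
    if asm is None:
        return None
    simple_name = asm.get("value", "").split(",")[0].strip()
    typ = root.find("./runtime/appDomainManagerType")
    type_name = typ.get("value", "").strip() if typ is not None else ""
    return simple_name, type_name


def scan_tree(root_dir):
    """Walk root_dir for <app>.exe.config files whose sibling <app>.exe exists and
    whose config would make the runtime load an AppDomainManager assembly."""
    findings = []
    for cfg in sorted(Path(root_dir).rglob("*.exe.config")):
        exe = cfg.with_name(cfg.name[: -len(".config")])
        if not exe.is_file():
            continue
        parsed = parse_appdomain_manager(cfg.read_text(encoding="utf-8", errors="replace"))
        if parsed is None:
            continue
        asm_name, type_name = parsed
        dll = exe.with_name(asm_name + ".dll")  # what the runtime will actually load
        findings.append({
            "exe": str(exe),
            "config": str(cfg),
            "manager_assembly": asm_name,
            "manager_type": type_name,
            "dll_present": dll.is_file(),
        })
    return findings


# Constructed configs: a normal one, and one that redirects the AppDomainManager.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Support, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Support.Loader"/>
  </runtime>
</configuration>
"""


def demo():
    """Build a constructed directory layout (hypothetical file names) and return scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / "tool.exe").write_bytes(b"MZ")
        (clean / "tool.exe.config").write_text(BENIGN_CONFIG)

        staged = Path(tmp) / "staged"
        staged.mkdir()
        (staged / "signed.exe").write_bytes(b"MZ")
        (staged / "signed.exe.config").write_text(HIJACK_CONFIG)
        (staged / "Support.dll").write_bytes(b"MZ")

        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_tree at user-writable locations first (Downloads, Temp, AppData\Local), since that is where both the career-lure archives and the Zoom staging directory land; a hit where the named DLL is present beside a signed executable is worth pulling the DLL for analysis.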
Network defenders should also review outbound HTTP traffic that mimics Chrome but communicates with suspicious infrastructure using API-style paths such as /rg, /agent/init, /agent/poll?token=, /agent/result, /upload/, and /files/. These indicators should be correlated with endpoint telemetry rather than treated as standalone signatures.
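As an added example (not part of the article or the report), the script below applies the endpoint list above, together with the Chrome user-agent impersonation described in the MiniFast section, to constructed Zeek-style HTTP log lines and correlates hits per source/destination pair instead of alerting on any single path: two or more lifecycle endpoints behind a Chrome-like User-Agent score high, a lone /files/ request scores low, and the spacing between /agent/poll requests is computed for beacon hunting. The log format, hosts, IPs, token values and the Chrome User-Agent string are assumptions; only the path patterns come from the article.

```python
"""Correlate API-style C2 paths with a Chrome-like User-Agent in HTTP logs (added example)."""
import re
from collections import defaultdict

# Endpoint families reported for MiniFast; the path patterns are taken from the
# article, everything else here (log format, hosts, IPs, tokens) is constructed.
ENDPOINTS = {
    "register": re.compile(r"^/rg$"),
    "init": re.compile(r"^/agent/init$"),
    "poll": re.compile(r"^/agent/poll\?token="),
    "result": re.compile(r"^/agent/result$"),
    "upload": re.compile(r"^/upload/"),
    "download": re.compile(r"^/files/"),
}
# Families unlikely to appear in ordinary web traffic on their own.
STRONG = {"register", "init", "poll", "result"}

# Assumed browser UA; the real hardcoded string is not published in the article.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

# Constructed Zeek-style TSV: ts, src, host, method, uri, user_agent
SAMPLE_LOG = "\n".join([
    "\t".join(["1716379200.1", "10.1.2.3", "203.0.113.10", "POST", "/rg", CHROME_UA]),
    "\t".join(["1716379201.0", "10.1.2.3", "203.0.113.10", "POST", "/agent/init", CHROME_UA]),
    "\t".join(["1716379261.0", "10.1.2.3", "203.0.113.10", "GET", "/agent/poll?token=3f9a", CHROME_UA]),
    "\t".join(["1716379321.0", "10.1.2.3", "203.0.113.10", "GET", "/agent/poll?token=3f9a", CHROME_UA]),
    "\t".join(["1716379322.0", "10.1.2.3", "203.0.113.10", "POST", "/agent/result", CHROME_UA]),
    "\t".join(["1716379400.0", "10.1.2.9", "cdn.example.net", "GET", "/files/logo.png", CHROME_UA]),
    "\t".join(["1716379500.0", "10.1.2.9", "api.example.org", "GET", "/agent/poll?token=x", "curl/8.0"]),
])


def classify_uri(uri):
    """Map a request path to a MiniFast endpoint family, or None."""
    for family, pattern in ENDPOINTS.items():
        if pattern.search(uri):
            return family
    return None


def is_chrome_like(ua):
    return "Chrome/" in ua


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, host, method, uri, ua = line.split("\t", 5)
        records.append({"ts": float(ts), "src": src, "host": host,
                        "method": method, "uri": uri, "ua": ua})
    return records


def analyze(log_text):
    """Group matching requests per (src, host) and score them; returns a sorted list."""
    groups = defaultdict(lambda: {"families": set(), "hits": 0, "chrome": False, "poll_ts": []})
    for rec in parse_log(log_text):
        family = classify_uri(rec["uri"])
        if family is None:
            continue
        g = groups[(rec["src"], rec["host"])]
        g["families"].add(family)
        g["hits"] += 1
        g["chrome"] = g["chrome"] or is_chrome_like(rec["ua"])
        if family == "poll":
            g["poll_ts"].append(rec["ts"])

    findings = []
    for (src, host), g in groups.items():
        strong = g["families"] & STRONG
        if g["chrome"] and strong and len(g["families"]) >= 2:
            verdict = "high"     # several lifecycle endpoints behind a browser UA
        elif strong:
            verdict = "medium"   # rare path, but no Chrome disguise or no second endpoint
        else:
            verdict = "low"      # /upload/ or /files/ alone is far too common to act on
        gaps = [b - a for a, b in zip(g["poll_ts"], g["poll_ts"][1:])]
        findings.append({
            "src": src, "host": host, "verdict": verdict, "hits": g["hits"],
            "families": sorted(g["families"]),
            "poll_interval": round(sum(gaps) / len(gaps), 1) if gaps else None,
        })
    return sorted(findings, key=lambda f: (f["src"], f["host"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Swap SAMPLE_LOG for real proxy or Zeek http.log data in the same six-column order, and feed the high and medium verdicts into endpoint triage for the source host (process making the connection, its parent, and whether it lives under AppData\Local\Zoom\bin\update) rather than blocking on the path match alone.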
Bigger Picture
Nimbus Manticore’s activity fits a broader pattern in modern conflict-linked cyber operations: state-aligned actors do not pause during kinetic escalation; they retool. The group’s operations during Operation Epic Fury show an attempt to maintain access, expand targeting, and update malware delivery while geopolitical pressure was high.
The move into SEO poisoning is especially important because it widens the route to compromise. Phishing targets a person directly. Search poisoning waits for the right victim to arrive voluntarily. For developers, database users, and technical staff searching for tools, that creates a dangerous overlap between routine work and attacker-controlled infrastructure.
NeuraCyb's Assessment
Nimbus Manticore’s latest campaign is not defined by one flashy exploit. It is defined by operational tempo. The group adapted its delivery methods, abused legitimate software behavior, introduced MiniFast, and appears to have used AI-assisted development patterns to keep tooling moving during wartime pressure. For defenders, the lesson is blunt: watch the trusted paths, because that is where this campaign tried hardest to hide.
References
Check Point Research: Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict
Google Cloud / Mandiant: UNC1549 Iran-Nexus Espionage Activity
Check Point Research: Nimbus Manticore Deploys MiniJunk Malware Framework