Iranian Hackers Use AI to Launch Advanced Malware via Phishing and SEO Poisoning in Cyber Operations

Iranian Hackers Leverage AI to Deploy Advanced Malware via Phishing and SEO Poisoning

In a series of sophisticated cyber operations, the Iranian state-sponsored group known as Nimbus Manticore, also referred to as Screening Serpens and UNC1549, has been implicated in deploying advanced malware targeting organizations in the aviation and software sectors across the United States, Europe, and the Middle East. These activities have intensified following the joint U.S.-Israeli military campaign against Iran in late February 2026.

Nimbus Manticore, affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has a history of targeting defense, aviation, and telecommunications sectors using career-themed phishing lures. These campaigns, often dubbed the Iranian Dream Job, bear tactical similarities to North Korea’s Operation Dream Job.

Evolution of Attack Techniques

Recent operations by Nimbus Manticore have demonstrated a significant evolution in their attack methodologies:

1. AppDomain Hijacking and MiniJunk Deployment (February 2026): Prior to the onset of the conflict, the group targeted employees in the software and aviation sectors in Saudi Arabia and Australia with fraudulent job offers. Victims were tricked into downloading a ZIP archive from OnlyOffice. Executing a benign file within the archive triggered AppDomain hijacking, leading to the deployment of a malicious MiniJunk DLL.

2. Introduction of MiniFast Backdoor (March 2026): Building upon previous tactics, Nimbus Manticore used a trojanized Zoom installer to launch a binary that employed AppDomain hijacking to deploy a new backdoor named MiniFast (also known as MiniUpdate). This campaign likely involved phishing emails with fake meeting invitations.

3. SEO Poisoning and Trojanized Software Distribution (April 2026): In a departure from traditional phishing methods, the group created a counterfeit website mimicking Oracle’s SQL Developer download page. By leveraging search engine optimization (SEO) poisoning, they increased the site’s visibility, leading unsuspecting users to download a compromised installer that delivered the MiniFast backdoor.
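Two of the three campaigns above hinge on AppDomain hijacking: a benign executable is made to load an attacker-supplied assembly because a `<name>.exe.config` beside it names that assembly in the `<runtime>` section (`appDomainManagerAssembly` / `appDomainManagerType`, the documented .NET configuration elements). The audit script below, an added example that is not the article's code nor anything from the reported malware, walks a directory tree and flags such configs, noting whether the named assembly also sits beside the executable. The sample files it builds are constructed for the demonstration; the names `viewer.exe` and `Loader` are placeholders.

```python
"""Audit a directory tree for .NET .exe.config files that set an AppDomainManager,
the mechanism behind the AppDomain hijacking described in the campaigns above.
Config element names are .NET's documented ones; everything else here is
constructed sample data for the demonstration."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Elements under <runtime> that redirect which assembly/type manages the AppDomain
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def inspect_config(path):
    """Return a finding dict if this .exe.config sets an AppDomainManager, else None."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate a namespaced tag
        if tag in SUSPECT_ELEMENTS:
            found[tag] = child.get("value", "")
    if not found:
        return None
    exe = path[: -len(".config")]
    finding = {"config": path, "exe": exe, **found}
    # Classic hijack layout: the named assembly is a DLL dropped next to the executable
    asm = found.get("appDomainManagerAssembly", "").split(",")[0].strip()
    sidecar = os.path.join(os.path.dirname(path), asm + ".dll") if asm else ""
    finding["sidecar_present"] = bool(asm) and os.path.exists(sidecar)
    return finding


def scan_tree(root_dir):
    """Return findings for every <name>.exe.config under root_dir that sets a manager."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                f = inspect_config(os.path.join(dirpath, name))
                if f:
                    findings.append(f)
    return findings


def build_sample_tree(base):
    """Constructed sample: one ordinary config and one hijack-style config with a sidecar."""
    benign = os.path.join(base, "benign")
    bad = os.path.join(base, "suspicious")
    os.makedirs(benign)
    os.makedirs(bad)
    with open(os.path.join(benign, "app.exe.config"), "w") as fh:
        fh.write('<configuration><runtime><gcServer enabled="true"/></runtime></configuration>')
    with open(os.path.join(bad, "viewer.exe.config"), "w") as fh:  # placeholder exe name
        fh.write(
            '<configuration><runtime>'
            '<appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>'
            '<appDomainManagerType value="Loader.Manager"/>'
            '</runtime></configuration>'
        )
    open(os.path.join(bad, "Loader.dll"), "wb").close()  # empty placeholder sidecar
    return base


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="appdomain_audit_")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against a user's `Downloads` or `Temp` tree after a suspected lure delivery; a `.exe.config` that names an AppDomainManager and has its assembly sitting as a sidecar DLL is the pairing worth pulling for analysis, since legitimate software rarely ships that combination.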

Artificial Intelligence in Malware Development

Analysis indicates that Nimbus Manticore may have utilized artificial intelligence (AI) tools in developing MiniFast. Evidence supporting this includes:

– Extensive error handling and defensive programming practices.

– Repetitive function and method naming with descriptive identifiers.

– Detailed error-reporting strings and debug-style status messages.

– Modular code organization, despite the malware’s overall simplicity.

These characteristics suggest an AI-assisted approach to expedite malware development.

Technical Capabilities of MiniFast

MiniFast is a fully featured backdoor designed for long-term persistence and remote command execution. Its capabilities include:

– Communicating with a remote server over HTTP to fetch tasks, upload command execution results, exfiltrate files, and download additional payloads.

– Beaconing basic system information to the operator before entering the tasking loop.

– Supporting commands for file operations, directory listings, process enumeration, command execution via cmd.exe, process termination, DLL loading, ZIP archive creation, persistence via scheduled tasks, and privilege escalation using the runas command.

– Updating polling intervals and jitter values to randomize the frequency of command retrieval from the server.
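A tasking loop that polls a server at an operator-set interval with jitter, as described for MiniFast, still produces a recognisable traffic shape: one client, one destination, requests spaced at a roughly constant period with bounded deviation. The script below, an added example and not code from the article or from the malware analysis it summarises, scores each (source, destination) pair in constructed proxy-log lines by the median inter-request interval and the median absolute deviation around it, and flags pairs whose deviation stays within a tunable fraction of the period. The log format (timestamp, source IP, destination host, path) and the hostnames are assumptions for the demonstration.

```python
"""Flag host/destination pairs whose request timing looks like a jittered beacon.
Log lines are constructed for this example; the four-field format is assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: 10.0.0.5 polls one host every ~60 s with a few seconds
# of jitter; 10.0.0.9 browses the same site at irregular, human-looking gaps.
LOG_LINES = [
    "2026-04-01T09:00:00 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:01:00 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:02:06 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:03:01 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:04:03 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:05:01 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:06:05 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:07:04 10.0.0.5 updates.example.invalid /api/tasks",
    "2026-04-01T09:00:10 10.0.0.9 news.example.invalid /",
    "2026-04-01T09:00:15 10.0.0.9 news.example.invalid /world",
    "2026-04-01T09:02:15 10.0.0.9 news.example.invalid /tech",
    "2026-04-01T09:02:18 10.0.0.9 news.example.invalid /tech/page2",
    "2026-04-01T09:08:58 10.0.0.9 news.example.invalid /",
    "2026-04-01T09:09:28 10.0.0.9 news.example.invalid /sport",
    "2026-04-01T09:09:30 10.0.0.9 news.example.invalid /sport/live",
    "2026-04-01T09:01:30 10.0.0.9 cdn.example.invalid /style.css",
    "2026-04-01T09:01:31 10.0.0.9 cdn.example.invalid /app.js",
]


def parse_line(line):
    """Split one constructed log line into (datetime, src, host, path)."""
    ts, src, host, path = line.split()
    return datetime.fromisoformat(ts), src, host, path


def beacon_score(timestamps, min_events=6):
    """Return (period_seconds, jitter_ratio) for a series, or None if too short.

    The median interval is the estimated polling period; the median absolute
    deviation divided by that period is how much jitter surrounds it. Medians
    keep one long gap (a sleeping laptop, a network blip) from skewing the score.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = median(deltas)
    if period <= 0:
        return None
    mad = median(abs(d - period) for d in deltas)
    return period, mad / period


def find_beacons(lines, max_jitter=0.3):
    """Return pairs whose jitter ratio is at or below max_jitter."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host, _path = parse_line(line)
        by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in sorted(by_pair.items()):
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            hits.append({"src": src, "host": host,
                         "period": score[0], "jitter": round(score[1], 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(hit)
```

On the constructed lines the polling host scores a 60 s period with a jitter ratio of about 0.03 and is reported; the browsing host's gaps vary by far more than its median interval and are not. Because the article notes the operator can push new interval and jitter values, treat `max_jitter` as a tuning knob and re-run over longer windows: a beacon that changes its period mid-window looks like two populations, so splitting the window or raising `min_events` is the usual adjustment.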

Implications and Broader Context

The deployment of MiniFast and the use of SEO poisoning mark a significant shift in Nimbus Manticore’s tactics, indicating a move towards more sophisticated and diversified attack vectors. This evolution underscores the group’s adaptability and the increasing integration of AI in cyber operations.

These developments coincide with reports from Palo Alto Networks Unit 42, which detail the group’s targeting of entities in the U.S., Israel, the United Arab Emirates, and the broader Middle East using MiniUpdate and an updated version of MiniJunk called MiniJunk V2. Notably, a U.S. oil and gas firm was among the targets, highlighting the group’s focus on critical infrastructure.

Furthermore, Iranian hackers are suspected of conducting attacks on tank readers at gas stations across multiple U.S. states. While these incidents did not cause physical damage, they raise concerns about potential risks to critical infrastructure, such as undetected gas leaks.

These activities reflect a broader trend of Iranian threat actors adopting tactics similar to those used by North Korean hackers, such as targeting individuals with lucrative job opportunities to infiltrate organizations. The deep personalization of lures, including fake job requisitions and spoofed meeting invitations, demonstrates a sophisticated approach to social engineering aimed at compromising targeted organizations.