Nimbus Manticore Targets Defense and Telecom Industries with New Malware Attack

Check Point Research has identified a long-running campaign by the Iranian-aligned threat actor Nimbus Manticore—also known as UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operation—targeting defense manufacturers, telecommunications, and aviation entities aligned with IRGC priorities.

Recent activity demonstrates a sharpened focus on Western Europe, notably Denmark, Sweden, and Portugal, with spear-phishing lures impersonating aerospace, defense, and telecom recruiters.

Each victim receives a unique URL and credentials for a bespoke fake career portal, showcasing advanced OPSEC and credible pretexting.

The actor leverages a previously undocumented multi-stage DLL side-loading chain via low-level Windows API, causing legitimate processes to sideload malicious libraries from attacker-controlled locations.

The primary malware toolset consists of the MiniJunk backdoor and the MiniBrowse stealer, both featuring valid digital signatures, inflated binary sizes, and sophisticated compiler-level obfuscation to evade static analysis.

Overall, this campaign reflects nation-state tradecraft emphasizing stealth, resiliency, and operational security across delivery, infrastructure, and payload layers.

Since early 2025, Check Point Research (CPR) has addressed waves of activity by Nimbus Manticore, a mature Iran-nexus APT targeting aerospace and defense organizations across the Middle East and Europe.

First documented in 2022 as Minibike (also SlugResin), the group’s custom implants have evolved with modular architectures, redundant command-and-control (C2) servers, and powerful obfuscation techniques.

The “Iranian Dream Job” phishing operation demonstrated the actor’s ability to create convincing recruitment-themed lures. In mid-2025, Nimbus Manticore introduced a new suite—MiniJunk and MiniBrowse—employing multi-stage sideloading, compiler-level obfuscation, and valid code signing to enhance stealth and persistence.

Malware Delivery and Infection Chain

Nimbus Manticore’s attack begins with tailored spear-phishing emails from alleged HR recruiters.

Victims are directed to React-based fake portals impersonating companies like Boeing, Airbus, Rheinmetall, and flydubai, often hosted behind Cloudflare to conceal infrastructure. Each portal URL and login credential is unique, enabling precise tracking.

Upon successful authentication via a /login-user API, victims download a malicious ZIP archive containing Setup.exe, a legitimate executable that initiates one of the most sophisticated infection chains observed.

1. User Execution
   Setup.exe sideloads a malicious userenv.dll from the archive directory.
2. Malware Setup
   Setup.exe invokes Windows Defender SenseSampleUploader.exe, which sideloads xmllite.dll via a manipulated DllPath parameter in the low-level NT API.
3. Persistence
   The loader creates a working directory under %AppData%\Local\Microsoft\MigAutoPlay, copying Setup.exe (renamed MigAutoPlay.exe) and userenv.dll and scheduling a task for auto-execution.

Following persistence, MigAutoPlay.exe sideloads userenv.dll again, displaying a fake network error pop-up to the user.

Once the xmllite.dll is loaded, its actions are pretty straightforward. It creates a working folder under the path AppData\Local\Microsoft\MigAutoPlay\. 

MiniJunk Backdoor and MiniBrowse Stealer

The core backdoor, MiniJunk, begins in DLLMain, resolving imports and collecting system identifiers (computer and domain names).

The combination of obfuscations, size, and codesigning result in lower endpoint detection. As you can see, some of the largest samples remained with zero detections on VirusTotal:

Network data is simply encoded—wide strings converted to bytes, reversed, then the string reversed—rather than encrypted. MiniJunk hooks ExitProcess to prevent termination, then launches a branch-heavy main thread for C2 communication. Hardcoded lists of three to five HTTPS C2 servers ensure redundancy.

Parsed C2 commands (e.g., read file, create process, load DLL) follow a string-separated schema, enabling data exfiltration and remote execution with standard backdoor functionality.

MiniBrowse, a companion stealer, targets Chrome and Edge credentials by injecting into browser processes. It collects identifiers, connects to C2, and exfiltrates credential databases via HTTP POST or named pipes.

Both MiniJunk and MiniBrowse leverage valid digital signatures and inflated binary sizes to evade antivirus engines.

Nimbus Manticore’s latest campaign demonstrates a nation-state’s commitment to stealth, resiliency, and operational security. By refining its multi-stage sideloading and obfuscation techniques, leveraging legitimate cloud services, and customizing lures for European defense and telecom sectors, the actor continues to operate beneath detection thresholds.

Organizations in Denmark, Sweden, Portugal, and beyond must strengthen phishing defenses, monitor DLL-side-loading behaviors, and scrutinize large, signed binaries for anomalous side-loading. Vigilance and layered security controls remain critical to countering this evolving threat.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.