The Iranian APT group Nimbus Manticore (also known as Screening Serpens and UNC1549) carried out three consecutive campaigns from February to April 2026, targeting organizations in the aviation, software, and oil and gas sectors in the U.S., Europe, the Middle East, and Australia. According to researchers from Check Point and Palo Alto Networks Unit 42, the group deployed a previously undocumented backdoor called MiniFast, used the AppDomain hijacking technique, and for the first time resorted to SEO poisoning to deliver malware — indicating a significant expansion of its toolset and operational tempo.
Three waves: campaign timeline
According to the Check Point Research report, the group’s activity can be divided into three distinct phases, each demonstrating an evolution of tactics.
February 2026: phishing with career lures and MiniJunk
The first wave focused on employees of software and aviation companies in Saudi Arabia and Australia. Victims were offered fake job opportunities that prompted them to download a ZIP archive hosted on the OnlyOffice platform. Launching the legitimate executable from the archive loaded the malicious MiniJunk DLL via AppDomain hijacking: a configuration file placed beside a .NET executable names an attacker-supplied AppDomainManager assembly, which the runtime loads from the executable's own directory before the program's own code runs.
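As an added example (not code from the Check Point or Unit 42 reports), the hunt below looks for the on-disk artifact that AppDomain hijacking leaves behind: an application .exe.config whose runtime element names an appDomainManagerAssembly, plus the DLL of that name dropped next to the executable. The directory layout, file names and assembly name are constructed for the example; the placeholder DLL is not a real PE.

```python
"""Hunt for AppDomainManager hijack configs (.exe.config) under a directory tree."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed samples: an ordinary config, and one that redirects the .NET
# AppDomainManager to an assembly dropped beside the executable.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

HIJACK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>
"""


def assembly_simple_name(display_name):
    """'UpdateHelper, Version=1.0.0.0, ...' -> 'UpdateHelper'."""
    return display_name.split(",", 1)[0].strip()


def inspect_config(config_path):
    """Return a finding if this config installs an AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    if asm is None:
        return None
    typ = runtime.find("appDomainManagerType")
    name = assembly_simple_name(asm.get("value", ""))
    # The runtime probes the application directory first, so a same-named DLL
    # beside the executable is the payload that will actually be loaded.
    sidecar = os.path.join(os.path.dirname(config_path), name + ".dll")
    return {
        "config": config_path,
        "assembly": name,
        "manager_type": typ.get("value") if typ is not None else None,
        "sidecar_dll_present": os.path.isfile(sidecar),
    }


def scan_tree(root_dir):
    """Walk root_dir and collect findings for every *.exe.config found."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            if fname.lower().endswith(".exe.config"):
                finding = inspect_config(os.path.join(dirpath, fname))
                if finding:
                    findings.append(finding)
    return findings


def build_sample_tree():
    """Create a temp directory with the constructed samples; returns its path."""
    root = tempfile.mkdtemp(prefix="appdomain_hunt_")
    good = os.path.join(root, "Program Files", "GoodApp")
    bad = os.path.join(root, "Users", "jdoe", "Downloads", "JobOffer")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "GoodApp.exe.config"), "w") as fh:
        fh.write(BENIGN_CONFIG)
    with open(os.path.join(bad, "Viewer.exe.config"), "w") as fh:
        fh.write(HIJACK_CONFIG)
    with open(os.path.join(bad, "UpdateHelper.dll"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real PE
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

On a real host, point scan_tree at user-writable locations (Downloads, Temp, per-user AppData) where a legitimate signed executable would not normally carry a config of its own; the same hijack can also be staged through the APPDOMAIN_MANAGER_ASSEMBLY and APPDOMAIN_MANAGER_TYPE environment variables, so process-creation telemetry should be checked for those as well.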
March 2026: trojanized Zoom and MiniFast deployment
The second campaign retained the AppDomain hijacking approach but expanded the delivery vector. The group used a trojanized Zoom installer, presumably distributed via fake video conference invitations. The resulting infection chain led to the deployment of the new backdoor MiniFast (also referred to as MiniUpdate).
April 2026: SEO poisoning and fake SQL Developer
The third wave marked a fundamental shift in tactics. Instead of targeted phishing, the group created a fake Oracle SQL Developer download site and promoted it via SEO poisoning. To boost the site’s visibility in Bing and DuckDuckGo search results, dozens of domains were registered that linked to the primary malicious domain getsqldeveloper[.]com, generating artificial link-based reputation signals. According to Check Point, this is the first documented case of Nimbus Manticore using SEO poisoning to deliver malware.
Technical profile of the MiniFast backdoor
MiniFast is a fully featured backdoor designed for long-term persistence and remote control. Communication with the command-and-control server takes place over HTTP. Before entering its main task-processing loop, the malware sends the operator basic information about the system.
The supported command set includes:
- File operations and directory listing
- Process enumeration and termination by PID
- Command execution via cmd.exe
- Loading DLLs
- Creating ZIP archives
- Persistence via scheduled tasks
- Privilege escalation using the runas command
- Downloading additional payloads from the server
- File exfiltration
Of particular note is support for dynamically updating the polling interval and jitter value to randomize the frequency of requests to the command server — a mechanism that complicates detection based on network traffic analysis.
Threat context and scale of operations
Nimbus Manticore has historically focused on the defense, aviation, and telecommunications sectors, using career-themed phishing lures — an approach dubbed “Iranian Dream Job” by analogy with the North Korean Operation Dream Job. A parallel Palo Alto Networks Unit 42 report confirms the group’s increased activity and documents attacks against organizations in the U.S., Israel, the UAE, and across the Middle East using MiniUpdate and an updated version, MiniJunk V2. Among the targets, according to Unit 42, was a U.S. oil and gas company.
Unit 42 researchers highlight the deep personalization of the lures: in addition to fake job postings, fabricated video conference invitations were used. The group deployed two RAT families across organizations in up to five countries, pointing to substantial operational resources.
Important caveat: attribution of the group to specific Iranian state structures is based on the analytical assessments of research companies rather than official government statements. Check Point’s assertion that artificial intelligence tools may have been used in developing MiniFast is likewise an analytical hypothesis based on indirect indicators in the code.
Impact assessment
Organizations in the aviation sector, software developers, oil and gas companies, and defense industry enterprises in the U.S., Europe, the Middle East, and Australia are at greatest risk. The shift to SEO poisoning broadens the pool of potential victims: while phishing requires a deliberately chosen recipient, the fake SQL Developer download page threatens any developer who searches for this software. This turns the attack from targeted to semi-opportunistic, so exposure is no longer limited to staff the group has individually profiled.
Mitigation recommendations
- IOC blocking: add the domain getsqldeveloper[.]com and related resources to DNS and proxy blocklists
- Control download sources: download Oracle SQL Developer, Zoom, and other software only from official vendor sites. Consider implementing policies that restrict installing software from unverified sources
- Monitor AppDomain hijacking: track anomalous DLL loading by .NET applications, especially from non-standard directories. Pay attention to legitimate executables launched from temporary folders or user download directories
- Detect MiniFast behavior: configure detection rules for HTTP communications with a characteristic pattern — transmission of system information on first connection, followed by periodic polling with a variable interval. Monitor the creation of scheduled tasks and use of the runas command from unusual contexts
- Staff training: conduct targeted awareness sessions for HR staff and technical specialists about phishing campaigns using career-themed lures and fake video conference invitations
- Network segmentation: restrict outbound HTTP traffic from workstations, applying the principle of least privilege to network access
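To make the MiniFast detection guidance concrete, the following added example (not from either vendor report) runs a beacon-regularity check over constructed proxy log lines. It models the interval-plus-jitter scheme the backdoor supports as sleep = interval * (1 +/- jitter), which is an assumed shape, marks the first contact as a POST to mirror the initial system-information upload, and shows both a modestly jittered beacon being caught and a heavily jittered one slipping past a coefficient-of-variation threshold. Hosts and domains are placeholders.

```python
"""Beacon-regularity check over proxy logs (constructed sample data)."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2026, 4, 1, 9, 0, 0)
LOG_FMT = "{ts} {src} {dst} {method} {status} {size}"


def beacon_times(base_s, jitter, count, seed):
    """Request times of an implant that sleeps base_s * (1 +/- jitter) between
    polls. Assumed model of the interval/jitter scheme described for MiniFast."""
    rng = random.Random(seed)
    t, out = START, []
    for _ in range(count):
        out.append(t)
        t += timedelta(seconds=base_s * (1 + rng.uniform(-jitter, jitter)))
    return out


def browsing_times(count, seed):
    """Irregular, human-like request times (exponential gaps, mean 90 s)."""
    rng = random.Random(seed)
    t, out = START, []
    for _ in range(count):
        out.append(t)
        t += timedelta(seconds=rng.expovariate(1 / 90))
    return out


def make_log():
    """Constructed proxy log: a 20% jittered beacon, a 90% jittered beacon and
    one ordinary browsing session, sorted by time."""
    rows = []
    for i, t in enumerate(beacon_times(60, 0.2, 40, seed=1)):
        method = "POST" if i == 0 else "GET"   # first contact uploads system info
        rows.append((t, "10.0.0.5", "updates.example.invalid", method, 200, 312))
    for i, t in enumerate(beacon_times(60, 0.9, 60, seed=2)):
        method = "POST" if i == 0 else "GET"
        rows.append((t, "10.0.0.9", "cdn.example.invalid", method, 200, 298))
    for t in browsing_times(60, seed=3):
        rows.append((t, "10.0.0.7", "news.example.invalid", "GET", 200, 18422))
    rows.sort()
    return [LOG_FMT.format(ts=t.isoformat(), src=s, dst=d, method=m, status=c, size=n)
            for t, s, d, m, c, n in rows]


def interval_stats(times):
    """Median gap and coefficient of variation (stdev/mean) of the gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return {"requests": len(times),
            "median_s": statistics.median(gaps),
            "cv": statistics.pstdev(gaps) / mean}


def find_beacons(lines, min_requests=20, cv_threshold=0.35):
    """Group requests by (src, dst) and flag pairs whose gaps are too regular."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, *_ = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        stats = interval_stats(sorted(times))
        if stats["cv"] <= cv_threshold:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for pair, stats in find_beacons(make_log()).items():
        print(pair, stats)
```

A uniform jitter of 20% gives a CV of roughly 0.12, well inside the threshold, but because the operator can raise the jitter value at runtime, a CV of 0.9 * 1/sqrt(3), about 0.52, defeats this check on its own. Pair the regularity score with destination rarity across the fleet, the POST-then-GET first-contact shape, and long-window request counts rather than relying on interval variance alone.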
The three Nimbus Manticore campaigns over three months — with a sequential shift in delivery vectors from phishing to trojanized installers and SEO poisoning — demonstrate the group’s ability to rapidly adapt its tactics. Priority actions for organizations in the targeted sectors are: immediate blocking of the known malicious domain getsqldeveloper[.]com, auditing software download policies, and implementing detection rules for AppDomain hijacking and the characteristic HTTP communication patterns of MiniFast.