MiniFast Backdoor
The Iranian state-sponsored threat actor Nimbus Manticore, linked to the Islamic Revolutionary Guard Corps and also tracked as Screening Serpens and UNC1549, has intensified its cyber campaigns against organizations in the United States, Europe, and the Middle East following the joint U.S.-Israeli strikes on Iran in February 2026. The group targeted companies in the aviation and software industries using increasingly sophisticated intrusion techniques and malware delivery methods.
Security researchers identified several operational changes that distinguish the latest campaigns from earlier activity. These include the introduction of a new backdoor called MiniFast, expanded use of AppDomain hijacking, and a strategic pivot toward SEO poisoning to infect victims through fake software download portals. Analysts also discovered indicators suggesting that artificial intelligence-assisted development may have accelerated the creation of the malware.
From Fake Job Offers to Search Engine Manipulation
Nimbus Manticore has historically focused on defense, aviation, and telecommunications targets through career-themed phishing campaigns commonly referred to as the 'Iranian Dream Job' operations. The tactics closely resemble Operation Dream Job, a long-running social engineering campaign associated with North Korean threat actors.
Between February and April 2026, the group executed three distinct campaign waves without interruption, demonstrating an aggressive operational tempo during the regional conflict.
In February 2026, employees in aviation and software organizations in Saudi Arabia and Australia received fraudulent job offers containing ZIP archives hosted on OnlyOffice. Opening a benign executable inside the archive triggered AppDomain hijacking, which ultimately deployed the MiniJunk malware DLL.
In March 2026, the threat actor adopted a similar infection chain but incorporated a trojanized Zoom installer into the process. The malware was likely distributed through fake meeting invitations and ultimately installed the newly identified MiniFast backdoor.
In April 2026, Nimbus Manticore introduced an entirely different strategy by deploying SEO poisoning techniques. The operators created a counterfeit download page impersonating Oracle SQL Developer and manipulated search engine rankings on Bing and DuckDuckGo by registering numerous supporting domains designed to boost the site's visibility.
This marked the first known instance in which the group abandoned traditional spearphishing in favor of search-engine-driven malware distribution. Instead of directly targeting victims through email lures, the attackers waited for developers and IT personnel to search for commonly used software online before delivering infected installers.
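A defender-side check for the AppDomain hijacking used in the February and March infection chains, added here as an example and not code from the original article: it scans for .NET `.exe.config` files whose `<runtime>` section redirects the AppDomainManager to a side-loaded assembly, which is what lets a benign signed executable load an attacker's DLL. The two element names are the documented .NET runtime configuration settings; the sample config and the `UpdateHelper` assembly name are constructed.

```python
import os
import xml.etree.ElementTree as ET
# Elements under <configuration><runtime> that point the CLR at a replacement
# AppDomainManager. A benign .NET .exe started next to such a config loads the
# named assembly before its own code runs, which is the hijack being described.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def inspect_config(xml_text, config_dir="."):
    """Parse one .exe.config; return a finding dict, or None if it is clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    settings = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]            # tolerate XML namespaces
        if tag in MANAGER_ELEMENTS:
            settings[tag] = child.get("value", "")
    if not settings:
        return None
    # First part of the display name is the assembly; its DLL usually sits beside the .exe
    asm = settings.get("appDomainManagerAssembly", "").split(",")[0].strip()
    settings["assembly"] = asm
    settings["dll_present"] = bool(asm) and os.path.isfile(
        os.path.join(config_dir, asm + ".dll"))
    return settings

def scan_tree(root_dir):
    """Walk a directory and report every .exe.config that redirects the manager."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = inspect_config(fh.read(), dirpath)
            if finding:
                finding["config"] = path
                findings.append(finding)
    return findings

# Constructed sample config (not an artifact from the campaign).
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0"/>
  <appDomainManagerType value="UpdateHelper.Manager"/></runtime></configuration>"""
```

Run `scan_tree()` over user-writable locations such as download and temp directories; a hit whose `dll_present` is true next to a legitimately signed executable is the pattern worth triaging.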
MiniFast Backdoor Reveals Expanding Technical Capabilities
MiniFast, also known as MiniUpdate, represents a major advancement in Nimbus Manticore's malware arsenal. Researchers describe the malware as a fully featured backdoor engineered for persistent access, remote command execution, and long-term espionage operations.
Before entering its command loop, the malware transmits basic system information to its command-and-control infrastructure over HTTP. It then continuously retrieves instructions, uploads execution results, exfiltrates files, and downloads additional payloads.
The backdoor supports a wide range of capabilities, including:
- File manipulation and directory enumeration
- Process listing and forced process termination via PID
- Remote command execution through cmd.exe
- DLL loading and ZIP archive creation
- Persistence through scheduled tasks
- Privilege escalation using the 'runas' command
- Adjustable beacon intervals with configurable jitter to randomize communications
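An added example (not from the article) showing how the configurable beacon interval and jitter listed above can still be spotted in web proxy logs: a robust spread measure (median absolute deviation divided by the median interval) stays small for jittered polling to one destination but not for human browsing. The log lines, hosts, and thresholds are constructed.

```python
import statistics
from collections import defaultdict
# Constructed proxy log (time src dst path); not real campaign traffic. Host
# 10.1.2.3 polls one URL about every minute with jitter, 10.1.2.9 just browses.
LOG = """\
09:00:00 10.1.2.3 updates.example.test /api/check
09:00:57 10.1.2.3 updates.example.test /api/check
09:02:02 10.1.2.3 updates.example.test /api/check
09:03:05 10.1.2.3 updates.example.test /api/check
09:03:59 10.1.2.3 updates.example.test /api/check
09:05:03 10.1.2.3 updates.example.test /api/check
09:06:01 10.1.2.3 updates.example.test /api/check
09:07:04 10.1.2.3 updates.example.test /api/check
09:00:12 10.1.2.9 docs.example.test /index
09:00:13 10.1.2.9 docs.example.test /style.css
09:04:40 10.1.2.9 docs.example.test /page2
09:31:05 10.1.2.9 docs.example.test /page3
09:31:06 10.1.2.9 docs.example.test /img.png
09:58:00 10.1.2.9 docs.example.test /page9
"""
def parse(log):
    """Group request times (seconds since midnight) by (source, destination)."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _path = line.split()
        h, m, s = (int(x) for x in ts.split(":"))
        events[(src, dst)].append(h * 3600 + m * 60 + s)
    return events

def beacon_score(times):
    """Return (median interval, MAD/median) for a sorted list of timestamps.
    MAD is used instead of standard deviation because jitter is bounded noise
    around a fixed interval, so a robust spread stays small for a beacon."""
    deltas = [b - a for a, b in zip(times, times[1:])]
    med = statistics.median(deltas)
    mad = statistics.median(abs(d - med) for d in deltas)
    return med, (mad / med if med else float("inf"))

def find_beacons(log, min_events=6, max_spread=0.25):
    """Flag (src, dst) pairs whose inter-request spread is beacon-like."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_events:
            continue
        med, spread = beacon_score(sorted(times))
        if spread <= max_spread:
            hits.append({"src": src, "dst": dst, "interval": med,
                         "spread": round(spread, 3)})
    return hits
```

Larger jitter settings raise the spread, so tune `max_spread` against a baseline of known-good polling (update checkers, mail clients) before alerting on it.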
Researchers also observed signs that AI-assisted coding tools may have contributed to the malware's development. Evidence includes unusually verbose error handling, excessive defensive programming logic, repetitive naming conventions, highly detailed debug-style status messages, and modular code structuring uncommon for malware of this scale and complexity.
Conflict Fueled Faster and Broader Cyber Operations
Cybersecurity experts believe the campaigns demonstrate a significant operational evolution for Nimbus Manticore. Rather than slowing down during active geopolitical conflict, the group expanded both the pace and sophistication of its activities.
The rapid deployment of a newly developed backdoor in the middle of ongoing operations suggests accelerated malware development cycles, potentially supported by artificial intelligence tooling. At the same time, the transition from targeted phishing to SEO poisoning reflects a broader ambition extending beyond traditional espionage-focused intrusions in the Middle East.
By combining phishing operations, AppDomain hijacking, AI-assisted malware development, and search engine manipulation across multiple campaign waves, Nimbus Manticore demonstrated a highly adaptive threat model capable of rapidly evolving during periods of geopolitical instability.