Cybersecurity researchers have discovered a new hacking campaign linked to an Iranian threat group known as Nimbus Manticore, also tracked as UNC1549 and Screening Serpens. The group is believed to be connected to Iran’s Islamic Revolutionary Guard Corps (IRGC). Researchers said the hackers used phishing emails, fake job offers, and manipulated search engine results to spread new malware called MiniFast and MiniJunk V2. The campaign mainly focused on cyber-espionage and long-term access to victim systems.

The attacks were observed between February and April 2026 and mainly targeted organizations working in aviation, defense, telecommunications, and software sectors. Victims were found in the United States, Europe, the Middle East, Saudi Arabia, Australia, Israel, and the UAE. Researchers also noticed that the hackers continued their operations during the ongoing regional tensions involving Iran, the United States, and Israel. This showed the group’s active involvement in cyber operations during geopolitical conflicts.

In the early stage of the campaign, attackers used fake recruitment emails and career opportunities to target employees of aviation and software companies. Victims received malicious ZIP files disguised as ordinary documents or job-related files. Once opened, the files quietly installed malware on the victim's system without attracting attention. Researchers said the attackers used AppDomain hijacking techniques to launch the malicious code more reliably.
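AppDomain hijacking (also called AppDomainManager injection) relies on a documented .NET Framework feature: an application's `<name>.exe.config` can name an `appDomainManagerAssembly` and `appDomainManagerType` under `<runtime>`, and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables do the same, so the named assembly is loaded before the program's own code runs. The following audit script is an added example for defenders, not code from the report or from any of the researchers cited; the config files it scans and the "Loader" assembly name are constructed samples for illustration.

```python
"""Audit a directory tree and the environment for AppDomainManager-injection indicators.

Added example (not part of the original report). Legitimate software rarely sets
these values, so any hit is worth investigating.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> child elements that redirect AppDomainManager loading.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables with the same effect, applied process-wide.
SUSPECT_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def config_sets_appdomain_manager(config_path):
    """Return {element: value} for suspect settings in one *.exe.config, or {}."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return {}  # not well-formed XML, so not a usable .NET config
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in SUSPECT_ELEMENTS and "value" in child.attrib:
                found[child.tag] = child.attrib["value"]
    return found


def scan_directory(root_dir):
    """Walk root_dir and return {config_path: {element: value}} for flagged configs."""
    hits = {}
    for path in Path(root_dir).rglob("*.exe.config"):
        found = config_sets_appdomain_manager(path)
        if found:
            hits[str(path)] = found
    return hits


def env_sets_appdomain_manager(environ=None):
    """Return the APPDOMAIN_MANAGER_* variables present in the given environment."""
    environ = os.environ if environ is None else environ
    return {k: environ[k] for k in SUSPECT_ENV if k in environ}


# --- constructed sample data (not real files from the campaign) ---------------
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed indicator: runtime redirected to an assembly the application never shipped.
SUSPECT_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Entry" />
  </runtime>
</configuration>
"""


def build_sample_tree():
    """Create a temporary tree with one benign and one suspect config; return its path."""
    base = Path(tempfile.mkdtemp(prefix="appdomain_audit_"))
    (base / "app").mkdir()
    (base / "app" / "Updater.exe.config").write_text(BENIGN_CONFIG)
    (base / "app" / "Viewer.exe.config").write_text(SUSPECT_CONFIG)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, found in scan_directory(sample).items():
        print(f"FLAGGED {path}: {found}")
    for var, val in env_sets_appdomain_manager().items():
        print(f"FLAGGED env {var}={val}")
```

In practice the scan would be pointed at `Program Files`, user profile and temp directories, and a hit should be correlated with the process creating the config (a ZIP-extracted "document" writing a `.exe.config` next to a signed binary is the pattern the report describes).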

Later, the hackers switched tactics and started using fake meeting invitations and modified Zoom installers to distribute a second malware family, MiniFast. After installation, the malware allowed attackers to remotely control infected systems and steal sensitive information. Researchers described MiniFast as a backdoor capable of uploading files, downloading additional malware, and running commands remotely. The malware also helped attackers maintain long-term access inside compromised networks.

One of the most important parts of this campaign was the use of SEO poisoning techniques for malware delivery. In SEO poisoning, hackers manipulate search engine rankings so that malicious websites appear among top search results. Researchers found fake websites pretending to provide Oracle SQL Developer downloads for users searching online. People using search engines like Bing and DuckDuckGo unknowingly downloaded infected installers from these fake websites.

Researchers from Check Point said this was the first known time Nimbus Manticore used SEO poisoning in its operations. Earlier attacks from the group mainly depended on phishing emails and fake attachments to infect victims. By using fake software download pages, the attackers expanded their reach beyond direct email-based attacks. This method increased the chances of infecting users who trusted search engine results while downloading software.

The campaign also included the use of MiniJunk V2, an upgraded version of the MiniJunk malware family linked to previous Iranian cyber activities. Researchers from Palo Alto Networks Unit 42 said the malware used DLL sideloading and customized phishing lures to avoid detection. These techniques helped the malware stay hidden inside systems for longer periods without raising security alerts. Some phishing attacks were highly personalized, especially for people searching for jobs online.

Researchers also raised concerns about the possible use of AI-assisted coding during malware development in this campaign. Experts observed repetitive coding structures, advanced debugging messages, and organized error-handling patterns inside the malware samples. According to researchers, these signs suggest that AI tools may have helped the attackers develop and improve malware more quickly. Cybersecurity experts warned organizations to carefully verify software downloads and remain alert against phishing attacks and suspicious online activity.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news