Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict
Nimbus Manticore, an Iranian IRGC-affiliated threat actor, conducted sophisticated cyber operations during the US military campaign Operation Epic Fury starting February 28, 2026. Targeting aviation and software sectors in the US, Europe, and the Middle East, the actor used career-themed phishing lures and novel SEO poisoning techniques. They deployed a new backdoor called MiniFast, which shows signs of AI-assisted development, and abused legitimate Zoom installer execution flows alongside AppDomain hijacking for malware deployment. Multiple waves of attacks occurred from February through April 2026, demonstrating rapid adaptation and persistent infrastructure. No known exploits or patches are indicated for this threat.
AI Analysis
Technical Summary
During Operation Epic Fury, Nimbus Manticore launched cyber campaigns targeting aviation and software organizations across multiple regions. The actor employed career-themed phishing, SEO poisoning, and introduced MiniFast, a previously undocumented backdoor with AI-assisted traits. Techniques included AppDomain hijacking and abuse of Zoom installer execution to deploy malware. The campaigns showed high operational availability and adaptability, with persistent infrastructure and evolving tactics over several months. There is no indication of known exploits in the wild or available patches for these threats.
Potential Impact
The operations targeted critical sectors such as aviation and software, potentially compromising organizational security and intellectual property. The use of novel techniques like SEO poisoning and AI-assisted backdoors increases the sophistication and stealth of attacks. Persistent and evolving campaigns imply sustained risk to affected organizations. However, no direct evidence of exploitation impact or data loss is provided in the source data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should be aware of the phishing lures and novel attack vectors such as SEO poisoning and AppDomain hijacking. Monitoring for suspicious Zoom installer activity and unusual domain hijacking attempts is advisable. Since no official fixes or patches are indicated, defensive measures should focus on detection and prevention of phishing and malware execution chains specific to this threat.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/"]
- Adversary
- Nimbus Manticore
- Pulse Id
- 6a141fcbde28865faa897cb4
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description |
|---|---|
| ramiltonsfinance.com | — |
| getsqldeveloper.com | — |
| business-startup.org | — |
| buisness-centeral-transportation.com | — |
Threat ID: 6a14237ba5ae1af1aa877343
Added to database: 5/25/2026, 10:24:59 AM
Last enriched: 5/25/2026, 10:39:54 AM
Last updated: 5/25/2026, 11:35:04 AM