Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict
The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.
AI Analysis
Technical Summary
During Operation Epic Fury, Nimbus Manticore launched cyber campaigns targeting aviation and software organizations across multiple regions. The actor employed career-themed phishing, SEO poisoning, and introduced MiniFast, a previously undocumented backdoor with AI-assisted traits. Techniques included AppDomain hijacking and abuse of Zoom installer execution to deploy malware. The campaigns showed high operational availability and adaptability, with persistent infrastructure and evolving tactics over several months. There is no indication of known exploits in the wild or available patches for these threats.
Potential Impact
The operations targeted critical sectors such as aviation and software, potentially compromising organizational security and intellectual property. The use of novel techniques like SEO poisoning and AI-assisted backdoors increases the sophistication and stealth of attacks. Persistent and evolving campaigns imply sustained risk to affected organizations. However, no direct evidence of exploitation impact or data loss is provided in the source data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should be aware of the phishing lures and novel attack vectors such as SEO poisoning and AppDomain hijacking. Monitoring for suspicious Zoom installer activity and unusual domain hijacking attempts is advisable. Since no official fixes or patches are indicated, defensive measures should focus on detection and prevention of phishing and malware execution chains specific to this threat.
Indicators of Compromise
- domain: ramiltonsfinance.com
- hash: 3106848925a39b9d51f9ad9f5963e417
- hash: 8eb107b3dde0a7ac039c668b427a3634
- domain: getsqldeveloper.com
- domain: business-startup.org
- domain: buisness-centeral-transportation.com
- hash: 628d831989787ee1b4ffee611cb2014b
- hash: 810f8e3b88eb05f710c09552941d6f56
- hash: cdbe76cdfdec8f7c09781b2ef0fdb7f4
- hash: 0997b6c2fdc3af2de118db559c92ef510c60a994
- hash: 67f41dc48bfd0c0597295259bd3c0d3c09dfea34
- hash: da11679653ef33952c3dc8d8850e43d7b8ac884a
- hash: 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
- hash: 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
- hash: 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
- hash: 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
- hash: 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
- hash: 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
- hash: 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
- hash: 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
- hash: 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
- hash: b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
- hash: bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
- hash: d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
- hash: 00213937e9c41e69bed025a882de521b
- hash: 2d3fcf0f7a069958a7d9ab2d9d52bee7
- hash: 36e3cd7b35f5abdf8b5f76afb46e4dea
- hash: 8d1f16c615b39b13ddfe5d2820c6bae8
- hash: d6cfee4032ba6f8737242fbbe2ec87d7
- hash: ef0b3833f96b9b5dfe2fc91ec7ba0727
- hash: 491ac43610a46ad3a9ca647e6e7b29e6387b2169
- hash: 510668d94c3638749b6c945246922679d4db4df7
- hash: 6e12c54d1861a455c0008ed9ce166e843298a4a0
- hash: 94a0fcc1fb22c6a96abfefbb75bc40afb126f69a
- hash: a067d4a121af6922fd695e76fa5720135ed12e7b
- hash: fca243db4f4671e6425c7813b24585c22137224f
- hash: 0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
- hash: 10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d
- hash: 2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
- hash: 485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
- hash: 5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
- hash: 63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
- hash: 64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
- hash: 781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690
- hash: a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
- hash: a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
- hash: dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee
- hash: ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
- hash: eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
- hash: f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
- hash: f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c
- hash: be3b4a74f3872008c4cde0cbe8624e2c15618eaf
- hash: 1004a0df8dd34741b40ed6bc3c04ade5
- hash: 1274eb21a996552f2bba7ed949f66c02
- hash: 16b421555b84b87e82a56813e86dbf80
- hash: 34af888f33898a4c3b93ac0e8fecf3a2
- hash: 6bba585b1377068865cb07b1d882cf3d
- hash: 756d53fb230a482568d46da68548227c
- hash: 9ef9afb9821cbe7e77191b13a7948a2d
- hash: ece99a279b8c48271b000c620d291c6a
- hash: 1e982096ec2cbe8d2f2a325b59d0a1783f15a994
- hash: 25c14e19526be586b75b52cae8bdb1553c746642
- hash: 3b2926400541e017a043926ebf92dd91ee80d797
- hash: 4b35cda868585a0e593f6d316b17633b1fd42f1c
- hash: b4538d26e69b64e8160d3577c04b7db8aee6bff4
- hash: d64634926ed100d4d8b845df21a69536291afc36
- hash: e508d429e7ded70726f3bfb4e64a26274cebab61
- hash: f2049d64631264ed6c8ccabdd486763341e18163
- hash: f687b606e7bdd7533e327c98fecb71937564dc92
Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict
Description
The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
During Operation Epic Fury, Nimbus Manticore launched cyber campaigns targeting aviation and software organizations across multiple regions. The actor employed career-themed phishing, SEO poisoning, and introduced MiniFast, a previously undocumented backdoor with AI-assisted traits. Techniques included AppDomain hijacking and abuse of Zoom installer execution to deploy malware. The campaigns showed high operational availability and adaptability, with persistent infrastructure and evolving tactics over several months. There is no indication of known exploits in the wild or available patches for these threats.
Potential Impact
The operations targeted critical sectors such as aviation and software, potentially compromising organizational security and intellectual property. The use of novel techniques like SEO poisoning and AI-assisted backdoors increases the sophistication and stealth of attacks. Persistent and evolving campaigns imply sustained risk to affected organizations. However, no direct evidence of exploitation impact or data loss is provided in the source data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should be aware of the phishing lures and novel attack vectors such as SEO poisoning and AppDomain hijacking. Monitoring for suspicious Zoom installer activity and unusual domain hijacking attempts is advisable. Since no official fixes or patches are indicated, defensive measures should focus on detection and prevention of phishing and malware execution chains specific to this threat.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/"]
- Adversary
- Nimbus Manticore
- Pulse Id
- 6a141fcbde28865faa897cb4
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainramiltonsfinance.com | — | |
domaingetsqldeveloper.com | — | |
domainbusiness-startup.org | — | |
domainbuisness-centeral-transportation.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash3106848925a39b9d51f9ad9f5963e417 | — | |
hash8eb107b3dde0a7ac039c668b427a3634 | — | |
hash628d831989787ee1b4ffee611cb2014b | — | |
hash810f8e3b88eb05f710c09552941d6f56 | — | |
hashcdbe76cdfdec8f7c09781b2ef0fdb7f4 | — | |
hash0997b6c2fdc3af2de118db559c92ef510c60a994 | — | |
hash67f41dc48bfd0c0597295259bd3c0d3c09dfea34 | — | |
hashda11679653ef33952c3dc8d8850e43d7b8ac884a | — | |
hash0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 | — | |
hash332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 | — | |
hash38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d | — | |
hash43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa | — | |
hash44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 | — | |
hash74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 | — | |
hash8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b | — | |
hash9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 | — | |
hash9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 | — | |
hashb19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 | — | |
hashbc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad | — | |
hashd4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 | — | |
hash00213937e9c41e69bed025a882de521b | — | |
hash2d3fcf0f7a069958a7d9ab2d9d52bee7 | — | |
hash36e3cd7b35f5abdf8b5f76afb46e4dea | — | |
hash8d1f16c615b39b13ddfe5d2820c6bae8 | — | |
hashd6cfee4032ba6f8737242fbbe2ec87d7 | — | |
hashef0b3833f96b9b5dfe2fc91ec7ba0727 | — | |
hash491ac43610a46ad3a9ca647e6e7b29e6387b2169 | — | |
hash510668d94c3638749b6c945246922679d4db4df7 | — | |
hash6e12c54d1861a455c0008ed9ce166e843298a4a0 | — | |
hash94a0fcc1fb22c6a96abfefbb75bc40afb126f69a | — | |
hasha067d4a121af6922fd695e76fa5720135ed12e7b | — | |
hashfca243db4f4671e6425c7813b24585c22137224f | — | |
hash0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40 | — | |
hash10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d | — | |
hash2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc | — | |
hash485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3 | — | |
hash5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8 | — | |
hash63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4 | — | |
hash64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c | — | |
hash781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690 | — | |
hasha13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441 | — | |
hasha57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf | — | |
hashdfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee | — | |
hashecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e | — | |
hasheee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71 | — | |
hashf08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03 | — | |
hashf54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c | — | |
hashbe3b4a74f3872008c4cde0cbe8624e2c15618eaf | — | |
hash1004a0df8dd34741b40ed6bc3c04ade5 | — | |
hash1274eb21a996552f2bba7ed949f66c02 | — | |
hash16b421555b84b87e82a56813e86dbf80 | — | |
hash34af888f33898a4c3b93ac0e8fecf3a2 | — | |
hash6bba585b1377068865cb07b1d882cf3d | — | |
hash756d53fb230a482568d46da68548227c | — | |
hash9ef9afb9821cbe7e77191b13a7948a2d | — | |
hashece99a279b8c48271b000c620d291c6a | — | |
hash1e982096ec2cbe8d2f2a325b59d0a1783f15a994 | — | |
hash25c14e19526be586b75b52cae8bdb1553c746642 | — | |
hash3b2926400541e017a043926ebf92dd91ee80d797 | — | |
hash4b35cda868585a0e593f6d316b17633b1fd42f1c | — | |
hashb4538d26e69b64e8160d3577c04b7db8aee6bff4 | — | |
hashd64634926ed100d4d8b845df21a69536291afc36 | — | |
hashe508d429e7ded70726f3bfb4e64a26274cebab61 | — | |
hashf2049d64631264ed6c8ccabdd486763341e18163 | — | |
hashf687b606e7bdd7533e327c98fecb71937564dc92 | — |
Threat ID: 6a14237ba5ae1af1aa877343
Added to database: 05/25/2026, 10:24:59 UTC
Last enriched: 05/25/2026, 10:39:54 UTC
Last updated: 07/09/2026, 20:12:47 UTC
Views: 337
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.