
Iranian APT Targets Aviation, Software Companies With Updated Tools

Medium
Vulnerability
Published: Tue May 26 2026 (05/26/2026, 13:26:17 UTC)
Source: SecurityWeek

Description

Nimbus Manticore, an Iranian APT group linked to the IRGC and active since at least 2022, continues targeting aviation and software companies with updated malware and tactics. The group uses phishing campaigns with job lures and trojanized installers to deploy new backdoors such as MiniJunk and MiniFast. These backdoors enable long-term persistence, remote command execution, file manipulation, and payload deployment. Recent campaigns have expanded targeting to include US-based organizations, using AppDomain hijacking to execute malicious DLLs in .NET applications. The group has demonstrated rapid adaptation and likely leverages AI-assisted development techniques. There is no public information on patches or vendor advisories related to these attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/26/2026, 13:32:23 UTC

Technical Analysis

Nimbus Manticore (also known as Bohrium, Smoke Sandstorm, TA455, UNC1549), a subgroup of Charming Kitten (APT35) linked to Iran's IRGC, has updated its toolset and tactics in ongoing cyber espionage campaigns targeting aviation and software sectors. The group employs phishing with job offer lures and trojanized installers (e.g., Zoom installer) to deliver backdoors like MiniJunk and MiniFast. MiniFast is a 64-bit Windows PE DLL that impersonates Chrome and supports extensive remote operations including file and process manipulation, scheduled task creation, and additional payload deployment. The group uses AppDomain hijacking via malicious XML .config files to load DLLs in .NET applications. Campaigns have targeted organizations in Saudi Arabia, Australia, Europe, the Middle East, and recently the US. Nimbus Manticore also uses SEO poisoning to promote fake download sites. The group’s rapid tool development is likely aided by AI and LLM-based techniques. No specific vulnerabilities or patches are identified in the source content.

Potential Impact

The threat enables persistent remote access and control over targeted systems in aviation and software companies, allowing attackers to manipulate files and processes, exfiltrate data, and deploy further malware. The targeting of critical sectors such as aerospace and defense, including US organizations, poses risks to sensitive information and operational security. However, there is no indication of widespread exploitation or known active exploits beyond targeted intrusions. The campaigns leverage social engineering and supply chain deception rather than exploiting software vulnerabilities directly.

Mitigation Recommendations

No vendor advisories or patches are referenced for this threat. Organizations should focus on detecting and blocking phishing campaigns, especially those involving job offer lures and trojanized installers. Monitoring for AppDomain hijacking techniques and suspicious DLL loading in .NET applications is recommended. Employing endpoint detection and response solutions capable of identifying backdoors like MiniJunk and MiniFast can aid in mitigation. Since this is an ongoing APT campaign, organizations should maintain updated threat intelligence and apply security best practices relevant to phishing and malware defense. Patch status is not yet confirmed — check vendor advisories for updates.


Technical Details

Article Source: https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/ (fetched 2026-05-26T13:32:12 UTC, 1236 words)

Threat ID: 6a15a0dc891d628fdc364a3f

Added to database: 5/26/2026, 1:32:12 PM

Last enriched: 5/26/2026, 1:32:23 PM

Last updated: 5/26/2026, 9:50:29 PM

