[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwBcnXfxTioTAtx8VPG4IZ644RACqv5SrQlql-_fdsb0":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"06226219-ef25-47ed-8192-b0f10a5dcb07","Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms","iran-s-nimbus-manticore-used-trojanized-zoom-installers-against-us-firms-cacbd7","Iran’s Nimbus Manticore hackers used trojanized Zoom installers to deploy malware against US firms during a wider IRGC-linked cyber campaign.","Iran-affiliated Nimbus Manticore (UNC1549) conducted a cyber campaign from February to April 2026 targeting US aviation and software firms using trojanized Zoom installers and fake job offers. The group employed AppDomain hijacking to deploy the MiniJunk and MiniFast backdoors while masking malicious activity. By April, it had shifted to SEO poisoning with fake Oracle SQL Developer sites to distribute malware at scale.","Iran's Nimbus Manticore deployed trojanized Zoom installers against US firms via social engineering.","Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms Iran’s Nimbus Manticore hackers used trojanized Zoom installers to deploy malware against US firms during a wider IRGC-linked cyber campaign. by Deeba Ahmed, May 27, 2026 If you installed Zoom from unofficial sites earlier this year, your device may have been exposed to malware linked to Iran’s Nimbus Manticore hackers. Check Point Research (CPR) recently exposed a series of cyberattacks carried out by an Iranian group called Nimbus Manticore (also tracked as UNC1549), which is affiliated with the Islamic Revolutionary Guard Corps (IRGC). 
Nimbus Manticore has been most active between February and April 2026, a time of major military tension after the launch of Operation Epic Fury on 28 February 2026. Reportedly, the group has expanded its targets beyond Israel and the UAE to hit aviation and software firms in the US. Fake Job Offers and Zoom Invites According to CPR’s blog post, in February 2026 the hackers targeted workers in Saudi Arabia and Australia with fake job offers on OnlyOffice. When victims downloaded a ZIP archive, the group used a technique called AppDomain hijacking. By placing a malicious configuration file (Setup.exe.config) next to a legitimate Microsoft binary (Setup.exe), they caused that binary to load a malicious DLL (uevmonitor.dll), which launched the MiniJunk malware. By March 2026, they had switched to fake Zoom meeting invitations containing Zoominstall64.zip. This launched a real Zoom installer (Zoom_cm.exe) to mask the attack, while AppDomain hijacking quietly deployed a new backdoor called MiniFast via InitInstall.dll. The malware even hijacked a real Windows scheduled task (ZoomUpdateTaskUser) to persist unnoticed on the system. Attack chain during Operation Epic Fury (Source: Check Point Research) Search Engine Tricks MiniFast stands out for showing clear signs of AI-assisted development. The code was exceptionally neat, featured modular organisation, and included excessive error handling for basic tasks such as GetUserName. This allowed the group to build tools rapidly mid-conflict. Once active, MiniFast gave the hackers full remote control via cmd.exe while disguising its network traffic as that of a Google Chrome browser. In April, the group abandoned emails in favour of SEO poisoning. They built a fake website, getsqldevelopercom, to mimic Oracle’s SQL Developer software. By registering dozens of connected domains and using keyword stuffing, they pushed the scam site to the top of Bing and DuckDuckGo results, tricking developers into downloading the MiniFast backdoor directly. 
2026 campaign timeline (Source: Check Point Research) The Verdict Check Point Research noted that wartime pressures actually accelerated the group’s capabilities. By mixing AI-driven coding with public search engine manipulation, Nimbus Manticore skipped targeted emails entirely to compromise systems faster, showing an expansion of their ambitions well beyond regional spying. 
","https:\u002F\u002Fhackread.com\u002Firan-nimbus-manticore-trojan-zoom-installers-us-firms\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Firan-nimbus-manticore-trojan-zoom-installers-us-firms.jpg","2026-05-27T18:08:35+00:00","2026-05-27T20:00:15.537694+00:00",9,[18,21,23,25,28,31],{"name":19,"type":20},"Nimbus Manticore","threat_actor",{"name":22,"type":20},"UNC1549",{"name":24,"type":20},"Islamic Revolutionary Guard Corps (IRGC)",{"name":26,"type":27},"Operation Epic Fury","campaign",{"name":29,"type":30},"Check Point Research","vendor",{"name":32,"type":33},"Zoom","product","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":34,"icon":36,"name":37,"slug":38},null,"Nation-state","nation-state",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,59,62,65],{"type":49,"value":57,"context":58},"MiniJunk","Backdoor deployed via OnlyOffice fake job offer trojanized ZIP archives in February 2026",{"type":49,"value":60,"context":61},"MiniFast","Backdoor deployed via fake Zoom meeting invitations and SEO poisoning campaigns; showed AI-assisted development",{"type":49,"value":63,"context":64},"uevmonitor.dll","Malicious DLL used in AppDomain hijacking attack chain via Setup.exe.config",{"type":49,"value":66,"context":67},"InitInstall.dll","DLL deploying MiniFast backdoor in Zoom installer attack chain"]