[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fw9fKVHzeynhHQirI44tcGGt71TG006Hp1CL8vZUGJnQ":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"25bde12f-dd53-46e4-b76c-42c0112b7f6b","Iranian APT Targets Aviation, Software Companies With Updated Tools","iranian-apt-targets-aviation-software-companies-with-updated-tools-561f11","Nimbus Manticore has continued its operations during and after the US military campaign against Iran. The post Iranian APT Targets Aviation, Software Companies With Updated Tools appeared first on SecurityWeek.","Nimbus Manticore, an Iranian APT linked to the IRGC and believed to be a Charming Kitten subgroup, has expanded operations targeting aviation and software companies with updated tooling, including an updated MiniJunk backdoor, a new MiniFast backdoor, and AppDomain hijacking in place of traditional DLL sideloading. The group has shifted focus toward US-based targets while conducting phishing campaigns via fake job offers and trojanized installers, with Check Point assessing that LLM-based tools likely support its rapid development capabilities.","Iranian APT Nimbus Manticore targets aviation and software firms with new backdoors and AppDomain hijacking tactics.","An Iranian APT tracked as Nimbus Manticore has adopted new tactics and updated its arsenal in fresh intrusions targeting aviation and software companies, Check Point reports. Also known as Bohrium, Smoke Sandstorm, TA455, and UNC1549, and active since at least 2022, Nimbus Manticore is believed to be a subgroup of Charming Kitten (APT35) and to have ties with Iran’s Islamic Revolutionary Guard Corps (IRGC). Nimbus Manticore was previously seen targeting aerospace, aviation, and defense organizations in the Middle East and Europe with the MiniBike and MiniBus backdoors. 
In November 2024, the group was observed borrowing the North Korea-linked Lazarus Group’s Dream Job tactics in a campaign targeting the aerospace industry. Earlier this year, Google warned that the APT continued to target organizations in the defense sector with fake job offers, and Check Point now says the group’s activities have continued during and after the US military campaign against Iran that started in February 2026. Amid rising geopolitical tensions in the Middle East, Nimbus Manticore’s phishing campaigns switched from DLL sideloading to AppDomain hijacking for payload execution. The technique relies on a trojanized XML .config file placed in the target .NET application’s directory: when the application launches, the runtime reads that file and loads the attacker’s DLL. In one campaign, Nimbus Manticore reused a phishing lure resembling its earlier operations to get employees of aviation and software companies in Saudi Arabia and Australia to download a ZIP archive hosted on the OnlyOffice platform, leading to infections with a new version of the MiniJunk backdoor. In another, job lures impersonating a US-based airline delivered a trojanized Zoom installer, and AppDomain hijacking in that infection chain led to the deployment of a new backdoor, named MiniFast. Delivered as a 64-bit Windows PE DLL, MiniFast impersonates the Chrome browser and is designed for long-term persistence and remote command execution. It also lets the attackers manipulate files and directories, exfiltrate files, enumerate and terminate processes, create scheduled tasks, and deploy additional payloads. “Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques,” Check Point notes. 
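The config-based loading described above is what makes the technique quiet: the application binary is untouched, and the only new artifact is a file the runtime trusts beside it. The hunt script below is an added example, not code from the article or from Check Point. It is written against the documented AppDomainManager injection mechanism, in which the appDomainManagerAssembly and appDomainManagerType elements of the runtime section in a .NET Framework application’s <app>.exe.config tell the CLR to load a named assembly and run its AppDomainManager before the application’s own entry point. The article does not reproduce the actor’s actual config, so the sample configs, the SomeClient and UpdateHelper names and the folder layout are constructed for the demo and are not indicators from the campaign.

```python
'''
Hunt for AppDomainManager hijack entries in .NET app folders.
Added example, not from the page or Check Point. Assumes the documented
mechanism: a .NET Framework app reads <app>.exe.config from its own directory,
and appDomainManagerAssembly / appDomainManagerType under <runtime> make the
CLR load and run that assembly before Main(). Names below are constructed.
'''
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# <runtime> children that make the CLR load a foreign assembly at startup.
SUSPECT_ELEMENTS = {'appdomainmanagerassembly', 'appdomainmanagertype'}

@dataclass
class Finding:
    config_path: str
    element: str
    value: str
    # True/False when the config is on disk and the named assembly is / is not
    # beside it; None when the config text was inspected from memory.
    assembly_beside_config: Optional[bool]

def _local_name(tag):
    # ElementTree renders namespaced tags as {uri}name; keep only the name.
    return tag.rsplit('}', 1)[-1]

def inspect_config_text(xml_text, config_path=None):
    '''Return one Finding per AppDomainManager element found under <runtime>.'''
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # not XML, so the CLR would not honour it either
    findings = []
    for node in root.iter():
        if _local_name(node.tag) != 'runtime':
            continue
        for child in node:
            name = _local_name(child.tag)
            if name.lower() not in SUSPECT_ELEMENTS:
                continue
            value = child.get('value', '')
            beside = None
            if config_path is not None and name.lower() == 'appdomainmanagerassembly':
                # Value is an assembly display name (Name, Version=..., ...); the
                # default probing path is the application directory, so look there.
                simple_name = value.split(',', 1)[0].strip()
                candidate = os.path.join(os.path.dirname(config_path), simple_name + '.dll')
                beside = os.path.isfile(candidate)
            findings.append(Finding(config_path or '<memory>', name, value, beside))
    return findings

def scan_directory(root_dir):
    '''Walk a tree and inspect every *.config file it contains.'''
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower().endswith('.config'):
                path = os.path.join(dirpath, fname)
                with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    results.extend(inspect_config_text(fh.read(), path))
    return results

# Constructed samples: a harmless config and one carrying a hijack entry.
BENIGN_CONFIG = '''<configuration>
  <runtime>
    <gcServer enabled='false' />
  </runtime>
</configuration>'''

HIJACKED_CONFIG = '''<configuration>
  <runtime>
    <appDomainManagerAssembly value='UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' />
    <appDomainManagerType value='UpdateHelper.Manager' />
  </runtime>
</configuration>'''

def run_demo():
    '''Build a throwaway application folder holding both configs and scan it.'''
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, 'SomeClient')
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, 'SomeClient.exe.config'), 'w', encoding='utf-8') as fh:
            fh.write(HIJACKED_CONFIG)
        # Planted assembly beside the executable (empty here): a hijack entry
        # whose assembly is actually present is the strongest signal.
        open(os.path.join(app_dir, 'UpdateHelper.dll'), 'wb').close()
        with open(os.path.join(tmp, 'Benign.exe.config'), 'w', encoding='utf-8') as fh:
            fh.write(BENIGN_CONFIG)
        return scan_directory(tmp)

if __name__ == '__main__':
    for f in run_demo():
        print(f.config_path, f.element, f.value, 'assembly beside config:', f.assembly_beside_config)
```

Point scan_directory() at mounted Program Files trees or at configs collected during triage; a hit where the referenced DLL really sits beside the executable and is not signed by the application vendor deserves immediate attention. Real .config files normally use double-quoted attributes; the XML parser accepts either form. Two caveats: the CLR accepts the same two settings through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which a file scan cannot see, so pair this with a look at process environments; and AppDomainManager is a .NET Framework feature, so this variant does not apply to .NET Core and later applications.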
In April, Nimbus Manticore was seen using a fake SQL Developer download website to distribute the MiniFast backdoor. The campaign abused search engine optimization techniques, relying on dozens of domains linking to the fake website to raise its reputation with search engines. “At the time of our analysis, the malicious domain ranked high in the results returned by multiple search engines, such as Bing and DuckDuckGo, for the query ‘sql developer’. This increased the likelihood that users searching for legitimate SQL Developer downloads would encounter the site,” Check Point notes. While typical Nimbus Manticore operations have focused on the Middle East, Europe, and Africa, mainly targeting Israel and the United Arab Emirates, the fresh campaigns also revealed a shift towards US organizations. “Fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, impersonating US domestic airlines suggests a deliberate focus on US-based targets,” Check Point notes. Written by Ionut Arghire, an international correspondent for SecurityWeek.
","https:\u002F\u002Fwww.securityweek.com\u002Firanian-apt-targets-aviation-software-companies-with-updated-tools\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F04\u002FIran-Cyberattacks.jpg","2026-05-26T13:26:17+00:00","2026-05-26T14:00:12.32867+00:00",9,[18,21,23,25,28,31],{"name":19,"type":20},"Nimbus Manticore","threat_actor",{"name":22,"type":20},"Charming Kitten (APT35)",{"name":24,"type":20},"Lazarus Group",{"name":26,"type":27},"Dream Job","campaign",{"name":29,"type":30},"Check Point","vendor",{"name":32,"type":30},"Google","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":33,"icon":35,"name":36,"slug":37},null,"Nation-state","nation-state",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,53,56,59],{"type":43,"value":51,"context":52},"MiniJunk","Updated version of an existing backdoor, delivered via a ZIP archive hosted on OnlyOffice in a phishing campaign",{"type":43,"value":54,"context":55},"MiniFast","64-bit Windows PE DLL backdoor impersonating the Chrome browser, used for persistence and remote command execution",{"type":43,"value":57,"context":58},"MiniBike","Backdoor previously used by Nimbus Manticore against aerospace, aviation, and defense organizations in the Middle East and Europe",{"type":43,"value":60,"context":58},"MiniBus"]