Nimbus Manticore: Iranian APT Leverages AI-Assisted Backdoors to Target Aviation and Software Sectors

The Iranian threat group Nimbus Manticore has expanded its operations, targeting aviation and software entities across Saudi Arabia, Australia, and the U.S. wi…

Nimbus Manticore, an Iranian APT group linked to the IRGC, targeted aviation and software companies in Saudi Arabia, Australia, and the United States in a sophisticated three-wave campaign between February and April 2026. Researchers from Check Point Research and Palo Alto Networks Unit 42 have documented the group's use of updated backdoors—MiniFast and MiniJunk V2—distributed through AppDomain hijacking in .NET applications and SEO poisoning used to deliver trojanized installers.

Reports published in May 2026 indicate clear signs of AI-assisted malware development. Check Point assesses that these tools likely bolstered the group's ability to adapt rapidly, maintaining high operational tempo even during periods of regional conflict.

Key Takeaways
  • Nimbus Manticore has transitioned from DLL sideloading to AppDomain hijacking, using trojanized .config XML files to force .NET applications into loading malicious DLLs at startup.
  • The MiniFast backdoor was distributed via a compromised Zoom installer and a fraudulent SQL Developer site optimized for search engines, expanding the group's reach from specific targets to the general developer community.
  • Check Point identified code patterns in MiniFast consistent with LLM generation: excessive error handling, verbose function naming, and modularity that exceeds the malware's operational requirements.
  • Unit 42 confirms targeting across five countries, including a U.S.-based oil company, noting an acceleration in operations during and after U.S. military actions against Iran.

From Fake Recruiters to Malicious Downloads: A Shift in Tactics

Previous campaigns relied heavily on job lures: fraudulent employment offers delivered via compromised OnlyOffice documents aimed at airline and software employees. While the first wave of 2026 followed this pattern by distributing MiniJunk V2 through OnlyOffice ZIP archives, the group's strategy quickly evolved.

In March, the group began spreading MiniFast (also known as MiniUpdate) via a trojanized Zoom installer. By April, they had registered dozens of domains pointing to getsqldeveloper[.]com, a site impersonating Oracle SQL Developer. Leveraging SEO poisoning, the site ranked highly on Bing and DuckDuckGo for the query "sql developer."

This shift marks a significant move from targeted spear-phishing to broad traffic acquisition. A developer seeking legitimate tools becomes a potential target without ever receiving a suspicious email. The attack surface has expanded from specific personnel to anyone installing software from unverified sources.

AppDomain Hijacking: The Evolution of Malicious Loading

The group has largely abandoned DLL sideloading—a technique now frequently flagged by EDR solutions—in favor of AppDomain hijacking within .NET environments.

Operators place a trojanized .config XML file within a legitimate .NET application's directory, redefining the assembly loading path. Upon execution, the .NET runtime automatically loads a malicious DLL instead of the intended component. This execution occurs entirely within the context of a trusted process.

Observed in the February 2026 campaigns, this technique offers clear operational advantages: no suspicious processes are spawned, the malicious payload is masked by a legitimate binary, and persistence is baked into the application's normal startup routine. This transition highlights a calculated adaptation to modern defensive countermeasures.

MiniFast: Anatomy of a "Chrome" Backdoor with AI Characteristics

MiniFast is a 64-bit Windows PE DLL engineered for long-term persistence and remote command execution. It masquerades as Google Chrome using hardcoded User-Agents, communicating with its C2 servers over HTTP to fetch tasks, upload results, exfiltrate files, and download secondary payloads. Its command set includes executing commands through cmd.exe, running programs under other credentials via runas, and creating scheduled tasks.
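One way to hunt for the Chrome impersonation described above is to compare the User-Agent in outbound HTTP telemetry against the process that sent it. The following is an added example, not code from the original report or from either research team; the event schema (process image path, User-Agent, destination host) and the sample events are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Marker shared by Chrome, other Chromium-based browsers and Electron apps.
CHROME_UA = re.compile(r"\bChrome/\d+")

# Processes for which a Chrome User-Agent is expected. Electron-based desktop
# apps are a known false-positive source, so this allowlist (an assumption for
# the example) must be tuned to the environment before alerting on it.
EXPECTED_CHROME_UA = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


def flag_chrome_ua_from_non_browser(events):
    """Return events where a non-browser process presented a Chrome User-Agent.

    Each event is a dict with 'process' (full image path), 'user_agent' and
    'dest' (destination host), a constructed EDR/proxy schema for this example.
    """
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["process"]).name.lower()
        if CHROME_UA.search(ev.get("user_agent", "")) and image not in EXPECTED_CHROME_UA:
            findings.append({"process": image, "dest": ev["dest"], "user_agent": ev["user_agent"]})
    return findings


# Constructed sample events (not real telemetry); the second one mimics a
# trojanized installer calling out with a browser User-Agent.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "dest": "www.example.com"},
    {"process": r"C:\Users\dev\AppData\Local\Temp\ZoomInstaller.exe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "dest": "updates.example-c2.invalid"},
    {"process": r"C:\Windows\System32\svchost.exe",
     "user_agent": "Microsoft-Delivery-Optimization/10.0",
     "dest": "download.example.net"},
]

if __name__ == "__main__":
    for f in flag_chrome_ua_from_non_browser(SAMPLE_EVENTS):
        print(f"ALERT: {f['process']} sent a Chrome User-Agent to {f['dest']}")
```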

Check Point documented several code patterns consistent with LLM (Large Language Model) generation: error handling that is disproportionately robust for such a simple payload, verbose function and variable names, detailed debug strings, and a modular organization that contrasts with the malware's linear operational flow. Researchers attribute these traits to output generated by language models rather than traditional human coding styles.

"Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques" — Check Point Research

The distinction is critical: this is not autonomous AI-created malware, but rather the acceleration of the development lifecycle. Check Point suggests that LLM tools helped compress timelines, allowing new backdoors to be deployed mid-conflict rather than requiring prolonged preparation phases.

Mitigation and Detection Strategies

  • Monitor .config Files in .NET Applications: Implement alerting for unauthorized changes to XML .config files in .NET application directories and for anomalous assembly paths. Indicator: Altered .config files in trusted application folders.
  • Audit Hardcoded Chrome User-Agents: Inspect non-browser processes (such as Zoom installers or .NET utilities) that exhibit Chrome User-Agents or suspicious HTTP connections to domains associated with MiniFast. Indicator: Chrome User-Agents originating from non-browser executables.
  • Verify Hostnames Before Downloading: Ensure that software such as Zoom, SQL Developer, and similar tools is sourced exclusively from official domains. Verify that search engine queries for "sql developer" do not lead to getsqldeveloper[.]com. Indicator: Typosquatting or impersonation in SEO results.
  • Update EDR Patterns: Configure endpoint detection products to flag DLL loading from non-standard paths within trusted .NET processes, moving beyond traditional sideloading detection. Indicator: DLLs loaded via AppDomain hijacking in legitimate .NET processes.
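The AppDomain hijacking technique described earlier and the first mitigation above both come down to what an application's .config file tells the .NET runtime to load. The following audit function is an added example, not code from the original report: it parses a .exe.config and flags the `<runtime>` settings that can redirect loading (a custom AppDomainManager assembly and type, or a probing path that leaves the application directory). The two sample configs are constructed; the assembly names in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used by the assemblyBinding block in .NET application config files.
ASM_NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}


def audit_dotnet_config(config_xml: str) -> list:
    """Return human-readable findings for <runtime> settings that redirect assembly loading."""
    findings = []
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    # An AppDomainManager assembly is loaded before the application's own Main().
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        el = runtime.find(tag)
        if el is not None:
            findings.append(f"{tag}={el.get('value')!r}: custom AppDomainManager loaded at startup")
    # privatePath should only name subdirectories of the application base.
    for probing in runtime.findall("asm:assemblyBinding/asm:probing", ASM_NS):
        path = probing.get("privatePath", "")
        if ".." in path or ":" in path or path.startswith(("\\", "/")):
            findings.append(f"probing privatePath={path!r} does not stay under the application base")
    return findings


# Constructed sample: a normal config that only probes two subfolders.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib;plugins"/>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed sample: a tampered config; 'UpdateHelper' is a placeholder name.
TAMPERED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="..\\..\\Public"/>
    </assemblyBinding>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        for finding in audit_dotnet_config(cfg):
            print(f"[{name}] {finding}")
```

Run it over every `*.exe.config` under the directories of trusted .NET applications and baseline the results, since some legitimate software does ship a custom AppDomainManager.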

Strategic Acceleration: Analyzing the Mid-Conflict Pivot

Converging data from Check Point and Unit 42 reveals an operational profile that challenges conventional wisdom. While APT groups typically reduce exposure during periods of high geopolitical tension, Nimbus Manticore did the opposite.

Sergey Shykevich of Check Point Research noted: "They built and deployed a brand-new backdoor mid-conflict while operations were actively underway. [...] The conflict didn't slow them down; it actually accelerated them." According to Check Point's assessment, this acceleration was likely facilitated by the use of LLM tools.

Unit 42 confirmed the group's targeting of entities in up to five countries, with a U.S. oil company included in the scope. This geographic reach—spanning Saudi Arabia, Australia, and the U.S.—demonstrates ambitions that, as Shykevich observed, "extended well beyond targeted espionage in the Middle East."

The aviation sector is now joined by the software sector as a vector for indirect access to broader supply chains. While the exact scale of the SEO poisoning campaign remains unquantified, the investment in dozens of malicious domains suggests a calculated expectation of high returns rather than a sporadic experiment.

Information has been verified against the cited sources and is current as of the time of publication.