Evolution of Nimbus Manticore: SEO Poisoning and AI-Assisted Malware in Operation Epic Fury

A sophisticated cyber campaign attributed to the Iranian IRGC-affiliated threat group Nimbus Manticore (also known as UNC1549) has surfaced, signaling a significant shift in the group’s operational methodology. The campaign, emerging amidst the geopolitical tensions of Operation Epic Fury (launched February 28, 2026), demonstrates an increased level of technical maturity, characterized by the integration of SEO poisoning and potentially AI-augmented malware development.

Historically, Nimbus Manticore has focused on the aviation, defense, and telecommunications sectors, primarily utilizing career-themed phishing lures. However, current intelligence indicates a broadening geographic and sectoral footprint, with active targeting across the United States, Europe, and the Middle East by impersonating high-value software providers and aviation entities.

From AppDomain Hijacking to Trojanized Installers

Earlier phases of the 2026 campaign utilized phishing emails containing ZIP archives hosted on legitimate platforms like OnlyOffice. These archives exploited AppDomain hijacking—a technique where attackers use crafted .config files to force trusted .NET applications to load malicious DLLs, effectively bypassing traditional security perimeters through stealthy execution.

As the campaign progressed during Operation Epic Fury, the group transitioned to a more complex infection chain involving a trojanized Zoom installer. This method allows the malware to blend into legitimate software update processes, making detection significantly more difficult for end-users and automated endpoint security tools.

Technical observations of this new infection chain include:

  • Binary Impersonation: Use of legitimate, digitally signed binaries to evade heuristic detection.
  • Persistence Mechanisms: Hijacking scheduled tasks via existing Zoom update frameworks.
  • Advanced Obfuscation: Utilization of multi-stage loaders employing ROT13 and string reversal to frustrate static analysis.
  • Evasion Tactics: Strict environment checks designed to detect and terminate execution within sandbox or virtualized environments.
2026 campaign timeline during the ongoing military campaign
2026 campaign timeline during the ongoing military campaign (Source: Checkpoint).

The Debut of the MiniFast Backdoor

This latest operational phase marks the introduction of MiniFast, a 64-bit DLL that succeeds the group’s previous MiniJunk malware. MiniFast provides the threat actor with robust remote command and control (C2) capabilities, including:

  • Full remote command execution via CMD.
  • Granular file system manipulation (upload/download and directory enumeration).
  • Process enumeration and task management.
  • Stealthy C2 communication: Using structured HTTP requests and JSON-based exchanges, the malware masquerades as legitimate Google Chrome traffic to blend into standard web activity.

Strategic Shift: SEO Poisoning and Search-Driven Infection

According to a technical report by Checkpoint, the group has launched a third phase leveraging SEO poisoning. Rather than relying on direct phishing, attackers are now manipulating search engine rankings to drive victims toward malicious infrastructure.

The attackers registered the domain getsqldeveloper[.]com, masquerading as an official Oracle SQL Developer download portal. By employing keyword stuffing (e.g., “Download SQL Developer Free”) and deploying numerous supporting domains, the group successfully manipulated search results on platforms like Bing and DuckDuckGo to direct technical users toward malicious installers.

Campaign 2: During Operation Epic Fury – Attack Chain
Campaign 2: During Operation Epic Fury – Attack Chain (Source: Checkpoint).

Evidence of AI-Assisted Malware Development

Forensic analysis of the MiniFast codebase has revealed patterns highly indicative of Large Language Model (LLM) or automated coding assistance. Analysts noted several tell-tale signs:

  • Verbose and highly repetitive function naming conventions.
  • Extensive, “boilerplate” error handling surrounding very simple API calls.
  • An unusually modular code structure for a single-purpose backdoor.
  • Embedded, highly detailed debug-style messages and logging within the production binary.

These traits suggest that Nimbus Manticore is leveraging AI to accelerate development cycles, allowing them to iterate on their malware and adapt to defensive countermeasures in real-time.

The getsqldeveloper[.]com site
The getsqldeveloper[.]com site (Source: Checkpoint).

Conclusion

The evolution of Nimbus Manticore underscores a growing trend in the threat landscape: the convergence of geopolitical objectives with rapid technological innovation. By adopting SEO poisoning and AI-assisted development, the group has moved from traditional social engineering toward more automated, scalable, and stealthy delivery vectors. This shift necessitates a move toward more robust, behavior-based detection strategies to counter increasingly sophisticated APT actors.

Indicators of Compromise (IOCs)

SHA256 Hashes
10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d
eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690
2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee
Malicious Domains
business-startup[.]org
business-startup.azurewebsites[.]net
businessstartup.azurewebsites[.]net
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
buisness-centeral-transportation[.]com
licencemanagers.azurewebsites[.]net
licencesupporting.azurewebsites[.]net
peerdistsvcmanagers.azurewebsites[.]net
nanomatrix.azurewebsites[.]net
PremierHealthAdvisory[.]com
PremierHealthAdvisory[.]azurewebsites.net
Premier-HealthAdvisory[.]azurewebsites.net
ramiltonsfinance[.]com
ramiltonsfinance.azurewebsites[.]net
ramiltons-finance.azurewebsites[.]net
globalitconsultants.azurewebsites[.]net
globalit-consultants.azurewebsites[.]net
global-it-consultants.azurewebsites[.]net
global-it-checkers.azurewebsites[.]net
global-it-checkbusiness.azurewebsites[.]net
global-check-itbusiness.azurewebsites[.]net
global-check-business-it.azurewebsites[.]net
globalbusiness-checkers-it.azurewebsites[.]net
getsqldeveloper[.]com

Disclaimer: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Related Articles

Back to top button