Evolution of Nimbus Manticore: SEO Poisoning and AI-Assisted Malware in Operation Epic Fury
A sophisticated cyber campaign attributed to the Iranian IRGC-affiliated threat group Nimbus Manticore (also known as UNC1549) has surfaced, signaling a significant shift in the group’s operational methodology. The campaign, emerging amidst the geopolitical tensions of Operation Epic Fury (launched February 28, 2026), demonstrates an increased level of technical maturity, characterized by the integration of SEO poisoning and potentially AI-augmented malware development.
Historically, Nimbus Manticore has focused on the aviation, defense, and telecommunications sectors, primarily utilizing career-themed phishing lures. However, current intelligence indicates a broadening geographic and sectoral footprint, with active targeting across the United States, Europe, and the Middle East by impersonating high-value software providers and aviation entities.
From AppDomain Hijacking to Trojanized Installers
Earlier phases of the 2026 campaign utilized phishing emails containing ZIP archives hosted on legitimate platforms like OnlyOffice. These archives exploited AppDomain hijacking—a technique where attackers use crafted .config files to force trusted .NET applications to load malicious DLLs, effectively bypassing traditional security perimeters through stealthy execution.
As the campaign progressed during Operation Epic Fury, the group transitioned to a more complex infection chain involving a trojanized Zoom installer. This method allows the malware to blend into legitimate software update processes, making detection significantly more difficult for end-users and automated endpoint security tools.
Technical observations of this new infection chain include:
- Binary Impersonation: Use of legitimate, digitally signed binaries to evade heuristic detection.
- Persistence Mechanisms: Hijacking scheduled tasks via existing Zoom update frameworks.
- Advanced Obfuscation: Utilization of multi-stage loaders employing ROT13 and string reversal to frustrate static analysis.
- Evasion Tactics: Strict environment checks designed to detect and terminate execution within sandbox or virtualized environments.

The Debut of the MiniFast Backdoor
This latest operational phase marks the introduction of MiniFast, a 64-bit DLL that succeeds the group’s previous MiniJunk malware. MiniFast provides the threat actor with robust remote command and control (C2) capabilities, including:
- Full remote command execution via CMD.
- Granular file system manipulation (upload/download and directory enumeration).
- Process enumeration and task management.
- Stealthy C2 communication: Using structured HTTP requests and JSON-based exchanges, the malware masquerades as legitimate Google Chrome traffic to blend into standard web activity.
Strategic Shift: SEO Poisoning and Search-Driven Infection
According to a technical report by Checkpoint, the group has launched a third phase leveraging SEO poisoning. Rather than relying on direct phishing, attackers are now manipulating search engine rankings to drive victims toward malicious infrastructure.
The attackers registered the domain getsqldeveloper[.]com, masquerading as an official Oracle SQL Developer download portal. By employing keyword stuffing (e.g., “Download SQL Developer Free”) and deploying numerous supporting domains, the group successfully manipulated search results on platforms like Bing and DuckDuckGo to direct technical users toward malicious installers.

Evidence of AI-Assisted Malware Development
Forensic analysis of the MiniFast codebase has revealed patterns highly indicative of Large Language Model (LLM) or automated coding assistance. Analysts noted several tell-tale signs:
- Verbose and highly repetitive function naming conventions.
- Extensive, “boilerplate” error handling surrounding very simple API calls.
- An unusually modular code structure for a single-purpose backdoor.
- Embedded, highly detailed debug-style messages and logging within the production binary.
These traits suggest that Nimbus Manticore is leveraging AI to accelerate development cycles, allowing them to iterate on their malware and adapt to defensive countermeasures in real-time.
![The getsqldeveloper[.]com site](https://gbhackers.com/wp-content/uploads/2026/05/Screenshot-2026-05-25-102054.png)
Conclusion
The evolution of Nimbus Manticore underscores a growing trend in the threat landscape: the convergence of geopolitical objectives with rapid technological innovation. By adopting SEO poisoning and AI-assisted development, the group has moved from traditional social engineering toward more automated, scalable, and stealthy delivery vectors. This shift necessitates a move toward more robust, behavior-based detection strategies to counter increasingly sophisticated APT actors.
Indicators of Compromise (IOCs)
| SHA256 Hashes |
|---|
| 10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d |
| eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71 |
| 781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690 |
| 2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc |
| f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03 |
| a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf |
| 63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4 |
| 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 |
| bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad |
| ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e |
| 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 |
| 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 |
| 485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3 |
| 64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c |
| 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 |
| 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 |
| 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa |
| 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b |
| 5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8 |
| 0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40 |
| d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 |
| 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d |
| f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c |
| b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 |
| 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 |
| a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441 |
| dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee |
| Malicious Domains |
|---|
| business-startup[.]org |
| business-startup.azurewebsites[.]net |
| businessstartup.azurewebsites[.]net |
| buisness-centeral.azurewebsites[.]net |
| buisness-centeral-transportation.azurewebsites[.]net |
| buisness-centeral-transportation[.]com |
| licencemanagers.azurewebsites[.]net |
| licencesupporting.azurewebsites[.]net |
| peerdistsvcmanagers.azurewebsites[.]net |
| nanomatrix.azurewebsites[.]net |
| PremierHealthAdvisory[.]com |
| PremierHealthAdvisory[.]azurewebsites.net |
| Premier-HealthAdvisory[.]azurewebsites.net |
| ramiltonsfinance[.]com |
| ramiltonsfinance.azurewebsites[.]net |
| ramiltons-finance.azurewebsites[.]net |
| globalitconsultants.azurewebsites[.]net |
| globalit-consultants.azurewebsites[.]net |
| global-it-consultants.azurewebsites[.]net |
| global-it-checkers.azurewebsites[.]net |
| global-it-checkbusiness.azurewebsites[.]net |
| global-check-itbusiness.azurewebsites[.]net |
| global-check-business-it.azurewebsites[.]net |
| globalbusiness-checkers-it.azurewebsites[.]net |
| getsqldeveloper[.]com |
Disclaimer: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.