Security News

Cybersecurity news aggregator

HIGH | Attacks | SC Media

Iranian threat group targets US aviation sector with AI-assisted ‘MiniFast’ backdoor

The Iranian state-sponsored threat group Nimbus Manticore is targeting the U.S. aviation sector with the AI-assisted 'MiniFast' backdoor, using career-themed phishing lures that deploy a trojanized Zoom installer for initial access. The attack chain employs AppDomain hijacking of a Microsoft-signed binary to execute malicious loaders, which then deploy the MiniFast payload to establish extensive, API-based command-and-control. The group has recently shifted to SEO poisoning tactics to impersonate Oracle SQL Developer for further distribution.

Threat Management, Threat Intelligence
May 27, 2026
By Laura French

The Iranian state-sponsored threat group Nimbus Manticore conducted attacks during the U.S.-Israel military campaign Operation Epic Fury, targeting the U.S. aviation industry and others to deploy a new AI-assisted backdoor called “MiniFast,” Check Point Research reported Friday. The attacks, seen throughout the 2026 Iran war in March, followed earlier campaigns in February that used an older backdoor called MiniJunk. Both waves used career-themed phishing lures for initial access and AppDomain hijacking to execute malicious payloads.

Nimbus Manticore is affiliated with the Iranian military’s Islamic Revolutionary Guard Corps (IRGC). The group, which shows some overlap with another Iranian advanced persistent threat (APT) called MuddyWater, previously targeted European defense, telecom and aerospace companies with fake job opportunities in 2025. It is also linked to attacks on aviation and defense organizations across the Middle East between 2023 and 2025 that deployed backdoors such as MINIBIKE, TWOSTROKE and DEEPROOT.

Check Point said Nimbus Manticore shifted tactics in its most recent attacks, seen after the Iran war ceasefire in April, using search engine optimization (SEO) poisoning to impersonate the Oracle SQL Developer software and spread MiniFast.

New Iranian backdoor hijacks Zoom installer for execution

MiniFast, the successor of MiniJunk, gives the attacker extensive control of the victim’s machine through API-based communications with the attacker’s command-and-control (C2) server. As in previous attacks, Nimbus Manticore used career-themed phishing lures to spread MiniFast during Operation Epic Fury, specifically impersonating a U.S. domestic airline.
Victims were lured into installing a trojanized version of the legitimate Zoom installer after clicking a fake meeting invitation link. The ZIP archive containing the trojanized installer, Zoominstall64.zip, also held several components used for AppDomain hijacking of a different benign Microsoft-signed binary, Setup.exe, to execute two malicious loader DLLs (InitInstall.dll and Updater.dll).

When Setup.exe first runs, it executes InitInstall.dll, which displays a fake installation progress window and launches the legitimate Zoom installer, Zoom_cm.exe. The loader then watches for the creation of a scheduled task — part of the legitimate Zoom installation process — and modifies that task to load the second-stage components, which it copies to C:\Users\<USER>\AppData\Local\Zoom\bin\update. This lets the malicious activity blend in with the legitimate Zoom installation flow and evade detection.

AppDomain hijacking is used again to load the second-stage loader, Updater.dll, via the Setup.exe binary — now renamed Update.exe — and ultimately execute the MiniFast payload, UpdateChecker.dll. Before executing the payload, the loader checks that the hosting process name is update.exe and the parent process is svchost.exe, which keeps execution tied to the scheduled task for stealth and persistence.

MiniFast performs system reconnaissance and then awaits commands from the C2 server, transmitting data in JSON format. The malware impersonates a Chrome browser user agent to blend in with legitimate traffic. The backdoor supports commands for a wide range of actions, including file and folder management and exfiltration, file download from the C2, shell command execution and creation of an additional scheduled task.
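As an added defender-side example that is not part of the article or Check Point's reporting, the following Python hunting logic flags the three artifacts the attack chain described above leaves in endpoint telemetry: the renamed signed host Update.exe started under svchost.exe from the Zoom update directory, the loader and payload DLLs loading from that user-writable path, and a scheduled task whose action points into it. The event shape, field names and sample paths are constructed assumptions, not a vendor's schema or real captures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed telemetry shape: EDR-style process-create, image-load and
# scheduled-task events; field names here are illustrative, not a vendor's.
ZOOM_UPDATE_DIR = re.compile(r"\\AppData\\Local\\Zoom\\bin\\update\\", re.IGNORECASE)
LOADER_DLLS = {"initinstall.dll", "updater.dll", "updatechecker.dll"}

@dataclass
class Event:
    kind: str         # "process", "imageload" or "task"
    image: str        # process image, loaded module, or task action path
    parent: str = ""  # parent process image (process events only)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Event) -> Optional[str]:
    """One finding label per suspicious event, None if it looks benign."""
    in_update_dir = bool(ZOOM_UPDATE_DIR.search(ev.image))
    if ev.kind == "process":
        # The renamed signed host (Update.exe) is started by the modified
        # scheduled task, so its parent is svchost.exe rather than an installer.
        if (_basename(ev.image) == "update.exe"
                and _basename(ev.parent) == "svchost.exe" and in_update_dir):
            return "update.exe under svchost.exe from Zoom update dir"
    elif ev.kind == "imageload":
        # Loader and payload DLLs are staged in a user-writable directory.
        if _basename(ev.image) in LOADER_DLLS and in_update_dir:
            return "loader/payload DLL loaded from Zoom update dir"
    elif ev.kind == "task" and in_update_dir:
        # The legitimate Zoom task is modified to point at the staged files.
        return "scheduled task action points into Zoom update dir"
    return None

def scan(events: List[Event]) -> List[Tuple[int, str]]:
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample telemetry (not real captures); paths follow the article.
U = r"C:\Users\alice\AppData\Local\Zoom\bin\update"
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\Downloads\Zoom_cm.exe", r"C:\Users\alice\Downloads\Setup.exe"),
    Event("process", U + r"\Update.exe", r"C:\Windows\System32\svchost.exe"),
    Event("imageload", U + r"\UpdateChecker.dll"),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe"),
    Event("task", U + r"\Update.exe"),
    Event("imageload", r"C:\Program Files\Zoom\bin\Updater.dll"),
]
```

In a real deployment the three findings would be joined on host and time window rather than alerted on in isolation, since the task modification precedes the svchost.exe-spawned process, which in turn precedes the DLL loads.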
Check Point assessed that MiniFast was likely created with assistance from AI tools, based on signs such as excessive error-handling logic, repetitive function and method naming patterns with overly descriptive identifiers, and detailed debug status messages present throughout the codebase. A previous report by Microsoft and OpenAI revealed Iranian APTs have been experimenting with AI tools since at least 2024, and a 2025 Google Threat Intelligence Group (GTIG) report also highlighted the use of large language models (LLMs) by Iranian state-sponsored actors.

Latest attacks leverage fake SQL Developer websites

In addition to using career-themed phishing for initial access, Nimbus Manticore has most recently been seen using SEO poisoning to spread MiniFast, namely by impersonating Oracle's legitimate SQL Developer software. SQL Developer is a popular graphical tool used to manage SQL databases. Check Point found in April that dozens of domains had been registered to link to the website getsqldeveloper[.]com, which purports to offer a free download of the software but instead installs the backdoor. Keyword stuffing of phrases such as “download SQL Developer” and “SQL Developer free” was also used to push the fake website high in search results on engines such as Bing and DuckDuckGo. Check Point noted this is the first time Nimbus Manticore has been observed using SEO poisoning in its campaigns.

In addition to targeting the aviation and software development sectors in its recent attacks, Nimbus Manticore has also consistently targeted entities in Israel, the United Arab Emirates, Europe and other parts of the Middle East and Africa.
