{
	"id": "30631c7b-46f5-4c44-ac5e-e56597470c51",
	"created_at": "2026-04-13T02:21:47.645116Z",
	"updated_at": "2026-04-13T02:23:13.787214Z",
	"deleted_at": null,
	"sha1_hash": "2c50856eed4bfa330ec817343006621baa489bb3",
	"title": "Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66845,
	"plain_text": "Iranian Threat Actor Nimbus Manticore Expands Campaigns into\r\nEurope with Advanced Malware and Fake Job Lures\r\nBy rohann@checkpoint.com\r\nPublished: 2025-09-22 · Archived: 2026-04-13 02:00:47 UTC\r\nKey Highlights\r\nCheck Point Research is actively tracking Iranian threat actor Nimbus Manticore. Our latest findings show\r\nit is expanding operations into Europe and now targeting the defense, telecom, and aerospace sectors.\r\nThe group uses fake job portals and spear‑phishing to lure victims, delivering malicious files disguised as\r\npart of hiring processes, all while impersonating major local and global aerospace companies.\r\nEvolving malware such as MiniJunk and MiniBrowse help attackers stay hidden, steal data, and maintain\r\nlong‑term access.\r\nCampaigns align with IRGC strategic priorities, focusing on intelligence collection on sensitive defense\r\nvendors during periods of heightened geopolitical tension.\r\nIntroduction\r\nSince early 2025, Check Point Research has tracked successive waves of activity from Nimbus Manticore, a\r\nmature Iran-nexus advanced persistent threat (APT) group. Sometimes referred to as UNC1549 or Smoke\r\nSandstorm, and previously associated with the Iranian Dream Job campaign, Nimbus Manticore primarily targets\r\naerospace and defense organizations in the Middle East and Europe.\r\nThe group is best known for its targeted spear-phishing campaigns that deliver custom implants, including\r\nMinibike, also known as SlugResin. First reported in 2022, Minibike has evolved steadily, adopting obfuscation\r\ntechniques, modular architecture, and redundant C2 infrastructure.\r\nRecent activity shows a significant leap in sophistication: the use of a previously undocumented technique to load\r\nDLLs from alternate paths by modifying process execution parameters. This variant, dubbed\r\nMiniJunk, demonstrates how Nimbus Manticore continuously advances its malware to evade detection.\r\nIn this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting\r\nportals for malware delivery, victimology across the Middle East and Western Europe, and the broader\r\nimplications for defense, telecom, and aviation sectors.\r\nFor more details, read the comprehensive technical analysis published by Check Point Research:\r\nhttps://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nMalware Delivery Websites\r\nhttps://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/\r\nPage 1 of 5\n\nThe infection chain begins with phishing links that lure victims to fake job-related login pages. These sites share\r\nseveral notable traits:\r\nBrand Impersonation: Sites mimic companies such as Boeing, Airbus, Rheinmetall, and flydubai, built\r\nusing a React template that adapts to the brand being impersonated.\r\nDomain Strategy: Domains typically follow a “career” theme, are registered behind Cloudflare, and\r\nconceal the true hosting infrastructure.\r\nControlled Access: Each victim is given a unique set of login details in advance. Only when the correct\r\ncredentials are entered does the site deliver a malicious archive containing the malware, allowing attackers\r\nto track individuals and block unwanted visitors.\r\nThis controlled, per-victim access demonstrates strong operational security and credible pretexting consistent with\r\nstate-sponsored tradecraft.\r\nFigure 1 – Websites used to deliver malicious archives after successful login.\r\nEvolving Toolset: MiniJunk and MiniBrowse\r\nNimbus Manticore’s newer tools focus on two main outcomes. MiniJunk allows the attackers to quietly maintain\r\naccess to a victim’s systems over long periods of time, while MiniBrowse is used to steal sensitive information\r\nwithout drawing attention. These tools are constantly updated so they can avoid security scans, remain functional\r\nfor longer, and give attackers reliable ways to spy on targeted organizations.\r\nFigure 2 – The infection chain.\r\nSeparate Cluster of Activity\r\nAlongside MiniJunk operations, Check Point Research observed a parallel activity cluster, previously reported by\r\nPRODAFT. While this cluster uses smaller payloads and simpler techniques without the heavy obfuscation seen in\r\nMiniJunk, it still relies on the same spear‑phishing and fake recruiting strategies. In other words, the attackers are\r\napplying similar methods with less technical complexity but the same goal: tricking victims into handing over\r\naccess.\r\nHere, too, attackers pose as HR recruiters, but in this case, they likely reach out on LinkedIn or other professional\r\nplatforms. After making contact, they move the conversation to email and send Outlook messages that direct\r\nvictims to tailored recruiting portals. As in the MiniJunk campaigns, each portal is customized with unique login\r\ndetails for the target, giving attackers close control and visibility.\r\nCheck Point Harmony Email \u0026 Collaboration blocked one such attempt against an Israeli telecommunications\r\nprovider, underscoring how both activity clusters share the same deceptive tactics and wide‑ranging targets.\r\nVictimology and Target Sectors\r\nExpansion to Europe:\r\nWhile Nimbus Manticore consistently targets the Middle East, especially Israel and the UAE, recent\r\noperations show increased interest in western Europe, specifically Denmark, Sweden, and Portugal.\r\nFocused targeting of specific sectors:\r\nWe found a correlation between the malware delivery websites and the targeted sectors. For example, a\r\nfake hiring portal of a telecommunication company will target employees and organizations in this sector.\r\nOur findings point to similar targets in several key sectors: telecommunications, especially satellite\r\nproviders, defense contractors, aerospace and airlines. These sectors align with the IRGC’s strategic\r\nintelligence collection efforts.\r\nProtecting Against Nimbus Manticore\r\nOver the past year, Nimbus Manticore has advanced its malware arsenal, delivery methods, and targeting strategy.\r\nBy evolving Minibike into MiniJunk, deploying MiniBrowse, and refining its spear-phishing techniques, the actor\r\nhas demonstrated resilience and stealth even during high-intensity geopolitical conflict.\r\nThe group’s expanded focus on Western Europe, particularly in defense, telecom, and aviation, signals a growing\r\nIranian cyber espionage campaign aligned with IRGC strategic priorities.\r\nTo counter these threats, organizations need protection that blocks attacks before they reach employees. Check\r\nPoint Harmony Email \u0026 Collaboration provides exactly that by detecting and preventing spear‑phishing attempts,\r\nfake job portals, and malicious attachments like those used in Nimbus Manticore campaigns. By stopping these\r\nlures at the email and collaboration level, Harmony helps organizations avoid compromise and ensures their\r\npeople remain the strongest line of defense.\r\nTo counter these threats, organizations need protection that blocks attacks before they reach employees and\r\nendpoints.\r\n▪ Check Point Harmony Email \u0026 Collaboration: To detect and prevent spear-phishing, fake job portals, and\r\nmalicious attachments at the email and collaboration level, stopping initial lures.\r\n▪ Harmony Endpoint: To secure devices against advanced malware once it lands, providing protection even if\r\nthe initial email defense is bypassed.\r\n▪ Quantum Network Security: To stop malicious traffic at the network perimeter, creating a barrier against\r\ndownload of malicious files, C2 communications and data exfiltration.\r\nCheck Point Research will continue to track Nimbus Manticore’s operations and share insights that strengthen\r\ncustomer resilience against nation‑state campaigns.\r\nSource: https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/"
	],
	"report_names": [
		"iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures"
	],
	"threat_actors": [],
	"ts_created_at": 1776046907,
	"ts_updated_at": 1776046993,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c50856eed4bfa330ec817343006621baa489bb3.pdf",
		"text": "https://archive.orkl.eu/2c50856eed4bfa330ec817343006621baa489bb3.txt",
		"img": "https://archive.orkl.eu/2c50856eed4bfa330ec817343006621baa489bb3.jpg"
	}
}