{
	"id": "1478e0ed-dcfe-4b33-ba9d-4d43c6c39ff0",
	"created_at": "2026-04-06T00:18:03.557274Z",
	"updated_at": "2026-04-10T03:33:29.006815Z",
	"deleted_at": null,
	"sha1_hash": "ccfcfddfa6bf3224d437dae9a4195083516d0263",
	"title": "Nimbus Manticore Deploys New Malware Targeting Europe - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139710,
	"plain_text": "Nimbus Manticore Deploys New Malware Targeting Europe - Check Point Research\r\nBy samanthar@checkpoint.com\r\nPublished: 2025-09-22 · Archived: 2026-04-05 13:06:19 UTC\r\nNimbus Manticore Deploys New Malware Targeting Europe\r\nKey Findings\r\nCheck Point Research is tracking a long-running campaign by the Iranian threat actor Nimbus Manticore, which overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. The ongoing campaign targets defense manufacturing, telecommunications, and aviation organizations that are aligned with IRGC strategic priorities.\r\nNimbus Manticore’s recent activity indicates a heightened focus on Western Europe, specifically Denmark, Sweden, and Portugal. The threat actor impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.\r\nThe threat actor uses tailored spear-phishing from alleged HR recruiters directing victims to fake career portals. Each target receives a unique URL and credentials, enabling tracking and controlled access for each victim. This approach demonstrates strong OPSEC and credible pretexting.\r\nThe attacker uses previously undocumented low-level APIs to establish a multi-stage DLL side-loading chain. This causes a legitimate process to sideload a malicious DLL from a different location and overrides the normal DLL search order.\r\nThe Nimbus Manticore toolset includes the MiniJunk backdoor and the MiniBrowse stealer. 
The tools continuously evolve to remain covert, leveraging valid digital signatures, inflating binary sizes, and using multi-stage sideloading and heavy, compiler-level obfuscation that renders samples “irreversible” for regular advanced static analysis.\r\nOverall, the campaign reflects a mature, well-resourced actor prioritizing stealth, resiliency, and operational security across delivery, infrastructure, and payload layers, an approach consistent with nation-state tradecraft.\r\nIntroduction\r\nSince early 2025, Check Point Research (CPR) has tracked waves of Nimbus Manticore activity. Also known as UNC1549 or Smoke Sandstorm, Nimbus Manticore is a mature Iran-nexus APT group that primarily targets aerospace and defense organizations in the Middle East and Europe. Some of its operations were also previously described as the Iranian DreamJob campaign.\r\nNimbus Manticore’s activity is characterized by highly targeted phishing campaigns leading to the deployment of custom implants, including Minibike. First reported by Mandiant in June 2022, Minibike, also known as SlugResin, has evolved steadily since its creation. Sample analysis over the years shows its progress, including the addition of obfuscation techniques to evade detection and static analysis, a modular architecture, and the introduction of redundant command-and-control (C2) servers.\r\nhttps://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nPage 1 of 16\r\nThe most recent Minibike variants suggest a significant increase in the actor’s abilities, including using a novel (and previously undocumented) technique to load DLLs from alternate paths by modifying process execution parameters. This variant has new TTPs such as size inflation, junk code, obfuscation, and code signing to lower detection rates.\r\nIn this article, we highlight the evolution of Minibike into a new variant dubbed MiniJunk. 
We also examine a distinct cluster within the Nimbus Manticore umbrella that targets different sectors and employs unique domain naming conventions, while continuing to use similar spear-phishing techniques and sharing malware resources.\r\nWhile we were finalizing this publication, PRODAFT released a comprehensive report on Subtle Snail, an espionage group with connections to Iran. In this publication, we address Subtle Snail in the chapter entitled “Separate Cluster of Activity”. While this cluster employs tactics, techniques, and procedures (TTPs) that broadly align with those observed in Nimbus Manticore operations, it is differentiated by its unique malware capabilities, command-and-control (C2) infrastructure, and targeting preferences.\r\nMalware Delivery Websites\r\nThe attack starts with a phishing link that directs the victim to a fake job-related login page:\r\nFigure 1 – Websites used to deliver malicious archives after successful login.\r\nThe infrastructure used by the attacker to lure job seekers is based on a React template, which varies depending on the impersonated brand, such as Boeing, Airbus, Rheinmetall and flydubai.\r\nThe domain naming convention is usually “career” themed, and the domains are registered behind Cloudflare, most likely to keep the real server IP confidential.\r\nThe credentials for these login panels are pre-shared with the victim together with a link to the login page. After entering the credentials and clicking the login button, a POST request is sent to the /login-user API. If the credentials are not correct, a 401 Unauthorized response is returned. Otherwise, the user downloads a malicious archive containing the malware.\r\nInfection Chain\r\nA malicious archive downloaded by the victim often masquerades as legitimate hiring process-related software. In the following example, a ZIP archive named Survey.zip starts an elaborate infection chain. 
The execution chain leverages a unique technique which we call multi-stage sideloading:\r\nFigure 2 – The infection chain.\r\nThe infection chain includes the following stages:\r\nUser Execution: The victim runs Setup.exe from the archive. This is a legitimate Windows executable, which sideloads userenv.dll from the same archive.\r\nMalware setup: Setup.exe starts another benign binary, a Windows Defender component called SenseSampleUploader.exe. This executable in turn sideloads the malware loader, xmllite.dll, from the archive’s directory.\r\nPersistence: The loader copies Setup.exe under its original name, MigAutoPlay.exe, together with the malicious userenv.dll that it sideloads, to the malware working directory %AppData%\\Local\\Microsoft\\MigAutoPlay\\. It creates a scheduled task to run the executable.\r\nFigure 3 – The contents of the malicious ZIP archive downloaded from the fake recruiting website.\r\nUserenv.dll in the malware setup stage\r\nOnce the initial Setup executable runs, it sideloads userenv.dll from the same folder. The DLL first checks the name of the executing PE module to determine the current stage of the infection chain. This way, if the DLL does not run from MigAutoPlay.exe (meaning the setup of the backdoor has not occurred yet), it loads the Loader DLL in a special way, exploiting an undocumented low-level API to hijack the DLL loading path.\r\nuserenv.dll uses low-level ntdll API calls to execute a Windows Defender binary located at C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe. 
The Windows Defender executable is vulnerable to DLL hijacking because it uses a relative path to xmllite.dll. This flaw is abused to sideload xmllite.dll. However, the actor manages to sideload it from the same folder as the malicious archive as part of a unique multi-stage sideloading attack chain.\r\nNormally, a legitimate Windows Defender executable does not load random DLLs from folders outside the Windows DLL search order path. So, what’s happening here?\r\nWhen using low-level NT API calls to create a process, a call to RtlCreateProcessParameters is mandatory to build a process parameter struct RTL_USER_PROCESS_PARAMETERS, which is then handed to RtlCreateUserProcess. A key field in this structure is the DllPath parameter, which defines the search path that the process loader uses to locate and resolve imported modules. If set, it specifies the location where the loader should search for a DLL if it is not found in the application directory.\r\nThe malware abuses this undocumented feature by using GetModuleHandle to get the path to Setup.exe and then provides it as the DllPath parameter. As Setup.exe and xmllite.dll are next to each other in the malicious archive, when the DLL is not found next to SenseSampleUploader.exe, it is loaded from the archive directory:\r\nFigure 4 – The Windows Defender SenseSampleUploader.exe component searching for xmllite.dll, resulting in it loading from the archive folder.\r\nOnce xmllite.dll is loaded, its actions are pretty straightforward. It creates a working folder under the path AppData\\Local\\Microsoft\\MigAutoPlay\\. 
It copies the backdoor userenv.dll to it, also places the legitimate executable there as MigAutoPlay.exe, and then adds an auto-run registry key to execute the benign executable.\r\nFigure 5 – Sideloading of userenv.dll.\r\nAfter persistence is completed, the malware is launched through MigAutoPlay.exe, which sideloads userenv.dll and shows the victim a fake error pop-up about network issues blocking the lure program from running.\r\nFigure 6 – Fake error at the end of the malware setup process.\r\nThe Backdoor: MiniJunk\r\nIn the last year, the actor introduced a lot of changes to the backdoor, first documented by Mandiant as “Minibike.” We chose to track this sample as “MiniJunk.”\r\nThe userenv.dll backdoor core logic starts from the DllMain function. The backdoor first resolves many imports needed for it to function, but oddly enough, when it wants to use a function that was already resolved, it resolves it again. This behavior is unusual, but it might have been leveraged in the development cycle to identify API resolution issues. The backdoor then collects two identifiers from the infected system: the computer name and the domain name with the username.\r\nAlthough the sample employs a substantial amount of obfuscation (which is discussed in detail in the next section), it does not encrypt the network data. Instead, it encodes it. We saw similar samples in the past that used simple encryption on the network data, such as XOR with a few bytes. In this case, however, it uses a simple encoding algorithm: data is collected in a wide string, then converted to bytes, and the bytes are reversed. 
Finally, the entire string is reversed.\r\nWhen the main logic starts, the backdoor checks if the running executable is called MigAutoPlay.exe (meaning the backdoor is running after the setup from its permanent working directory) and hooks the ExitProcess function to a function that sleeps, probably preventing fatal exits or allowing other threads to run in case of a program crash:\r\nFigure 7 – ExitProcess function hook.\r\nAfter initialization, the backdoor starts a main thread that handles networking and the remaining logic. Analyzing the sample in this part is quite tricky: the logic is heavily branched through functions that utilize various states, for example, a large number of classes for network requests, and obfuscations in combination with library functions. However, all of this ultimately masks simple backdoor functionality.\r\nCommand and Control\r\nThe backdoor variants typically utilize multiple command and control (C2) servers in rotation for redundancy. There are several (between three and five) hardcoded C2 servers, so if one C2 goes down, the next one in the list is used. The backdoor uses regular HTTPS requests made through the Windows API. When the C2 responds, a thread is created to parse the C2 request. The C2 responds using encoded strings, similar to the initial network data. The response structure consists of a string separated by ##. It is parsed by the backdoor and split into a vector of strings. 
Most C2 commands need 3 values:\r\nCommand settings\r\nCommand ID\r\nCommand argument\r\nFor example, a “read file” command looks like this:\r\n##[chunks size]##[read file command id]##[file path]\r\nAfter parsing the command, in this case, the backdoor sends the file from the specified path via several network requests, based on the chunk size provided as an argument. The backdoor supports the following commands:\r\nCommand Id | Description | Arguments\r\n0 | Collect computer name, domain name with the username | None\r\n1 | Get computer name | None\r\n2 | Read a file and send it back | File path / chunks\r\n3 | Create file | File path, URL to the file on the C2\r\n4 | List hard drives / List files in a folder | String to list all hard drives or a directory path to list all files in\r\n5 | Delete file | File path\r\n6 | Create a process and use a named pipe for its output | Process path\r\n7 | Load DLL | DLL path\r\n8 / 9 | Do nothing / Placeholder | None\r\n10 | Move / Rename file | File target, File destination\r\n11 | Not implemented | None\r\nAs can be seen from the functions, these are pretty standard for a backdoor. The real complexity in the samples comes from their obfuscations, which make the samples harder to analyze.\r\nMiniBrowse – Stealer component\r\nMiniBrowse is a lightweight stealer used by Nimbus Manticore. We observed two variants, one to steal Chrome credentials and another which targets Edge. 
Both versions are DLLs designed to be injected into browsers to steal the stored passwords.\r\nAfter it’s executed, MiniBrowse first collects two identifiers from the system, the username and domain name, and then connects to a predefined endpoint on the C2 server, sending the data in a JSON payload.\r\nFigure 8 – MiniBrowse sends victim data.\r\nWe identified a unique network communication behavior, as the C2 needs to respond with any HTTP response except for 200. If it does, the backdoor continues its execution, looking for several files related to Edge login data. Each of those files is then exfiltrated to the C2, using a simple POST request:\r\nFigure 9 – MiniBrowse exfiltrating data stolen from the Edge browser.\r\nAnother method of sending those files is through connecting and sending the JSONs to a named pipe. We identified multiple MiniBrowse versions with support for this functionality.\r\nObfuscation\r\nThe MiniJunk and MiniBrowse samples that we investigated exhibit heavy compiler-level code obfuscation, possibly implemented via custom LLVM passes. We had to address several obfuscation techniques to facilitate analysis, including junk code insertion, control-flow obfuscation, opaque predicates, obfuscated function calls, and encrypted strings. The attacker invested significant effort in developing these LLVM passes and continues to refine them; each “generation” of samples shows improvements over the previous one, typically introduced between campaigns. The actor appears to be targeting a substantial number of victims, and these obfuscations help the malware remain undetected while at the same time slowing down researchers trying to determine the samples’ behavior. 
As with most obfuscation, no single tool addresses all cases: off-the-shelf tools often fail unless the scheme matches a generic framework such as OLLVM, which is not the case here. This underscores the attacker’s willingness to invest in their toolset and, conversely, benefits researchers by exposing new techniques. We invested considerable effort to make the samples sufficiently “reversible” for analysis.\r\nFunction call obfuscations\r\nThe backdoors contain compiler-level obfuscation. As a result, almost all function calls are obfuscated. The decision on what function to call is based on several arithmetic operations, the result of which is stored in the RAX register. Here is an example of a DLL’s primary function:\r\nFigure 10 – DLL’s primary function with obfuscated function calls.\r\nObfuscated Control Flow\r\nNot only are function calls obfuscated, but there are also obfuscated branches inside functions.\r\nIn this next example, there is a JMP RAX instruction, but it’s not a single JMP. Depending on various conditions that are met when the code is running, the JMP can lead to two different places, just like a conditional JMP, but masked as a single JMP.\r\nFigure 11 – Obfuscated branch.\r\nString encryption\r\nEach string is individually encrypted with its own key. The encrypted bytes are stored in memory with the key placed at the end of each string. Each string gets its own decryption function, adding another layer of complexity. To top it off, the decryption routines are each overloaded with opaque predicates:\r\nFigure 12 – String encryption.\r\nWe used an LLM to simplify the function mentioned above. Ultimately, the encryption algorithm is just string[i] ^ key[i % key_length]. 
Once we established that, we were able to automate and decrypt all strings.\r\nJunk code\r\nThe samples contain a bit of unused junk code:\r\nFigure 13 – Functions with junk code.\r\nDistinct, highly repetitive patterns in the code helped us deduce that a “block” of instructions can be classified as junk code. We can then exclude it from the decompiler view and continue with static analysis:\r\nFigure 14 – The same function without junk code.\r\nThe evolution of MiniJunk\r\nOver the past year, MiniJunk has undergone many changes and incorporated a variety of techniques. In this section, we describe the most significant.\r\nSigning\r\nIn May, Nimbus Manticore started to use the service SSL.com to sign their code. This led to a drastic decrease in detections, with many samples remaining undetected by multiple malware engines.\r\nBased on the signing dates and our analysis of samples signed by this certificate, we determined that they were generated by the threat actor, masquerading as existing IT organizations in Europe.\r\nCommand and control\r\nIn June, the actor re-architected C2 to combine Cloudflare and Azure App Service. This improved the resiliency so execution could continue even if a provider or domain was suspended.\r\nFile Size and detections\r\nLarge malware files often have lower endpoint detection, as many antivirus engines enforce time, size, and resource limits that truncate deep unpacking, emulation, and heuristic layers on oversized inputs. Nimbus Manticore exploits this by inflating binaries with inert junk code blocks. 
Feature extraction and ML models frequently cap analysis to the first portion of a file, so padding pushes discriminative byte patterns past those limits, while some engines simply skip or downgrade scanning of large files to avoid false positives and performance hits. The combination of obfuscation, size, and code signing results in lower endpoint detection. As you can see, some of the largest samples remained with zero detections on VirusTotal:\r\nFigure 15 – MiniJunk with zero detections in VirusTotal.\r\nSeparate Cluster of Activity\r\nIn addition to the operations involving the MiniJunk backdoor we described earlier in this blog, we observed a separate but closely related activity cluster. This cluster, first reported by PRODAFT, employs TTPs that broadly align with those documented above, but is distinguished by much smaller payloads and a lack of sophisticated obfuscation.\r\nSpear phishing emails\r\nThe Check Point Harmony Email \u0026 Collaboration platform identified and blocked a spear-phishing attack against a telecommunication provider in Israel.\r\nAs documented in past intrusions, the attacker uses professional social media such as LinkedIn, masquerades as an HR specialist, then asks the target to move to another platform such as email.\r\nA malicious email sent from an Outlook account with a job application invitation:\r\nFigure 16 – Malicious email sent by Nimbus Manticore.\r\nAs previously observed in other Nimbus Manticore campaigns, the link leads to a React-based fake recruiting login page:\r\nFigure 17 – Fake page delivering malware after login.\r\nPayload\r\nThe malware used in this operation is delivered through DLL hijacking of dxgi.dll
:\r\nFigure 18 – Contents of the malware folder.\r\nThe malware strings were obfuscated using a simple one-byte XOR with 0x55.\r\nThe execution starts by decrypting 5 predefined C\u0026C servers:\r\nservices-update-check.azurewebsites[.]net\r\nsend-feedback.azurewebsites[.]net\r\nsend-feedback-413.azurewebsites[.]net\r\nsend-feedback-838.azurewebsites[.]net\r\nsend-feedback-296.azurewebsites[.]net\r\nFigure 19 – C2 domain encryption.\r\nDespite overlapping infection chain steps and infrastructure, dxgi and MiniJunk implement different command sets. At the same time, dxgi does not exhibit evasion or obfuscation techniques. 
All this indicates parallel activity that could be conducted by more than one actor.\r\nCommand ID | Behavior (high-level)\r\n0 | Do nothing\r\n1 | Get computer name\r\n2 | Get username\r\n3 | List files and folders in a directory\r\n4 | Delete a file\r\n5 | Move / rename a file\r\n6 | Enumerate hard drives\r\n7 | Upload a file\r\n8 | Get a list of running processes\r\n9 | Kill a process\r\n10 | Execute a bat/exe/cmd command / load DLL\r\n11 | Create a process and use a named pipe for its output\r\n12 | Load a DLL\r\nComparison to MiniJunk\r\ndxgi.dll and MiniJunk samples overlap in multiple details: they hook ExitProcess in a very similar way, and they both collect the username and desktop name (but the new sample also collects adapter information).\r\nIn terms of C2 communication, the key similarities lie in two areas: the parsing of network responses from the C2 server, and the set of C2 commands.\r\nThe responses from the C2 to MiniJunk use various separators for the data, such as ### or ---.\r\nThe dxgi.dll backdoor includes an additional verification of the request by hashing one of the parameters with FNV and comparing the result with a generated value. Overall, the C2 communication between these backdoors is not identical but is still quite similar.\r\nThe C2 commands in both versions closely resemble each other, with very similar logic and an identical order of operations within the functions themselves. While the command IDs vary, the underlying code base appears to be the same.\r\nRegarding significant differences, for network communications, dxgi.dll adds a layer of encryption. In addition, the backdoor utilizes the WinHTTP API, but unlike MiniJunk, which employs classes and branching on network requests, this backdoor handles all network logic within a single function. 
Finally, it appears the backdoor developer didn’t bother changing the user agent, instead keeping it as is: WinHTTP Example:\r\nFigure 20 – Network communications using the WinHTTP API and a sample user agent.\r\nThe findings above suggest dxgi.dll shares a common code base with MiniJunk versions. Both of the activity clusters may have access to the code base and can modify the code as needed, adding compiler passes and altering the logic slightly. At the same time, the programming paradigm remains similar. This is hard to notice at first, due to the MiniJunk obfuscations, the different layout of the HTTP request method (classes vs non-classes), and other variations. But once the obfuscations are addressed, it becomes clear that they share the same code base.\r\nInfrastructure\r\nMiniJunk campaigns use long, concatenated health-themed subdomains of azurewebsites[.]net. Notably, the domain naming convention in this campaign is different: the unique domain pattern is [a-z]-[a-z]+-[a-z]+-[0-9]{3}.azurewebsites.net, combining multiple words joined by hyphen separators.\r\nWhile hunting for these domain naming conventions, we observed a distinct set of domains used to target Europe which featured the following sequence of malicious domains:\r\n1. telespazio-careers[.]com – Lure website\r\n2. 
update-health-service[.]azurewebsites[.]net – First observed Azure App Service domain (mentioned by PRODAFT)\r\nWe were able to capture the following domain block, which we believe is unique for each sample:\r\ncheck-backup-service.azurewebsites[.]net\r\ncheck-backup-service-288.azurewebsites[.]net\r\ncheck-backup-service-179.azurewebsites[.]net\r\ncheck-backup-service-736.azurewebsites[.]net\r\nC2 infrastructure based on azurewebsites allows the attacker flexibility and redundancy; if one C2 goes down, they can easily set up a new one.\r\nVictimology\r\nWhile Nimbus Manticore consistently targets the Middle East, especially Israel and the UAE, recent operations show increased interest in Western Europe. We found a correlation between the malware delivery websites and the targeted sectors. For example, a fake hiring portal of a telecommunication company targets employees and organizations in that sector. Our findings point to similar targets in several key sectors: telecommunications, especially satellite providers, defense contractors, aerospace and airlines. These sectors align with the IRGC’s strategic intelligence collection efforts.\r\nFigure 21 – Geographic distribution of targeted organizations.\r\nThe deployment of Minibike samples in June suggests “business as usual”, occurring as it did against the backdrop of the twelve-day conflict between Israel and Iran. 
The identified samples indicate that Israel was the primary focus at that time.\r\nConclusion\r\nIn our research, we uncovered the elusive operations of the Iranian threat actor known as Nimbus Manticore. Over the last year, this threat actor adopted a new set of techniques that allowed them to remain under the radar and continue operating even during the twelve-day Israeli-Iranian conflict.\r\nNimbus Manticore also expanded its interest in European targets, particularly in the telecommunications, defense, aerospace, satellite and airline sectors. We analyzed the evolution of the Minibike implant, which has incorporated multi-layered obfuscation and increasingly relies on legitimate cloud services to remain stealthy and difficult to detect.\r\nIOCs:\r\nHashes:\r\nDomains:\r\n
.]azurewebsites[.]net[.]net\r\ncloudaskingquestioning[.]azurewebsites[.]net[.]net\r\nvitatechlinks[.]azurewebsites[.]net\r\nmojavemassageandwellness[.]com\r\nairmdsolutions[.]azurewebsites[.]net\r\nventilateainest[.]azurewebsites[.]net\r\naeroclinicit[.]azurewebsites[.]net\r\nexchtestcheckingapijson[.]azurewebsites[.]net\r\nexchtestcheckingapihealth[.]com\r\nexchtestchecking[.]azurewebsites[.]net\r\nmaydaymed[.]azurewebsites[.]net\r\ntraveltipspage[.]com\r\nsmartapptools[.]azurewebsites[.]net\r\ncreateformquestionshelper[.]com\r\ncloudaskquestioning[.]eastus[.]cloudapp[.]azure[.]com\r\ncloudaskquestionanswers[.]com\r\ncloudaskquestionanswers[.]azurewebsites[.]net\r\ncloudaskingquestions[.]eastus[.]cloudapp[.]azure[.]com\r\ncloudaskingquestioning[.]azurewebsites[.]net\r\nhealthbodymonitoring[.]azurewebsites[.]net\r\nhealthcare-azureapi[.]azurewebsites[.]net\r\nhealthdataanalyticsrecord[.]azurewebsites[.]net\r\nhttps://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nPage 14 of 
16\n\nmedical-deepresearch[.]azurewebsites[.]net\r\nmedicalit-imaging[.]azurewebsites[.]net\r\nmentalhealth-support-portal[.]azurewebsites[.]net\r\npatient-azureportal[.]azurewebsites[.]net\r\npharmainfo[.]azurewebsites[.]net\r\nsymptom-recordchecker[.]azurewebsites[.]net\r\nsystemmedicaleducation[.]azurewebsites[.]net\r\nacupuncturebentonville[.]com\r\ncardiomedspecialists[.]azurewebsites[.]net\r\ndigithealthplatform[.]azurewebsites[.]net\r\nmedicpathsolutions[.]azurewebsites[.]net\r\nnextgenhealthtrack[.]azurewebsites[.]net\r\nsulumorbusinessservices[.]com\r\ntelehealthconnectpro[.]azurewebsites[.]net\r\ntotalcaremedcenter[.]azurewebsites[.]net\r\ntrustedcarehub360[.]azurewebsites[.]net\r\nvirtualcliniczone[.]azurewebsites[.]net\r\nwellnessfirstgroup[.]azurewebsites[.]net\r\nyourfamilymdclinic[.]azurewebsites[.]net\r\ndoctorconsult-app.azurewebsites[.]net\r\nmanagetools-platform.azurewebsites[.]net\r\nmsnotetask-insights.azurewebsites[.]net\r\nmstrakcer-tools.azurewebsites[.]net\r\nolemanage-dashboard.azurewebsites[.]net\r\noletask-tracker.azurewebsites[.]net\r\npatientcare-portal.azurewebsites[.]net\r\nSimilar activity cluster:\r\nrpcconnection.azurewebsites[.]net\r\nbacksrv66.azurewebsites[.]net\r\nbacksrv74.azurewebsites[.]net\r\ndatasheet96.azurewebsites[.]net\r\nmainrepo10.azurewebsites[.]net\r\nservices-update-check[.]azurewebsites[.]net\r\nsend-feedback[.]azurewebsites[.]net\r\nsend-feedback-413[.]azurewebsites[.]net\r\nsend-feedback-838[.]azurewebsites[.]net\r\nsend-feedback-296[.]azurewebsites[.]net\r\ncheck-backup-service[.]azurewebsites[.]net\r\ncheck-backup-service-288[.]azurewebsites[.]net\r\ncheck-backup-service-179[.]azurewebsites[.]net\r\ncheck-backup-service-736[.]azurewebsites[.]net\r\nboeing-careers[.]com\r\nrheinmetallcareer[.]org\r\nrheinmetallcareer[.]com\r\nairbus[.]global-careers[.]com\r\nairbus[.]careersworld[.]org\r\nhttps://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nPage 15 of 
16\n\nairbus[.]usa-careers[.]com\r\nairbus[.]germanywork[.]org\r\nairbus[.]careers-portal[.]org\r\nrheinmetall[.]careersworld[.]org\r\nrheinmetall[.]careers-hub[.]org\r\nrheinmetall[.]theworldcareers[.]com\r\nrheinmetall[.]gocareers[.]org\r\nflydubaicareers[.]ae[.]org\r\nglobal-careers[.]com\r\ncareers-hub[.]org\r\ncareersworld[.]org\r\nusa-careers[.]com\r\ngermanywork[.]org\r\ncareers-portal[.]org\r\ntheworldcareers[.]com\r\ngocareers[.]org\r\nSource: https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nhttps://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe"
	],
	"report_names": [
		"nimbus-manticore-deploys-new-malware-targeting-europe"
	],
	"threat_actors": [
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-10T02:00:03.598612Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775792009,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccfcfddfa6bf3224d437dae9a4195083516d0263.pdf",
		"text": "https://archive.orkl.eu/ccfcfddfa6bf3224d437dae9a4195083516d0263.txt",
		"img": "https://archive.orkl.eu/ccfcfddfa6bf3224d437dae9a4195083516d0263.jpg"
	}
}