root@rebel:~$ cd /news/threats/nimbus-manticore-targets-aviation-via-minifast-and-minijunk-v2_
[TIMESTAMP: 2026-05-26 09:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Nimbus Manticore Targets Aviation via MiniFast and MiniJunk V2

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Iranian state actors target aviation and software sectors globally for intelligence following military operations in early 2026.
  • [02] Vulnerable systems include enterprise environments susceptible to SEO poisoning and phishing lures impersonating industry-specific organizations.
  • [03] Organizations must prioritize DNS filtering and endpoint monitoring for unauthorized PowerShell and unusual external network connections.

A sophisticated Iranian state-sponsored APT known as Nimbus Manticore (also tracked as Screening Serpens and UNC1549) has initiated a new wave of cyber operations. According to The Hacker News, this campaign leverages highly specific lures to target organizations within the aviation and software sectors across the United States, Europe, and the Middle East. This activity is reportedly a retaliatory or intelligence-gathering response to joint military actions occurring in late February 2026.

Delivery Mechanisms: Phishing and SEO Poisoning

Nimbus Manticore has refined its TTPs by combining traditional phishing with the more aggressive tactic of search engine optimization (SEO) poisoning. By manipulating search rankings, the attackers place malicious links at the top of results for industry-specific queries. When employees at aviation or software firms search for technical documentation or specialized tools, they are directed to attacker-controlled sites. These sites serve as the jumping-off point for initial compromise, typically tricking users into downloading malicious archives.

Simultaneously, the group employs targeted email lures that impersonate legitimate industry entities. These emails typically contain malicious attachments or links to external infrastructure designed to initiate deployment of the group's custom malware arsenal. The dual-path approach increases the probability of a successful intrusion: the search-result path never passes through email filters at all, and it arrives via results the user already trusts.

Detection Strategies: How to Detect MiniFast Malware

The primary objective of these initial intrusions is the deployment of two custom malware families, MiniFast and MiniJunk V2. MiniFast functions as a lightweight backdoor designed for stealthy C2 communication, and identifying it requires a combination of network and endpoint analysis. On the network side, teams should focus on unusual HTTP/S traffic directed at newly registered domains or IP addresses, and in particular on connections that recur at the near-constant "heartbeat" intervals typical of beaconing.
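One way to put the beaconing heuristic above into practice is to group outbound proxy events by source host and destination, measure the spacing between consecutive requests, and flag pairs whose intervals barely vary. The following is an added example, not code from the article or from any referenced vendor. The proxy log format, hostnames, domains and the WHOIS-style registration dates standing in for a newly-registered-domain (NRD) feed are all constructed for illustration; the thresholds (at least five events, jitter below 10% of the mean interval, registration within 30 days) are assumed starting points to tune against your own baseline.

```python
"""Beacon-interval heuristic over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination domain> <bytes>"
SAMPLE_LOG = """\
2026-03-02T09:00:00 ws-eng-07 update.example-cdn.test 512
2026-03-02T09:01:00 ws-eng-07 update.example-cdn.test 498
2026-03-02T09:02:01 ws-eng-07 update.example-cdn.test 530
2026-03-02T09:03:00 ws-eng-07 update.example-cdn.test 505
2026-03-02T09:04:00 ws-eng-07 update.example-cdn.test 511
2026-03-02T09:05:01 ws-eng-07 update.example-cdn.test 507
2026-03-02T09:00:10 ws-eng-07 docs.vendor.test 20480
2026-03-02T09:07:42 ws-eng-07 docs.vendor.test 18321
2026-03-02T09:31:05 ws-eng-07 docs.vendor.test 9933
2026-03-02T09:00:03 ws-fin-02 mail.corp.test 2048
2026-03-02T09:13:11 ws-fin-02 mail.corp.test 2100
2026-03-02T09:14:50 ws-fin-02 mail.corp.test 1987
2026-03-02T09:40:02 ws-fin-02 mail.corp.test 2011
"""

# Constructed registration dates standing in for a real NRD / WHOIS feed.
REGISTRATION_DATES = {
    "update.example-cdn.test": "2026-02-25",
    "docs.vendor.test": "2019-06-14",
    "mail.corp.test": "2012-01-09",
}


def parse_log(text):
    """Group request timestamps by (source host, destination domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, _size = line.split()
        events[(host, dest)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (mean interval in seconds, coefficient of variation) or None."""
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    avg = mean(deltas)
    return avg, (pstdev(deltas) / avg if avg else float("inf"))


def domain_age_days(domain, as_of):
    """Age of the destination domain on the given date, None if unknown."""
    reg = REGISTRATION_DATES.get(domain)
    if reg is None:
        return None
    return (as_of - date.fromisoformat(reg)).days


def find_beacons(log_text, min_events=5, max_cv=0.10, nrd_days=30):
    """Flag host/destination pairs with many, evenly spaced requests.

    A low coefficient of variation (jitter relative to the mean interval)
    is the "heartbeat" shape; the NRD flag adds the destination context.
    """
    events = parse_log(log_text)
    latest = max(t for ts in events.values() for t in ts).date()
    findings = []
    for (host, dest), ts in events.items():
        if len(ts) < min_events:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        avg, cv = stats
        if cv > max_cv:
            continue
        age = domain_age_days(dest, latest)
        findings.append({
            "host": host,
            "dest": dest,
            "events": len(ts),
            "mean_interval_s": round(avg, 1),
            "jitter_cv": round(cv, 3),
            "newly_registered": age is not None and age < nrd_days,
        })
    return sorted(findings, key=lambda f: f["jitter_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log only ws-eng-07 talking to update.example-cdn.test is flagged: six requests roughly sixty seconds apart with about a second of jitter, to a domain registered five days earlier. The other two destinations have too few events to score, which is the point of the minimum-count guard: interval statistics on two or three requests produce noise, not signal. In production, run this over a sliding window (hours, not minutes) and add an allowlist for known telemetry endpoints, which also beacon on fixed schedules.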

MiniJunk V2, an updated version of the actor’s previously observed junk-code-laden downloader, serves as a primary stager. This tool is specifically engineered to evade signature-based detection by incorporating significant amounts of obfuscated code and non-functional data. This ensures that the actual malicious payload remains hidden from automated sandbox analysis. Defenders should monitor for suspicious PowerShell executions or the unexpected creation of scheduled tasks, which are often used to maintain persistence after the initial infection.

Impact on the Global Aviation Infrastructure

Nimbus Manticore's targeting of the aviation sector represents a significant threat to global logistics and national security. By gaining access to software firms that support the aviation industry, the threat actor could potentially stage a supply chain attack against their customers. The information sought likely includes sensitive engineering data, flight telemetry protocols, and internal communications that could provide Iran with a strategic advantage in the ongoing regional conflict.

Mitigation and Defense Recommendations

To effectively prevent SEO poisoning attacks and mitigate the risk of Nimbus Manticore intrusions, organizations should implement the following security controls:

  • Enhanced Web Filtering: Deploy advanced web gateway solutions that categorize and block newly registered domains (NRDs) and sites with low reputation scores.
  • Endpoint Monitoring: Use an EDR solution to detect post-exploitation activities such as privilege escalation and lateral movement. Pay particular attention to child processes spawned by web browsers or document readers.
  • User Training: Conduct industry-specific simulation exercises to help employees recognize sophisticated phishing lures that may reference current geopolitical events.
  • Network Segmentation: Restrict the ability of workstations to communicate directly with the internet, routing all traffic through inspecting proxies that can match indicators of compromise (IoCs) associated with Iranian infrastructure.
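The endpoint detections named in the MiniJunk V2 paragraph (suspicious PowerShell executions, unexpected scheduled-task creation) and in the Endpoint Monitoring item (child processes of browsers and document readers) can be expressed as a small set of rules over process-creation telemetry. The following is an added example and not the article's or any vendor's code: it applies three such rules to a handful of constructed Sysmon-style process events. Every path, user and command line is invented, the parent/child lists are a minimal starting set rather than an exhaustive one, and the ATT&CK technique IDs attached to each rule (T1204.002, T1059.001, T1053.005) are the standard mappings for user execution of a malicious file, PowerShell, and scheduled task persistence.

```python
"""Process-creation triage over constructed endpoint telemetry (added example)."""
import ntpath
import re

# Parents that a lure document or poisoned download would typically run under.
LURE_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe",
}
# Script hosts that have little business being children of those parents.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Encoded command switches (-e / -en / -enc / -EncodedCommand) or a hidden window.
ENCODED_OR_HIDDEN = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\b"
    r"|(?:^|\s)-w(?:in(?:dowstyle)?)?\s+hidden\b"
)
SCHTASKS_CREATE = re.compile(r"(?i)(?:^|\s)/create\b")

# Constructed Sysmon-style process creation events (Event ID 1 fields).
EVENTS = [
    {"id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"id": 2,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 15 /TN "UpdaterSvc" /TR C:\Users\Public\up.exe'},
    {"id": 3,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\j.doe\Downloads\spec.docx'},
    {"id": 4,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"id": 5,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so rules ignore install location."""
    return ntpath.basename(path).lower()


def rule_lure_child(ev):
    """A browser or document reader spawned a script host."""
    return basename(ev["ParentImage"]) in LURE_PARENTS and basename(ev["Image"]) in SCRIPT_HOSTS


def rule_encoded_or_hidden_powershell(ev):
    """PowerShell started with an encoded command or a hidden window."""
    return (basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_OR_HIDDEN.search(ev["CommandLine"]) is not None)


def rule_scheduled_task_create(ev):
    """schtasks.exe used to create a task (persistence after initial infection)."""
    return (basename(ev["Image"]) == "schtasks.exe"
            and SCHTASKS_CREATE.search(ev["CommandLine"]) is not None)


# (rule name, ATT&CK technique, predicate)
RULES = [
    ("lure_child_script_host", "T1204.002", rule_lure_child),
    ("encoded_or_hidden_powershell", "T1059.001", rule_encoded_or_hidden_powershell),
    ("scheduled_task_create", "T1053.005", rule_scheduled_task_create),
]


def triage(events):
    """Map event id -> list of (rule, technique) for every event that matched a rule."""
    hits = {}
    for ev in events:
        matched = [(name, tid) for name, tid, pred in RULES if pred(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, matched in triage(EVENTS).items():
        print(event_id, matched)
```

Events 1 and 5 trip two rules each (a script host under a browser or Word, plus hidden or encoded PowerShell), event 2 trips the scheduled-task rule, and events 3 and 4 (Word opened from Explorer, an administrator's plain script run from Explorer) match nothing. Scoring on rule combinations rather than single hits is what keeps the administrator case quiet; the parent-process rule is the high-value one for this campaign because it fires on the delivery stage regardless of how the later stager is obfuscated.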

By mapping these observations to the MITRE ATT&CK framework, SOC teams can better visualize the attack lifecycle and deploy targeted detections at the delivery and exploitation stages.
