Last updated: July 5, 2026 at 9:01 AM UTC
Tag: mini-fast (1 article)

Iran's Nimbus Manticore (UNC1549) accelerated wartime ops with AI-assisted MiniFast backdoor, trojanized Zoom installers, and SEO poisoning of SQL Developer

Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.

Check
Search EDR image-load telemetry for the AppDomain hijacking pattern: Microsoft-signed executables loading unsigned DLLs, especially from user-writable paths. Hunt for Zoom installers whose Authenticode signature is missing or not Zoom's, and for unexpected modifications to existing scheduled tasks (the March wave hijacks legitimate ones). Check DNS logs for queries to getsqldeveloper[.]com.
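The following hunt is an added example, not Check Point's code or detection content. It runs the checks above over constructed EDR and DNS events (the JSON schema is an assumption, not any vendor's real format). It also assumes that "AppDomain hijacking" refers to .NET AppDomainManager injection, so it additionally flags Microsoft-signed processes started with the APPDOMAIN_MANAGER_ASM environment variable set; the user-writable path list and the Zoom signer string are assumptions to tune for your estate.

```python
"""Hunt for Nimbus Manticore tradecraft over constructed EDR/DNS telemetry.

Added example; the event schema below is assumed, not any vendor's format.
"""
import json
import re

# Defanged in the write-up as getsqldeveloper[.]com; refanged here for matching.
SEO_POISON_DOMAIN = "getsqldeveloper.com"

# User-writable locations from which a Microsoft-signed host process should not
# normally load an unsigned DLL (assumption: tune to your environment).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I
)

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"type":"process","pid":4120,"image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","signer":"Microsoft Corporation","env":{"APPDOMAIN_MANAGER_ASM":"Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null","APPDOMAIN_MANAGER_TYPE":"Helper.Manager"}}
{"type":"image_load","pid":4120,"process_signer":"Microsoft Corporation","module":"C:\\Users\\jdoe\\AppData\\Roaming\\Careers\\Helper.dll","module_signed":false}
{"type":"image_load","pid":5001,"process_signer":"Microsoft Corporation","module":"C:\\Windows\\System32\\kernel32.dll","module_signed":true}
{"type":"image_load","pid":5002,"process_signer":"Microsoft Corporation","module":"C:\\Program Files\\Vendor\\plugin.dll","module_signed":false}
{"type":"sched_task_modify","pid":6100,"image":"C:\\Users\\jdoe\\Downloads\\ZoomInstallerFull.exe","signer":"","task":"\\Microsoft\\Windows\\Maintenance\\WinSAT"}
{"type":"sched_task_modify","pid":6200,"image":"C:\\Users\\jdoe\\Downloads\\ZoomInstallerFull.exe","signer":"Zoom Video Communications, Inc.","task":"\\ZoomUpdateTask"}
{"type":"dns","pid":7300,"query":"www.getsqldeveloper.com"}
{"type":"dns","pid":7301,"query":"www.oracle.com"}
"""


def is_microsoft_signed(signer):
    return bool(signer) and "microsoft" in signer.lower()


def hunt(lines):
    """Return (rule, pid, detail) findings for the JSON event lines given."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process":
            # AppDomainManager injection via environment (assumed to be the
            # mechanism behind "AppDomain hijacking"): a Microsoft-signed .NET
            # host is told to load an attacker-supplied manager assembly.
            env = ev.get("env") or {}
            if "APPDOMAIN_MANAGER_ASM" in env and is_microsoft_signed(ev.get("signer")):
                findings.append(("appdomain_env", ev["pid"], env["APPDOMAIN_MANAGER_ASM"]))
        elif kind == "image_load":
            # Microsoft-signed process loading an unsigned DLL from a
            # user-writable path; kernel32/Program Files loads are left alone.
            if (is_microsoft_signed(ev.get("process_signer"))
                    and not ev.get("module_signed")
                    and USER_WRITABLE.search(ev.get("module", ""))):
                findings.append(("unsigned_dll_ms_host", ev["pid"], ev["module"]))
        elif kind == "sched_task_modify":
            # A Zoom-named installer touching a scheduled task without carrying
            # Zoom's signature (signer string is an assumption).
            name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            signer = ev.get("signer", "")
            if name.startswith("zoom") and not signer.startswith("Zoom Video Communications"):
                findings.append(("zoom_installer_task_hijack", ev["pid"], ev["task"]))
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            if q == SEO_POISON_DOMAIN or q.endswith("." + SEO_POISON_DOMAIN):
                findings.append(("seo_poison_domain", ev["pid"], q))
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample telemetry."""
    return hunt(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for rule, pid, detail in hunt_sample():
        print(f"{rule:28} pid={pid:<6} {detail}")
```

On the sample data the hunt raises four findings: the MSBuild process started with APPDOMAIN_MANAGER_ASM, the unsigned Helper.dll it loads from AppData, the unsigned Zoom-named installer modifying a Microsoft maintenance task, and the DNS query to the SEO-poisoning domain. The signed kernel32 load, the unsigned vendor plugin under Program Files, the genuinely Zoom-signed installer and the oracle.com lookup are all left alone, which is the noise floor you want before pointing this at real telemetry.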
Affected
Aviation, software, defense, and telecom organizations in the US, Europe, and Middle East. Nimbus Manticore targets employees via fake career offers, fake Zoom meetings, and SEO poisoning.
Fix
Load Check Point's published IoCs into your blocking controls. Block getsqldeveloper[.]com and known Nimbus Manticore C2 infrastructure at DNS and proxy. Train staff not to run downloads arriving with unsolicited career offers or meeting invitations, and to install Zoom and Oracle SQL Developer only from the vendors' sites. Tighten endpoint application control so unsigned DLLs cannot be sideloaded into signed executables.