Flash Briefing | high | Transport | Communications | Critical Infrastructure

Nimbus Manticore Resurfaces with New Backdoor and Expanded European Targeting After Operation Epic Fury

An Iranian APT group with ties to the Islamic Revolutionary Guard Corps has significantly stepped up operations against European and American aviation, telecommunications, and defence targets following the launch of Operation Epic Fury — the US military campaign against Iran that began on 28 February 2026. Check Point Research published detailed findings on 22 May documenting the group’s retooling, including an undocumented backdoor and two delivery techniques not previously observed in its arsenal.

Who is Nimbus Manticore

Nimbus Manticore — tracked by Mandiant as UNC1549 and linked to IRGC intelligence operations — has been active since at least 2022, historically targeting aerospace and defence contractors, telecoms, and critical infrastructure in Israel, the Gulf states, and Turkey. European operations were a secondary priority until late 2025, when the group expanded focus to Western Europe ahead of the conflict escalation. It shares infrastructure and tradecraft indicators with Smoke Sandstorm.

The group’s signature approach has been career-themed phishing: fake job offers from plausible defence industry contacts, often accompanied by documents that sideload malicious DLLs alongside legitimate signed executables. That approach remains active but has been augmented.

What changed after Epic Fury

Check Point’s analysis covers activity from February to May 2026 and identifies three changes of note.

First, Nimbus Manticore has deployed MiniFast, a previously undocumented backdoor with capabilities consistent with AI-assisted development — its code structure and documentation patterns match LLM-generated output, and the group appears to be iterating faster than prior development cycles would allow. MiniFast supports command execution, file staging, and credential collection, and has been observed in intrusions across Denmark, Sweden, and Portugal.

Second, the group has added SEO poisoning to its delivery methods. Fake download pages impersonating legitimate software — a trojanised Oracle SQL Developer installer being the most widely observed — are ranking for relevant search terms and delivering MiniFast to users who believe they are downloading a legitimate tool. This technique requires no prior relationship with the target and bypasses email security controls entirely.

Third, where the group previously relied on DLL sideloading for execution, it has shifted in some campaigns to AppDomain Hijacking — a .NET-based technique that allows malicious code to be loaded into a legitimate process by manipulating application domain configuration files. It is less likely to trigger endpoint detection rules tuned for DLL sideloading, and leaves less forensic residue.

What this means for affected sectors

Aviation is the most clearly named target. Lures have impersonated recruitment contacts at European carriers, MRO providers, and air traffic control organisations. Given IRGC priorities — intelligence collection on Western military logistics and sanctions evasion monitoring — aviation operations and flight scheduling systems are plausible collection targets beyond personnel data.

Telecommunications operators in Western Europe are at elevated risk. IRGC access to European carrier infrastructure carries potential for both signals intelligence collection and pre-positioning for future disruption, consistent with Salt Typhoon-style objectives from a different sponsor.

Defence manufacturing and supply chain organisations face the same risks as in previous Nimbus Manticore campaigns, now at scale given the active conflict context. Third-party contractors and technology suppliers to defence primes are a known pivot point.

Security teams in these sectors should add Nimbus Manticore indicators from the Check Point report to endpoint and network detection. The SEO poisoning vector means user awareness training on verifying software sources should be refreshed — users searching for development tools are a realistic initial access path. AppDomain Hijacking detection should be validated in EDR coverage: test whether your tooling flags unexpected app.config or .exe.config modifications in standard application paths. And given the trojanised SQL Developer vector, any installation of database tooling on endpoints with access to sensitive systems warrants review.
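One way to carry out the AppDomain Hijacking coverage check recommended above is to hunt for the configuration change the technique depends on rather than waiting for a process-level alert. The script below is an added example for this briefing, not tooling from Check Point or from any vendor named here. It assumes the Windows convention that a .NET executable reads the `<name>.exe.config` file beside it, and it looks for the documented .NET `<runtime>` elements `appDomainManagerAssembly` and `appDomainManagerType`, which redirect AppDomain creation to a caller-chosen assembly; those element names and the `C:\Program Files` roots are assumptions of the example, not indicators from the report. The sample config files are constructed so the script runs offline; on a real host, point `scan_directory` at the standard application paths and triage every hit against what the vendor actually shipped.

```python
"""Hunt for AppDomainManager redirection in .NET application config files.

Constructed example (not Check Point's or any vendor's code). Assumptions:
 - <app>.exe loads <app>.exe.config from the same directory (Windows convention);
 - the documented .NET <runtime> elements appDomainManagerAssembly and
   appDomainManagerType are the settings an AppDomain hijack has to write.
"""
import os
import tempfile
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# <runtime> children that hand AppDomain creation to an arbitrary assembly/type.
SUSPECT_RUNTIME_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}

# Standard application paths on a default Windows install (assumption; adjust per fleet).
DEFAULT_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)"]


@dataclass
class Finding:
    path: str                    # config file carrying the element
    element: str                 # which runtime element was found
    value: str                   # its value attribute (assembly or type name)
    config_newer_than_exe: bool  # True if the config was modified after its .exe


def _local(tag: str) -> str:
    """Drop any XML namespace prefix so matching works on bare element names."""
    return tag.rsplit("}", 1)[-1]


def inspect_config_text(xml_text: str, path: str = "<inline>", newer: bool = False) -> List[Finding]:
    """Return one Finding per AppDomainManager element found under <runtime>."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # not well-formed XML, so not a .NET config we can reason about
    if _local(root.tag) != "configuration":
        return findings
    for node in root.iter():
        if _local(node.tag) != "runtime":
            continue
        for child in node:
            name = _local(child.tag)
            if name in SUSPECT_RUNTIME_ELEMENTS:
                findings.append(Finding(path, name, child.get("value", ""), newer))
    return findings


def _config_newer_than_exe(config_path: str) -> bool:
    """A config touched after its executable was installed is the 'unexpected modification' case."""
    if not config_path.lower().endswith(".exe.config"):
        return False
    exe_path = config_path[: -len(".config")]
    try:
        return os.path.getmtime(config_path) > os.path.getmtime(exe_path)
    except OSError:
        return False


def scan_directory(root_dir: str) -> List[Finding]:
    """Walk an application root and inspect every *.exe.config / app.config found."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            lower = name.lower()
            if not (lower.endswith(".exe.config") or lower == "app.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(inspect_config_text(text, path, _config_newer_than_exe(path)))
    return findings


# Constructed sample configs: one ordinary, one with the redirection elements present.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <gcServer enabled="false" />
  </runtime>
</configuration>
"""

SUSPECT_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE" />
  </runtime>
</configuration>
"""


def demo() -> List[Finding]:
    """Build a throwaway tree with one clean and one redirected app, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for app, cfg in (("Clean", BENIGN_CONFIG), ("Redirected", SUSPECT_CONFIG)):
            app_dir = os.path.join(tmp, app)
            os.makedirs(app_dir)
            exe_path = os.path.join(app_dir, f"{app}.exe")
            cfg_path = exe_path + ".config"
            with open(exe_path, "wb") as fh:
                fh.write(b"MZ")  # stand-in for the real executable
            with open(cfg_path, "w", encoding="utf-8") as fh:
                fh.write(cfg)
            later = os.path.getmtime(exe_path) + 60  # simulate a post-install edit
            os.utime(cfg_path, (later, later))
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: <{f.element} value=\"{f.value}\"> newer_than_exe={f.config_newer_than_exe}")
```

A hit is a lead, not a verdict: a small number of legitimate products do ship an AppDomainManager in their config, so compare each finding against the vendor's installed baseline or package manifest, and treat a config that is newer than its executable, or whose referenced assembly is not signed by the same publisher, as the case to escalate.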

IRGC-affiliated groups have historically been patient collectors before any disruption phase. The current pace of retooling — new backdoor, new delivery, expanded targeting — suggests this group is under operational pressure to accelerate collection while the conflict window is open.