[Infographic: Nimbus Manticore attack chain: spear-phishing email to fake job portal, DLL side-loading via Setup.exe and Windows Defender, MiniJunk/MiniBrowse payloads with C2 servers, targeting icons for defense/telecom in Europe, and evasion tactics]

Check Point Research has revealed an ongoing campaign by the Iranian-aligned APT Nimbus Manticore (also tracked as UNC1549, Smoke Sandstorm and "Iranian Dream Job") targeting defense, telecom and aviation firms in Western Europe, with a focus on Denmark, Sweden and Portugal, in support of IRGC interests. Since early 2025, spear-phishing emails from fake HR recruiters have directed victims to custom React-based job portals impersonating Boeing, Airbus and flydubai; the portals are hosted behind Cloudflare, with unique URLs and login credentials that let the operators track individual targets. Once the victim logs in through the portal's /login-user API, a malicious ZIP archive is downloaded.


The infection chain uses multi-stage DLL side-loading. A legitimate Setup.exe side-loads a malicious userenv.dll, which in turn launches Windows Defender's signed SenseSampleUploader.exe and makes it load a malicious xmllite.dll by passing a manipulated DllPath through low-level process-creation APIs. Persistence is established under %AppData%\Local\Microsoft\MigAutoPlay using renamed copies of the files and scheduled tasks. Compiler-level obfuscation, bloated binaries and valid code-signing certificates combine to produce zero VirusTotal detections.


The payloads are the MiniJunk backdoor, which hooks ExitProcess, uses three to five redundant HTTPS C2 servers, and handles commands such as file reads through encoded command schemas, and the MiniBrowse stealer, which injects into Chrome and Edge to exfiltrate credentials over HTTP or pipes. Both evolved from the 2022 Minibike/SlugResin tooling and prioritize stealth. Targeted organizations should strengthen phishing filters, monitor for DLL side-loading, and scrutinize signed binaries as part of a layered defense.
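As an added example (not code from Check Point Research or NPAV), the following Python script shows what "monitor for DLL side-loading" can mean in practice for the chain described above: it walks constructed Sysmon-style events and flags the abused DLL names when they are loaded from outside the system directories, the Defender uploader being spawned by an unexpected parent, and any path that touches the MigAutoPlay persistence directory. The key=value event format, the user name, the download folder and the Defender install path are assumptions; only the DLL names, the host binary name and the persistence directory come from the report.

```python
"""Hunt Sysmon-style events for the Nimbus Manticore side-loading chain.

Added example, not the report's or NPAV's code. Events are a constructed
key=value rendering of Sysmon IDs 1 (process create), 7 (image load) and
11 (file create). Only SIDELOADED_DLLS, ABUSED_HOST and PERSISTENCE_DIR
come from the report; every path, user and folder name below is made up.
"""
import re
from pathlib import PureWindowsPath

# Directories from which the abused DLL names are legitimately loaded.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL base names the campaign side-loads (from the report).
SIDELOADED_DLLS = {"userenv.dll", "xmllite.dll"}
# Signed Windows Defender binary abused as the second-stage host (from the report).
ABUSED_HOST = "sensesampleuploader.exe"
# Assumption: a Defender component should only be started from these roots.
TRUSTED_PARENT_ROOTS = (r"c:\windows", r"c:\program files")
# Persistence directory named in the report, matched as a case-insensitive fragment.
PERSISTENCE_DIR = r"\appdata\local\microsoft\migautoplay"

# Lazy value match that stops at the next " Key=" so paths may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn 'Key=value Key2=value with spaces' into a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def _under(path: str, roots) -> bool:
    p = path.lower()
    return any(p.startswith(r.rstrip("\\") + "\\") for r in roots)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def analyze(events) -> list:
    """Return (rule, subject, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "7":
            # A system DLL name resolved from anywhere but System32/SysWOW64.
            loaded = ev.get("ImageLoaded", "")
            if _name(loaded) in SIDELOADED_DLLS and _dir(loaded) not in SYSTEM_DLL_DIRS:
                findings.append(("sideload_candidate", ev.get("Image", ""), loaded))
        elif eid == "1":
            # The Defender uploader launched by something outside trusted roots.
            parent = ev.get("ParentImage", "")
            if _name(ev.get("Image", "")) == ABUSED_HOST and not _under(parent, TRUSTED_PARENT_ROOTS):
                findings.append(("unexpected_parent", parent, ev["Image"]))
        # Any path field touching the persistence directory, whatever the event type.
        for field in ("Image", "ImageLoaded", "TargetFilename", "ParentImage"):
            path = ev.get(field, "")
            if PERSISTENCE_DIR in path.lower():
                findings.append(("persistence_dir", field, path))
                break
    return findings


# Constructed sample log: the Defender install path and user paths are illustrative.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Users\alice\Downloads\Boeing_Offer\Setup.exe ImageLoaded=C:\Users\alice\Downloads\Boeing_Offer\userenv.dll
EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\userenv.dll
EventID=1 Image=C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe ParentImage=C:\Users\alice\Downloads\Boeing_Offer\Setup.exe
EventID=11 Image=C:\Users\alice\Downloads\Boeing_Offer\Setup.exe TargetFilename=C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\xmllite.dll
EventID=7 Image=C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\xmllite.dll
EventID=1 Image=C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe ParentImage=C:\Windows\System32\services.exe
"""


def run_sample() -> list:
    events = [parse_event(line) for line in SAMPLE_LOG.strip().splitlines()]
    return analyze(events)


if __name__ == "__main__":
    for rule, subject, detail in run_sample():
        print(f"[{rule}] {subject} -> {detail}")
```

Line 2 and line 6 of the sample are the benign baseline (userenv.dll from System32, the uploader started from a Windows parent) and produce nothing; the other four lines yield five findings. In a real deployment the same three rules map onto Sysmon or EDR image-load, process-create and file-create telemetry, and the DLL list should be widened to whatever system DLL names your side-loading baseline shows being resolved outside the system directories.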
 
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.