Iran-linked Nimbus Manticore targets aviation and software companies with new MiniFast backdoor and fake job lures

An Iran-linked hacking group is using fake job offers and trojanized software downloads to break into aviation and software companies, including targets in Saudi Arabia, Australia, and the United States. Check Point says Nimbus Manticore (also known as Bohrium, TA455, and UNC1549) switched from DLL sideloading to AppDomain hijacking, using malicious .NET configuration files to load payloads, and deployed updated MiniJunk malware plus a new Windows DLL backdoor called MiniFast through ZIP files on OnlyOffice, a fake Zoom installer, and a fake SQL Developer site boosted with search-engine optimization.
Why it matters: This campaign shows continued state-linked targeting of sensitive industries during heightened regional tensions, with lures that can fool both job seekers and employees downloading familiar tools. Organizations in aviation, defense-adjacent, and software sectors should warn staff about recruiter and installer lures, review detections for MiniJunk and MiniFast, and hunt for suspicious .config-based AppDomain hijacking activity.
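One way to start the .config hunt suggested above, as an added example that is not from Check Point or the source article: it parses .NET configuration files and reports `appDomainManagerAssembly` / `appDomainManagerType` overrides under `<runtime>`, the documented .NET Framework settings that substitute a custom AppDomainManager. The sample configs, the `ExampleLoader` name, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> settings that make the CLR load a custom AppDomainManager at startup.
HIJACK_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed samples; "ExampleLoader" is a placeholder, not an indicator.
SAMPLE_SUSPICIOUS = b"""<configuration><runtime>
  <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleLoader.Manager" />
</runtime></configuration>"""
SAMPLE_BENIGN = b"""<configuration><runtime><gcServer enabled="true" /></runtime></configuration>"""

def _local(tag):
    """Drop any XML namespace and lowercase the element name."""
    return tag.rsplit("}", 1)[-1].lower()

def inspect_config(data):
    """Return AppDomainManager overrides (or a review note) for one .config body given as bytes."""
    # Application configs have no need for DTDs; do not parse them, flag them instead.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return {"review": "DTD or entity declaration in a .config file"}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return {"review": "malformed XML"}
    hits = {}
    for runtime in (e for e in root.iter() if _local(e.tag) == "runtime"):
        for el in runtime.iter():
            if _local(el.tag) in HIJACK_ELEMENTS:
                hits[_local(el.tag)] = el.get("value", "")
    return hits

def hunt(root_dir):
    """Walk a directory tree and return (path, findings) for every flagged *.config file."""
    results = []
    for path in sorted(Path(root_dir).rglob("*.config")):
        try:
            findings = inspect_config(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if findings:
            results.append((str(path), findings))
    return results

if __name__ == "__main__":
    import sys
    for path, findings in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, findings)
```

A hit is a lead rather than a verdict: triage it by checking whether the named assembly sits beside the executable, whether it is signed, and whether the host application is expected to ship that configuration.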

Sources

Iranian APT Targets Aviation, Software Companies With Updated Tools
Ionut Arghire 2026.05.26
The article establishes a distinct new campaign and tooling update for Nimbus Manticore, including a new backdoor, new execution technique, and an apparent expansion toward U.S. targets rather than simply re-reporting a previously tracked event.