Iran’s Nimbus Manticore Uses Fake Zoom Installers and SEO Poisoning to Target US Firms
Cybersecurity researchers have uncovered a campaign by the Iranian threat group Nimbus Manticore, also tracked as UNC1549 and linked to the Islamic Revolutionary Guard Corps (IRGC), that used trojanized Zoom installers and other deceptive methods to deploy malware against organizations in the United States and other regions.
According to Check Point Research, the group was most active between February and April 2026, a period marked by heightened geopolitical tension following Operation Epic Fury. During this time, the attackers expanded their operations beyond Israel and the UAE, targeting aviation and software companies in the US.
In the early stages of the campaign, Nimbus Manticore used fake job offers distributed through platforms like OnlyOffice. Victims who downloaded ZIP archives were exposed to an attack technique known as AppDomain hijacking. By combining a legitimate Microsoft executable with a malicious configuration file, the attackers were able to silently execute malware components, including a loader that deployed MiniJunk malware.
By March 2026, the group shifted tactics and began distributing fake Zoom meeting invitations. These included ZIP files that appeared to contain legitimate Zoom installers. While a genuine Zoom executable was used to reduce suspicion, hidden components were executed through AppDomain hijacking to deploy a new backdoor known as MiniFast.
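As an added illustration that is not from the article or the Check Point report, the check below triages the AppDomain hijacking pattern described above: a .NET application config (`<name>.exe.config`) inside a ZIP that names an AppDomainManager assembly next to the executable it piggybacks on. The archive contents, file names and assembly name are constructed for the demo, not taken from campaign samples.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample, not a real artifact: a decoy installer (placeholder bytes)
# shipped beside a .exe.config that points the .NET runtime at a DLL in the
# same folder, which then loads before the host program's own code runs.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Zoom/ZoomInstaller.exe", b"MZ placeholder")        # signed host
        zf.writestr("Zoom/ZoomInstaller.exe.config", SAMPLE_CONFIG)     # hijack config
        zf.writestr("Zoom/Updater.dll", b"MZ placeholder")              # sideloaded DLL
    return buf.getvalue()

MANAGER_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")

def find_appdomain_hijack(zip_bytes: bytes) -> list[dict]:
    """One finding per *.exe.config whose <runtime> names an AppDomainManager."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not name.lower().endswith(".exe.config"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # not a well-formed .NET config; skip rather than crash
            runtime = root.find("runtime")
            if runtime is None:
                continue
            hits = {tag: el.get("value", "") for tag in MANAGER_TAGS
                    if (el := runtime.find(tag)) is not None}
            if not hits:
                continue
            # Assembly display name "Updater, Version=..." maps to Updater.dll next to the host.
            asm = hits.get("appDomainManagerAssembly", "").split(",")[0].strip()
            dll = posixpath.join(posixpath.dirname(name), asm + ".dll") if asm else None
            findings.append({"config": name, "manager": hits,
                             "paired_exe_present": name[:-len(".config")] in names,
                             "manager_dll_present": dll in names})
    return findings
```

A hit where both `paired_exe_present` and `manager_dll_present` are true is the full sideload bundle and warrants detonation or blocking of the archive.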
To maintain persistence, the malware leveraged legitimate Windows scheduled tasks, including ZoomUpdateTaskUser, allowing it to remain hidden on infected systems.
Researchers noted that MiniFast showed signs of rapid and possibly AI-assisted development, including clean modular code structure and detailed error handling even for simple functions. Once installed, the malware provided attackers with full remote access via cmd.exe while disguising its network traffic as legitimate Google Chrome activity.
In April 2026, the group shifted again, moving away from email-based lures toward SEO poisoning campaigns. They created fake websites impersonating trusted software, including a site mimicking Oracle’s SQL Developer. By using multiple connected domains and keyword manipulation, they successfully boosted the fake site in search engine rankings on platforms like Bing and DuckDuckGo.
Victims who downloaded software from these spoofed sites were directly infected with the MiniFast backdoor, giving attackers persistent access and control over compromised systems.
Overall, researchers say Nimbus Manticore’s campaign demonstrates a mix of social engineering, software impersonation, and search engine manipulation to distribute malware and maintain long-term access to targeted systems.