Home News Nimbus Manticore Uses Fake Zoom Installers and SEO Poisoning to Deploy Malware Against US Firms
News

Nimbus Manticore Uses Fake Zoom Installers and SEO Poisoning to Deploy Malware Against US Firms

55

Iran’s Nimbus Manticore Uses Fake Zoom Installers and SEO Poisoning to Target US Firms

Cybersecurity researchers have uncovered a campaign by the Iranian threat group Nimbus Manticore, also tracked as UNC1549 and linked to the Islamic Revolutionary Guard Corps (IRGC), that used trojanized Zoom installers and other deceptive methods to deploy malware against organizations in the United States and other regions.

According to Check Point Research, the group was most active between February and April 2026, a period marked by heightened geopolitical tension following Operation Epic Fury. During this time, the attackers expanded their operations beyond Israel and the UAE, targeting aviation and software companies in the US.

In the early stages of the campaign, Nimbus Manticore used fake job offers distributed through platforms like OnlyOffice. Victims who downloaded ZIP archives were exposed to an attack technique known as AppDomain hijacking. By combining a legitimate Microsoft executable with a malicious configuration file, the attackers were able to silently execute malware components, including a loader that deployed MiniJunk malware.

By March 2026, the group shifted tactics and began distributing fake Zoom meeting invitations. These included ZIP files that appeared to contain legitimate Zoom installers. While a genuine Zoom executable was used to reduce suspicion, hidden components were executed through AppDomain hijacking to deploy a new backdoor known as MiniFast.

To maintain persistence, the malware leveraged legitimate Windows scheduled tasks, including ZoomUpdateTaskUser, allowing it to remain hidden on infected systems.

Researchers noted that MiniFast showed signs of rapid and possibly AI-assisted development, including clean modular code structure and detailed error handling even for simple functions. Once installed, the malware provided attackers with full remote access via cmd.exe while disguising its network traffic as legitimate Google Chrome activity.

In April 2026, the group shifted again, moving away from email-based lures toward SEO poisoning campaigns. They created fake websites impersonating trusted software, including a site mimicking Oracle’s SQL Developer. By using multiple connected domains and keyword manipulation, they successfully boosted the fake site in search engine rankings on platforms like Bing and DuckDuckGo.

Victims who downloaded software from these spoofed sites were directly infected with the MiniFast backdoor, giving attackers persistent access and control over compromised systems.

Overall, researchers say Nimbus Manticore’s campaign demonstrates a mix of social engineering, software impersonation, and search engine manipulation to distribute malware and maintain long-term access to targeted systems.

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

News

23andMe Agrees to $18 Million Settlement Over 2023 Genetic Data Breach

Genetic testing company 23andMe, now operating as Chrome Holding Co., has agreed...

News

Two Scattered Spider Hackers Sentenced to Prison Over Major TfL Cyberattack

Two members of the Scattered Spider cybercrime group have been sentenced to...

News

Dutch Police Bust International Investment Fraud Ring Linked to Over €100 Million in Monthly Scams

Dutch police have arrested multiple suspects believed to be part of an...

News

Spanish Police Dismantle €140 Million Cyber Fraud Network, Four Arrested

Spanish police have dismantled a major cybercrime and money-laundering network that allegedly...