Iran-linked Nimbus Manticore hackers deploy malware targeting Europe

A threat actor associated with the Iranian government is conducting a long-running espionage campaign against organizations in defense manufacturing, telecommunications, and aviation, sectors that align with the strategic priorities of the Islamic Revolutionary Guard Corps (IRGC).

Tracked as Nimbus Manticore by Check Point Research, the threat activity overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. More recently, the group has increased its focus on Western Europe, particularly on Denmark, Sweden, and Portugal. The group is imitating well-known companies in the aerospace, defense, and telecommunications industries to trick victims into downloading malware.

The threat actor sends highly targeted phishing emails that look like job offers from HR recruiters. The emails lead to fake job application websites, with each victim getting a unique login link. This helps the hackers track who visits the site, the researchers explain.

Once a victim downloads the files, a multi-stage infection chain begins. The threat actors use an uncommon technique in which a legitimate application is abused into loading and running a malicious file, giving them control of the system.

The group uses several custom-made tools in their attacks, including:

MiniJunk – A stealthy backdoor that provides persistent access to infected systems. It evades detection by inflating its file size and obfuscating its code.

MiniBrowse – A tool designed to steal saved passwords from browsers like Chrome and Edge. It runs silently inside the browser.

Minibike (also called SlugResin) – A powerful spying tool first discovered in 2022. It has become more advanced over time, adding stronger stealth capabilities, new features, and backup ways to communicate with hacker-controlled servers.

In recent attacks, the group used ZIP files disguised as hiring documents, such as one called Survey.zip, to start the infection chain. The fake websites the attackers use often copy the design of real companies like Boeing, Airbus, Rheinmetall, and flydubai, and are built using the React web framework.

“In May, Nimbus Manticore started to use the service SSL.com to sign their code. This led to a drastic decrease in detections, with many samples remaining undetectable by multiple malware engines,” the report notes. “Based on the signing dates and our analysis of samples signed by this certificate, we determined that they were generated by the threat actor, masquerading as existing IT organizations in Europe.”
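Two of the evasion tricks described above, inflated binaries and code signed with a newly obtained certificate, share a practical lesson: a valid Authenticode signature proves only that the signer held the key, not that the signer is who the subject name claims. The triage script below is an added example and not code from the Check Point report; it walks a directory of collected samples, flags binaries that are unsigned, signed by a publisher outside an organization's own allow list, signed with a certificate whose validity only started recently, lacking a countersignature timestamp, or unusually large. The scan root, size threshold, cutoff date and allow-listed publisher patterns are placeholders to adjust, not values from the article.

```powershell
# Added example: Authenticode and size triage for collected PE files.
# Not from the Check Point report. All parameter defaults are assumptions.
param(
    [string]$Root = 'C:\Triage',                    # assumed: folder of collected samples
    [int64]$BloatThresholdBytes = 100MB,            # assumed: flag binaries above this size
    [datetime]$SuspectSignedAfter = '2025-05-01',   # assumed cutoff; article only says "in May"
    [string[]]$TrustedPublishers = @(               # assumed: your own expected signers
        'CN=Microsoft Corporation*',
        'CN=Microsoft Windows*'
    )
)

$results = Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File | ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Bloated binaries are a cheap way to stay under sandbox and AV size limits.
    if ($file.Length -gt $BloatThresholdBytes) {
        $reasons.Add("bloated: $([math]::Round($file.Length / 1MB)) MB")
    }

    switch ($sig.Status) {
        'Valid' {
            # Valid means the chain verifies, nothing more. Compare the subject
            # against the publishers you actually expect to see on this host.
            $trusted = $false
            foreach ($pattern in $TrustedPublishers) {
                if ($cert.Subject -like $pattern) { $trusted = $true; break }
            }
            if (-not $trusted) {
                $reasons.Add("unfamiliar publisher: $($cert.Subject)")
            }
            # NotBefore is the certificate's validity start, used here as a
            # proxy for when the certificate was obtained (the signing time
            # itself lives in the countersignature and is not exposed here).
            if ($cert.NotBefore -ge $SuspectSignedAfter) {
                $reasons.Add("certificate valid from: $($cert.NotBefore.ToString('yyyy-MM-dd'))")
            }
            if ($null -eq $sig.TimeStamperCertificate) {
                $reasons.Add('no countersignature timestamp')
            }
        }
        'NotSigned' { $reasons.Add('unsigned') }
        default     { $reasons.Add("signature problem: $($sig.Status) ($($sig.StatusMessage))") }
    }

    [pscustomobject]@{
        Path       = $file.FullName
        SizeMB     = [math]::Round($file.Length / 1MB, 1)
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { '' }
        Issuer     = if ($cert) { $cert.Issuer } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        Reasons    = ($reasons -join '; ')
    }
}

# Only rows with at least one reason are worth an analyst's time.
$results | Where-Object { $_.Reasons } | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

The thumbprint column is the value to pivot on once one sample is confirmed malicious: every other binary signed with the same certificate is then a candidate regardless of its detection rate. Treat an unfamiliar but valid publisher as a lead, not a verdict; legitimate software from small European vendors will also land in this list, which is why the allow list should be built from what the organization actually runs.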

Check Point says it has also observed a separate but closely related activity cluster first reported by cybersecurity firm Prodaft, which tracks it as Subtle Snail. Also known as UNC1549, the threat actor is believed to be an Iran-linked espionage group tied to Unyielding Wasp (Tortoiseshell) and the broader Charming Kitten network.

Active since at least June 2022, the group recently shifted its focus to European telecom, aerospace, and defense sectors. In a recent campaign, Subtle Snail compromised 34 devices across 11 organizations using fake LinkedIn recruitment lures. The threat actor impersonated HR personnel to target employees and deployed a variant of the Minibike backdoor, which uses Azure cloud services for stealthy command-and-control (C2) communication.
