Iranian Hackers Expand Tactics Amidst U.S.-Iran Military Tensions
In a significant escalation of cyber operations, Iranian state-aligned hackers have deployed a new backdoor, delivered through a blend of career-themed phishing and, for the first time, search engine poisoning. This shift in tactics appears to extend their reach into the American aviation sector, particularly during the recent military tensions between the United States and Iran.
According to an in-depth analysis by Check Point Research, the Iranian Revolutionary Guard Corps (IRGC)-affiliated hacking group known as Nimbus Manticore, or UNC1549, has resurfaced in multiple waves of malicious activity from February to April 2026. This activity corresponds with Operation Epic Fury, an active U.S. military campaign initiated on February 28, aimed at counterbalancing Iranian military actions.
Historically, the group has specialized in career-themed phishing attacks against sensitive sectors, including defense, telecommunications, and aviation. The latest operations showed the group impersonating legitimate aviation firms and software providers not only in the U.S. but also in Europe and the Middle East. This geographical expansion suggests a strategic intent to target critical industries with a heightened level of sophistication.
Introduction of SEO Poisoning Techniques
One of the most remarkable changes in the group’s approach was noted in April, when they deviated from their long-standing practice of using enticing fake job offers. Instead, they launched a counterfeit download page masquerading as Oracle’s SQL Developer database tool. This shift in strategy marked a new chapter in their cyber operations.
The hackers registered a multitude of domain names all linking to the deceptive site while saturating its pages with carefully selected search keywords to artificially boost its prominence in search engine results. During the analysis period, this fraudulent site achieved high rankings on platforms like Bing and DuckDuckGo for queries related to the genuine software, illustrating the effectiveness of their search engine poisoning tactics.
This marked a paradigmatic shift, as researchers had now observed the group using search engine manipulation rather than relying solely on direct phishing mechanisms to ensnare victims. Earlier waves of their campaign relied on more traditional methods, such as distributing a malicious version of a Zoom installer via fake meeting invitations and hosting ZIP files on platforms like OnlyOffice.
Malicious Techniques and Tools
The malware delivered through these domains also relied on AppDomain hijacking, a technique that loads a malicious DLL into a trusted .NET application by replacing the application's legitimate configuration file with a tampered one. This approach exemplifies the increasing sophistication of the group's methods and its ability to adapt to an evolving defensive landscape.
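As an added illustration, not taken from the Check Point report or from this article, the following defender-side check looks for the configuration substitution described above: it scans a .NET application's .exe.config for the AppDomainManager attributes that make the CLR load a caller-chosen DLL before the trusted binary's own code runs, and for assembly probing paths that leave the application directory. The two sample configurations and the ExampleManager name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# <runtime> attributes that make the CLR load a caller-chosen assembly as the
# AppDomainManager before the trusted executable's own Main() runs.
APPDOMAIN_MANAGER_ATTRS = ("appDomainManagerAssembly", "appDomainManagerType")


def scan_dotnet_config(config_xml: str) -> list[str]:
    """Return findings for one *.exe.config document; an empty list means clean.

    Flags AppDomainManager redirection and assembly probing paths that escape
    the application directory (the CLR searches privatePath for DLLs).
    """
    findings = []
    root = ET.fromstring(config_xml)
    for runtime in root.iter("runtime"):
        for attr in APPDOMAIN_MANAGER_ATTRS:
            if runtime.get(attr):
                findings.append(f"runtime/@{attr}={runtime.get(attr)!r}")
        # Children of <runtime> carry the asm.v1 namespace; match on local name.
        for elem in runtime.iter():
            path = elem.get("privatePath") if elem.tag.split("}")[-1] == "probing" else None
            if path and (".." in path or path[:1] in "\\/" or ":" in path):
                findings.append(f"probing/@privatePath={path!r}")
    return findings


# Constructed sample: a typical benign configuration.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib"/>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed sample: the same file after tampering. The two added attributes
# make the CLR load ExampleManager.dll (placeholder name, not from the report)
# next to the trusted binary, which is the substitution the article describes.
TAMPERED_CONFIG = """<configuration>
  <runtime appDomainManagerAssembly="ExampleManager, Version=1.0.0.0"
           appDomainManagerType="ExampleManager.Bootstrap">
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="..\\Public\\lib"/>
    </assemblyBinding>
  </runtime>
</configuration>"""
```

Run the scanner over every *.exe.config and *.dll.config beside signed .NET binaries and alert on any non-empty result; legitimate applications that set an AppDomainManager are rare enough to review by hand.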
Alongside these delivery methods, the campaign introduced a new, previously undocumented backdoor named MiniFast. It replaces the MiniJunk malware family the group used earlier, reflecting an evolution in its capabilities. MiniFast is a 64-bit Windows dynamic-link library (DLL) that functions as a full-featured implant: it exchanges JSON-formatted messages with its command-and-control (C2) server while disguising that traffic as ordinary Chrome browser activity.
The command set associated with MiniFast is extensive, enabling diverse functionalities, including shell execution, file transfers, process control, and maintained persistence through scheduled tasks. This versatility makes it a potent tool in the hackers’ arsenal.
Check Point has identified traits of AI-assisted development in both the loaders and the MiniFast backdoor itself. Notable characteristics include excessive error handling in minor functions, repetitive naming conventions, and debug-style status strings scattered throughout the code. These markers suggest that the group has gained access to sophisticated development tools that may help them maintain a high operational tempo and rapidly develop new tools even amidst the ongoing military pressures they face.
This new wave of cyber warfare tactics not only underscores the risks that global industries face amid international conflicts but also highlights the persistent evolution of cyber threats. As state-aligned groups like Nimbus Manticore refine their methods, the necessity for robust cybersecurity measures across vulnerable sectors becomes increasingly paramount. Governments and organizations must remain vigilant and proactive in addressing these emerging threats in an age where cyber warfare has become more commonplace and complex.