Three waves of activity between February and April 2026 — coinciding with Operation Epic Fury, launched February 28 — marked the return of an IRGC‑affiliated actor that expanded its reach into aviation by combining familiar phishing with a new turn to search engine poisoning.
Nimbus Manticore (UNC1549) resurfaces during Operation Epic Fury
Check Point Research attributed the campaign to Nimbus Manticore, a group also tracked as UNC1549 and described in the analysis as IRGC‑affiliated. The researchers observed activity across three discrete waves from February through April 2026 that targeted aviation alongside the group's historical interests in defense and telecommunications. According to Check Point, the operations impersonated aviation firms and software providers across the United States, Europe and the Middle East.
Search engine poisoning: counterfeit Oracle SQL Developer page
The most notable operational shift appeared in April, when the actor abandoned its usual job‑lure phishes and instead published a counterfeit download page impersonating Oracle's SQL Developer database tool. The attackers registered dozens of domains that redirected to the bogus site and saturated those pages with search keywords to climb rankings. At the time of Check Point’s analysis, the counterfeit site ranked highly on Bing and DuckDuckGo for searches related to the legitimate software. Check Point noted this was the first time it had observed the group using search engine poisoning rather than direct phishing to reach victims.
Phishing, trojanized installers and OnlyOffice distribution
Earlier waves in the campaign used the group's more familiar delivery methods. Check Point documented a trojanized Zoom installer distributed through fake meeting invitations and ZIP archives hosted on the OnlyOffice platform. Many of the campaign's lures adhered to the career‑themed phishing style Nimbus Manticore has historically run against defense, aviation and telecommunications targets.
MiniFast backdoor and AppDomain hijacking technique
The operation introduced a previously undocumented backdoor that Check Point named MiniFast, which replaces the MiniJunk family the group used through 2025. MiniFast is a 64‑bit Windows DLL that functions as a full‑featured implant. It communicates with its command‑and‑control server over JSON while disguising its traffic as a Chrome browser. Its opcode‑driven command set includes shell execution, file transfer, process control and scheduled‑task persistence.
Across the campaign the actor also relied on AppDomain hijacking, a technique that loads a malicious DLL into a trusted .NET application by planting a tampered configuration file beside it. Check Point’s writeup describes that combination of loader techniques and the MiniFast implant as central to the group’s ability to persist and execute in targeted environments.
AI fingerprints in tooling and implications for operational tempo
Check Point assessed that both the loaders and the MiniFast backdoor bear hallmarks of AI‑assisted development. Their indicators included excessive error handling around trivial functions, verbose and repetitive naming patterns, and debug‑style status strings scattered through the code. The researchers concluded those features likely helped the group sustain rapid tooling development and a high operational tempo even under wartime pressure.
What this means for US aviation, security teams, and Oracle
- US aviation: The campaign’s targeted impersonations of aviation firms and software providers indicate a direct effort to reach aviation‑sector personnel across the United States, Europe and the Middle East; organizations in aviation should treat both traditional phishing and poisoned search results as active threats.
- Security teams and technologists: Defenders will need telemetry capable of detecting AppDomain hijacking and DLL side‑loading, as well as behavioral C2 indicators such as JSON‑over‑HTTP traffic disguised as legitimate browser connections — traits Check Point associated with MiniFast.
- Oracle and software vendors: The use of a counterfeit Oracle SQL Developer download page underscores the risk posed by imitation download sites and SEO‑based distribution; accurate mitigation will require close monitoring of registrar activity, domain takedowns and search‑engine listings.
The campaign documented by Check Point blends old and new: familiar career‑lure phishing and trojanized installers alongside a first‑observed pivot to search engine poisoning and a reportedly AI‑assisted new backdoor. That mix appears to have delivered both breadth — via poisoned search rankings and fake downloads — and depth, through AppDomain hijacking and a feature‑rich implant. Whether other actors follow suit, or Nimbus Manticore refines MiniFast further, remains an open question anchored in the technical details Check Point published.
Source: Infosecurity Magazine — Iranian Hackers Target US Aviation




