"We found strong indicators that Nimbus Manticore used AI tools to write malware faster," Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Hacker News.
Nimbus Manticore and the pattern of targets
The Iranian state‑sponsored group known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been tied to a wave of espionage campaigns that increased after the joint U.S.‑Israeli military campaign against Iran in late February 2026, according to reporting based on Check Point and Palo Alto Networks Unit 42 research. The actor has focused on organizations and employees in aviation, software, defense and telecommunications sectors across the U.S., Europe and the Middle East, with previously observed targets including entities in Saudi Arabia, Australia, Israel and the United Arab Emirates. Unit 42 said the group deployed two families of RAT variants across entities in up to five different countries, and that among those targeted was a U.S. oil and gas firm.
MiniFast: a backdoor with signs of AI‑assisted development
Check Point described a newly observed backdoor, MiniFast (aka MiniUpdate), as a "fully featured backdoor designed for long‑term persistence and remote command execution." The malware communicates over HTTP to fetch tasks, upload results, exfiltrate files, and download additional payloads, and it beacons basic system information to an operator before entering its tasking loop.
Check Point highlighted several technical markers it interpreted as evidence of AI assistance during development: excessive error handling and defensive programming logic; repetitive function and method naming patterns with descriptive or verbose identifiers; a number of detailed error‑reporting strings and debug‑style status messages; and modular code organization despite overall simplicity.
MiniFast's capabilities, as enumerated in the reporting, include file operations, directory listings, process enumeration, command execution via "cmd.exe", process termination by PID, DLL loading, ZIP archive creation, establishing persistence through scheduled tasks, privilege escalation using the "runas" command, and the ability to update beacon polling intervals and jitter to randomize communications.
Attack chains: AppDomain hijacking, trojanized installers and SEO poisoning
The group has shifted techniques across three waves spanning February through April 2026. In February, attackers used AppDomain hijacking to deliver a remote access trojan called MiniJunk by tricking victims into running a benign executable inside a ZIP file hosted on OnlyOffice; that benign executable then launched a rogue MiniJunk DLL.
In March, the actor repeated the AppDomain hijacking technique but introduced a trojanized Zoom installer as part of the sequence. The trojanized installer launched a binary that then used AppDomain hijacking to deploy MiniFast. Check Point said the March activity is suspected to have come from phishing that used fake meeting invitations.
April marked the group's first observed use of search‑engine optimization abuse to deliver malware. Check Point reported a fake download page built to impersonate Oracle's SQL Developer; the attackers registered dozens of domains linking to the bogus site (getsqldeveloper[.]com) to manipulate link‑based reputation signals and increase the page's visibility on Bing and DuckDuckGo. Visitors who reached the page via SEO poisoning were duped into downloading a weaponized installer that delivered MiniFast.
MiniJunk V2, MiniUpdate, and tailored social engineering
Palo Alto Networks Unit 42 tracked related tooling, reporting use of MiniUpdate (an alternative name for MiniFast) and an updated MiniJunk called MiniJunk V2. Unit 42 stressed that a defining characteristic of recent campaigns is "the deep personalization of the attackers' lures," using fake job requisitions and spoofed video‑conferencing meeting invitations to trick individuals into initiating the infection chain.
Unit 42 also noted an operational tempo increase after the February 2026 regional conflict began, saying "the group has increased its operations since the regional conflict that started in February 2026, deploying two families of RAT variants across entities in up to five different countries."
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect multipart attack chains that blend social engineering (career lures, spoofed meeting invites) with both traditional hijacking techniques (AppDomain hijacking) and web‑based distribution (trojanized installers and SEO‑poisoned download pages). Monitoring for anomalous scheduled tasks, unusual HTTP beaconing, and unexpected DLL loading were highlighted behaviors tied to MiniFast.
- Policymakers and regulators: The campaigns show a cross‑border targeting pattern and the use of non‑traditional distribution such as manipulated search‑engine visibility. Unit 42's and Check Point's findings point to an acceleration of operations following regional conflict, a dynamic that may shape how authorities prioritize threat intelligence sharing and incident response coordination.
- Affected enterprises (aviation, software, energy): The campaign's lure personalization — fake job offers and meeting invitations — means employee‑facing controls and verification of download sources remain critical. Unit 42 and Check Point both highlighted that developers and other technical staff are attractive targets precisely because they search for common software and may land poisoned pages.
Beyond data theft or persistent access, the reporting also tied broader Iranian‑linked activity to attempts to tamper with operational systems. CNN reported, citing unnamed sources, that Iranian hackers are suspected of exploiting automatic tank gauge systems at U.S. gas stations that were online and unprotected by passwords, in some cases altering display readings though not the actual fuel levels.
Taken together, the three documented waves — AppDomain hijacking to drop MiniJunk, the March introduction of MiniFast via a trojanized Zoom installer, and April's SEO‑poisoned SQL Developer page — show a group iterating quickly on delivery methods while expanding capabilities. As Check Point observed, the conflict did not pause operations; the actor built and deployed new tooling "mid‑conflict" and experimented with different playbooks to reach its targets.
Source: The Hacker News — Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning




