An Iranian cyber-espionage group has adopted a novel approach to deploying malware by manipulating search engine results rather than relying on traditional phishing methods. The group, known as Nimbus Manticore, set up a counterfeit website designed to mimic an official database software download page, successfully using search engine optimization (SEO) techniques to ensure high visibility in search results.
Search Engine Manipulation Strategy
Nimbus Manticore, also identified as UNC1549, operates under the aegis of Iran’s Islamic Revolutionary Guard Corps (IRGC). Traditionally known for targeting industry professionals with phishing emails, the group’s current strategy marks a shift toward using SEO as a means to distribute malware. By ranking their fake site prominently in search results, they increase the chances of victims inadvertently downloading malware.
In a report shared by Check Point Research, researchers documented the group’s activities across three distinct phases from February to April 2026, during and after the U.S. military initiative against Iran named Operation Epic Fury. The analysis highlights the group’s adeptness at quickly adapting tools and maintaining their infrastructure even amidst military conflicts.
Details of the Malware Campaign
The recent campaign, called the “SQL Developer” campaign, unfolded in April 2026. The attackers registered a deceptive domain—getsqldeveloper[.]com—imitating a legitimate download page for Oracle’s SQL Developer. Users who accessed the site and attempted to download the software received a malicious installer, which surreptitiously deployed a backdoor known as MiniFast.
To boost the fake site’s search ranking, the attackers registered numerous additional domains that all redirected to the main page, and stuffed that page with repeated phrases such as “Download SQL Developer.” Together these signals were enough to manipulate search engines: the fake site frequently appeared at or near the top of results on Bing and DuckDuckGo.
Technical Aspects of the Attack
This campaign represents a strategic evolution for Nimbus Manticore, whose previous efforts relied on direct phishing with job-related lures. By creating a seemingly legitimate download page, the group intercepted users who were actively seeking trusted software. The malicious installer then relied on AppDomain hijacking, a .NET loading technique in which an application’s configuration points the runtime at an attacker-supplied AppDomainManager assembly. The backdoor is thereby loaded into, and runs within the context of, a genuine process, which helps it avoid immediate detection.
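The following is an added example, not code from the Check Point report or from the group’s tooling. It shows the documented .NET mechanism behind AppDomain hijacking (an `appDomainManagerAssembly`/`appDomainManagerType` pair under `<runtime>` in an `.exe.config`, or the equivalent `APPDOMAIN_MANAGER_*` environment variables) and a small hunt that flags configs registering one, which is one concrete way to act on the “anomalous DLL loading” advice later in the article. The sample configs, the `UpdateHelper` assembly name and the `KNOWN_GOOD_MANAGERS` allowlist are constructed assumptions for illustration.

```python
"""Hunt for .NET AppDomainManager hijacking ("AppDomain hijacking") in
<app>.exe.config files and process environment variables.

Added example; it is not the report's or the malware's code. It assumes the
documented CLR behaviour: when a config's <runtime> names an AppDomainManager,
the CLR loads that assembly (probing the application directory for
<SimpleName>.dll) into the legitimate process before Main() runs.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlist of AppDomainManager assemblies your estate deploys on
# purpose (some hosting products use the mechanism legitimately). Empty means
# every occurrence is reported for review.
KNOWN_GOOD_MANAGERS = set()


@dataclass
class Finding:
    config_path: str
    assembly: str       # value of <appDomainManagerAssembly>
    manager_type: str   # value of <appDomainManagerType>
    probe_dll: str      # file the CLR will look for beside the .exe
    reason: str


def parse_appdomain_manager(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) when <runtime> registers an AppDomainManager, else None."""
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "")


def probe_dll_name(assembly: str) -> str:
    """Simple assembly name -> the DLL the CLR probes for in the app base."""
    return f"{assembly.split(',', 1)[0].strip()}.dll"


def assess(config_path: str, xml_text: str) -> Optional[Finding]:
    """Turn one config file into a Finding if it registers a non-allowlisted manager."""
    hit = parse_appdomain_manager(xml_text)
    if hit is None:
        return None
    assembly, manager_type = hit
    if assembly.split(",", 1)[0].strip() in KNOWN_GOOD_MANAGERS:
        return None
    reasons = ["config registers an AppDomainManager"]
    # An unsigned (no strong-name key) manager dropped next to a trusted .exe is
    # the classic hijack shape; a signed vendor component would carry a token.
    if "publickeytoken=null" in assembly.replace(" ", "").lower():
        reasons.append("assembly has no strong-name key (PublicKeyToken=null)")
    return Finding(config_path, assembly, manager_type,
                   probe_dll_name(assembly), "; ".join(reasons))


def hunt(configs: Dict[str, str], env: Dict[str, str]) -> List[Finding]:
    """Scan a path->xml mapping plus an environment for hijack indicators."""
    findings = [f for f in (assess(p, t) for p, t in configs.items()) if f]
    # The same hijack can be set per process without touching any file.
    if env.get("APPDOMAIN_MANAGER_ASSEMBLY") or env.get("APPDOMAIN_MANAGER_TYPE"):
        asm = env.get("APPDOMAIN_MANAGER_ASSEMBLY", "")
        findings.append(Finding("<environment>", asm,
                                env.get("APPDOMAIN_MANAGER_TYPE", ""),
                                probe_dll_name(asm),
                                "APPDOMAIN_MANAGER_* environment variables set"))
    return findings


def collect_configs(root_dir: str) -> Dict[str, str]:
    """Gather every *.exe.config under root_dir for hunt(); unused by the samples."""
    found = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found[path] = fh.read()
    return found


# Constructed sample configs (not real artefacts from the campaign).
BENIGN_CONFIG = """<configuration>
  <runtime><gcServer enabled="true"/></runtime>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""

SAMPLE_CONFIGS = {
    r"C:\Tools\legit\legit.exe.config": BENIGN_CONFIG,
    r"C:\Users\victim\Downloads\sqldeveloper\sqldeveloper.exe.config": HIJACK_CONFIG,
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_CONFIGS, dict(os.environ)):
        print(f"{f.config_path}: {f.reason}; CLR will probe for {f.probe_dll}")
```

Point `collect_configs` at `C:\Program Files`, user profile directories and download folders and feed the result to `hunt`; treat any hit as a lead to review (confirm whether the probed DLL exists beside the executable and whether it is signed by the vendor), not as an automatic block, since a few legitimate hosting products register an AppDomainManager.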
The MiniFast backdoor is a full-featured implant built for sustained remote access. It communicates with its command-and-control servers over structured HTTP endpoints, disguises that traffic with a Chrome browser User-Agent string so it blends into ordinary web browsing, and supports command execution, file management, and privilege escalation.
There is evidence suggesting the malware’s development was aided by AI tools, as seen in the code’s error handling and verbose function names typical of AI-generated code. This adoption of AI technologies enables the group to accelerate tool updates, maintaining their operational effectiveness even under the pressures of wartime.
Defenders are advised to monitor for unusual task changes and for anomalous DLL loads into otherwise legitimate processes, both of which are characteristic of the group’s tradecraft. Users should also download software only from the vendor’s official site, checking the domain before clicking rather than trusting the first search result, since SEO poisoning can place a fake page ahead of the legitimate one.
