An Iranian advanced persistent threat (APT) group tracked as Nimbus Manticore has updated its tooling and tradecraft in recent attacks on aviation and software companies, according to a report by Check Point. The group, also referred to as Bohrium or Smoke Sandstorm, is associated with the larger Charming Kitten (APT35) cluster and is believed to be connected to Iran's Islamic Revolutionary Guard Corps (IRGC).
Evolution of Targeting Techniques
First observed targeting the aerospace, aviation, and defense sectors in the Middle East and Europe, Nimbus Manticore has used backdoors such as MiniBike and MiniBus in earlier operations. In November 2024 the group was reported to have borrowed tactics from North Korea's Lazarus Group in a campaign against the aerospace industry. Fake job offers have been a recurring lure, and Google warned earlier this year about the group's continued targeting of defense organizations.
Against the backdrop of escalating geopolitical tension in the Middle East, Nimbus Manticore has shifted its payload-execution technique from conventional DLL sideloading to AppDomain hijacking. Here the attacker places a trojanized XML .config file in the directory of a legitimate .NET application; when the application starts, the runtime honours the settings in that file and loads the attacker's DLL. Because only the config file and the dropped DLL are new, an integrity check that covers just the signed executable will not notice anything.
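The report excerpt does not say which config settings the group abuses, so the following is an added hunting script, not Check Point's code or anything recovered from the campaign. It uses the documented .NET Framework mechanism for this technique: a `<runtime>` section in `<app>.exe.config` containing `<appDomainManagerAssembly>` and `<appDomainManagerType>` makes the CLR load the named assembly and instantiate the named type before the application's own entry point runs. The script parses every `.config` file in a directory, flags those elements, and checks whether the referenced assembly is actually present next to the executable. The sample configs, the file names `Viewer.exe.config` and `Updater.exe.config`, and the assembly name `HelperLib` are all constructed for the demo.

```python
"""Hunt for AppDomainManager hijacking in .NET application config files.

Added example: scans a directory for <app>.exe.config / <lib>.dll.config files
whose <runtime> section points the CLR at an AppDomainManager assembly, which is
loaded before the application's own Main() runs. Sample data below is constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Runtime elements that make the CLR load an AppDomainManager assembly.
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed benign config: only an assembly-binding probing path.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed trojanized config: same shape, plus the two hijack elements.
# "HelperLib" is a hypothetical dropped assembly name.
TROJANIZED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
    <appDomainManagerAssembly value="HelperLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HelperLib.Loader" />
  </runtime>
</configuration>
"""


def local_name(tag):
    """Strip an XML namespace: '{urn:...}probing' -> 'probing'."""
    return tag.rsplit("}", 1)[-1]


def assembly_simple_name(display_name):
    """'HelperLib, Version=1.0.0.0, ...' -> 'HelperLib'."""
    return display_name.split(",", 1)[0].strip()


def inspect_config(path):
    """Return a list of findings for one .config file (empty if clean)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        # A config the CLR cannot parse is ignored by .NET, but is still odd.
        return [{"config": os.path.basename(path), "element": None,
                 "value": "unparseable XML: %s" % exc, "dll_present": None}]
    app_dir = os.path.dirname(path)
    findings = []
    for node in root.iter():
        if local_name(node.tag) != "runtime":
            continue
        for child in node:
            name = local_name(child.tag)
            if name not in HIJACK_ELEMENTS:
                continue
            finding = {"config": os.path.basename(path), "element": name,
                       "value": child.get("value", ""), "dll_present": None}
            if name == "appDomainManagerAssembly":
                # The CLR probes the application directory for <name>.dll.
                dll = os.path.join(app_dir, assembly_simple_name(finding["value"]) + ".dll")
                finding["dll_present"] = os.path.isfile(dll)
            findings.append(finding)
    return findings


def scan_directory(app_dir):
    """Inspect every *.config file directly inside app_dir."""
    findings = []
    for entry in sorted(os.listdir(app_dir)):
        if entry.lower().endswith(".config"):
            findings.extend(inspect_config(os.path.join(app_dir, entry)))
    return findings


def build_demo_dir():
    """Lay out one clean app and one hijacked app in a temp directory."""
    d = tempfile.mkdtemp(prefix="appdomain_hunt_")
    with open(os.path.join(d, "Viewer.exe.config"), "w") as f:
        f.write(BENIGN_CONFIG)
    with open(os.path.join(d, "Updater.exe.config"), "w") as f:
        f.write(TROJANIZED_CONFIG)
    # Stand-in for the dropped managed DLL (a real one is a .NET PE file).
    with open(os.path.join(d, "HelperLib.dll"), "wb") as f:
        f.write(b"MZ")
    return d


def run_demo():
    """Scan the constructed directory and return the findings."""
    return scan_directory(build_demo_dir())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against a real application directory with `scan_directory(r"C:\Program Files\Vendor\App")`. A hit where `dll_present` is true and the DLL is unsigned or newer than the executable is the pattern to escalate. The same CLR behaviour can also be triggered through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file-based check does not cover; that is a separate process-environment hunt.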
Phishing Campaigns and Malware Deployment
The group’s phishing campaigns have targeted employees of aviation and software firms in Saudi Arabia and Australia, enticing them to download compressed ZIP archives from the OnlyOffice platform. This leads to infections with a new variant of the MiniJunk backdoor. In another operation, the group used job lures impersonating a US airline to deploy a trojanized Zoom installer, resulting in the installation of the MiniFast backdoor.
MiniFast is a 64-bit Windows PE DLL that masquerades as Chrome and provides long-term persistence and remote command execution: the operators can read, write and exfiltrate files, manage processes, create scheduled tasks, and deploy additional payloads.
Adapting to New Technologies
Check Point highlights the speed with which Nimbus Manticore adapts its tooling and maintains its infrastructure, and suggests that LLM-based tools and AI-assisted development may be helping. In April the group was seen using a fake SQL Developer website to distribute MiniFast, relying on search engine optimization to push the site up the results for users looking for the legitimate download.
Historically focusing on the Middle East, Europe, and Africa, with an emphasis on Israel and the UAE, the group’s latest campaigns show a deliberate shift towards US organizations. Check Point notes the use of fraudulent hiring portals impersonating US airlines, indicating a specific focus on US-based targets in the aviation sector.
The evolving tactics of Nimbus Manticore underscore the dynamic nature of cyber threats and the importance for organizations to remain vigilant and proactive in their cybersecurity measures.
