Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Iranian APT Intensifies Attacks on Aviation and Software Sectors

Iranian APT Intensifies Attacks on Aviation and Software Sectors

Posted on May 26, 2026 By CWS

An Iranian Advanced Persistent Threat (APT) group, known as Nimbus Manticore, has updated its strategies and tools in recent attacks targeting aviation and software companies, according to a report by Check Point. This group, also referred to as Bohrium or Smoke Sandstorm, is associated with the larger Charming Kitten (APT35) group and is believed to be connected to Iran’s Islamic Revolutionary Guard Corps (IRGC).

Evolution of Targeting Techniques

Initially observed targeting the aerospace, aviation, and defense sectors in the Middle East and Europe, Nimbus Manticore has employed backdoors like MiniBike and MiniBus in previous operations. Notably, in November 2024, the group was accused of adopting tactics from North Korea’s Lazarus Group in a campaign against the aerospace industry. The use of fake job offers has been a recurring theme, with Google warning about their continuous targeting of defense organizations earlier this year.

Amidst escalating geopolitical tensions in the Middle East, Nimbus Manticore has shifted tactics, now utilizing AppDomain hijacking instead of the more traditional DLL sideloading for payload execution. This method manipulates a trojanized XML .config file within the target .NET application directory to load malicious DLLs upon application launch.

Phishing Campaigns and Malware Deployment

The group’s phishing campaigns have targeted employees of aviation and software firms in Saudi Arabia and Australia, enticing them to download compressed ZIP archives from the OnlyOffice platform. This leads to infections with a new variant of the MiniJunk backdoor. In another operation, the group used job lures impersonating a US airline to deploy a trojanized Zoom installer, resulting in the installation of the MiniFast backdoor.

Designed as a 64-bit Windows PE DLL, MiniFast masquerades as a Chrome browser and supports long-term persistence and remote command execution. It allows the attackers to manipulate and exfiltrate files, manage processes, create scheduled tasks, and deploy additional payloads.

Adapting to New Technologies

Check Point highlights Nimbus Manticore’s swift adaptation and infrastructure maintenance, potentially aided by LLM-based tools and AI-assisted development techniques. In April, the group was observed using a fake SQL Developer website to spread MiniFast, leveraging search engine optimization strategies to boost the site’s visibility for users searching for legitimate downloads.

Historically focusing on the Middle East, Europe, and Africa, with an emphasis on Israel and the UAE, the group’s latest campaigns show a deliberate shift towards US organizations. Check Point notes the use of fraudulent hiring portals impersonating US airlines, indicating a specific focus on US-based targets in the aviation sector.

The evolving tactics of Nimbus Manticore underscore the dynamic nature of cyber threats and the importance for organizations to remain vigilant and proactive in their cybersecurity measures.

Security Week News Tags:AppDomain hijacking, APT35, aviation sector, Cybersecurity, Iranian APT, IRGC, MiniFast backdoor, Nimbus Manticore, phishing campaigns, software companies

Post navigation

Previous Post: Critical SharePoint Flaw Allows Remote Code Execution
Next Post: NightSpire Ransomware Exploits RDP for Covert Operations

Related Posts

Navia Data Breach Affects Millions Navia Data Breach Affects Millions Security Week News
Coinbase Rejects M Ransom After Rogue Contractors Bribed to Leak Customer Data Coinbase Rejects $20M Ransom After Rogue Contractors Bribed to Leak Customer Data Security Week News
In Other News: Microsoft Finds AMD CPU Flaws, ZuRu macOS Malware Evolves, DoNot APT Targets Govs In Other News: Microsoft Finds AMD CPU Flaws, ZuRu macOS Malware Evolves, DoNot APT Targets Govs Security Week News
Palo Alto Networks Vulnerability Under Active Exploitation Palo Alto Networks Vulnerability Under Active Exploitation Security Week News
ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider Security Week News
Palo Alto Networks Vulnerability Under Active Exploitation Zero-Day Vulnerability in Gogs Allows Remote Code Execution Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark