Businesses that downloaded Zoom from unofficial sources earlier this year may have inadvertently exposed their devices to malware associated with the Iranian hacking group, Nimbus Manticore.
Check Point Research (CPR) has recently highlighted a series of cyberattacks orchestrated by Nimbus Manticore, also identified as UNC1549, which is linked to the Islamic Revolutionary Guard Corps (IRGC). This group has demonstrated heightened activity from February through April 2026, coinciding with significant military tensions following Operation Epic Fury launched on February 28, 2026.
Originally targeting organizations in Israel and the UAE, Nimbus Manticore has broadened its operational scope to reach aviation and software companies in the United States. These developments suggest a strategic shift in their focus and objectives.
Fake Job Offers and Zoom Invitations
As detailed in CPR’s analysis, the group initiated its campaign in February 2026 by disseminating fraudulent job offers to individuals in Saudi Arabia and Australia via OnlyOffice. Victims who downloaded the accompanying ZIP archive unwittingly triggered AppDomain hijacking: the attackers had replaced a legitimate configuration file with a malicious one. This ploy caused a malicious DLL (uevmonitor.dll) to be loaded, which subsequently deployed the MiniJunk malware.
By March 2026, the group adapted its tactics by sending counterfeit Zoom meeting invitations that included a ZIP file named Zoominstall64.zip. Once opened, the file started a legitimate Zoom installation process (Zoom_cm.exe) while concurrently using AppDomain hijacking to install a backdoor called MiniFast through InitInstall.dll. This backdoor even ran a real Windows scheduled task (ZoomUpdateTaskUser) to keep itself concealed.
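Both campaigns above rely on the same mechanism: a .NET application’s `<exe>.config` file is swapped for one whose `<runtime>` section names an AppDomain manager assembly, so the CLR loads that DLL before the application’s own code runs. The following detection script is an added example, not code from CPR or from the campaign; the config contents and the assembly name `loader_stub` are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the campaign): a hijacked one whose <runtime>
# section names an AppDomain manager, and a benign one that only pins the runtime.
HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="loader_stub, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Stub.Entry" />
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
</configuration>"""

def inspect_config(xml_text):
    """Return the AppDomain manager assembly/type a config asks the CLR to load, or None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None  # ordinary config: no manager redirection
    return {"assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None}

def scan_directory(root_dir):
    """Walk root_dir; report every *.config that redirects the AppDomain manager and
    whether the named assembly sits beside it (the side-loaded DLL shipped in the ZIP)."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                finding = inspect_config(fh.read())
            if finding:
                simple = (finding["assembly"] or "").split(",")[0].strip()
                finding["dll_present"] = bool(simple) and os.path.exists(os.path.join(dirpath, simple + ".dll"))
                hits.append((path, finding))
    return hits
```

Running `scan_directory` over an unpacked installer archive or a user's Downloads folder surfaces any config that names an AppDomain manager; a legitimate installer almost never needs one, so each hit deserves a look at the named DLL.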
Search Engine Manipulation
The MiniFast malware shows characteristics indicative of AI-assisted development: its code is notably well organized and includes extensive error handling even for routine operations such as GetUserName, traits consistent with rapid tool development amid the ongoing conflict. Once operational, MiniFast gives attackers full remote control through cmd.exe while camouflaging its network traffic as Google Chrome browser activity.
In April, the group shifted from email-based tactics to search engine optimization (SEO) exploitation, launching a deceptive website to impersonate Oracle’s SQL Developer software. By registering multiple interconnected domains and employing keyword stuffing, they elevated the scam site in Bing and DuckDuckGo search results, effectively luring developers into downloading the MiniFast backdoor directly.
The Implications
Check Point Research suggests that the pressures of wartime have indeed accelerated Nimbus Manticore’s operational capabilities. By leveraging AI-driven coding alongside aggressive public search engine manipulation, the group has circumvented traditional email tactics to expedite system compromises, expanding its ambitions beyond regional espionage towards broader cyber warfare objectives.