Iranian Hackers Exploit Fake Job Offers to Target Europe’s Key Industries

A group of Iranian hackers, identified as Nimbus Manticore, is broadening its activities with a new focus on major enterprises across Europe. Recent findings from cybersecurity firm Check Point Research (CPR) indicate that this group is particularly targeting organizations within the defense, telecommunications, and aerospace sectors to obtain sensitive data.

Also known by the designations UNC1549 or Smoke Sandstorm, Nimbus Manticore has been under scrutiny since early 2025 and previously orchestrated the Iranian Dream Job campaign. Such operations align with the strategic intelligence-gathering objectives of Iran’s Islamic Revolutionary Guard Corps (IRGC), especially during periods of increased geopolitical strain.

Understanding the Attack Flow

The attack methodology begins with a seemingly genuine email invitation for a job application. This communication redirects victims to a counterfeit website that is skillfully crafted using a React template to resemble that of reputable companies, including Boeing, Airbus, and flydubai.

Email lure (source: CPR)

To enhance legitimacy, recipients are provided with unique login credentials for site access. These career-oriented websites are registered through Cloudflare to obscure the actual server location. Upon logging in, unsuspecting users are misled into downloading a malicious file that initiates a series of complex actions designed to infect their system.

Research from CPR illustrates that the downloaded file—packaged as a compressed ZIP archive—contains a seemingly harmless program (setup.exe). However, this program discreetly installs and executes additional malicious components, including a backdoor, thus enabling the attackers to gain control of the system and establish communication with their servers.

Attack Chain (Source: CPR)
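A defender-side triage check for the delivery step described above, as an added example that is not taken from CPR's report or the original article: it lists the members of a downloaded ZIP that are Windows executables, judged by extension or by PE header, so that an installer such as setup.exe is flagged before a user runs it. The extension set, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import struct
import zipfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}  # assumption: extensions treated as executable


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_zip(blob: bytes, head: int = 4096) -> list[dict]:
    """Return one finding per member that is a PE file or has an executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                pe = is_pe(fh.read(head))  # only the header region is read
            ext = posixpath.splitext(info.filename.lower())[1]
            if pe or ext in EXEC_EXTS:
                findings.append({
                    "member": info.filename,
                    "is_pe": pe,
                    # PE content behind a non-executable extension is the stronger signal
                    "disguised": pe and ext not in EXEC_EXTS,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: stub PE headers only, no real code."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Application/setup.exe", stub)
        zf.writestr("Application/readme.dat", stub)  # PE bytes, benign-looking extension
        zf.writestr("Application/job_description.txt", b"Senior engineer role")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Findings from a check like this are a reason to quarantine or detonate the archive in a sandbox, not proof of malice, since legitimate installers are also shipped as ZIP files.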

Innovative Tools and Expanding Targets

Within the downloaded package, the attackers include an evolved variant of the older Minibike malware (also referred to as SlugResin). The new version, called MiniJunk, shows a notable increase in sophistication and reflects the group’s intent to avoid detection. Another tool, MiniBrowse, is designed to stealthily capture critical data such as passwords.

While Nimbus Manticore has historically focused on the Middle East, particularly Israel and the UAE, its newfound emphasis on European targets marks a significant shift. Notably, the group has been detected in nations such as Denmark, Sweden, and Portugal.

Additionally, the report highlights a parallel and less sophisticated campaign, with attackers impersonating HR recruiters, likely initiating contact through platforms like LinkedIn before transitioning to email. This separate set of activities, previously detailed by another firm, employs spear-phishing tactics using simpler tools but maintains the same goal of acquiring unauthorized access.

As Check Point Research continues to monitor Nimbus Manticore’s operations, the firm advises that organizations must bolster their defenses proactively. Preventative measures should focus on thwarting these attacks before fake emails or malicious files can reach unsuspecting employees, emphasizing the need for robust cybersecurity strategies.
