Iran Seeks to Recruit European Aerospace Engineers Seeking Employment


Iranian Hackers Pose as Online Recruiters


Western Europeans working in aerospace, defense manufacturing and telecommunications are being targeted by Iranian state-sponsored hackers posing as online recruiters. The attackers use fake job offers, delivered by email, to get a backdoor and a credential-stealing tool onto the victim's machine.

The recruiter lure closely mirrors the fake-job phishing long used by North Korean operators. Some researchers suggest the two countries may be exchanging techniques, which would mark a notable development in Iranian tradecraft.

According to Check Point, the hackers have targeted professionals in countries including Denmark, Sweden and Portugal. Tailored phishing emails direct recipients to counterfeit job application portals that mimic established firms such as Airbus and Boeing.

Check Point tracks the group as "Nimbus Manticore" and links it to activity tracked elsewhere as UNC1549 and Smoke Sandstorm. Each target receives a personalized URL and a distinct set of login credentials for the portal, so only the intended victim can reach the download page and the attackers can control who receives the payload.

The infection chain starts with a ZIP archive containing a legitimate, signed Windows executable bundled with malicious components. The attackers abuse little-known Windows loader behavior to perform DLL hijacking, so that the legitimate program loads a malicious DLL named like a common system library. Persistence is maintained through scheduled tasks named to look like standard Windows maintenance jobs.

At the heart of the attack is the MiniJunk backdoor, an evolved iteration of the group's earlier implants, heavily obfuscated to slow reverse engineering. It collects basic system information and communicates with several command-and-control servers.

Alongside it, the hackers deploy MiniBrowse, a credential stealer that harvests logins stored by widely used web browsers. Pairing a backdoor with an infostealer gives the operators both long-term access and an immediate haul of passwords.

Notably, Nimbus Manticore signs its binaries with valid code-signing certificates, which lowers detection rates with security software that treats a valid signature as a sign of trust. The group has also moved its infrastructure behind Cloudflare and onto Microsoft Azure, which helps it blend in with legitimate traffic and makes its domains harder to suspend.
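The two detection points above, a system-named DLL loaded from a user directory (the side-loading step) and a scheduled task that mimics a Windows job while launching from a user-writable path, and the caveat that a valid signature from the wrong publisher should not clear an alert, can be hunted for in Sysmon-style telemetry. The script below is an added example written for this article, not Check Point's or the campaign's code. The log records, the DLL-name list, the publisher allowlist and the "Example Software Ltd" signer are all constructed for the example; a real deployment would read Sysmon EventID 7 (image load) and EventID 1 (process creation) from the event log or a SIEM.

```python
"""Hunt for DLL side-loading and look-alike scheduled tasks in Sysmon-style
telemetry. Added example for this article; everything below is constructed."""
import ntpath
import re

# Constructed, simplified Sysmon-style records: one event per line, key=value
# fields separated by "|" (not the real XML schema). EventID 7 = image load,
# EventID 1 = process creation.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Users\alice\Downloads\Application\setup.exe|ImageLoaded=C:\Users\alice\Downloads\Application\version.dll|Signed=true|Signature=Example Software Ltd|SignatureStatus=Valid
EventID=7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
EventID=7|Image=C:\Users\alice\Downloads\Application\setup.exe|ImageLoaded=C:\Users\alice\Downloads\Application\app.dll|Signed=false|Signature=|SignatureStatus=Unavailable
EventID=1|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn "Microsoft\Windows\Diagnostics\SystemHealth" /tr "C:\Users\alice\AppData\Local\Temp\svc\setup.exe" /sc minute /mo 15
EventID=1|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn "Backup" /tr "C:\Program Files\Vendor\backup.exe" /sc daily
"""

# Directories where a DLL carrying a Windows system name is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# System DLL names commonly used as side-loading decoys (constructed, partial list).
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dbghelp.dll", "cryptbase.dll",
                    "wininet.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll"}
# Publishers expected to sign DLLs with those names. Any other signer, even with a
# cryptographically valid signature, is treated as untrusted.
EXPECTED_SIGNERS = {"microsoft windows", "microsoft corporation"}
# User-writable roots a scheduled task should not normally launch from.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
# /tn and /tr arguments of schtasks, quoted or bare.
SCHTASKS_ARG = re.compile(r'/(tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_event(line):
    """Split one constructed record into a dict of fields."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def events(log):
    return [parse_event(l) for l in log.strip().splitlines() if l.strip()]


def classify_signature(rec):
    """'unsigned', 'expected' or 'unexpected': validity alone is not trust."""
    if rec.get("SignatureStatus") != "Valid":
        return "unsigned"
    signer = rec.get("Signature", "").strip().lower()
    return "expected" if signer in EXPECTED_SIGNERS else "unexpected"


def suspicious_image_loads(log):
    """EventID 7: a DLL named like a system DLL but loaded from outside the
    system directories. Only an expected publisher lowers it to informational."""
    findings = []
    for rec in events(log):
        if rec.get("EventID") != "7":
            continue
        loaded = rec.get("ImageLoaded", "")
        name = ntpath.basename(loaded).lower()
        if name in SYSTEM_DLL_NAMES and not loaded.lower().startswith(SYSTEM_DIRS):
            sig = classify_signature(rec)
            findings.append({"process": rec.get("Image"), "dll": loaded,
                             "signature": sig,
                             "severity": "info" if sig == "expected" else "high"})
    return findings


def parse_schtasks(cmdline):
    """Pull /tn (task name) and /tr (program to run) out of a schtasks command line."""
    args = {}
    for flag, quoted, bare in SCHTASKS_ARG.findall(cmdline):
        args[flag.lower()] = quoted or bare
    return args


def suspicious_task_creations(log):
    """EventID 1: schtasks /create whose target lives under a user-writable path,
    noting whether the task name is styled like a built-in Windows task."""
    findings = []
    for rec in events(log):
        if rec.get("EventID") != "1":
            continue
        if ntpath.basename(rec.get("Image", "")).lower() != "schtasks.exe":
            continue
        cmd = rec.get("CommandLine", "")
        if "/create" not in cmd.lower():
            continue
        args = parse_schtasks(cmd)
        target = args.get("tr", "")
        if USER_WRITABLE.match(target):
            task = args.get("tn", "")
            findings.append({"task": task, "target": target,
                             "mimics_windows_task": task.lower().startswith("microsoft\\windows\\")})
    return findings


if __name__ == "__main__":
    for finding in suspicious_image_loads(SAMPLE_LOG) + suspicious_task_creations(SAMPLE_LOG):
        print(finding)
```

On the constructed records the script raises one high-severity finding for `version.dll` loaded by `setup.exe` from the Downloads folder despite its valid, non-Microsoft signature, and one task finding for a Windows-styled task name that runs an executable out of the user's Temp directory. The same `version.dll` loaded from System32 and the vendor task under Program Files are left alone. The point of `classify_signature` is the caveat from the article: "Signed: true" and "SignatureStatus: Valid" only mean the certificate checked out, and the allowlist must be on the publisher, not on validity.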

The surge in related activity highlights the growing sophistication and persistence of Iranian state-sponsored hacking groups, and underscores the need for strong defenses, including scrutiny of unsolicited job offers, in high-risk sectors such as aerospace and defense.
