Check Point Research (CPR) has published new findings on Nimbus Manticore, an Iranian state-aligned APT group overlapping with UNC1549, Smoke Sandstorm, and the infamous “Iranian Dream Job” operations. The campaign, active since early 2025, has intensified its focus on Western Europe, targeting telecommunications, aerospace, and defense manufacturers in line with IRGC strategic priorities.
According to CPR, “Nimbus Manticore’s recent activity indicates a heightened focus on Western Europe, specifically Denmark, Sweden, and Portugal. The threat actor impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.”
As with earlier Dream Job campaigns, Nimbus Manticore relies on highly tailored spear-phishing. Victims receive messages from supposed HR recruiters directing them to fake career portals.
The report highlights, “Each target receives a unique URL and credentials, enabling tracking and controlled access of each victim. This approach demonstrates strong OPSEC and credible pretexting.”
These portals are built on React templates that mimic well-known defense and aerospace firms such as Boeing, Airbus, Rheinmetall, and Flydubai. Once victims log in, they are prompted to download a malicious archive, often disguised as Survey.zip, which triggers the infection chain.

The infection chain uses a previously undocumented low-level API abuse to establish persistence:
- The victim runs Setup.exe, a legitimate Windows binary.
- It sideloads userenv.dll from the malicious archive.
- This DLL launches SenseSampleUploader.exe, a legitimate Windows Defender component.
- That component sideloads xmllite.dll, the malware loader.
- Persistence is established by copying the files into %AppData%\Local\Microsoft\MigAutoPlay\ and creating a scheduled task.
By abusing NTDLL APIs to modify the DllPath parameter, the attackers trick Windows into loading their malicious DLLs from the archive directory rather than the standard system path.
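One way a defender can hunt for the side-loading pattern described above, as an added example that is not part of CPR's report or this article: scan image-load telemetry (Sysmon Event ID 7 exposes the Image and ImageLoaded fields used here) and flag a DLL whose name matches a Windows system DLL (userenv.dll and xmllite.dll are the names the article gives) when it is loaded from any directory other than System32 or SysWOW64, plus anything under the MigAutoPlay persistence directory the article names. The record format, file paths and user name are constructed for illustration.

```python
"""Hunt for the DLL side-loading chain described in the article.

Added example, not CPR's code.  Input is a list of constructed
'Key=Value;Key=Value' records carrying the Sysmon Event ID 7 fields
Image (loading process) and ImageLoaded (DLL path).
"""
import ntpath
import re
from dataclasses import dataclass

# DLL names the article reports being side-loaded; extend with any DLL
# that legitimately lives only in the Windows system directories.
SYSTEM_DLL_NAMES = {"userenv.dll", "xmllite.dll"}

# Directories from which those DLLs are expected to be loaded.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Persistence directory named in the article (per-user AppData expanded).
PERSISTENCE_DIR_RE = re.compile(
    r"\\appdata\\local\\microsoft\\migautoplay\\", re.IGNORECASE
)


@dataclass
class ImageLoad:
    image: str         # loading process (Sysmon "Image")
    image_loaded: str  # DLL path (Sysmon "ImageLoaded")


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Key=Value;Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return ImageLoad(image=fields["Image"], image_loaded=fields["ImageLoaded"])


def _norm(path: str) -> str:
    # ntpath handles Windows-style paths on any host OS.
    return ntpath.normpath(path).lower()


def sideload_reasons(rec: ImageLoad) -> list[str]:
    """Return why a record looks like side-loading (empty list = benign)."""
    reasons = []
    dll = _norm(rec.image_loaded)
    name = ntpath.basename(dll)
    if name in SYSTEM_DLL_NAMES and not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"system DLL {name} loaded from {ntpath.dirname(dll)}")
    for label, path in (("image", rec.image), ("dll", rec.image_loaded)):
        if PERSISTENCE_DIR_RE.search(path):
            reasons.append(f"{label} under MigAutoPlay persistence directory")
    return reasons


def scan(lines):
    """Return (record, reasons) for every suspicious record in order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = sideload_reasons(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


# Constructed sample events; paths are illustrative, not from the report.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\explorer.exe;ImageLoaded=C:\Windows\System32\userenv.dll",
    r"Image=C:\Users\alice\Downloads\Survey\Setup.exe;"
    r"ImageLoaded=C:\Users\alice\Downloads\Survey\userenv.dll",
    r"Image=C:\Users\alice\Downloads\Survey\SenseSampleUploader.exe;"
    r"ImageLoaded=C:\Users\alice\Downloads\Survey\xmllite.dll",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\SenseSampleUploader.exe;"
    r"ImageLoaded=C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\xmllite.dll",
]

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_EVENTS):
        print(rec.image, "->", rec.image_loaded)
        for reason in reasons:
            print("   ", reason)
```

The first sample record (explorer.exe loading userenv.dll from System32) is the benign baseline and produces no hit; the remaining three reproduce the archive-directory loads and the MigAutoPlay copy. The name-versus-directory check is deliberately simple: the loader binaries themselves are legitimate, so the process name alone is not a useful signal, while a system DLL name resolving outside the system directories is.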
Once persistence is achieved, the MiniJunk backdoor activates.
CPR describes it as “a heavily obfuscated backdoor that collects the computer name and domain name with the username… it supports typical commands such as reading, writing, and deleting files, process execution, DLL loading, and file exfiltration.”
The malware relies on multiple C2 servers for redundancy and encodes its traffic rather than encrypting it, making static detection harder. Obfuscation techniques include junk code insertion, opaque predicates, control-flow manipulation, and encrypted strings.
In parallel, Nimbus Manticore deploys MiniBrowse, a stealer injected into Chrome and Edge processes.
According to the report, “MiniBrowse is a lightweight stealer… it collects username and domain name, then exfiltrates Chrome or Edge stored passwords via POST requests or named pipes.”
A notable feature is its C2 logic: the malware continues execution only if the C2 returns any HTTP code other than 200, a stealthy method to evade basic monitoring.
The group’s malware has grown increasingly sophisticated:
- Compiler-level obfuscation using custom LLVM passes.
- Code signing through SSL.com to reduce detection.
- Binary size inflation to evade antivirus engines that cap deep analysis.
The report notes, “Large malware files often have lower endpoint detection… Nimbus Manticore exploits this by inflating binaries with inert junk code blocks.”
While Israel and the UAE remain frequent targets, recent operations show a pivot toward Europe. CPR found correlations between fake telecom job portals and spear-phishing attempts against European satellite providers, defense contractors, and airlines.
This aligns with Iran’s long-term intelligence-gathering objectives. As CPR concludes, “Overall, the campaign reflects a mature, well-resourced actor prioritizing stealth, resiliency, and operational security across delivery, infrastructure, and payload layers, an approach consistent with nation-state tradecraft.”