Multi-Stage DLL Sideloading: A Stealthy Malware Delivery Mechanism

The defense, aerospace, telecommunications, and aviation industries are the targets of a sophisticated cyber-espionage campaign by Nimbus Manticore, an Iranian state-affiliated APT outfit that has recently turned its attention to Western Europe. Through fraudulent employment portals that imitate well-known corporations like Boeing and Airbus, the criminal network launches customized spear-phishing attacks. A multi-stage DLL sideloading infection chain is started when victims are duped into downloading malicious archives. The MiniJunk backdoor and MiniBrowse stealer are part of the malware toolset; they are both highly obfuscated to avoid detection.

Technical Description

Nimbus Manticore uses spear-phishing to distribute malicious archives that start a multi-stage DLL sideloading chain built on undocumented low-level Windows APIs. To avoid detection, the campaign relies on obfuscated payloads such as MiniJunk and MiniBrowse, on signed binaries, and on cloud-hosted C2 infrastructure. This shows a high degree of operational security, persistence, and stealth, in line with sophisticated nation-state threats.

Delivery and Infection Chain:

Nimbus Manticore's campaign begins with targeted spear-phishing in which the attackers pose as HR recruiters from defense and aerospace firms. Victims are lured to fake career portals built as React-based websites, frequently imitating companies such as Boeing, Airbus, or flydubai. Issuing each victim unique login credentials lets the attackers control malware delivery.

After logging in, victims download a malicious ZIP archive containing malicious DLLs (userenv.dll, xmllite.dll) alongside a genuine program (Setup.exe). The malware then runs a multi-stage DLL sideloading chain:

  • Step 1: Setup.exe sideloads one of the bundled malicious DLLs.
  • Step 2: A second executable is launched, which sideloads xmllite.dll.
  • Step 3: The backdoor establishes persistence through a scheduled task and is renamed MigAutoPlay.exe.

The chain manipulates the DLL search order by abusing undocumented low-level NT APIs, which permits sideloading from directories under the control of the attacker.
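The load pattern the chain relies on (a system DLL name resolving from the application's own directory instead of System32) is exactly what image-load telemetry can expose. The following is an added detection example, not code from the advisory: it screens Sysmon-style image-load records (Sysmon's Image / ImageLoaded / Signed fields) and flags the sideloading pattern; the sample records are constructed, and the extra DLL names beyond userenv.dll and xmllite.dll are assumptions.

```python
import ntpath
import re

# DLL names the advisory says the chain sideloads, plus two other commonly
# abused system DLL names (assumption: extend from your own System32 inventory).
SYSTEM_DLL_NAMES = {"userenv.dll", "xmllite.dll", "version.dll", "dbghelp.dll"}
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Parse key="value" pairs from one Sysmon-like image-load record."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}

def sideload_finding(event):
    """Return a reason string if the load looks like sideloading, else None."""
    dll_path = event.get("imageloaded", "")
    exe_path = event.get("image", "")
    dll_name = ntpath.basename(dll_path).lower()
    if dll_name not in SYSTEM_DLL_NAMES:
        return None
    dll_dir = ntpath.normpath(ntpath.dirname(dll_path)).lower()
    if dll_dir in TRUSTED_DLL_DIRS:
        return None  # resolved from the OS directory: the expected case
    exe_dir = ntpath.normpath(ntpath.dirname(exe_path)).lower()
    if dll_dir == exe_dir:
        # The search order resolved a system DLL name next to the EXE: the
        # pattern the advisory describes (Setup.exe -> userenv.dll / xmllite.dll).
        return f"{dll_name} sideloaded by {ntpath.basename(exe_path)} from {exe_dir}"
    if event.get("signed", "").lower() == "false":
        return f"unsigned {dll_name} loaded from non-system dir {dll_dir}"
    return None

def scan(lines):
    return [f for f in (sideload_finding(parse_event(l)) for l in lines) if f]

# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    r'Image="C:\Users\jdoe\Downloads\Airbus_Careers\Setup.exe" '
    r'ImageLoaded="C:\Users\jdoe\Downloads\Airbus_Careers\userenv.dll" Signed="false"',
    r'Image="C:\Windows\System32\notepad.exe" '
    r'ImageLoaded="C:\Windows\System32\userenv.dll" Signed="true"',
    r'Image="C:\Users\jdoe\AppData\Local\Mig\MigAutoPlay.exe" '
    r'ImageLoaded="C:\Users\jdoe\AppData\Local\Mig\xmllite.dll" Signed="true"',
    r'Image="C:\Program Files\App\app.exe" '
    r'ImageLoaded="C:\Program Files\App\plugin.dll" Signed="false"',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Note that the third record is flagged even though the DLL is signed: the advisory's point is that code signing lowers detection rates, so the rule keys on where a system DLL name was resolved from, not on the signature alone.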

Technical Capabilities:

Nimbus Manticore employs a distinctive multi-stage DLL sideloading chain built on undocumented NT APIs; the components of its toolset are described below.

Primary Backdoor: MiniJunk

  • Gathers system information (computer name, domain, and username).
  • Loads DLLs, reads and writes files, and runs processes.
  • Uses disguised HTTPS for C2 communication.
  • Allows command chaining using encoded strings (##cmd##arg, for example).

Stealer: MiniBrowse

  • Steals stored credentials by injecting into Chrome and Edge.
  • Exfiltrates data over HTTP POST or named pipes.
  • Identifies browser login information and sends it to the C2.

Obfuscation Techniques

  • Strong LLVM-level obfuscation: encrypted strings, opaque predicates, and junk code
  • Obfuscation of function calls and control flows
  • Inflated binary sizes to evade antivirus heuristic scanning thresholds
  • Binaries that have been signed (for example, using SSL.com) to lower detection rates

Persistence

  • Autorun registry keys and scheduled tasks.
  • Fake error pop-ups shown after infection to disguise the compromise

Attribution and Evolution:

This campaign is attributed to an APT group with ties to Iran that is connected to UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. The outfit consistently aligns itself with the intelligence goals of the IRGC and exhibits capabilities at the nation-state level. Its malware has greatly improved in terms of stealth, modularity, and obfuscation, especially MiniJunk and MiniBrowse. Advanced development maturity is demonstrated by the usage of low-level API abuse, code signing, and unique DLL sideloading. Dynamic infrastructure transitions to Azure and Cloudflare for resilience are part of the campaign’s evolution. The tooling indicates access to specialized resources and continuous development cycles, reflecting continuous improvement.

Active Campaign and Geographic Spread:

A significant shift in attention toward Western Europe is evident in Nimbus Manticore's most recent campaign, which specifically targets Denmark, Sweden, and Portugal. Earlier operations focused mostly on the Middle East, frequently targeting Israel and the United Arab Emirates; recent spear-phishing incidents and phony recruitment websites tied to European defense and telecom businesses indicate a deliberate geographic expansion. The lures appear highly targeted, frequently aimed at people working in the airline, satellite, telecommunications, and aerospace industries. To attract European job seekers, the delivery infrastructure, such as career-themed websites that mimic well-known firms like Airbus, Boeing, or Rheinmetall, is frequently localized.

Conclusion:

With its destructive character, Nimbus Manticore’s activities closely match Iran’s strategic intelligence aims, exhibiting the characteristics of a well-funded, extremely competent nation-state APT. Its use of cloud-native infrastructure, sophisticated evasion strategies, and customized payloads suggests a mature threat actor with the ability to conduct persistent and covert cyber espionage operations across several industries and regions.

Impact

Because Nimbus Manticore targets the aerospace, defense, telecom, and aviation industries, it poses a significant threat to national security sectors. Credential stealers such as MiniBrowse give the actor access to user data and sensitive systems, while MiniJunk provides file access, persistent access, and remote command execution. Signed binaries and cloud-based infrastructure greatly lower detection rates. Together, these capabilities enable data exfiltration and long-term surveillance, so the impact extends beyond technical compromise to geopolitical intelligence collection.

IOC and Context Details

Tactic Names: Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Command & Control, Exfiltration

Technique Names:
  • Initial Access: Spearphishing via Service
  • Execution: DLL Side-Loading, Trusted Process Abuse
  • Persistence: Registry modification, Scheduled Tasks
  • Defense Evasion: Code signing abuse, binary inflation, obfuscation
  • Credential Access: Browser credential theft
  • Command & Control: Cloud-based C2 (Azure / Cloudflare)

Sub-Technique Names:
  • Multi-stage DLL side-loading using manipulated DllPath via NT APIs
  • Use of legitimately signed binaries (trusted CA abuse)
  • Browser injection targeting Chrome and Edge credential stores
  • Persistence via Scheduled Tasks and Registry autoruns
  • Named-pipe and HTTPS-based encrypted exfiltration

Attack Type: Malware
Targeted Applications: Windows OS, Google Chrome, Microsoft Edge, Azure App Service, React-based web lures
Region Impacted: Western Europe, Middle East
Industry Impacted: Defense manufacturing, Aerospace, Telecommunications (including satellite providers), Aviation / Airlines

IOCs
File Hashes (SHA-256):
(list truncated here for readability – retain full list in SOC tooling)

Domains / Infrastructure:
(numerous Azure App Service look-alike domains used as lures and C2)
CVE: N/A

Recommended Actions

  • Enforce strict application whitelisting to prevent unauthorized DLL and executable loading.
  • Update endpoint security software frequently so it can identify disguised malware variants such as MiniJunk and MiniBrowse.
  • Raise employee awareness of fraudulent job-related lures and conduct simulated spear-phishing tests.
  • Monitor and restrict access to cloud services, such as Azure and Cloudflare, that are frequently abused for C2 infrastructure.
  • Enable detailed telemetry and logging for scheduled task creation, DLL loading, and process creation.
  • Deploy YARA and behavioral detection rules targeting process anomalies and unusual DLL sideloading chains.
  • Enforce multi-factor authentication (MFA) on all critical systems to limit lateral movement after an infection.
  • Inspect DNS and HTTPS traffic for suspicious hostnames that resemble healthcare- or career-themed subdomains.
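The DNS heuristic in the last recommendation, written out as an added example that is not part of the advisory: it screens DNS query logs for two lure patterns the advisory describes, a targeted-industry brand name appearing in a hostname outside that brand's legitimate domain, and career- or healthcare-themed names on shared cloud hosting. The brand-to-domain map and the keyword list are assumptions; the log lines are constructed, with three hostnames taken from the advisory's IOC list.

```python
import re

# Assumption: the legitimate registrable domain for each brand named in the advisory.
LEGIT_DOMAINS = {"boeing": "boeing.com", "airbus": "airbus.com",
                 "rheinmetall": "rheinmetall.com", "flydubai": "flydubai.com"}
# Assumption: theme words seen in the advisory's career and healthcare lure names.
LURE_WORDS = ("career", "job", "talent", "recruit", "clinic", "heal", "med",
              "shelter", "asylum")
SHARED_HOSTING = (".azurewebsites.net", ".cloudapp.azure.com")

def registrable_domain(host):
    """Naive eTLD+1; assumption: ignores multi-label suffixes such as .co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def classify(host):
    """Return a label for a suspicious hostname, or None if nothing matched."""
    h = host.lower()
    reg = registrable_domain(h)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in h and reg != legit:
            return f"brand-lookalike:{brand}"
    if h.endswith(SHARED_HOSTING) and any(w in h.split(".")[0] for w in LURE_WORDS):
        return "themed-shared-hosting"
    return None

def scan_dns(lines):
    """Yield (hostname, label) for each query line that classify() flags."""
    findings = []
    for line in lines:
        m = re.search(r"query:\s+(\S+)", line)
        if m and (label := classify(m.group(1))):
            findings.append((m.group(1), label))
    return findings

# Constructed log lines; the second is a benign control, not an indicator.
SAMPLE_DNS = [
    "2025-09-23T10:01:02Z client 10.0.0.5 query: boeing-careers.com",
    "2025-09-23T10:01:09Z client 10.0.0.5 query: careers.boeing.com",
    "2025-09-23T10:02:11Z client 10.0.0.7 query: airbus.global-careers.com",
    "2025-09-23T10:03:40Z client 10.0.0.7 query: clinichaven.azurewebsites.net",
    "2025-09-23T10:04:01Z client 10.0.0.9 query: intranet.example.com",
]

if __name__ == "__main__":
    for host, label in scan_dns(SAMPLE_DNS):
        print(f"{label:24} {host}")
```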
