The technique relies on a trojanized XML .config file placed in the target .NET application’s directory to load a malicious DLL at launch time.

Nimbus Manticore used a phishing lure resembling previous campaigns, targeting employees at aviation and software companies in Saudi Arabia and Australia to download a compressed ZIP archive from the OnlyOffice platform, leading to infections with a new version of the MiniJunk backdoor.

In another campaign, the APT used job lures masquerading as a US-based airline, leading to a trojanized Zoom installer. Using AppDomain hijacking, the infection chain led to the deployment of a new backdoor, named MiniFast.

Deployed as a 64-bit Windows PE DLL, the backdoor impersonates a Chrome browser and was designed for long-term persistence and remote command execution. It also allows attackers to manipulate files, exfiltrate files, enumerate and terminate processes, manipulate directories, create scheduled tasks, and deploy additional payloads.

“Nimbus Manticore demonstrated a strong ability to rapidly adapt, maintain infrastructure, and develop new tooling. We assess that this capability was likely supported, at least in part, by LLM-based tools and AI-assisted development techniques,” Check Point notes.

In April, Nimbus Manticore was seen using a fake SQL Developer download website to distribute the MiniFast backdoor. The campaign abused search engine optimization techniques, relying on dozens of domains linking to the fake website to increase its reputation.

“At the time of our analysis, the malicious domain ranked high in the results returned by multiple search engines, such as Bing and DuckDuckGo, for the query ‘sql developer’. This increased the likelihood that users searching for legitimate SQL Developer downloads would encounter the site,” Check Point notes.

While typical Nimbus Manticore operations have focused on the Middle East, Europe, and Africa, mainly targeting Israel and the United Arab Emirates, the fresh campaigns also revealed a shift towards US organizations.

“Fraudulent hiring portals impersonating aviation companies were used to target employees and organizations operating within that industry. In the current campaign, impersonating US domestic airlines suggests a deliberate focus on US-based targets,” Check Point notes.
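The .config hijack described above has a well-documented form in .NET Framework: the `appDomainManagerAssembly` and `appDomainManagerType` settings in a program's `.exe.config` make the CLR load the named assembly from the application directory before the program's own code runs. The article does not say which .config element Nimbus Manticore abused, so the following hunt script is an added example of how a defender would sweep a host for that variant; it is not Check Point's or SecurityWeek's code. The `VictimApp` folder, the `Helper` assembly name and both config files are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: an ordinary app.config with only binding/probing settings.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib"/>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed sample: AppDomainManager settings that make the CLR load Helper.dll
# from the application directory before the program's Main() runs.
TROJANIZED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Helper.Manager"/>
  </runtime>
</configuration>
"""


def local_name(tag):
    """Drop an XML namespace prefix such as '{urn:...}runtime'."""
    return tag.rsplit("}", 1)[-1]


def find_appdomain_manager(config_xml):
    """Return {'assembly': ..., 'type': ...} if <runtime> names an AppDomainManager, else {}."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    if local_name(root.tag) != "configuration":
        return {}
    hits = {}
    for runtime in root:
        if local_name(runtime.tag) != "runtime":
            continue
        for child in runtime:
            name = local_name(child.tag)
            if name == "appDomainManagerAssembly":
                hits["assembly"] = child.get("value", "")
            elif name == "appDomainManagerType":
                hits["type"] = child.get("value", "")
    return hits


def scan_directory(base):
    """Parse every *.config under base; dll_present says whether the named assembly sits beside it."""
    findings = []
    for dirpath, _dirs, files in os.walk(base):
        for fname in files:
            if not fname.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
                    hit = find_appdomain_manager(fh.read())
            except OSError:
                continue
            if not hit:
                continue
            # "Name, Version=..., Culture=..., PublicKeyToken=..." resolves to Name.dll
            simple_name = hit.get("assembly", "").split(",")[0].strip()
            dll_path = os.path.join(dirpath, simple_name + ".dll")
            findings.append({
                "config": path,
                "assembly": hit.get("assembly", ""),
                "type": hit.get("type", ""),
                "dll_present": bool(simple_name) and os.path.isfile(dll_path),
            })
    return findings


def run_demo():
    """Build a constructed application folder in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        app_dir = os.path.join(base, "VictimApp")
        os.makedirs(app_dir)
        for name, body in (("Benign.exe.config", BENIGN_CONFIG),
                           ("Victim.exe.config", TROJANIZED_CONFIG)):
            with open(os.path.join(app_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        with open(os.path.join(app_dir, "Helper.dll"), "wb") as fh:
            fh.write(b"MZ")  # stand-in for the planted DLL; content is irrelevant to the scan
        return scan_directory(base)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['config']}: loads {f['assembly']} ({f['type']}); DLL present={f['dll_present']}")
```

Point `scan_directory` at Program Files, user profile and temp directories rather than the demo folder to sweep a real host. Treat a hit as a lead, not a verdict: a small number of legitimate applications set an AppDomainManager, so compare the referenced DLL's signature and hash against the vendor's release, and pair the file sweep with the equivalent process-level check, since the same settings can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which a scan of .config files alone will not see.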

Source: SecurityWeek