Nimbus Manticore Targets Defense and Telecom Industries with New Malware Attack
gbhackers

Check Point Research has identified a long-running campaign by the Iranian-aligned threat actor Nimbus Manticore (also known as UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operation) targeting defense manufacturers, telecommunications, and aviation entities aligned with IRGC priorities.
Recent activity demonstrates a sharpened focus on Western Europe, notably Denmark, Sweden, and Portugal, with spear-phishing lures impersonating aerospace, defense, and telecom recruiters.
Each victim receives a unique URL and credentials for a bespoke fake career portal, showcasing advanced OPSEC and credible pretexting.
The actor leverages a previously undocumented multi-stage DLL side-loading chain that uses low-level Windows API calls, causing legitimate processes to side-load malicious libraries from attacker-controlled locations.
The primary malware toolset consists of the MiniJunk backdoor and the MiniBrowse stealer, both featuring valid digital signatures, inflated binary sizes, and sophisticated compiler-level obfuscation to evade static analysis.
Overall, this campaign reflects nation-state tradecraft emphasizing stealth, resiliency, and operational security across ...
Copyright of this story solely belongs to gbhackers.