A group of Iranian hackers known as Nimbus Manticore is expanding its operations and now targets major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is going after businesses in the defense, telecommunications, and aerospace sectors to steal sensitive information.
Nimbus Manticore, also tracked as UNC1549 or Smoke Sandstorm, has been actively monitored since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran's IRGC, especially during periods of heightened geopolitical tension.[1]
Attack Flow Explained - The attack starts with a fake email inviting the target to apply for a job. This email, which looks very convincing, directs the victim to a fraudulent website built from a React template that mimics well-known companies such as Boeing, Airbus, and flydubai.
To make the site seem legitimate, each target receives a unique username and password for it. Per-target credentials also mean that anyone without them, such as an analyst or an automated crawler, sees nothing beyond the login page. These "career" themed websites are fronted by Cloudflare, which hides the IP address of the origin server. Once logged in, victims are tricked into downloading a malicious file, which starts a multi-stage chain to infect their computer.
As shown in CPR's attack flow chart, the downloaded file is a compressed ZIP archive containing a legitimate-looking program (setup.exe). Running it silently installs and launches further malicious components, including a backdoor that gives the attackers control of the host and communicates with their command-and-control servers.
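The archive pattern described above (a plausible installer bundled with further executable components) is something a mail gateway or sandbox can screen for before the file ever reaches an employee. The following Python check is an added example written for this page; it is not CPR's tooling and not code from the original article. It inspects every ZIP member by its content (the "MZ" DOS header every Windows PE file starts with) rather than by its file name, flags an installer-style executable that ships alongside other PE files, and flags PE content hiding behind a document extension. The extension list, the installer name hints, and both sample archives are assumptions constructed for the demonstration, not indicators from the report.

```python
"""Triage a ZIP attachment for the 'decoy installer plus payload' pattern.

Added example for this page: not CPR's tooling or code from the original
article. The sample archives below are constructed in memory.
"""
import io
import os
import zipfile

PE_MAGIC = b"MZ"  # DOS header that starts every Windows PE file
# Assumption: extensions that legitimately carry PE content.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl"}
# Assumption: name fragments typical of a 'benign installer' decoy.
INSTALLER_HINTS = ("setup", "install", "update")


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_zip(zip_bytes):
    """Classify every member by content, not by name, and return a verdict."""
    pe_members, installer_like, masquerading = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            stem, ext = os.path.splitext(os.path.basename(info.filename.lower()))
            if head != PE_MAGIC:
                continue
            pe_members.append(info.filename)
            if ext not in EXECUTABLE_EXTENSIONS:
                masquerading.append(info.filename)
            if any(hint in stem for hint in INSTALLER_HINTS):
                installer_like.append(info.filename)

    reasons = []
    if installer_like and len(pe_members) > 1:
        reasons.append("installer-style executable bundled with other PE files")
    if masquerading:
        reasons.append("PE content behind a non-executable extension")
    return {
        "pe_members": pe_members,
        "installer_like": installer_like,
        "masquerading": masquerading,
        "reasons": reasons,
        "verdict": "quarantine" if reasons else "allow",
    }


# Constructed sample data: a lure archive and a benign application package.
SAMPLE_LURE = {
    "setup.exe": PE_MAGIC + b"\x90" * 62,
    "helper.dll": PE_MAGIC + b"\x00" * 62,
    "job_offer.pdf": PE_MAGIC + b"\x00" * 62,  # PE bytes behind a .pdf name
    "readme.txt": b"Please run setup.exe to open the application portal.\n",
}
SAMPLE_BENIGN = {
    "cover_letter.txt": b"Dear hiring team, ...\n",
    "cv.pdf": b"%PDF-1.7\n%...\n",
}

if __name__ == "__main__":
    for label, members in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = triage_zip(build_sample_zip(members))
        print(f"{label}: {result['verdict']} {result['reasons']}")
```

The check is deliberately content-based: renaming a payload to .pdf or .txt does not hide it, and a single stand-alone executable is not flagged on its own, since that would block legitimate software downloads. In production the same hook is where you would also verify the Authenticode signature of setup.exe and detonate the archive in a sandbox.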
New Tools and Widespread Targets - Inside the downloaded archive, the hackers place malware that is an evolved variant of an older family called Minibike (also known as SlugResin). Recent activity shows a "significant leap in sophistication" with a new variant, MiniJunk, which reflects the group's efforts to evade detection. Another tool, MiniBrowse, is designed to steal sensitive data such as passwords without being noticed.
While Nimbus Manticore has a history of consistently targeting the Middle East, specifically Israel and the UAE, its new focus on Europe is a significant development. Researchers noted activity against targets in countries including Denmark, Sweden, and Portugal.
The report also notes that a parallel, simpler campaign is in use, with attackers posing as HR recruiters and likely reaching out to victims on platforms like LinkedIn before moving the conversation to email. This separate cluster of activity, previously reported by another firm, PRODAFT, also relies on spear-phishing with a less complex toolset but the same goal of stealing access.
While Check Point Research will continue to track the group's activities, the firm recommends that companies protect themselves against these attacks at the earliest stage, before the phishing emails or malicious attachments can reach employees.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a Notification and a Tier I Mitigation service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/iranian-hackers-fake-job-breach-europe-industries/