From the Middle East to Europe: Nimbus Manticore’s Expanding Cyber-Espionage Operations


Check Point Research has identified a major new campaign by Nimbus Manticore, a sophisticated Iranian threat actor. The group has historically focused on the Middle East, but its latest wave of activity demonstrates a strategic expansion into Western Europe. The campaign leverages career-themed spear-phishing lures to deliver advanced malware through multi-stage DLL sideloading chains. This evolution underscores the actor’s investment in stealth, resilience, and persistence while exploiting legitimate cloud services to evade detection.

Severity: High

Threat Details

1. Threat Actor

  • Name: Nimbus Manticore
  • Aliases: UNC1549, Smoke Sandstorm, Iranian Dream Job
  • Attribution: Iran-nexus, likely aligned with IRGC objectives
  • Objective: Cyber espionage focused on strategic sectors in Europe

2. Attack Vectors & Delivery

  • Spear-phishing: Poses as HR recruiters via LinkedIn/email, directing victims to fake job portals (career-themed domains).
  • Malware delivery: Victims receive malicious ZIP archives (e.g., Survey.zip) containing Setup.exe and sideloading DLLs.
  • Persistence: Establishes foothold by installing executables under %AppData%\Local\Microsoft\MigAutoPlay\ with scheduled tasks.

3. Malware Families

  • MiniJunk (Backdoor): Successor to Minibike/SlugResin, supports file theft, process execution, DLL loading. Heavy obfuscation, code signing via SSL.com, oversized binaries for AV evasion.
  • MiniBrowse (Stealer): Targets Chrome/Edge to exfiltrate stored credentials.
  • dxgi.dll (Cluster): Related but less obfuscated backdoor with overlapping functionality.

4. Infrastructure Abuse

  • Uses Cloudflare, Google Cloud, and Azure App Service for redundancy.
  • Domains follow career-themed or health-themed naming conventions (e.g., boeing-careers[.]com, check-backup-service[.]azurewebsites[.]net).

5. TTP Evolution

  • Adoption of undocumented Windows APIs for DLL hijacking.
  • Compiler-level obfuscation (junk code, control-flow manipulation, string encryption).
  • Code-signing with fraudulent certificates.
  • Inflated file sizes to bypass endpoint scanning.

Recommendations

  1. Educate staff on LinkedIn and email impersonation techniques used by attackers posing as HR recruiters.
  2. Detect and alert on DLLs loaded from non-standard paths, especially those with names like userenv.dll or xmllite.dll.
  3. Prevent execution of .exe or .dll files from %AppData% and %LocalAppData% via GPO or endpoint rules.
  4. Hunt for scheduled tasks & autorun entries linked to %AppData%\Local\Microsoft\MigAutoPlay.
  5. Patch all instances of Microsoft Defender ATP to reduce DLL hijacking risk.
  6. Ensure Edge and Chrome are updated, reducing exposure to browser-injected stealers.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/58f5704826612f6a63bb0a3868ff9a4105ad4b419d5c49c0635e02368af4919e/iocs
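The detection logic behind recommendations 2, 3 and 4, as an added example that is not part of the advisory or of Check Point's research: a small hunt over constructed, Sysmon-style log lines that flags userenv.dll or xmllite.dll loaded from outside the Windows system directories, process creation under AppData, and scheduled-task actions pointing into the MigAutoPlay directory. The key=value|key=value export format and the sample lines are assumptions made for the example.

```python
"""Added detection example (not from the advisory): hunts constructed
Sysmon-style lines for sideloaded userenv.dll/xmllite.dll, process
creation under AppData, and tasks whose action lives in MigAutoPlay."""
import ntpath
import re

SIDELOAD_DLLS = {"userenv.dll", "xmllite.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPDATA_RE = re.compile(r"\\appdata\\(local|roaming)\\", re.I)
# Advisory path is %AppData%\Local\Microsoft\MigAutoPlay\; match either expansion.
MIGAUTOPLAY_RE = re.compile(r"\\appdata\\.*\\microsoft\\migautoplay\\", re.I)

# Constructed samples in a simplified key=value|key=value export. EventID 7 =
# Sysmon image load, 1 = process create, 4698 = task created (Command lifted
# from the task XML). One benign and one suspicious line per rule.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\userenv.dll
EventID=7|Image=C:\Users\a\AppData\Local\Microsoft\MigAutoPlay\Setup.exe|ImageLoaded=C:\Users\a\AppData\Local\Microsoft\MigAutoPlay\userenv.dll
EventID=1|Image=C:\Program Files\Vendor\app.exe
EventID=1|Image=C:\Users\a\AppData\Local\Microsoft\MigAutoPlay\Setup.exe
EventID=4698|TaskName=\Backup|Command=C:\Program Files\Vendor\backup.exe
EventID=4698|TaskName=\Updater|Command=C:\Users\a\AppData\Local\Microsoft\MigAutoPlay\Setup.exe
""".strip().splitlines()

def parse(line):
    """Split one export line into a dict of fields."""
    return dict(f.split("=", 1) for f in line.split("|") if "=" in f)

def classify(event):
    """Return (rule, path) if the event matches one of the rules, else None."""
    eid = event.get("EventID")
    if eid == "7":
        loaded = event.get("ImageLoaded", "")
        if (ntpath.basename(loaded).lower() in SIDELOAD_DLLS
                and not loaded.lower().startswith(SYSTEM_DIRS)):
            return ("dll_sideload", loaded)
    elif eid == "1":
        image = event.get("Image", "")
        if APPDATA_RE.search(image):
            return ("appdata_execution", image)
    elif eid == "4698":
        cmd = event.get("Command", "")
        if MIGAUTOPLAY_RE.search(cmd):
            return ("migautoplay_task", cmd)
    return None

def hunt(lines):
    """Run every rule over the lines; return findings in log order."""
    return [hit for hit in map(classify, map(parse, lines)) if hit]
```

Running `hunt(SAMPLE_LOG)` returns exactly the three suspicious lines, one per rule, and ignores the benign System32 load, Program Files process and Program Files task.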

Source:

  • https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/
