
Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

Iranian threat actor Nimbus Manticore (UNC1549) conducted a series of campaigns in early 2026 utilizing AppDomain Hijacking, SEO poisoning, and task hijacking to deploy the new MiniFast backdoor. The group demonstrated rapid toolset evolution, likely aided by AI-assisted development, targeting the aviation and software sectors across the US, Europe, and the Middle East.

Sens: Immediate · Conf: high · Analyzed: 2026-05-22 · Google

Authors: Check Point Research

Actors: Nimbus Manticore · UNC1549 · MiniJunk · MiniFast · Operation Epic Fury

Source: Check Point

IOCs · 56

Detection / Hunter: Google

What Happened

A cyber espionage group linked to Iran, known as Nimbus Manticore, launched a series of attacks targeting the aviation and software industries in the US, Europe, and the Middle East. The attackers used fake job offers, bogus Zoom meeting invites, and a fake software download website to trick victims into installing a new malicious program called MiniFast. This matters because the group is rapidly improving its tactics, potentially using AI to write code, allowing them to steal sensitive data or maintain hidden access to corporate networks. Organizations should educate employees on identifying fake software downloads and monitor their systems for unusual application behaviors.

Key Takeaways

  • Nimbus Manticore deployed a new backdoor named MiniFast, replacing the older MiniJunk malware, utilizing AI-assisted development practices.
  • The threat actor heavily abused AppDomain Hijacking to execute malicious DLLs via legitimate .NET applications.
  • A novel infection vector involved SEO poisoning to distribute a trojanized SQL Developer installer via a fake website.
  • The campaign abused a legitimate Zoom installer's execution flow to hijack scheduled tasks for persistence.
  • MiniFast communicates via JSON over HTTP and uses base64-encoded serialized task structures for command execution.

Affected Systems

  • Windows OS
  • .NET Framework
  • Zoom Desktop Client

Attack Chain

The attack begins with victims downloading a ZIP archive via phishing links or SEO-poisoned search results. Execution relies heavily on AppDomain Hijacking, where a legitimate executable loads a malicious DLL (e.g., uevmonitor.dll or InitInstall.dll) via a crafted .config file. In the Zoom lure campaign, the malware hijacks a legitimate Zoom scheduled task for persistence before using AppDomain Hijacking again to load the final MiniFast backdoor. MiniFast then communicates with its C2 server via JSON over HTTP to receive and execute base64-encoded commands.
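The .config-driven load described above leaves a recognisable on-disk layout: an `<app>.exe.config` whose `<runtime>` section names an AppDomainManager assembly, with a DLL of that name sitting beside the executable. The following Python is an added example written for this summary, not tooling from Check Point or the original report. It walks a directory tree and reports that layout. The element names (`appDomainManagerAssembly`, `appDomainManagerType`) are the real .NET Framework configuration elements; the directory names, file names and config contents in the sample tree are constructed for the demo and contain no real payload.

```python
"""Find .exe.config files that hand the .NET AppDomainManager to a sibling DLL.

Added example, not tooling from Check Point or the page. The element names
(appDomainManagerAssembly / appDomainManagerType under <runtime>) are the real
.NET Framework configuration elements; the sample directory tree is constructed
here purely for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: an executable's config that redirects the AppDomainManager
# to an assembly named "Helper", which the runtime resolves to Helper.dll next
# to the EXE. Only an empty placeholder file stands in for the DLL.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Entry" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary app config with no AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def parse_appdomain_manager(config_path):
    """Return (assembly short name, type name) if the config overrides the
    AppDomainManager, else (None, None). Unparseable files are skipped."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None, None
    runtime = root.find("runtime")
    if runtime is None:
        return None, None
    asm = runtime.find("appDomainManagerAssembly")
    if asm is None:
        return None, None
    # The value is an assembly display name; the part before the first comma is
    # the simple name the loader turns into <name>.dll in the application base.
    short_name = asm.get("value", "").split(",")[0].strip()
    typ = runtime.find("appDomainManagerType")
    return (short_name or None), (typ.get("value") if typ is not None else None)


def scan_tree(root_dir):
    """Walk root_dir and report every <app>.exe.config that names an
    AppDomainManager, noting whether the EXE and the named DLL sit beside it."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root_dir):
        present = {f.lower() for f in files}
        for fname in files:
            if not fname.lower().endswith(".exe.config"):
                continue
            cfg = os.path.join(dirpath, fname)
            asm, typ = parse_appdomain_manager(cfg)
            if asm is None:
                continue
            exe_name = fname[: -len(".config")]
            findings.append({
                "config": cfg,
                "exe_present": exe_name.lower() in present,
                "assembly": asm,
                "type": typ,
                "dll_present": f"{asm}.dll".lower() in present,
            })
    return findings


def build_sample_tree(base):
    """Write the constructed sample tree: one hijack-style layout, one benign app."""
    app = os.path.join(base, "Packages", "App")
    os.makedirs(app, exist_ok=True)
    for name in ("Viewer.exe", "Helper.dll"):
        open(os.path.join(app, name), "wb").close()  # empty placeholders
    with open(os.path.join(app, "Viewer.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS_CONFIG)
    benign = os.path.join(base, "Program Files", "Tool")
    os.makedirs(benign, exist_ok=True)
    open(os.path.join(benign, "Tool.exe"), "wb").close()
    with open(os.path.join(benign, "Tool.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    base = tempfile.mkdtemp(prefix="appdomain_scan_")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['config']}: AppDomainManager -> {f['assembly']}.dll "
              f"(type {f['type']}, exe present={f['exe_present']}, "
              f"dll present={f['dll_present']})")
```

Run against user-writable locations such as the `AppData\Local\Packages` path listed under File Paths; a hit where both `exe_present` and `dll_present` are true is the layout worth pulling for triage, while a legitimate application that ships its own AppDomainManager will normally live under Program Files and can be allow-listed by path.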

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide ready-to-use detection rules, but offers detailed behavioral indicators, C2 URI structures, and file paths suitable for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can detect AppDomain Hijacking by monitoring for unexpected module loads by .NET applications, as well as the creation or modification of scheduled tasks and unusual child processes spawned by update.exe.
  • Network Visibility: Medium. While the C2 traffic uses standard HTTP POST/GET requests, the specific URI patterns (/rg, /agent/init, /agent/poll?token=) and the hardcoded Chrome User-Agent can be fingerprinted if SSL inspection is enabled.
  • Detection Difficulty: Moderate. The use of legitimate signed binaries and AppDomain Hijacking helps the malware blend in, but the specific process ancestry checks (svchost.exe -> update.exe) and predictable C2 URIs provide solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Image Loaded (Sysmon 7)
  • Scheduled Task Creation/Modification (Event ID 4698, 4702)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: Hunt for legitimate .NET executables loading unexpected DLLs from the same directory, particularly when accompanied by a .config file.
    • Telemetry: Image Loaded (Sysmon Event ID 7) and File Creation (Sysmon Event ID 11)
    • ATT&CK Stage: Execution / Defense Evasion
    • FP Risk: Low to Medium
  • Hypothesis: Hunt for modifications to the 'ZoomUpdateTaskUser-<SID>' scheduled task where the executed binary is changed or points to a non-standard location.
    • Telemetry: Scheduled Task Logs (Event ID 4702)
    • ATT&CK Stage: Persistence
    • FP Risk: Low
  • Hypothesis: Hunt for network connections to URIs ending in '/rg', '/agent/init', or '/agent/poll?token=' originating from processes named update.exe.
    • Telemetry: Proxy/Web Gateway Logs or EDR Network Events
    • ATT&CK Stage: Command and Control
    • FP Risk: Low

Control Gaps

  • Lack of SSL inspection may hide C2 URI patterns
  • Over-reliance on digital signatures for execution trust

Key Behavioral Indicators

  • Process ancestry: svchost.exe spawning update.exe
  • Presence of .config files named after legitimate executables in user directories
  • Hardcoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
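The hunting hypotheses and the behavioral indicators above can be expressed as three small rules over endpoint and proxy telemetry. The Python below is an added example written for this summary (not code from Check Point or the report): it correlates Sysmon-style FileCreate (11) and ImageLoad (7) events to catch a .NET executable loading a same-directory DLL after a matching `.exe.config` appeared, flags `svchost.exe` spawning `update.exe`, and matches proxy records from `update.exe` against the `/rg`, `/agent/init` and `/agent/poll?token=` URIs plus the hardcoded User-Agent. The field names follow Sysmon's; every event value, the `jdoe` user and the `c2.example` host are constructed, and `uevmonitor.dll` is the loader name taken from the report.

```python
"""Run the report's three hunting hypotheses over constructed endpoint and proxy events.

Added example, not code from Check Point or the page. Field names follow Sysmon's
ProcessCreate (1), ImageLoad (7) and FileCreate (11) events plus a simple proxy
record; the values are constructed and "c2.example" is a placeholder host.
"""
import ntpath
from urllib.parse import urlsplit

# Hardcoded User-Agent the report attributes to MiniFast C2 traffic.
MINIFAST_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36")
# URI paths from the report; /agent/poll additionally carries a token= query.
C2_PATHS = {"/rg", "/agent/init", "/agent/poll"}

SAMPLE_EVENTS = [  # constructed telemetry, in arrival order
    # 1. A .config named after an executable lands in a user-writable directory.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Packages\Viewer.exe.config"},
    # 2. That executable loads a DLL from its own directory (loader name from the report).
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Packages\Viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Packages\uevmonitor.dll"},
    # 3. Same-directory load with no sibling .config ever created: benign plugin.
    {"EventID": 7, "Image": r"C:\Program Files\Tool\Tool.exe",
     "ImageLoaded": r"C:\Program Files\Tool\plugin.dll"},
    # 4. System DLL from a different directory: benign.
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Packages\Viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # 5. update.exe started by svchost.exe, the task-driven ancestry in the report.
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Zoom\bin\update\update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # 6. Ordinary interactive launch of Zoom: benign.
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Roaming\Zoom\bin\Zoom.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 7. Proxy record: update.exe polling a MiniFast-style URI with the hardcoded UA.
    {"Type": "proxy", "Process": "update.exe",
     "URL": "http://c2.example/agent/poll?token=0123abcd", "UserAgent": MINIFAST_UA},
    # 8. A browser hitting a /rg path: same URI shape, wrong process, so no alert.
    {"Type": "proxy", "Process": "chrome.exe",
     "URL": "https://www.example.com/rg", "UserAgent": MINIFAST_UA},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def hunt(events):
    """Return (rule, detail) tuples for events matching the three hypotheses."""
    alerts = []
    # Pass 1: remember every <app>.exe.config creation (Sysmon 11).
    configs = {e["TargetFilename"].lower() for e in events
               if e.get("EventID") == 11
               and e["TargetFilename"].lower().endswith(".exe.config")}
    # Pass 2: evaluate image loads, process starts and proxy records.
    for e in events:
        eid = e.get("EventID")
        if eid == 7:
            exe, dll = e["Image"], e["ImageLoaded"]
            if _dir(exe) == _dir(dll) and f"{exe}.config".lower() in configs:
                alerts.append(("appdomain_hijack",
                               f"{_base(exe)} loaded {_base(dll)} beside a matching .exe.config"))
        elif eid == 1:
            if _base(e["Image"]) == "update.exe" and _base(e["ParentImage"]) == "svchost.exe":
                alerts.append(("svchost_spawns_update", e["Image"]))
        elif e.get("Type") == "proxy" and e["Process"].lower() == "update.exe":
            parts = urlsplit(e["URL"])
            path_hit = parts.path in C2_PATHS
            if parts.path == "/agent/poll":
                path_hit = parts.query.startswith("token=")
            if path_hit:
                ua_hit = e.get("UserAgent") == MINIFAST_UA
                alerts.append(("minifast_c2_uri",
                               f"{e['URL']} (hardcoded UA match: {ua_hit})"))
    return alerts


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The same-directory load rule deliberately requires the earlier `.exe.config` creation rather than firing on every sibling DLL load, which is what keeps its false-positive rate in the "Low to Medium" band the hypotheses table assigns it; the proxy rule keeps the User-Agent as a confidence signal instead of a filter, since the report notes the URI patterns are only visible when SSL inspection is in place.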

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the provided domains and IP addresses at your perimeter firewalls and web proxies.
  • Evaluate whether to search endpoint telemetry for the presence of the identified SHA256 hashes and file names (e.g., uevmonitor.dll, UpdateChecker.dll).

Infrastructure Hardening

  • If supported by your proxy, consider implementing SSL inspection to detect specific C2 URI patterns.
  • Evaluate restricting the execution of unsigned or untrusted DLLs from user-writable directories.

User Protection

  • Consider deploying EDR rules to monitor for AppDomain Hijacking indicators, such as unexpected .config files alongside executables.
  • If applicable, restrict users from downloading software from unverified third-party websites to mitigate SEO poisoning risks.

Security Awareness

  • Consider updating security awareness training to highlight the risks of downloading software from search engine results rather than official vendor sites.
  • Evaluate reminding employees to be cautious of unsolicited job offers or meeting invitations containing ZIP attachments.

MITRE ATT&CK Mapping

  • T1574.014 - Hijack Execution Flow: AppDomain Manager Hijacking
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1189 - Drive-by Compromise
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Domains:
    • business-startup[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • businessstartup[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • buisness-centeral[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • buisness-centeral-transportation[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • buisness-centeral-transportation[.]com - Attacker-controlled domain.
    • licencemanagers[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • licencesupporting[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • peerdistsvcmanagers[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • nanomatrix[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • PremierHealthAdvisory[.]com - Attacker-controlled domain.
    • PremierHealthAdvisory[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • Premier-HealthAdvisory[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • ramiltonsfinance[.]com - Attacker-controlled domain.
    • ramiltonsfinance[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • ramiltons-finance[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • globalitconsultants[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • globalit-consultants[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • global-it-consultants[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • global-it-checkers[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • global-it-checkbusiness[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • global-check-itbusiness[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • global-check-business-it[.]azurewebsites[.]net - Attacker-controlled subdomain.
    • globalbusiness-checkers-it[.]azurewebsites[.]net - Attacker-controlled subdomain.
  • File Hashes:
    • 10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d (SHA256) - Malware payload associated with Nimbus Manticore.
    • eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc (SHA256) - Malware payload associated with Nimbus Manticore.
    • f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03 (SHA256) - Malware payload associated with Nimbus Manticore.
    • a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf (SHA256) - Malware payload associated with Nimbus Manticore.
    • 63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 (SHA256) - Malware payload associated with Nimbus Manticore.
    • bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad (SHA256) - Malware payload associated with Nimbus Manticore.
    • ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e (SHA256) - Malware payload associated with Nimbus Manticore.
    • 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c (SHA256) - Malware payload associated with Nimbus Manticore.
    • 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa (SHA256) - Malware payload associated with Nimbus Manticore.
    • 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b (SHA256) - Malware payload associated with Nimbus Manticore.
    • 5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40 (SHA256) - Malware payload associated with Nimbus Manticore.
    • d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d (SHA256) - Malware payload associated with Nimbus Manticore.
    • f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c (SHA256) - Malware payload associated with Nimbus Manticore.
    • b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 (SHA256) - Malware payload associated with Nimbus Manticore.
    • 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 (SHA256) - Malware payload associated with Nimbus Manticore.
    • a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441 (SHA256) - Malware payload associated with Nimbus Manticore.
    • dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee (SHA256) - Malware payload associated with Nimbus Manticore.
  • File Paths:
    • C:\Users\<USER>\AppData\Local\Packages\ - Directory where the first-stage loader extracts and deploys the next-stage payload.
    • C:\Users\<USER>\AppData\Local\Zoom\bin\update\ - Directory where the second-stage files are copied during the Zoom installer infection chain.
  • Command Lines:
    • cmd.exe /c | Purpose: Execute shell commands received from the C2 server | Tools: cmd.exe | Stage: Execution
  • Other:
    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 - Hardcoded User-Agent string used by the MiniFast backdoor for C2 communication.