Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

Khushal

Key Findings

  • The Iranian, IRGC-affiliated threat actor Nimbus Manticore resurfaced during Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, demonstrating newly adopted techniques and enhanced capabilities.
  • The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe and the Middle East.
  • For the first time, we observed the use of SEO poisoning as an additional malware delivery method.
  • The operation introduced a previously undocumented backdoor, named MiniFast, which appears to incorporate AI-assisted development practices, enabling the threat actor to rapidly develop and adapt tooling while maintaining high operational availability during the war.
  • The actor also abused a Zoom installer’s execution flow to stage a time-sensitive infection chain for malware deployment while blending into legitimate system activity.

This Check Point write-up is worth paying attention to, but it should still be treated as a vendor research report until more independent analysis is available.

What stands out in this report

  • It describes Nimbus Manticore as active again during a period of military tension, which fits the pattern of threat activity increasing around geopolitical events.
  • The reported use of SEO poisoning is notable because it shifts part of the infection chain toward search-engine-driven discovery rather than only direct phishing or fake personas.
  • The alleged Zoom installer execution flow abuse is also important because attackers often rely on familiar software paths to reduce suspicion.
  • The new backdoor, MiniFast, is the biggest technical claim in the summary and would need wider public analysis before anyone treats its capabilities or origin as firmly established.

A note of caution on the “AI-assisted development” claim

That part should be interpreted carefully.

  • Researchers can sometimes infer that code may have been generated or accelerated with AI tools based on style, structure, or development patterns.
  • But unless the report includes very strong technical indicators, it is usually difficult to prove that malware was actually built with AI assistance.
  • So the safer conclusion is that the malware may show signs of rapid or templated development, not that AI use is definitively confirmed.

Why SEO poisoning matters here

For defenders, this is probably one of the more practical takeaways.

  • Users searching for aviation, software, or conflict-related content may be exposed to fake pages or trojanized downloads.
  • This technique can affect people outside the usual “phishing target” model because infection starts with a search result rather than a direct malicious email.
  • Organizations should remind users to access vendors through known bookmarks or official domains instead of search results for installers or urgent updates.

Practical defensive takeaways

  • Verify software installers only from official vendor sites and, where possible, validate signatures.
  • Monitor for unusual child processes spawned from installers or temporary setup components.
  • Use DNS, web filtering, and endpoint protection to help catch fake download infrastructure.
  • Treat conflict-themed lures and urgent update prompts with extra caution.
  • If this campaign is relevant to your environment, it would be reasonable to review the Check Point IOCs against internal telemetry before drawing broader conclusions.

Bottom line

The report appears plausible and the delivery methods described are realistic, especially SEO poisoning and abuse of trusted installation flows. The strongest caution is around the newer or more interpretive claims, especially attribution details and “AI-assisted” development, which are best treated as informed vendor assessment rather than settled fact until corroborated elsewhere.

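The takeaway about watching for unusual child processes spawned from installers is easy to turn into a concrete triage rule. The Python below is an added example written for this thread; it is not code from Check Point, from the report, or from the post above, and it does not encode any indicator from the Nimbus Manticore campaign. It runs a hypothetical rule set over constructed Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine mirror Sysmon Event ID 1; the paths, file names and encoded command are made up for the demo): a parent that looks like an installer (name contains setup/install/update/patch, is msiexec.exe, or runs from a Temp or Downloads folder) spawning a scripting engine or LOLBin is flagged, and the severity is raised when the child's command line carries hidden-window or encoded-command switches.

```python
import re
from pathlib import PureWindowsPath

# Hypothetical rule set for this example (not from the Check Point report).
INSTALLER_NAME_RE = re.compile(r"(setup|install|update|patch)", re.IGNORECASE)
INSTALLER_IMAGES = {"msiexec.exe"}
STAGING_DIR_RE = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
    "curl.exe", "schtasks.exe",
}
# -enc / -EncodedCommand and -w hidden / -WindowStyle hidden style switches.
HIDDEN_OR_ENCODED_RE = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)", re.IGNORECASE
)


def _basename(image_path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image_path).name.lower()


def looks_like_installer(image_path):
    """Heuristic: does this parent image look like an installer or a freshly downloaded/extracted binary?"""
    name = _basename(image_path)
    return (
        name in INSTALLER_IMAGES
        or INSTALLER_NAME_RE.search(name) is not None
        or STAGING_DIR_RE.search(image_path) is not None
    )


def classify(event):
    """Return an alert dict for a suspicious installer->child relationship, else None."""
    parent, child = event["ParentImage"], event["Image"]
    if not looks_like_installer(parent):
        return None
    child_name = _basename(child)
    if child_name not in LOLBINS:
        return None  # installers legitimately launch their own helper binaries
    severity = "high" if HIDDEN_OR_ENCODED_RE.search(event.get("CommandLine", "")) else "medium"
    return {
        "parent": _basename(parent),
        "child": child_name,
        "severity": severity,
        "reason": f"installer-like parent {_basename(parent)} spawned {child_name}",
        "command_line": event.get("CommandLine", ""),
    }


def scan(events):
    """Run the rule over a sequence of process-creation events; return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert is not None]


# Constructed sample events (not real telemetry). The encoded payload is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
     "Image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "CommandLine": r'"C:\Program Files\Zoom\bin\Zoom.exe" --install'},            # benign helper
    {"ParentImage": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},                        # high
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup_tmp.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\core.dll,Start"},  # medium
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                                               # parent not an installer
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},                                               # msiexec re-exec, not a LOLBin
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['reason']}: {alert['command_line']}")
```

Treat this as a triage heuristic rather than a blocking rule: legitimate installers do launch helpers from Temp, and some enterprise packaging runs cmd.exe or PowerShell post-install scripts, so tune the LOLBIN set and add allow-listing for your own deployment tooling before alerting on medium-severity hits. Combining the child-process rule with the signature check from the takeaways (an unsigned or mis-signed parent in Downloads is a much stronger signal) is the natural next step.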