Nimbus Manticore is a highly sophisticated threat actor group assessed to be aligned with Iranian state interests. The group overlaps operationally with UNC1549, Smoke Sandstorm, and the "Iranian Dream Job" campaigns, and primarily targets defense contractors, aerospace suppliers, and telecommunications organizations across Europe and the Middle East.
The group is known for luring victims with highly realistic fake job portals that deliver ZIP archives; these rely on DLL side-loading to run hidden malware such as MiniJunk (a heavily obfuscated backdoor) and MiniBrowse (a credential stealer). Once inside, the operators persist quietly, collect credentials, and exfiltrate sensitive data.
To gain initial access, Nimbus Manticore runs spear-phishing campaigns that impersonate legitimate recruiters and steer selected individuals to convincing fake career portals. Each target receives a unique URL and a set of login credentials, which lets the attackers track engagement and control who receives the payload. This delivery method, combined with detailed reconnaissance and well-built social-engineering pretexts, shows a high level of operational security and sophistication.
Organizations in the defense and telecom sectors handle classified projects, research, and sensitive operational data. If that information is compromised, the consequences can include:
Nimbus Manticore is a strategic intelligence-gathering threat that prioritizes stealth and persistence over quick financial gain. Its approach shows how social engineering combined with low-level abuse of Windows internals can slip past even mature security defenses.
Initial access begins with highly targeted phishing that uses career-themed social engineering. The operators use several pretexts, including impersonating professional recruiters on LinkedIn and posing as HR specialists who move victims to alternative communication platforms. They set up fake job portals built to look like the legitimate hiring sites of major aerospace and defense companies, including Boeing, Airbus, Rheinmetall, and flydubai.
These fraudulent career portals are typically built from React templates and hosted behind Cloudflare, which hides the real server infrastructure. The domains often follow predictable naming patterns with career-themed subdomains. Once the victim logs in with the credentials the fake recruiter supplied earlier, the site submits the encoded login details to a /login-user API endpoint; because each target holds unique credentials, this call also tells the operators exactly who reached the download step. Shortly afterwards, the victim is prompted to download a ZIP file presented as hiring-related software. In reality, the archive contains the malicious payloads that lead to compromise of the system.
Below is an example of a fake website imitating Boeing Careers, which delivers a malicious ZIP archive after the user authenticates:
The real innovation in Nimbus Manticore's attack chain is its multi-stage DLL side-loading, an execution technique that abuses the Windows DLL search order: a malicious Dynamic Link Library (DLL) is placed alongside a legitimate executable so that the loader resolves it before the genuine system copy.
The attack follows these steps:
Below is a sample of the ZIP file delivered through the fake hiring portals as the initial payload. The archive contains a legitimate executable (setup.exe) together with malicious DLLs such as xmllite.dll and iviewers.dll, enabling DLL side-loading when setup.exe runs.
The technical sophistication lies in how the malware tampers with process execution parameters through low-level native API functions. By setting the DllPath field of the process parameters built with RtlCreateProcessParameters and then launching the process with RtlCreateUserProcess, the threat actor steers the Windows loader to the attacker's directory for DLL resolution instead of the standard system paths. This sidesteps the usual DLL search-order protections and lets legitimate system executables carry the attack chain.
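The side-loading pattern described above is visible in endpoint telemetry. The following is an added example written for this article, not Check Point's detection content and not the actor's tooling: it runs simple hunting rules over constructed Sysmon ImageLoad (Event ID 7) records and flags a DLL that carries a Windows system DLL name but resolves outside the system directories, a DLL loaded from the same user-writable directory as its parent executable, and an unsigned DLL in either case. The system DLL list, the directory heuristics, and the sample records (including the MigAutoPlay.exe location) are assumptions.

```python
"""Hunt for DLL side-loading in Sysmon ImageLoad (Event ID 7) records.

Added example for this article; not the actor's tooling and not any vendor's
detection content. The records below are constructed, and the 'system DLL
name' list is a small illustrative subset (an assumption).
"""
import ntpath

# xmllite.dll and iviewers.dll are the DLL names the article reports in the
# archive; the remaining names are an assumed sample of commonly side-loaded DLLs.
SYSTEM_DLL_NAMES = {
    "xmllite.dll", "iviewers.dll", "version.dll", "dwmapi.dll",
    "cryptbase.dll", "wtsapi32.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def classify(ev: dict) -> list:
    """Return the list of side-loading indicators for one ImageLoad event."""
    image = ev["Image"].lower()          # the process executable
    loaded = ev["ImageLoaded"].lower()   # the DLL that was mapped into it
    dll_name = ntpath.basename(loaded)
    dll_dir = ntpath.dirname(loaded) + "\\"
    image_dir = ntpath.dirname(image) + "\\"
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name resolved outside the Windows system directories")
    if dll_dir == image_dir and any(tag in dll_dir for tag in USER_WRITABLE):
        reasons.append("DLL loaded from the executable's own user-writable directory")
    # Signed/SignatureStatus in Event ID 7 describe the loaded DLL, not the process.
    if reasons and ev.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def hunt(events: list) -> list:
    """Return [(Image, ImageLoaded, reasons)] for events with at least one indicator."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := classify(e))]


# Constructed Sysmon Event ID 7 records (not real telemetry). The first two are
# benign loads; the last two mirror the article's setup.exe/xmllite.dll pairing
# and an assumed location for the MigAutoPlay.exe stage.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\xmllite.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\Boeing_Careers\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Boeing_Careers\xmllite.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Migration\MigAutoPlay.exe",
     "ImageLoaded": r"C:\ProgramData\Migration\iviewers.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for reason in reasons:
            print("   -", reason)
```

The first rule is the high-signal one: a DLL name that belongs in System32 has no business resolving from a Downloads folder, whatever the parent executable is. The second rule catches the general case of a dropped executable and its companion DLL landing together in a user-writable location, which is exactly what an unpacked archive looks like.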
To better understand the operational context of the xmllite.dll payload, we analyzed its relationship graph in VirusTotal. The graph shows execution parents, dropped files, contacted infrastructure, and associations with other Nimbus Manticore artifacts.
Following successful DLL loading, the xmllite.dll payload establishes persistence through multiple methods.
This persistence strategy ensures continued access even after system restarts and provides multiple execution pathways to avoid removal attempts.
MiniJunk is a heavily obfuscated backdoor written in C++. On load it dynamically resolves the Windows APIs it needs and collects system identifiers: the hostname and the DOMAIN\username string for the current session.
When running as MigAutoPlay.exe, it immediately hooks the ExitProcess API so that any attempt to terminate is diverted into a sleep loop. It then spawns a main worker thread that handles networking and the command-and-control logic.
MiniJunk's network traffic is encoded rather than encrypted: outbound data is transformed by reversing the bytes and then reversing the string. Static strings and URLs inside the binary are obfuscated with XOR, each string under its own per-string key.
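The encoding in the previous paragraph is simple enough to reverse by hand, and so is per-string XOR once the key that sits next to each string is recovered. The block below is an added example for this article, not MiniJunk's code. It assumes that "reversing bytes and then reversing the string" means reversing the bit order inside each byte and then reversing the byte sequence (an interpretation, not something the page confirms); the ciphertexts, keys, and plaintexts in the string table are constructed for illustration.

```python
"""Decoder for MiniJunk-style traffic encoding and per-string XOR strings.

Added example for this article, not MiniJunk's code. The article says outbound
data is encoded by "reversing bytes and then reversing the string"; this block
assumes that means reversing the bit order inside each byte and then reversing
the byte sequence. The string table below is constructed for illustration.
"""


def reverse_bits(b: int) -> int:
    """Reverse the eight bits of one byte (0x01 -> 0x80, 0x0f -> 0xf0)."""
    return int(f"{b:08b}"[::-1], 2)


def encode(data: bytes) -> bytes:
    """Bit-reverse every byte, then reverse the byte order."""
    return bytes(reverse_bits(b) for b in data)[::-1]


def decode(data: bytes) -> bytes:
    """Both steps are involutions and commute, so decoding is the same transform."""
    return encode(data)


def xor_string(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """A short per-string key falls out of a known plaintext prefix (e.g. b'https://')."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(ciphertext[i] ^ known_prefix[i] for i in range(key_len))


# Constructed table of (ciphertext, per-string key): the shape an analyst ends up
# with after pulling each string and its key out of the binary's decryption stubs.
STRING_TABLE = {
    "c2_url":   (bytes.fromhex("322e2e2a2960757539687433342c3b36333e75"), b"\x5a"),
    "api_hook": (bytes.fromhex("5559795540537f42755263"), b"\x10\x21"),
}


def decrypt_strings(table: dict) -> dict:
    """Decrypt every entry of a {name: (ciphertext, key)} table to text."""
    return {name: xor_string(ct, key).decode("ascii") for name, (ct, key) in table.items()}


if __name__ == "__main__":
    # Constructed beacon content in the shape the article describes: host and DOMAIN\user.
    beacon = b"host=WS01;user=CORP\\alice"
    wire = encode(beacon)
    print("on the wire:", wire.hex())
    print("decoded:    ", decode(wire))
    for name, text in decrypt_strings(STRING_TABLE).items():
        print(f"{name}: {text}")
    print("recovered key:", recover_xor_key(STRING_TABLE["c2_url"][0], b"https://", 1).hex())
```

If the "reversing bytes" step turns out to be a plain byte-order reversal rather than a bit reversal, only encode() changes; the XOR handling and the known-plaintext key recovery (a URL almost always starts with "http") apply unchanged to any sample that uses short per-string keys.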
The code also contains extensive junk instructions and bogus branches (inserted with a custom LLVM-based obfuscator) that inflate the binary and confuse disassembly. The sample is code-signed with a legitimate SSL.com certificate and padded with inert data, tactics that sharply reduce antivirus detection by pushing the file past scanner size and time limits.
This is a sample of the MiniJunk backdoor, iviewers.dll. On VirusTotal, 40 of 72 security vendors flagged the file as malicious, most classifying it as a trojan and associating it with Nimbus Manticore activity.
Evasion and anti-analysis: MiniJunk avoids detection in several ways. Valid digital signatures (SSL.com-issued certificates) and bloated code help it slip past AV engines, while the string obfuscation and control-flow tricks make static analysis extremely difficult. Hooking ExitProcess additionally keeps the process alive longer. Other typical evasion, such as debugger detection or disabling security services, was not explicitly reported; the evasion here relies on stealth (signed binaries, running in memory) and on not tripping detections rather than on active anti-analysis.
MiniBrowse is a lightweight credential stealer delivered alongside MiniJunk. It comes in two variants, one targeting Chrome and one targeting Edge, each built as a DLL intended to be injected into the browser process. Once executed, it first collects system identifiers (username and domain) and sends them to the C2 server as a JSON payload.
Unusually, MiniBrowse requires the C2 to answer with a non-200 HTTP status before it proceeds; if the response code is 200, it aborts. After a satisfying response, it scans for the browser's local credential stores (e.g. Chrome's "Login Data" SQLite file and Edge's equivalent, under %LOCALAPPDATA%\Google\Chrome\User Data\ or %LOCALAPPDATA%\Microsoft\Edge\User Data\). It opens these files and reads the encrypted password entries; decrypting Chrome/Edge credentials typically involves the Windows Data Protection API (DPAPI). Note that on current Chrome and Edge builds the stored password itself is AES-GCM encrypted with a key that is DPAPI-protected in the profile's Local State file, so DPAPI alone unwraps that key rather than the entries, and recent Chrome releases add app-bound encryption on top.
The stolen credential entries (usernames, URLs, passwords) are then exfiltrated.
MiniJunk keeps redundancy through multiple hardcoded C2 servers, usually three to five per sample. If one endpoint is unreachable, the malware fails over to the next in the list. Communication uses standard HTTPS requests through the Windows HTTP APIs, with responses encoded in the same manner as outbound data.
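Both the MiniBrowse handshake described earlier, where a non-200 reply is the go-ahead, and the C2 failover above leave traces in proxy logs. The following is an added example for this article, not vendor detection content: it parses constructed proxy log lines (format: timestamp, host, method, domain, status, with status 0 standing for no response at all; the format and the lines are assumptions) and reports hosts that move to a fresh domain after each unreachable one, plus hosts that keep POSTing to a domain that answers only with client errors.

```python
"""Proxy-log hunting for C2 failover and posting after rejection.

Added example for this article; not vendor detection content. The log lines
are constructed, and the format (timestamp host method domain status, with
status 0 meaning no response at all) is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# No response or a server-side error: treat the C2 as unreachable.
UNREACHABLE = {0} | set(range(500, 600))

# Constructed proxy log. WS02 shows an ordinary retry against one domain; WS01
# shows a three-domain failover followed by POSTs that keep coming despite 404s.
SAMPLE_LOG = """
2025-09-24T09:58:10 WS02 GET  intranet.corp.invalid 200
2025-09-24T09:58:12 WS02 GET  update.vendor.invalid 503
2025-09-24T09:58:40 WS02 GET  update.vendor.invalid 200
2025-09-24T10:00:01 WS01 POST api-gw-1.invalid 0
2025-09-24T10:00:04 WS01 POST api-gw-2.invalid 0
2025-09-24T10:00:07 WS01 POST api-gw-3.invalid 200
2025-09-24T10:05:00 WS01 POST api-gw-3.invalid 404
2025-09-24T10:05:02 WS01 POST api-gw-3.invalid 404
2025-09-24T10:05:04 WS01 POST api-gw-3.invalid 404
2025-09-24T10:05:06 WS01 POST api-gw-3.invalid 404
"""


def parse(log: str) -> list:
    """Turn log lines into dicts, ordered per host by time."""
    events = []
    for line in log.strip().splitlines():
        ts, host, method, domain, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "method": method, "domain": domain, "status": int(status)})
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def _record(hits: list, host: str, chain: list, min_len: int) -> None:
    if len(chain) >= min_len:
        hits.append({"host": host,
                     "domains": [c["domain"] for c in chain],
                     "reached": chain[-1]["status"] not in UNREACHABLE})


def failover_chains(events: list, window_s: int = 60, min_len: int = 3) -> list:
    """Hosts that move to a *new* domain within window_s after each unreachable one.

    MiniJunk carries three to five C2 domains and walks the list until one answers,
    so a fresh domain per failure, in quick succession, is the signal. Retrying the
    same domain (normal client behaviour) does not extend a chain."""
    hits = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        chain = []
        for e in evs:
            extends = (bool(chain)
                       and chain[-1]["status"] in UNREACHABLE
                       and e["domain"] not in {c["domain"] for c in chain}
                       and (e["ts"] - chain[-1]["ts"]).total_seconds() <= window_s)
            if extends:
                chain.append(e)
                if e["status"] not in UNREACHABLE:   # a live server was found
                    _record(hits, host, chain, min_len)
                    chain = []
            else:
                _record(hits, host, chain, min_len)
                chain = [e] if e["status"] in UNREACHABLE else []
        _record(hits, host, chain, min_len)
    return hits


def posting_after_rejection(events: list, min_posts: int = 3) -> list:
    """(host, domain, count) where a client keeps POSTing despite 4xx answers.

    MiniBrowse treats a non-200 reply as the go-ahead, so a client that carries on
    after repeated client-error responses is worth a look."""
    counts = defaultdict(int)
    for e in events:
        if e["method"] == "POST" and 400 <= e["status"] < 500:
            counts[(e["host"], e["domain"])] += 1
    return sorted((h, d, n) for (h, d), n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in failover_chains(evs):
        print("failover:", hit)
    for host, domain, n in posting_after_rejection(evs):
        print(f"persistent POSTs after 4xx: {host} -> {domain} ({n} times)")
```

Neither rule is proof on its own: a misconfigured client retries too, and load balancers return 5xx in bursts. The value is in the combination with rarity, so in practice both outputs should be joined against domain age or first-seen data before anyone is paged.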
Understanding Nimbus Manticore's motives helps clarify how dangerous the group is. This Iran-aligned threat group is driven by espionage and intelligence gathering, targeting the defense, aerospace, and telecommunications sectors that hold sensitive national and industrial information. Its objective is not quick profit but long-term strategic advantage: persistent, covert access to victim environments that allows it to monitor communications, steal data, and observe operations over time.
Most of its campaigns appear to track Iranian IRGC priorities, especially during periods of geopolitical tension. Its tactics are consistent with state-sponsored objectives: acquiring defense know-how, proprietary technology, and access to regionally significant organizations.
The risks are severe:
In short, Nimbus Manticore's motives and tactics show that the group is not after headlines; it is after influence, access, and information dominance.
| Area | Recommendations |
|---|---|
| Phishing | Train employees to recognize recruitment-themed phishing and unsolicited job offers, including ones that arrive through LinkedIn rather than email. Deploy proper email security controls. |
| Web Sites and Downloads | Treat unfamiliar login pages and job portals with suspicion, especially when the recruiter supplies the credentials. Avoid downloading files from unverified sources. Tune EDR and web security products to detect malicious ZIPs and installers. |
| Endpoint Protection / Malware Detection | Use behavior-based next-generation antivirus or EDR. Alert on abnormal DLL loads, in particular system DLL names resolving from user-writable directories next to a legitimate executable, and on execution from unauthorized paths. Monitor for side-loaded DLLs. |
| System and Application Hardening | Implement least privilege; users should not run as administrators. Restrict where programs may load DLLs from. Use application allow-listing. Monitor and control scheduled tasks. |
| Network Monitoring | Watch outbound connections to unknown servers and unusual HTTPS traffic, including rapid failover across several rarely seen domains. Check for anomalies in HTTP responses, for example clients that proceed only after non-200 replies, as MiniBrowse does. |
| Code Signing / Certificate Management | A valid code signature does not make software safe. Verify who the signer is and whether that publisher is expected in your environment, not only that the certificate chain validates. |
| Threat Intelligence / Sharing | Use intelligence feeds to track new malware variants, domains, and hashes. Share findings with peers or national CERTs. |
Nimbus Manticore shows how modern APTs combine deception with technical exploitation to achieve strategic objectives. By impersonating recruiters, abusing trusted Windows mechanisms, and deploying stealthy malware, the group underlines the importance of behavior-based detection, strong user awareness, and proactive threat intelligence.
Organizations in the targeted sectors should strengthen their defensive posture, implement comprehensive threat intelligence monitoring, and maintain rapid incident response capabilities to mitigate the risks posed by this highly capable and persistent adversary group.
Domain names:
Malware Hashes:
We have a document here with high-level pointers on Nimbus Manticore.
Download Full Report (PDF)