{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/seo-poisoning/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Nimbus Manticore"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Setup.exe","OnlyOffice","Zoom Installer","MiniJunk"],"_cs_severities":["high"],"_cs_tags":["nimbus-manticore","irgc","appdomain-hijacking","seo-poisoning","minijunk","minifast","infostealer"],"_cs_type":"threat","_cs_vendors":["Microsoft","OnlyOffice","Accenture","Zoom"],"content_html":"\u003cp\u003eNimbus Manticore (UNC1549), an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury in February 2026, targeting the defense, aviation, and telecommunication sectors. The actor employed new techniques, including AppDomain Hijacking, AI-assisted malware development for its MiniFast backdoor, and SEO poisoning, demonstrating enhanced capabilities. The campaign used phishing lures impersonating organizations in the aviation and software sectors across the United States, Europe, and the Middle East. The actor also abused a Zoom installer\u0026rsquo;s execution flow to stage a time-sensitive infection chain, blending malicious activity with legitimate system processes. This resurgence indicates the actor\u0026rsquo;s rapid adaptation and operational availability during periods of geopolitical tension.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Spear-phishing emails are sent to employees in the aviation and software sectors with fake career opportunities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLure Delivery:\u003c/strong\u003e Victims are directed to download a ZIP archive hosted on platforms like OnlyOffice.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAppDomain Hijacking:\u003c/strong\u003e The ZIP file contains a benign \u003ccode\u003eSetup.exe\u003c/code\u003e, a malicious \u003ccode\u003eSetup.exe.config\u003c/code\u003e file that hijacks the application domain, \u003ccode\u003euevmonitor.dll\u003c/code\u003e (first-stage dropper), and a benign \u003ccode\u003eInterop.TaskScheduler.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirst Stage Execution:\u003c/strong\u003e Executing \u003ccode\u003eSetup.exe\u003c/code\u003e loads \u003ccode\u003euevmonitor.dll\u003c/code\u003e, which extracts and deploys the next-stage payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMiniJunk Deployment:\u003c/strong\u003e The dropper writes files into \u003ccode\u003eC:\\Users\\\u0026lt;USER\u0026gt;\\AppData\\Local\\Packages\\\u003c/code\u003e, including a legitimate executable for DLL sideloading and a malicious DLL identified as a new version of the MiniJunk backdoor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eZoom Installer Abuse:\u003c/strong\u003e A malicious DLL is sideloaded into a legitimate Zoom installer to execute code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMiniFast Backdoor Installation:\u003c/strong\u003e The new MiniFast backdoor is installed, providing remote access and control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence and Data Exfiltration:\u003c/strong\u003e The MiniFast backdoor establishes persistence and begins exfiltrating data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Nimbus Manticore campaign targeted organizations in the aviation and software sectors across the United States, Europe, and the Middle East. Successful exploitation leads to the installation of the MiniFast backdoor, enabling data exfiltration and potential disruption of operations. This can compromise sensitive information, intellectual property, and critical infrastructure within the targeted sectors. The actor\u0026rsquo;s enhanced capabilities, including AI-assisted malware development, allow for rapid adaptation and increased operational effectiveness during periods of conflict.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eSetup.exe\u003c/code\u003e loading DLLs from unusual locations, specifically \u003ccode\u003euevmonitor.dll\u003c/code\u003e, to detect AppDomain Hijacking (see Sigma rule \u003ccode\u003eDetect AppDomain Hijacking via Setup.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for connections to known malicious domains associated with Nimbus Manticore, such as those listed in the referenced Check Point report.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon logging for process creation and file creation events to capture the full attack chain, including the execution of \u003ccode\u003eSetup.exe\u003c/code\u003e and the creation of files in the \u003ccode\u003eC:\\Users\\\u0026lt;USER\u0026gt;\\AppData\\Local\\Packages\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MiniJunk File Creation\u003c/code\u003e to identify files written to the user\u0026rsquo;s AppData\\Local\\Packages directory, which is indicative of MiniJunk deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-22T15:18:05Z","date_published":"2026-05-22T15:18:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/","summary":"Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.","title":"Nimbus Manticore Resurfaces During Operation Epic Fury with New Techniques","url":"https://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/"}],"language":"en","title":"CraftedSignal Threat Feed — Seo-Poisoning","version":"https://jsonfeed.org/version/1.1"}