Nimbus Manticore Uses Fake Installers to Drop MiniFast Backdoor

Stephanie Adlam

Check Point Research says Nimbus Manticore has returned with fake software lures and a previously undocumented backdoor called MiniFast. The group, also tracked as UNC1549, is described as IRGC-affiliated and focused on defense, aviation, telecommunications, and software targets during activity connected to the recent Iran conflict.

The useful part for defenders is the delivery shift. Check Point says the campaign used SEO poisoning as an extra infection route, then abused a Zoom installer execution flow to make malware staging look closer to normal setup activity. That is the same false comfort many users have around installer windows: if the file looks like software onboarding, the DLLs beside it get less attention.

Figure: Check Point screenshot of a lure archive carrying setup files and DLLs used in the Nimbus Manticore operation. Source: Check Point Research.

What changed in the campaign

Check Point describes three important changes: malicious lures aimed at aviation and software organizations, SEO poisoning for fake software downloads, and a new MiniFast backdoor. The SEO angle matters because it moves the attack from email-only targeting into search behavior. A user looking for a legitimate tool can land on a fake download page and still feel like they initiated the process safely.

The fake installer route also makes the infection chain quieter for a victim. In one described flow, the archive included setup files and DLLs that allowed the malware to abuse expected installer behavior. The user sees installation activity; the malware gets a chance to stage components around legitimate-looking binaries.

What makes MiniFast worth watching

MiniFast matters because it shows the actor changing tooling while the operation is active. Check Point says the backdoor is a 64-bit Windows PE DLL with an export named CheckForUpdates, and that it can communicate with command-and-control infrastructure through structured HTTP endpoints.

The reported capabilities include host registration, task polling, command execution, file upload/download, process enumeration, directory listing, ZIP creation, and persistence through a scheduled task named WindowsSecurityUpdate. That makes MiniFast a long-term access tool, not just a downloader.

What to hunt for

  • Fake download pages for developer or productivity tools, especially pages ranking through suspicious SEO patterns.
  • Archives that combine a legitimate-looking installer with nearby DLLs and configuration files.
  • Unexpected Setup.exe.config or UpdateConfig.xml files used for AppDomain hijacking.
  • Suspicious scheduled tasks related to updater names or WindowsSecurityUpdate.
  • Outbound traffic that imitates browser activity while using API-style C2 endpoints.
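As an added hunting aid (not Check Point's code and not part of the original article), the Python script below checks an archive listing for the installer-plus-side-file pattern from the list above and scans `schtasks /query /fo csv` output for the reported task name. The archive contents, the `helper.dll` name and the schtasks output are constructed samples.

```python
# Added example (not Check Point's tooling): triage a lure archive for the
# installer + companion DLL + AppDomain config pattern, and scan
# `schtasks /query /fo csv` output for the reported persistence task name.
import csv
import io
import zipfile

APPDOMAIN_CONFIGS = {"setup.exe.config", "updateconfig.xml"}  # file names from the report
PERSISTENCE_TASK = "windowssecurityupdate"                     # task name from the report

# Constructed `schtasks /query /fo csv` output: one benign entry, one reported name.
SAMPLE_SCHTASKS = (
    '"TaskName","Next Run Time","Status"\r\n'
    '"\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","N/A","Ready"\r\n'
    '"\\WindowsSecurityUpdate","N/A","Ready"\r\n'
)

def triage_archive(data: bytes) -> dict:
    """Flag a ZIP whose setup binary sits beside DLLs or AppDomain config files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    leaf = {n: n.rsplit("/", 1)[-1].lower() for n in names}
    installers = [n for n in names if leaf[n].endswith(".exe") and "setup" in leaf[n]]
    dlls = [n for n in names if leaf[n].endswith(".dll")]
    configs = [n for n in names if leaf[n] in APPDOMAIN_CONFIGS]
    # The report's pattern: a trusted-looking installer plus side files it will load.
    suspicious = bool(installers) and bool(dlls or configs)
    return {"installers": installers, "dlls": dlls, "configs": configs, "suspicious": suspicious}

def flag_tasks(schtasks_csv: str) -> list:
    """Return task names matching the reported name, or root-level updater-style names."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        leaf = name.rsplit("\\", 1)[-1].lower()
        root_level = name.count("\\") == 1  # "\Foo" rather than "\Microsoft\Windows\..."
        if leaf == PERSISTENCE_TASK or (root_level and "update" in leaf):
            hits.append(name)
    return hits

def build_sample_archive() -> bytes:
    """Constructed lure archive: setup binary, AppDomain config and a companion DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool/Setup.exe", b"MZ placeholder, not a real binary")
        zf.writestr("tool/Setup.exe.config", b"<configuration/>")
        zf.writestr("tool/helper.dll", b"MZ placeholder, not a real binary")
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` and `flag_tasks(SAMPLE_SCHTASKS)` to see the sample archive flagged and the reported task name returned; point `triage_archive` at real archive bytes and `flag_tasks` at real schtasks output to hunt on a host.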

Users should treat fake software archives as more than a generic phishing problem. Look at the surrounding file set, especially companion DLLs and config files launched by a trusted-looking setup binary. We covered the same defensive habit in our guide on malware impersonating familiar software: the name of the installer is often the bait, not the evidence.

References

  1. Check Point Research, “Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict,” published May 22, 2026.

