Nimbus Manticore, an Iran-linked APT, has escalated cyberespionage using spear-phishing, fake career portals, and DLL sideloading to deliver MiniJunk backdoors and MiniBrowse stealers against defense, aerospace, and telecom targets in Western Europe and the Middle East. The actors employ heavy compiler-level obfuscation, Cloudflare/Azure-backed resilient C2 hosting, and stolen certificates to maintain stealth and persistence. #NimbusManticore #MiniJunk #MiniBrowse
Keypoints
- Nimbus Manticore uses tailored spear-phishing that impersonates HR recruiters from companies like Boeing, Airbus, and Rheinmetall to direct victims to fake React-based career portals.
- Malicious ZIP archives delivered from those portals initiate a multi-stage infection chain leveraging novel DLL sideloading that exploits undocumented NT APIs to manipulate the DLL search path.
- Primary malware includes MiniJunk (an evolved Minibike backdoor) with compiler-level obfuscation and MiniBrowse (a browser credential stealer) that exfiltrates data via JSON to C2 servers.
- Persistence is achieved by copying binaries to %AppData%\Local\Microsoft\MigAutoPlay, creating scheduled tasks, and using legitimate executables to sideload malicious DLLs.
- The group uses Cloudflare and Azure App Service (domains following patterns like [a-z]-[a-z]+-[a-z]+-[0-9]{3}.azurewebsites.net) for resilient C2 hosting and signs malware with SSL.com certificates to reduce detection.
- Targets include defense manufacturing, telecommunications, aerospace, airlines, and satellite providers across Western Europe (Denmark, Sweden, Portugal) and the Middle East (Israel, UAE), aligning with IRGC intelligence priorities.
- A separate cluster (Subtle Snail) shares some code with MiniJunk but deploys simpler payloads such as dxgi.dll, indicating multiple linked activity clusters.
MITRE Techniques
- [T1192] Spearphishing Attachment – Attackers sent personalized phishing emails impersonating HR recruiters and delivered malicious ZIP archives via fake career portals (“personalized phishing emails with unique URLs and credentials directing them to fraudulent career portals”).
- [T1193] Spearphishing Link – Victims were directed to fake React-based career portals with unique URLs hosted behind Cloudflare (“directing victims to fake career portals built on React templates… often hosted behind Cloudflare to mask server IPs”).
- [T1553] Subvert Trust Controls – Use of valid SSL.com code-signing certificates to sign malware, reducing detection (“Nimbus Manticore signs its malware with certificates from SSL.com, reducing detection rates”).
- [T1036] Masquerading – Malicious ZIP archives and DLLs disguised as legitimate software and DLL sideloading using legitimate executables (“deliver malicious ZIP archives disguised as legitimate software” and “a legitimate Windows executable to sideload a malicious .dll”).
- [T1574] Hijack Execution Flow (DLL Sideloading) – Multi-stage DLL sideloading exploited undocumented low-level NT APIs to manipulate the DLL search path and cause Windows Defender to load malicious DLLs (“novel DLL sideloading technique that exploits undocumented low-level NT APIs to manipulate the DLL search path… triggers a Windows Defender component to load another malicious .dll”).
- [T1027] Obfuscated Files or Information – MiniJunk uses junk code insertion, control-flow obfuscation, opaque predicates, and encrypted strings likely via custom LLVM passes to evade analysis (“advanced obfuscation techniques… likely implemented via custom LLVM passes”).
- [T1053] Scheduled Task/Job – Persistence via creation of scheduled tasks to execute the sideloading .exe (“creating a scheduled task to execute an .exe, which sideloads a .dll”).
- [T1041] Exfiltration Over C2 Channel – MiniBrowse and MiniJunk exfiltrate data and communicate with hardcoded C2 servers over HTTPS with encoded payloads (“communicating with multiple hardcoded C2 servers via HTTPS, with data encoded through byte reversal” and “MiniBrowse … exfiltrates data via JSON payloads to C2 servers”).
- [T1105] Ingress Tool Transfer – Deployment of malicious ZIP archives and DLLs to victim systems via downloaded archives from the fake portals (“deliver malicious ZIP archives… which in turn trigger… malicious .dll from the archive directory”).
Indicators of Compromise
- [File Hash] Sample malware hashes – 95d246e4956ad5e6b167a3d9d939542d6d80ec7301f337e00bb109cc220432cf, 9b186530f291f0e6ebc981399c956e1de3ba26b0315b945a263250c06831f281 (and 6 more hashes).
- [File Name] DLL and EXE names used in campaigns – dxgi.dll (used by a Subtle Snail cluster), various sideloaded .dll files located in archive directories.
- [Directory Path] Persistence paths – %AppData%\Local\Microsoft\MigAutoPlay (MiniJunk copies itself here for persistence).
- [Domain Pattern] C2 and hosting domains – Azure App Service patterns like [a-z]-[a-z]+-[a-z]+-[0-9]{3}.azurewebsites.net and Cloudflare-fronted portals used to host fake career sites.
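Added detection example, not code from the original report or from PolySwarm: it runs over constructed log lines, flags DNS queries matching the reported Azure App Service naming pattern and file or scheduled-task events under the reported MigAutoPlay persistence directory, then correlates both per host. The key=value log format, hostnames and file paths are constructed for illustration.

```python
import re

# Azure App Service naming pattern reported for the C2 infrastructure
# ([a-z]-[a-z]+-[a-z]+-[0-9]{3}.azurewebsites.net); the dots are escaped so
# they match literally. azurewebsites.net also hosts many legitimate apps,
# so a hit on its own is a triage lead, not proof of compromise.
C2_DOMAIN_RE = re.compile(r"^[a-z]-[a-z]+-[a-z]+-[0-9]{3}\.azurewebsites\.net$")

# Reported persistence directory (...\AppData\...\Microsoft\MigAutoPlay).
# Case-insensitive; tolerates any intermediate folder under AppData.
PERSIST_DIR_RE = re.compile(r"\\appdata\\(?:[^\\]+\\)*microsoft\\migautoplay\\", re.I)

# Constructed sample telemetry (not real data): DNS lookups plus file-create
# and scheduled-task-create events, one event per line as key=value pairs.
CONSTRUCTED_LOG = r"""
ts=2025-09-01T10:00:01Z type=dns host=WS01 query=a-blue-river-123.azurewebsites.net
ts=2025-09-01T10:00:02Z type=dns host=WS01 query=myportal.azurewebsites.net
ts=2025-09-01T10:00:05Z type=file_create host=WS01 path=C:\Users\jdoe\AppData\Local\Microsoft\MigAutoPlay\updater.exe
ts=2025-09-01T10:00:06Z type=task_create host=WS01 path=C:\Users\jdoe\AppData\Local\Microsoft\MigAutoPlay\updater.exe
ts=2025-09-01T10:01:00Z type=file_create host=WS02 path=C:\ProgramData\Vendor\app.dll
"""


def parse_event(line: str) -> dict:
    """Split one 'k=v k=v ...' line into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def analyze(log_text: str) -> list:
    """Return one finding per event that matches either indicator pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("type", "")
        if kind == "dns" and C2_DOMAIN_RE.match(ev.get("query", "")):
            findings.append({"host": ev["host"], "rule": "c2_domain_pattern", "value": ev["query"]})
        elif kind in ("file_create", "task_create") and PERSIST_DIR_RE.search(ev.get("path", "")):
            findings.append({"host": ev["host"], "rule": f"migautoplay_{kind}", "value": ev["path"]})
    return findings


def hosts_with_both(findings: list) -> set:
    """Hosts showing both the C2 naming pattern and the persistence path: escalate first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"].startswith("migautoplay"))
    return {h for h, flags in by_host.items() if flags == {True, False}}


if __name__ == "__main__":
    found = analyze(CONSTRUCTED_LOG)
    for f in found:
        print(f["host"], f["rule"], f["value"])
    print("escalate:", sorted(hosts_with_both(found)))
```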
Read more: https://blog.polyswarm.io/nimbus-manticores-evolving-cyberespionage-campaign