In a concerning development, Iranian state-backed hackers have expanded their operations into the American aviation sector amid ongoing tensions related to the US-Iran military conflict. The group, known as Nimbus Manticore or UNC1549, has conducted three waves of cyber activities between February and April 2026, coinciding with the US military's Operation Epic Fury, which commenced on February 28.
For the first time, the attackers employed search engine poisoning alongside their usual career-themed phishing tactics. In April, they shifted from fake job offers to a counterfeit download page mimicking Oracle's SQL Developer tool, manipulating search keywords to enhance the bogus site's visibility on platforms like Bing and DuckDuckGo. This innovative approach marks a significant evolution in their strategy.
The campaign also introduced a new backdoor called MiniFast, replacing the previously used MiniJunk family. This 64-bit Windows DLL functions as a sophisticated implant, capable of communicating with its command-and-control server while masquerading as legitimate traffic. Check Point Research noted that the coding and design of both the backdoor and its loaders exhibit signs of AI-assisted development, indicating an advanced level of technical proficiency.