Nimbus Manticore Returns With MiniFast, an AI-Assisted Backdoor Hitting Aviation and Aerospace

Nimbus Manticore — the Iran-nexus APT The CyberSignal covered as Screening Serpens — has returned with a new backdoor codenamed MiniFast that Check Point Research assesses was developed with AI assistance, and a target set that now spans aviation, aerospace, defense, software, and telecom.

[Image: line-art wireframe airplane silhouette above a stylized software installer window with a small download arrow]

Key Takeaways

  • Check Point Research disclosed on May 26, 2026 that Nimbus Manticore — the Iran-nexus APT also tracked as Screening Serpens and UNC1549 — ran a three-wave campaign from February through April 2026 that accelerated rather than paused during the joint US-Israeli military operation against Iran.
  • The campaign introduces MiniFast (aka MiniUpdate), a 64-bit Windows DLL backdoor that Check Point assesses was developed with AI assistance, alongside SEO-poisoned fake SQL Developer downloads and a trojanized Zoom installer that uses AppDomain hijacking to load the implant.
  • Organizations in aviation, aerospace, defense, software, and telecom across the US, Europe, and the Middle East should hunt for AppDomain-hijacking artifacts, restrict developer-tool installers to vendor-direct downloads, and treat regional military escalation as a leading indicator of Iranian cyber tempo.

Iran's geopolitical pressure did not slow Nimbus Manticore — it accelerated the group, and the toolkit the group came back with is, by Check Point's assessment, visibly AI-assisted.

TEL AVIV — On May 26, 2026, Check Point Research published "Fast and Furious — Nimbus Manticore Operations During the Iranian Conflict," documenting a three-wave campaign by Nimbus Manticore — the Iran-nexus APT The CyberSignal covered last week as Screening Serpens, and also tracked as UNC1549 — that ran from February through April 2026.

The campaign accelerated through the late-February joint US-Israeli military operation against Iran rather than going quiet, and it brought new tradecraft: a backdoor codenamed MiniFast (aka MiniUpdate) that Check Point assesses was developed with AI assistance, an SEO-poisoned fake SQL Developer download page, and a trojanized Zoom installer — all aimed at aviation, aerospace, defense, software, and telecommunications targets across the United States, Europe, and the Middle East.

Campaign Overview

Threat Actor: Nimbus Manticore — Iran-nexus APT also tracked as Screening Serpens and UNC1549; described as IRGC-linked per Industrial Cyber
Disclosure: Check Point Research, "Fast and Furious — Nimbus Manticore Operations During the Iranian Conflict," May 26, 2026
Time Window: Three waves from February through April 2026, accelerating through the late-February US-Israeli military operation against Iran
Sectors: Aviation, aerospace, defense, software, telecommunications
Geographies: United States, Europe, Middle East
New Tradecraft: MiniFast (aka MiniUpdate) backdoor; SEO-poisoned fake SQL Developer download page; trojanized Zoom installer (March wave); AppDomain hijacking to load MiniFast
AI-Assistance Assessment: Check Point assesses MiniFast was developed with AI assistance — hedged as an assessment, not a flat finding
Coverage Anchors: Check Point Research (primary); The Hacker News, SecurityWeek, Infosecurity Magazine, Industrial Cyber, GBHackers (reporting)

What Happened

Check Point Research published "Fast and Furious — Nimbus Manticore Operations During the Iranian Conflict" on May 26, 2026, documenting three waves of activity by the Iran-nexus group across February, March, and April 2026. The most consequential observation in the disclosure is not any single artifact but the operational tempo: the campaign accelerated, rather than paused, through the joint US-Israeli military operation against Iran in late February. The intuitive expectation that a state-aligned cyber unit would go quiet under direct military pressure did not hold here, and that is itself the strategic finding.

On the tooling side, Check Point documented a new backdoor codenamed MiniFast — also tracked as MiniUpdate — alongside the AppDomain-hijacking technique The CyberSignal covered last week in the Screening Serpens piece. MiniFast is a 64-bit Windows DLL that functions as a full-featured implant: shell execution, file transfer, process control, and scheduled-task persistence, with command-and-control traffic carried over JSON disguised as Chrome browser traffic. Check Point's assessment, preserved here as an assessment rather than a flat finding, is that MiniFast was developed with the assistance of artificial intelligence. The campaign's delivery vectors included an SEO-poisoned fake SQL Developer download page that served a weaponized installer, and — in the March wave — a trojanized Zoom installer that used AppDomain hijacking to load MiniFast onto victim machines.

An Explicit Extension of the Screening Serpens Coverage

This brief is an explicit extension of the Screening Serpens piece The CyberSignal published on May 22, which documented Nimbus Manticore's use of AppDomain hijacking to disable the defenses of legitimate .NET applications and load remote-access tooling. The Screening Serpens, Nimbus Manticore, and UNC1549 labels all point to the same Iran-nexus group; Check Point's new disclosure layers on top of that prior work rather than replacing it. The AppDomain-hijacking technique is unchanged and shows up again in the March 2026 trojanized Zoom installer. What is new is the rest of the kit: MiniFast as a fresh backdoor, the SEO-poisoning delivery vector, and the expanded sector list. Readers who tracked the earlier piece should treat this as the same actor, returning with a refreshed toolset and a wider target aperture.

MiniFast and the AI-Assisted Malware Pattern

Check Point's assessment that MiniFast was developed with AI assistance is the disclosure's most forward-looking line, and the one most easily overstated. The hedge matters: Check Point assesses, on the basis of its analysis, that AI tooling was used during development — that is an assessment, not a confession from the operator, and Check Point's published methodology does not detail the exact forensic basis. Preserve the hedge. What is worth saying, however, is that MiniFast does not arrive in a vacuum. It joins Kimsuky's PebbleDash, which The CyberSignal covered as the first documented LLM-developed malware family in the defense sector, as the second documented state-aligned case in this cluster. The "AI-built malware" thesis that was mostly intellectual through early 2026 is now an operational pattern on at least two adversary sides. Read that alongside Google GTIG's reporting of the first AI-developed zero-day used in mass exploitation and Germany's public warning about Chinese AI-augmented superhacker tooling tied to Project Glasswing and Mythos, and the through-line is hard to miss: AI assistance is now a documented input to the offensive supply chain.

Geopolitical Tempo: The Conflict Accelerated, Not Slowed, Operations

The single strategic input from this disclosure is the timing. Cyber activity by an Iran-nexus group rose, not fell, during the joint US-Israeli military operation against Iran in late February 2026. That inverts the intuitive read — that direct military pressure would push a state cyber unit toward silence — and it lines up with the broader threat picture the UK's NCSC chief named when he identified Iran, Russia, and China as the primary drivers of UK cyber threats. It also fits the longer Iranian operational pattern The CyberSignal has tracked through 2026, alongside MuddyWater's Chaos-ransomware false-flag campaign against Microsoft Teams users and Symantec's FAST16 reconstruction of pre-Stuxnet nuclear-simulation sabotage work tied to the same broader region of activity. The defender implication is concrete: future regional escalations involving Iran should be treated as a leading indicator of Iranian cyber tempo, not a quieting one.

MiniFast — Technical Profile

Backdoor Name: MiniFast (aka MiniUpdate)
File Type: 64-bit Windows DLL
Loader Technique: AppDomain hijacking — the same .NET-defense-disabling technique documented in the Screening Serpens disclosure
Capabilities: Shell execution, file transfer, process control, scheduled-task persistence
C2 Channel: JSON over HTTPS, disguised as Chrome browser traffic
Delivery — SEO Poisoning: Fake SQL Developer download page surfaced in search results, serving a weaponized installer
Delivery — Trojanized Installer: Trojanized Zoom installer observed in the March 2026 wave, using AppDomain hijacking to load MiniFast
Development Assessment: Check Point assesses MiniFast was developed with AI assistance — preserved here as an assessment, not a flat finding

Scope and Impact

Organizations in the documented target sectors — aviation, aerospace, defense, software, and telecommunications, across the US, Europe, and the Middle East — should treat Nimbus Manticore as an active threat, not a historical one. The campaign's three-wave shape from February through April 2026 means the group's tempo has been sustained for the full quarter; nothing in the disclosure suggests it has stopped. The lure surface that Check Point documented is concretely actionable for awareness work: brief recruiting, business-development, and engineering staff on fake job requisitions, spoofed conference invitations, fake software-download pages for developer tools (SQL Developer being the named example), and trojanized common-application installers (Zoom being the named example).

Several specifics are deliberately not in this account because Check Point's disclosure does not confirm them. The specific named victims, the number of organizations actually compromised, whether MiniFast has been observed exfiltrating data successfully and what data, and the precise forensic basis for the AI-assisted-development assessment are not public. Whether US, EU, or Israeli government cyber agencies have published parallel advisories is also not confirmed. The relationship between Nimbus Manticore and other named Iranian APTs — MuddyWater and others — is not formally specified beyond the shared regional sponsorship implied by the Iran-nexus framing.

The Iran-nexus framing is the safer attribution language for this article and the one used throughout. Industrial Cyber's coverage describes the group as IRGC-linked; that is one outlet's framing, preserved here as Industrial Cyber's characterization rather than asserted as fact. The labels Nimbus Manticore, Screening Serpens, and UNC1549 all point to the same actor and should be consolidated in threat-intelligence tracking — duplicating tickets under the three names is a common hygiene failure that this disclosure makes a good moment to fix.

Response and Attribution

For SOC and detection teams, the immediate hunt scope is AppDomain hijacking and MiniFast: anomalous .config modifications on legitimate .NET applications, unsigned AppDomainManager assemblies loaded by trusted processes, 64-bit Windows DLLs producing JSON-over-HTTPS traffic that mimics Chrome from processes that are not Chrome, and outbound connections from non-browser processes that look like browser sessions. Baseline which processes legitimately produce Chrome-shaped traffic in your environment; MiniFast's C2 disguise is detectable precisely because the baseline is short. Add SEO-poisoning to the phishing-detection scope — consider DNS-layer blocks on freshly registered domains that impersonate well-known developer tools, and restrict installer downloads to vendor-direct sources at the gateway and proxy layer.
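Two of the hunt items above can be expressed as simple triage logic. The following is an added example written for this brief, not code from Check Point or The CyberSignal: it checks a .NET application .config for AppDomainManager redirection (the documented hijacking artifact) and flags Chrome-shaped User-Agent strings sent by processes outside a browser baseline. The config samples, the assembly name "Updater", the log lines and the baseline set are all constructed assumptions; tune the baseline to your own environment.

```python
"""Hunt helpers for AppDomain-hijacking and Chrome-impersonating C2 indicators.
Added example; the .config text and proxy-log lines below are constructed samples."""
import xml.etree.ElementTree as ET

# Constructed samples: a benign app.config and one that redirects the AppDomainManager.
BENIGN_CONFIG = """<configuration>
  <runtime><gcServer enabled="true"/></runtime>
</configuration>"""

HIJACKED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Updater.Manager"/>
  </runtime>
</configuration>"""


def appdomain_manager_settings(config_xml: str) -> dict:
    """Return any AppDomainManager redirection declared under <runtime> in a .NET .config.
    An empty dict means the application does not override its AppDomainManager."""
    root = ET.fromstring(config_xml)
    found = {}
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        node = root.find(f"./runtime/{tag}")
        if node is not None:
            found[tag] = node.get("value", "")
    return found


# Processes expected to emit Chrome-shaped User-Agent strings (constructed baseline).
BROWSER_BASELINE = {"chrome.exe", "msedge.exe"}


def flag_chrome_impersonation(log_lines, baseline=BROWSER_BASELINE):
    """Flag proxy-log lines where a non-browser process sends a Chrome User-Agent.
    Each constructed line has the shape 'process<TAB>destination<TAB>user_agent'."""
    hits = []
    for line in log_lines:
        process, dest, user_agent = line.rstrip("\n").split("\t", 2)
        if "Chrome/" in user_agent and process.lower() not in baseline:
            hits.append((process, dest))
    return hits


# Constructed proxy-log sample: one browser, one non-browser process mimicking Chrome, one unrelated.
SAMPLE_LOG = [
    "chrome.exe\tupdate.googleapis.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
    "Zoom.exe\t203.0.113.45\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
    "outlook.exe\toutlook.office365.com\tMicrosoft Office/16.0",
]
```

Run `appdomain_manager_settings` over every `*.exe.config` beside a trusted .NET binary and review any non-empty result; a hit from `flag_chrome_impersonation` is a candidate for the JSON-over-HTTPS C2 disguise described above.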

For asset-management and IT teams, the trojanized Zoom installer is the concrete fleet-wide check: verify Zoom installer integrity across managed devices and confirm installer hashes against Zoom's published versions. The same posture should be applied to any commonly downloaded developer tool — SQL Developer is the named lure in this campaign, but the technique generalizes. The SEO-poisoning vector means the attacker can appear in legitimate search results for legitimate tool names; downloads should be restricted to vendor-direct URLs rather than search-driven discovery.

On attribution, the discipline is to hold the line on what Check Point actually said. Iran-nexus is the supportable formulation; the IRGC-linked language belongs to Industrial Cyber's framing, not to Check Point's primary report, and should be quoted with attribution if used. The AI-assisted-development line is an assessment, not a flat finding; preserve "Check Point assesses" or "Check Point's assessment" on every reference. For CISOs, the strategic input is that AI-assisted state malware development is now a documented pattern rather than a single-case curiosity — MiniFast joining Kimsuky's PebbleDash makes that point, and the Project Glasswing / Mythos cluster that Germany publicly warned about reinforces it. The operational risk model now has to assume that malware-development velocity is a function of available compute and model access rather than headcount.


The CyberSignal Analysis

Signal 01 — The AI-Assisted Malware Pattern Is Now Operational on Two State Sides

MiniFast is the second documented state-aligned case in The CyberSignal's cluster — Kimsuky's PebbleDash was the first — and that changes the shape of the AI-developed-malware conversation. A single observation is a curiosity; a second from a different state is a pattern. Check Point's assessment is hedged and should stay hedged, but the implication for forward forecasting is real: if the assessment holds, and if it replicates again, then malware-development velocity becomes a function of available compute and model access rather than the size of an offensive engineering team. That re-prices the threat. A small unit with access to capable models can field tooling that previously required a much larger payroll, and the cycle from idea to working implant compresses. Defenders should plan, at the level of capability assumptions, for adversaries whose tooling cadence is no longer rate-limited by headcount.

Signal 02 — Geopolitical Pressure Is a Tempo Multiplier, Not a Damper

The intuitive reading of late-February 2026 — that a joint US-Israeli military operation would push Iranian cyber units toward silence — did not survive contact with the evidence. Nimbus Manticore's tempo rose through the operation and stayed elevated into April. That is the strategic input most worth carrying out of this disclosure. The implication for security leaders is that future regional escalations involving Iran are leading indicators of cyber tempo, not quieting events, and the same logic likely generalizes to other state actors whose cyber programs are integrated with their broader national posture. Sector-specific exposure increases when geopolitical pressure rises; planning otherwise is planning against the data.

Signal 03 — The Same Actor, a Refreshed Kit, a Wider Aperture

The most useful framing for the operational defender is the simplest one: this is the same actor The CyberSignal covered as Screening Serpens, returning with a refreshed kit and a wider target aperture. The AppDomain-hijacking technique that defined the prior coverage is still present and still relevant, but the kit now includes MiniFast as a new backdoor, SEO poisoning as a delivery vector, and a trojanized Zoom installer that pulls a high-volume consumer-grade application into the lure surface. The sector list has widened from a defense-sector lean to include aviation, aerospace, software, and telecom across three regions. Consolidate Nimbus Manticore, Screening Serpens, and UNC1549 in your threat-intel tracking under a single watchlist, and treat the May 22 coverage and this May 26 disclosure as two halves of the same threat picture rather than separate stories.


Sources

Primary: Check Point Research — Fast and Furious: Nimbus Manticore Operations During the Iranian Conflict
Reporting: The Hacker News — Iranian Hackers Deploy MiniFast and Expand Aviation Targeting
Reporting: SecurityWeek — Iranian APT Targets Aviation, Software Companies With Updated Tools
Reporting: Infosecurity Magazine — Iranian Hackers Target US Aviation Sector
Reporting: Industrial Cyber — IRGC-Linked Nimbus Manticore Group Attacks Defense, Aerospace, Telecom Sectors With MiniFast Toolkit
Reporting: GBHackers — Iranian APT Uses SEO Poisoning to Deliver Malicious Installers