Iranian Hackers Target US Aviation with New Malware and SEO Poisoning

Iranian Hackers Target US Aviation with New Malware and SEO Poisoning

First seen 26 May 2026, 09:35 UTC OodaloopSecurityaffairs.CoInfosecurity-MagazineIndustrialcyber.CoEplaneai+1 80% similarity 77.9

Article Content

Browse articles
ThreatCluster

Iranian state-aligned hackers, known as Nimbus Manticore (UNC1549), have intensified cyberattacks against the US aviation sector amid the ongoing US-Iran military conflict. Utilizing career-themed phishing and a novel method of SEO poisoning, the group has successfully deployed a new backdoor named MiniFast, which replaces the previously used MiniJunk framework. The campaign, which began in February 2026, coincided with Operation Epic Fury, and involved impersonating legitimate software providers to distribute malicious downloads. Attack vectors included fake Zoom installers and AppDomain hijacking techniques. The group’s operations have been characterized by AI-assisted malware development, allowing for rapid adaptation and deployment of new tools. The attacks have targeted organizations across the US, Europe, and the Middle East, raising concerns about the security of critical infrastructure in the aviation sector. Check Point Research has documented multiple waves of activity, with the most significant changes occurring in April 2026.

Key Points: • Nimbus Manticore has launched targeted cyberattacks against the US aviation sector. • The group has introduced a new backdoor, MiniFast, and utilized SEO poisoning techniques. • AI-assisted malware development has enabled rapid adaptation of attack methods.

ThreatCluster AI

Timeline

2026-02-28
Operation Epic Fury launched
The US military initiated Operation Epic Fury against Iran, coinciding with increased cyber activity from Iranian hackers.
Infosecurity-Magazine
2026-03-01
Nimbus Manticore phishing campaign begins
The group initiated a series of phishing attacks targeting the aviation sector, using career-themed lures.
Oodaloop
2026-04-01
Introduction of SEO poisoning
Nimbus Manticore shifted tactics to include SEO poisoning, creating counterfeit download pages for malicious software.
Infosecurity-Magazine
2026-05-25
Check Point Research reports on new techniques
Check Point published findings on Nimbus Manticore's use of AI-assisted malware and AppDomain hijacking.
Oodaloop
2026-05-26
MiniFast backdoor identified
The new MiniFast backdoor was documented, showcasing advanced capabilities and AI-assisted development.
Infosecurity-Magazine

Community

Browse all →