Oodaloop
Iranian Hackers Target US Aviation with New Malware and SEO Poisoning
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Iranian state-aligned hackers, known as Nimbus Manticore (UNC1549), have intensified cyberattacks against the US aviation sector amid the ongoing US-Iran military conflict. Utilizing career-themed phishing and a novel method of SEO poisoning, the group has successfully deployed a new backdoor named MiniFast, which replaces the previously used MiniJunk framework. The campaign, which began in February 2026, coincided with Operation Epic Fury, and involved impersonating legitimate software providers to distribute malicious downloads. Attack vectors included fake Zoom installers and AppDomain hijacking techniques. The group’s operations have been characterized by AI-assisted malware development, allowing for rapid adaptation and deployment of new tools. The attacks have targeted organizations across the US, Europe, and the Middle East, raising concerns about the security of critical infrastructure in the aviation sector. Check Point Research has documented multiple waves of activity, with the most significant changes occurring in April 2026.
Key Points: • Nimbus Manticore has launched targeted cyberattacks against the US aviation sector. • The group has introduced a new backdoor, MiniFast, and utilized SEO poisoning techniques. • AI-assisted malware development has enabled rapid adaptation of attack methods.