Nimbus Manticore APT Targets Aerospace Sector with Fake Job Schemes
Severity: High (Score: 72.5)
Sources: Gbhackers, Cybersecuritynews
Keywords: nimbus, manticore, fake, custom, malware, group, recruitment
Severity indicators: apt, malware
Summary
The Iranian-aligned threat group Nimbus Manticore has launched a cyber campaign targeting aerospace and defense organizations. This operation utilizes a fake recruitment portal to distribute custom malware via a sophisticated sideloading technique. The group, also known as UNC1549 and Smoke Sandstorm, has a history of targeting professionals in the aerospace and defense sectors, particularly across the Middle East and Europe. The attack leverages social engineering tactics to deceive victims into executing malware. Specific details about the malware's capabilities and the exact number of affected organizations have not been disclosed. The campaign is ongoing, and organizations in the targeted sectors are advised to remain vigilant against such deceptive tactics.
Key Points:
- Nimbus Manticore uses fake job offers to deliver custom malware to aerospace firms.
- The group is linked to Iran and has a history of targeting defense sectors in the Middle East and Europe.
- The attack employs sophisticated sideloading techniques and social engineering.
Detailed Analysis
**Impact**
The campaign targets aerospace and defense organizations primarily across the Middle East and Europe. Professionals in these sectors are the main victims, with potential exposure of sensitive corporate and defense-related information. The scope of damage includes unauthorized access and possible data exfiltration via custom malware delivered through fake job recruitment schemes.

**Technical Details**
The attack vector involves a deceptive recruitment workflow using a fake recruitment portal to deliver custom malware via a sophisticated sideloading chain. The threat actor is identified as Nimbus Manticore (UNC1549/Smoke Sandstorm), known for social engineering and stealthy execution techniques. No specific CVEs, malware names, or infrastructure details were disclosed in the articles.

**Recommended Response**
Defenders should monitor for suspicious recruitment-related communications and verify the legitimacy of job portals and offers. Deploy detections for sideloading behaviors and custom malware signatures associated with this actor if available. Enhance user awareness training on social engineering risks and restrict execution of unauthorized software. No patch or specific IOC details were provided to inform immediate blocking actions.
Source articles (2)
- Nimbus Manticore APT Uses Fake Jobs to Deliver Custom Malware — Gbhackers · 2026-06-02
A newly observed cyber campaign linked to the Iran-aligned threat group Nimbus Manticore (also tracked as UNC1549 and Smoke Sandstorm) is targeting aerospace and defense organizations using a deceptiv…
- Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware — Cybersecuritynews · 2026-06-02
A state-linked hacking group has been caught running a carefully crafted fake recruitment operation to push custom malware onto unsuspecting victims. The group, known as Nimbus Manticore and also trac…
Timeline
- 2026-06-02 — Nimbus Manticore cyber campaign identified: The group is using a fake recruitment portal to deliver malware to aerospace and defense organizations.
- 2026-06-02 — Fake recruitment operation reported: Nimbus Manticore's operation targets professionals in the aerospace sector, leveraging social engineering tactics.
Related entities
- Nimbus Manticore (APT Group)
- Smoke Sandstorm (APT Group)
- UNC1549 (APT Group)
- Malware (Attack Type)
- Iran (Country)
- Aerospace (Industry)
- Defense (Industry)
- T1574 - Hijack Execution Flow (MITRE ATT&CK)