IRGC-Linked Nimbus Manticore Targets Saudi Arabia and UAE Aviation Sector with AI-Built MiniFast Backdoor
Iran's IRGC-linked Nimbus Manticore has launched three espionage campaigns since February 2026. It deploys an AI-assisted backdoor, MiniFast, against aviation and software employees in the US, Saudi Arabia, and the UAE via fake job offers, trojanized Zoom installers, and SEO poisoning.

Aviation control tower at a Gulf airport at dusk with a digital phishing and backdoor overlay representing the Nimbus Manticore IRGC cyber espionage campaign
Iran's Islamic Revolutionary Guard Corps-affiliated threat actor Nimbus Manticore, also tracked as Screening Serpens and UNC1549, has significantly accelerated its espionage operations since the joint US-Israeli military campaign against Iran in late February 2026. In the three months that followed, the group executed three successive and structurally distinct attack waves against aviation, software, and energy sector targets in Saudi Arabia, the UAE, the United States, Israel, and Europe. Two new malware families were deployed and an entirely new delivery technique was introduced, with no operational pause between campaigns.
The findings were published simultaneously by Check Point Research and Palo Alto Networks Unit 42, providing dual-source confirmation of both the campaign scope and the actor's development pace. The disclosure represents one of the most detailed publicly available pictures of an Iranian state-sponsored threat actor operating at sustained speed during an active geopolitical conflict. For broader context on how geopolitical pressure is reshaping the GCC threat landscape in 2026, the pattern is consistent with a broader regional escalation that security teams across the Gulf must factor into their defensive posture.
Who Is Nimbus Manticore
Nimbus Manticore has been active since at least 2022, with a well-documented history of targeting defence, aviation, and telecommunications organisations across the Middle East, the United States, and Europe. The group is affiliated with Iran's Islamic Revolutionary Guard Corps and has previously been linked to campaigns targeting Israeli shipping companies, US aerospace and defence contractors, and Gulf-based telecommunications operators.
The group's signature approach has historically centred on career-themed phishing. Fake job offers crafted to appeal to professionals in defence, engineering, and aviation have been the primary lure, a technique that mirrors the North Korean Lazarus Group's playbook. What makes the February to April 2026 campaign cycle significant is the speed with which the group ran three operationally distinct campaigns in parallel, each with a different delivery mechanism and a different target profile. This level of operational parallelism aligns with what MENA Cyber Wire has previously documented as a broader pattern of state-linked actors accelerating activity in response to regional conflict.
Wave One: AppDomain Hijacking via Fake Job Offers
The first campaign, observed before the onset of the US-Israeli military action in February 2026, targeted employees at software and aviation companies in Saudi Arabia and Australia using bogus career opportunities. Victims received phishing communications directing them to download a ZIP archive hosted on OnlyOffice, a legitimate collaboration platform chosen deliberately to reduce the perceived risk of the download.
Inside the archive was a benign-looking executable alongside supporting documents. Opening the executable triggered a technique known as AppDomain hijacking, which abuses the .NET Common Language Runtime to load a rogue DLL into memory by exploiting the way .NET applications search for configuration assemblies. In this case, the rogue DLL was MiniJunk, loaded entirely in memory without writing additional files to disk, reducing the forensic footprint of the intrusion significantly.
AppDomain hijacking bypasses many application whitelisting controls because the malicious code executes within the context of a legitimate, trusted process. For organisations whose endpoint detection relies primarily on file-based scanning rather than behavioural analysis of process memory, it is highly effective and difficult to detect without purpose-built telemetry. As AI-assisted vulnerability detection tools continue to mature, the expectation is that behavioural anomaly detection will become the baseline standard rather than the exception.
Wave Two: MiniFast Arrives via Trojanised Zoom
The second campaign, observed in March 2026, retained the broad structure of career-themed phishing but introduced two significant changes. The delivery mechanism shifted to a trojanised Zoom installer, consistent with fake meeting invitation lures, and the final payload was no longer MiniJunk but a brand-new backdoor: MiniFast, also tracked by Unit 42 as MiniUpdate.
The use of a weaponised Zoom installer is operationally deliberate. Zoom has become embedded in enterprise workflows to the same degree as email. Employees receive installation prompts, version update notifications, and meeting invitations with download links on a daily basis. The implicit trust that professionals extend to Zoom-related downloads is high, making it an effective social engineering vehicle that requires minimal pressure or explanation to succeed. The email and communication channel threat remains the dominant entry point for GCC cyberattacks, and trojanised collaboration tools extend that problem beyond the inbox.
Once the trojanised installer executes, it again leverages AppDomain hijacking to load MiniFast into memory. Check Point researchers identified several characteristics in MiniFast's code structure that are strongly consistent with AI-assisted development. These include excessive and systematic error handling throughout functions where it is not operationally necessary, repetitive and highly descriptive function naming conventions unusual in manually written malware, detailed debug-style status messages embedded in production code, and modular code organisation disproportionate to the malware's overall functional complexity. Taken together, these patterns suggest the malware was developed at least in part using a large language model as a coding assistant. AI is already demonstrably accelerating threat actor capabilities in ways that compress development timelines and lower the expertise threshold for producing functional, sophisticated malware.
MiniFast: Full Capability Breakdown
MiniFast is a fully featured remote access trojan designed for long-term persistence and comprehensive remote control of compromised endpoints. Its command set covers the full range of post-exploitation requirements.
File operations include reading, writing, moving, and deleting files across the local filesystem. Directory listing allows operators to enumerate folder structures and identify files of interest for exfiltration. Process enumeration provides a complete view of running processes, enabling the operator to identify security tools, monitoring agents, and competing implants. Command execution is supported via cmd.exe, giving operators the ability to run arbitrary shell commands within the victim environment. Process termination by PID allows the operator to kill processes, including security software, without interacting with the filesystem directly.
DLL loading enables the deployment of additional capability modules without dropping new executables to disk. ZIP archive creation supports the packaging of targeted files prior to exfiltration. Persistence is established through scheduled tasks, ensuring MiniFast survives reboots without requiring a separate persistence mechanism. Privilege escalation is supported via the Windows runas command.
Communication with command-and-control infrastructure occurs over HTTP. The backdoor beacons basic system information to the operator before entering its main tasking loop. Critically, MiniFast supports remote adjustment of its polling interval and jitter values. This allows operators to reduce the regularity of network communications and evade detection systems that look for periodic and predictable beaconing patterns. The Middle East telecom C2 infrastructure landscape has already been documented as heavily compromised for exactly this type of covert command-and-control traffic.
Wave Three: SEO Poisoning Marks a Tactical Departure
The third campaign wave, observed in April 2026, represented a complete departure from career-themed phishing and marks a significant expansion of the group's delivery repertoire. Rather than targeting specific individuals with tailored lures, Nimbus Manticore built a fake download page impersonating the official Oracle SQL Developer tool, a widely used database management client installed by developers, database administrators, and data engineers across the enterprise sector.
The group then manipulated Bing and DuckDuckGo search rankings through SEO poisoning, registering dozens of domains linking to the fraudulent page to artificially inflate its search visibility through link-based reputation signals. Developers searching for SQL Developer on those search engines were presented with the fraudulent site in prominent positions. Visitors who proceeded to download the software received a trojanised installer that silently deployed MiniFast.
Check Point confirmed this is the first documented instance of Nimbus Manticore using SEO poisoning as a primary delivery vector. The tactical significance is considerable. Career phishing requires identifying and targeting specific individuals, which is operationally intensive. SEO poisoning is passive. The attacker builds the trap and waits for victims to walk into it through their own search behaviour, with no direct targeting required. The pool of potential victims is broader, the operational overhead is lower, and the technique is harder to attribute in real time because there is no initial phishing email to report. This approach mirrors tactics seen in supply chain attacks targeting developer ecosystems, where legitimate-looking downloads have become a primary infection vector.
Unit 42 Findings: Five Countries, Energy Sector Added
Palo Alto Networks Unit 42's parallel investigation confirmed that MiniFast and MiniJunk V2 were deployed against targets across up to five countries, including the United States, Israel, the UAE, and other Middle Eastern nations. Among the confirmed targets was a US oil and gas firm, a significant expansion of the group's traditional aviation and defence focus into the energy sector.
Unit 42 described the campaign's social engineering as deeply personalised, with fake job requisitions and spoofed video conferencing meeting invitations crafted to mirror the specific professional context of each target. "The group has increased its operations since the regional conflict that started in February 2026, deploying two families of RAT variants across entities in up to five different countries," Unit 42 researchers stated.
The GCC Threat Context
Sergey Shykevich, threat intelligence group manager at Check Point Research, described the operational tempo as exceptional. "They built and deployed a brand-new backdoor mid-conflict while operations were actively underway. We also tracked a third campaign wave using a completely different playbook. They built a fake SQL Developer download page and pushed it to the top of Bing and DuckDuckGo. No spearphishing, no fake job offer, just waiting for a developer to search for common software. And when you map all three waves together, February through April, there was no pause. The conflict did not slow them down. It actually accelerated them."
This pattern is not isolated. Iranian-linked actors have a well-documented track record of targeting GCC organisations specifically. MuddyWater previously breached an Oman Ministry and a UAE port using Microsoft Teams as a delivery mechanism in a false flag operation, and Iran-linked hackers have been suspected in US critical infrastructure attacks targeting fuel monitoring systems. For security teams across the GCC and MENA region, Nimbus Manticore represents an active, escalating, and technically sophisticated threat.
Recommended Actions for GCC Security Teams
Security teams across the region should take the following steps as an immediate priority.
First, audit environments for evidence of AppDomain hijacking activity, specifically unusual DLL loading events within .NET application processes, particularly those associated with productivity and collaboration software. Second, review all instances of Zoom, Oracle SQL Developer, or other common enterprise software installed or updated in the past 90 days and verify the integrity of those installers against official vendor checksums.
Third, inspect scheduled tasks across managed endpoints for entries created by non-administrative user accounts or referencing unusual executable paths, a common persistence indicator for MiniFast. Fourth, review outbound HTTP traffic logs for periodic beaconing patterns to previously unseen external infrastructure, particularly from endpoints in aviation, software development, or energy business units. Finally, treat any career opportunity email arriving from an external sender as a potential phishing lure until verified, particularly those referencing aviation roles, engineering positions, or meeting invitations from unfamiliar contacts.
The Middle East cyber risk and operational resilience guidance published earlier this month outlines the broader defensive posture that GCC organisations should have in place to respond to exactly this category of threat.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.