Iran-Linked Hackers Target Europe With New Malware

Summary

Check Point Software warns that an Iran-linked cyber-espionage group tracked as “Nimbus Manticore” (overlapping with UNC1549/Smoke Sandstorm) has broadened operations into Western Europe. The campaign targets defence manufacturing, telecommunications and aviation firms in Denmark, Portugal and Sweden using updated implants: MiniJunk, a persistent, heavily obfuscated backdoor, and MiniBrowse, a browser credential stealer. Both are built with compiler-level obfuscation and shipped as code-signed binaries to evade detection.

Key Points

  • Nimbus Manticore is deploying upgraded malware (MiniJunk and MiniBrowse) against organisations in Denmark, Portugal and Sweden.
  • MiniJunk offers persistent access, file upload/download, process execution, payload loading and data exfiltration and communicates with multiple HTTPS C2 servers.
  • Both tools use compiler-level obfuscation, junk code, control-flow tricks and encrypted strings to hinder static analysis and detection.
  • Attackers have been digitally signing malware with SSL.com-issued certificates whose subjects impersonate legitimate European IT organisations, so the binaries pass a naive “is it signed?” check.
  • Intrusions begin with highly tailored spear-phishing recruiter lures and fake job portals (Airbus, Boeing, Flydubai and Rheinmetall themes), followed by multi-stage DLL sideloading to install the implants.
  • Check Point provides indicators of compromise (IOCs) for defenders to hunt and remediate infections.

Content Summary

Researchers observed Nimbus Manticore expanding beyond the Middle East to target critical infrastructure and defence-related companies in Western Europe. The group employs a refined toolkit. MiniJunk, an evolution of the earlier MiniBike backdoor, is heavily obfuscated and introduces new DLL and file loading techniques; MiniBrowse is a lightweight credential stealer for Chrome and Edge. Each malware generation shows incremental improvements, indicating active development and steadily stronger evasion.

Attack chains rely on convincing spear-phishing recruitment messages that direct victims to unique, fraudulent job pages. Victims who log in download a ZIP that looks harmless but whose contents start a multi-stage DLL sideloading chain that deploys the implants. The actor also spreads communications across multiple HTTPS C2 servers and ships digitally signed binaries, both of which make detection and attribution harder.
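Two of the behaviours above, a trusted executable loading a DLL that sits beside it in a user-writable folder (the sideloading shape) and binaries signed with SSL.com-issued certificates for organisations you do not recognise, can be hunted in image-load telemetry without waiting for a hash match. The script below is an added example written for this page; it is not Check Point's or Dark Reading's code and contains none of the published IOCs. The event fields loosely follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature), but the issuer fields, the allowlist of expected signers, the list of user-writable directories and the sample events are all assumptions constructed for the demonstration.

```python
"""Hunt image-load telemetry for sideloading and suspicious signer patterns.

Added example for this page. Field names loosely follow Sysmon Event ID 7;
issuer fields, allowlists and sample events are constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories a standard user can write to. A signed EXE loading a DLL from
# next to itself in one of these is the classic sideloading shape.
# Illustrative list; extend it for your estate.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\users\\public\\",
                         "\\temp\\", "\\programdata\\")

# Signer organisations you expect to see on your hosts (assumed allowlist;
# build yours from software inventory, not from this example).
EXPECTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Contoso Software"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event. Signer/issuer are None when the file is unsigned."""
    image: str                      # process performing the load
    image_signer: Optional[str]     # signer subject of the process binary
    image_issuer: Optional[str]     # issuing CA of that certificate (assumed field)
    image_loaded: str               # DLL that was loaded
    dll_signer: Optional[str]
    dll_issuer: Optional[str]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host process loading a DLL that sits beside it in a user-writable
    directory and is unsigned or signed by a different party."""
    return (ev.image_signer is not None
            and is_user_writable(ev.image_loaded)
            and same_directory(ev.image, ev.image_loaded)
            and ev.dll_signer != ev.image_signer)


def signer_needs_review(signer: Optional[str], issuer: Optional[str]) -> bool:
    """Certificate issued by SSL.com to an organisation not on the allowlist.
    SSL.com issues many legitimate certificates, so this is a triage queue,
    not a verdict: pull the certificate and check the subject against the
    real company it claims to be."""
    return (issuer is not None
            and "ssl.com" in issuer.lower()
            and signer not in EXPECTED_SIGNERS)


def hunt(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (rule, path) hits for every event that matches a pattern."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if sideload_candidate(ev):
            hits.append(("sideload-candidate", ev.image_loaded))
        if signer_needs_review(ev.image_signer, ev.image_issuer):
            hits.append(("unexpected-sslcom-signer", ev.image))
        if signer_needs_review(ev.dll_signer, ev.dll_issuer):
            hits.append(("unexpected-sslcom-signer", ev.image_loaded))
    return hits


# Constructed sample telemetry (not real events; names are placeholders).
SAMPLE_EVENTS = [
    # 1. Legit-looking signed updater in Downloads loads an unsigned version.dll
    #    from its own folder: sideloading shape.
    ImageLoad(r"C:\Users\alice\Downloads\JobPortal\Update.exe", "Contoso Software",
              "Example Public CA",
              r"C:\Users\alice\Downloads\JobPortal\version.dll", None, None),
    # 2. Normal OS behaviour: svchost loading a Microsoft-signed system DLL.
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows",
              "Microsoft Windows Production PCA 2011",
              r"C:\Windows\System32\version.dll", "Microsoft Windows",
              "Microsoft Windows Production PCA 2011"),
    # 3. Both EXE and DLL signed by an unknown "IT services" org via SSL.com.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe", "Example IT Services",
              "SSL.com Code Signing CA",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Example IT Services",
              "SSL.com Code Signing CA"),
]

if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {path}")
```

Run it over an export of image-load events (Sysmon, or your EDR's equivalent) rather than the sample list; the signer rule deliberately fires on every unfamiliar SSL.com-signed file so the analyst decides, not the script, and the sideload rule will also surface legitimate portable apps, which is why the allowlist matters.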

Context and Relevance

Author’s take: This isn’t just another phishing wave. It’s a well-resourced, state-aligned campaign sharpening its toolset and moving into Europe. The combination of credible social engineering, compiler-level obfuscation and code-signing certificates obtained under the names of legitimate-looking organisations raises the bar for defenders.

The activity reflects a broader trend of state-associated Iranian groups targeting organisations outside the Middle East, especially in critical infrastructure, telecoms and aviation. For security teams in those sectors, the tactics here (recruiter lures, multi-stage DLL sideloading, signed malware and strong obfuscation) are red flags that require immediate attention and proactive hunting using the IOCs Check Point has published.

Why should I read this

If you look after security in aviation, telecoms, defence or any critical infrastructure in Europe — read this. The attackers are using very believable job lures, stealthy implants and signed binaries, so ordinary detection might miss them. It’s short, sharp and tells you what to check now.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/iran-linked-hackers-europe-new-malware
