Nimbus Manticore Delivers AI-Assisted Malware Through Trojanized Zoom Installers
2026-05-27 18:08 | MEDIUM | HIGH
Executive Summary (AI-generated)
Nimbus Manticore (also tracked as UNC1549), an Iranian threat actor affiliated with the Islamic Revolutionary Guard Corps (IRGC), has expanded its targeting beyond Israel and the UAE to aviation and software firms in the US. Check Point Research (CPR) reported on 27 May 2026 that the group was most active between February and April 2026, the period of military tension that followed the launch of Operation Epic Fury on 28 February 2026. In February the actor sent fake job offers hosted on OnlyOffice to workers in Saudi Arabia and Australia; the ZIP archive paired a signed Microsoft Setup.exe with a malicious Setup.exe.config (AppDomain hijacking) so that the trusted process loaded uevmonitor.dll and launched the MiniJunk malware. By March it had switched to fake Zoom meeting invites carrying Zoominstall64.zip, which runs a genuine Zoom installer (Zoom_cm.exe) as a decoy while InitInstall.dll deploys the MiniFast backdoor, and to SEO poisoning through getsqldeveloper[.]com, a fake download site for Oracle's SQL Developer. MiniFast shows clear signs of AI-assisted development, hijacks the legitimate Windows scheduled task ZoomUpdateTaskUser to stay resident, gives operators remote command execution through cmd.exe, and disguises its traffic behind a Google Chrome user agent. No Zoom vulnerability is involved: the risk comes from installers obtained from lures and unofficial sites.
Technical Mitigations (AI-generated)
* Obtain Zoom and other installers only from the vendor's own site and verify the Authenticode signature before running them. A Zoom package that arrives in a meeting invite, a job-offer ZIP or a search result (Zoominstall64.zip, getsqldeveloper[.]com) is exactly the lure this campaign uses.
* Treat a `<name>.exe.config` that ships beside a signed executable as hostile until proven otherwise: audit .config files for `<runtime>` AppDomainManager settings, and alert when a signed Microsoft binary loads an unsigned DLL from its own directory (the Setup.exe / uevmonitor.dll pattern behind MiniJunk).
* Audit scheduled tasks. Compare the action of vendor updater tasks such as ZoomUpdateTaskUser against the vendor's install path, and alert on tasks that launch cmd.exe or run a binary from a user-writable directory.
* Inspect outbound traffic for impersonation: a process other than a browser sending requests with a Google Chrome user agent is worth a look, since MiniFast hides its traffic that way.
* Apply the indicators of compromise and YARA rules Check Point Research published for MiniJunk and MiniFast, and block getsqldeveloper[.]com together with the domains registered to redirect to it.
* Brief staff that recruiting lures (job offers hosted on OnlyOffice) and Zoom invites are this actor's standard entry vectors, and that legitimate recruiters and meeting hosts do not require downloading an archive.
* Keep the baseline in place: patched operating systems, browsers and plugins; phishing-resistant multi-factor authentication; endpoint protection kept current; and tested offline backups.
* Monitor network traffic and host telemetry for the observables above, and track CPR's follow-up reporting on this actor.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation Epic Fury
Target regions: GCC, Africa, North America, Europe
Target sectors: telecommunications, aviation, defense
Incident Timeline
February 2026
Career-themed lures. According to CPR's blog post, employees at software and aviation companies in Saudi Arabia and Australia received bogus job offers that led them to download a ZIP archive hosted on OnlyOffice. The archive paired a benign Microsoft-signed executable (Setup.exe) with a malicious configuration file (Setup.exe.config). Through AppDomain hijacking, which abuses the .NET runtime's handling of that configuration file, the trusted process silently loaded a rogue DLL (uevmonitor.dll) that launched the MiniJunk malware. Career-themed phishing is the group's usual infection chain; the Zoom-themed delivery that followed is the departure from it.
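The Setup.exe / Setup.exe.config pairing is the .NET AppDomainManager injection technique. When a .NET executable starts, the CLR reads `<exe name>.config` from the same directory; if its `<runtime>` section names an `appDomainManagerAssembly` and `appDomainManagerType`, the runtime loads that assembly and instantiates the type before the program's own `Main` runs, so a signed host binary ends up executing attacker code from an unsigned DLL. The scanner below is an added example, not code from Check Point Research or the cited articles: it walks a directory for `*.exe.config` files, extracts those settings and reports whether the named DLL sits beside the executable. The sample configurations are constructed, and the type name uevmonitor.Loader is an assumption (the reporting names only the DLL).

```python
"""Scan a directory for the .NET AppDomainManager-injection pattern
("AppDomain hijacking"): a signed <name>.exe shipped with an attacker-supplied
<name>.exe.config whose <runtime> section names an appDomainManagerAssembly /
appDomainManagerType, so the CLR loads an unsigned DLL before Main() runs.

Added example; not code from Check Point Research or the reporting sites.
The sample configs are constructed. The type name uevmonitor.Loader is an
assumption; only the DLL name uevmonitor.dll comes from the reporting.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SUSPECT_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def parse_app_domain_manager(config_xml: str) -> dict:
    """Return the <runtime> settings relevant to AppDomainManager injection."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespaced config
            if tag in SUSPECT_ELEMENTS:
                found[tag] = child.get("value", "")
            elif tag == "probing":  # extra search path for the rogue assembly
                found["probing"] = child.get("privatePath", "")
    return found


def assembly_simple_name(assembly_ref: str) -> str:
    """'uevmonitor, Version=1.0.0.0, Culture=neutral, ...' -> 'uevmonitor'."""
    return assembly_ref.split(",")[0].strip()


def scan_directory(path: str) -> list:
    """Flag every <exe>.exe.config under `path` that installs an AppDomainManager.

    Each finding records the config path, the host executable, the referenced
    assembly and type, and whether the assembly DLL is present beside the
    executable (the hijack only fires if the CLR can resolve that assembly,
    normally from the application directory).
    """
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".exe.config"):
            continue
        cfg_path = os.path.join(path, name)
        with open(cfg_path, encoding="utf-8") as fh:
            try:
                settings = parse_app_domain_manager(fh.read())
            except ET.ParseError:
                continue  # malformed XML is not a hijack config
        if "appDomainManagerAssembly" not in settings:
            continue
        dll = assembly_simple_name(settings["appDomainManagerAssembly"]) + ".dll"
        findings.append({
            "config": cfg_path,
            "executable": name[: -len(".config")],
            "assembly": settings["appDomainManagerAssembly"],
            "type": settings.get("appDomainManagerType", ""),
            "dll_present": os.path.exists(os.path.join(path, dll)),
        })
    return findings


# Constructed sample: the shape of a hijacking config beside a signed Setup.exe.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="uevmonitor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="uevmonitor.Loader" />
  </runtime>
</configuration>"""

# Constructed benign config: a supportedRuntime entry and nothing to flag.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""


def demo() -> list:
    """Build a temp directory shaped like the unpacked lure ZIP and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Setup.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(MALICIOUS_CONFIG)
        with open(os.path.join(d, "Setup.exe"), "wb") as fh:
            fh.write(b"MZ")  # stand-in for the signed host binary
        with open(os.path.join(d, "uevmonitor.dll"), "wb") as fh:
            fh.write(b"MZ")  # stand-in for the rogue DLL
        with open(os.path.join(d, "Other.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_CONFIG)
        return scan_directory(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the scanner over unpacked archives from mail quarantines or download directories; a `.exe.config` with an AppDomainManager entry is rare in legitimate software and, next to a signed Microsoft binary that does not ship such a file, is a strong indicator on its own.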
28 February 2026
The United States launched Operation Epic Fury against Iran. Most analysts expected the country's cyber apparatus to hunker down and weather the storm; instead, Nimbus Manticore was most active between February and April 2026, the period of major military tension that followed, and from the end of February it used Trojanized Zoom installers against US firms. No Zoom vulnerability was exploited: the installers were Trojanized packages reached through lures and unofficial download sites.
March 2026
By March the group had switched to fake Zoom meeting invitations containing Zoominstall64.zip, which deploys the MiniFast backdoor via InitInstall.dll. MiniFast stands out for clear signs of AI-assisted development, and it hijacked a real Windows scheduled task (ZoomUpdateTaskUser) to stay hidden on the system. In parallel the actor turned to search-engine poisoning: it built a fake website, getsqldeveloper[.]com, mimicking the download page for Oracle's SQL Developer, a widely used database management tool, and registered dozens of domains that link to it.
Attack chain during Operation Epic Fury (Source: Check Point Research)
February to April 2026
Nimbus Manticore's peak activity window: Trojanized Zoom installers delivered to US firms' systems during Operation Epic Fury, which began on 28 February 2026.
27 May 2026
Public reporting. Check Point Research (CPR) exposed the campaign and attributed it to Nimbus Manticore (also tracked as UNC1549), an Iranian APT affiliated with the Islamic Revolutionary Guard Corps (IRGC). The group mainly targets organizations in Europe, the Middle East and Africa, especially in Israel and the UAE, but these campaigns expanded to the US aviation sector. Rather than pausing during Operation Epic Fury, the actor used the conflict as cover to accelerate its operations, debut new malware and experiment with delivery methods it had never tried before, including fake Zoom installers and SEO poisoning. Anyone who installed Zoom from an unofficial site earlier in 2026 may have been exposed to malware linked to the group.
From the Check Point report, as quoted by Security Affairs:
“The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe and the Middle East.”
“This malware delivery method differs from Nimbus Manticore’s usual infection chains, which typically rely on career-themed phishing lures.”
“Several coding patterns and implementation details strongly suggest the use of AI-generated or AI-assisted code during development, including excessive error handling and defensive programming logic, even around simple API calls such as GetUserName.”
“In this campaign, the actor abuses search engine optimization techniques by registering dozens of domains that link to the bogus domain, getsqldeveloper[.]com.”
“The actor’s activity during Operation Epic Fury highlights their increasing adaptability, particularly through the integration of AI-assisted malware development, novel infection vectors, and advanced stealth mechanisms.”
Check Point provided indicators of compromise (IoCs) and YARA rules for these campaigns.
Coverage: Pierluigi Paganini, Security Affairs (hacking, Nimbus Manticore), “Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms”; HackRead, “Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers”.
Tactical Metrics
Affected product: Windows (the malware hijacked a real Windows scheduled task, ZoomUpdateTaskUser, to stay hidden on the system)
Intelligence Sources
Security Affairs
2026-05-26
HackRead
2026-05-27
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly correlated entities (mention count):
* Nimbus Manticore (organisation): 31x
* Iran, Islamic Republic of (country): 6x
* February 2026 (temporal reference): 6x
* Aviation (targeted sector): 3x
* MIDDLE_EAST (target region): 3x
* Phishing (cyber operation type): 2x
Contextual telemetry:
* Origin country: Iran, Islamic Republic of
* Campaign: Operation Epic Fury
* Affected product: Windows
* MITRE ATT&CK technique: T1588.001 (Obtain Capabilities: Malware)
* Attribution: IRGC (the actor is affiliated with the Islamic Revolutionary Guard Corps)