Iranian-Backed Hackers Turn Their Fake Job Recruitment Scams on Europe
Nimbus Manticore, an Iranian threat group, has shifted its targeting from the Middle East to Western European countries (such as Sweden, Denmark and Portugal), using new malware and sophisticated techniques in its attacks. The group carries out spearphishing with fake recruitment emails and keeps upgrading its malware to improve stealth and detection evasion. 2025-09-24 15:13:02 Author: securityboulevard.com

An Iranian threat group that typically has targeted organizations in the Middle East, including Israel and the United Arab Emirates, is turning its focus on Western European countries with sophisticated new malware and expanded evasion and obfuscation techniques.

Nimbus Manticore – also known as UNC1549 and Smoke Sandstorm – has for several years used fake job openings and emails from non-existent job recruiters in North Korea-style spearphishing campaigns to entice targets into inadvertently downloading malware used to control victims’ systems and steal information.

According to threat intelligence analysts with Check Point, Nimbus Manticore has, since early this year, been putting greater emphasis on aerospace, defense manufacturing, and telecommunications organizations in Western Europe, in particular Sweden, Denmark, and Portugal.


The latest campaign “reflects a mature, well‑resourced actor prioritizing stealth, resiliency, and operational security across delivery, infrastructure, and payload layers, an approach consistent with nation‑state tradecraft,” the Check Point researchers wrote in a report this week.

Nimbus Manticore has been linked to previous campaigns, including one dubbed “Iranian Dream Job” last year that researchers with cybersecurity firm ClearSky Cyber Security said showed apparent overlaps with similar operations run by the North Korea-nexus Lazarus Group. They suggested that the Iranian group either was impersonating Lazarus Group to hide its activities or that North Korea was sharing attack methods and tools with its Iranian counterparts.

Nimbus Manticore runs targeted phishing campaigns that convince unsuspecting targets to deploy custom implants, including one called Minibike – or SlugResin – that has been used since 2022. The malware “has evolved steadily since its creation,” Check Point researchers wrote. “Sample analysis over the years shows its progress, including the addition of obfuscation techniques to evade detection and static analysis, a modular architecture, and the introduction of redundant command-and-control (C2) servers.”

From Minibike to MiniJunk

With the latest operation, the Minibike backdoor has evolved into a new variant Check Point calls MiniJunk.

“The most recent Minibike variants suggest a significant increase in the actor’s abilities, including using a novel (and previously undocumented) technique to load DLLs from alternate paths by modifying process execution parameters,” they wrote. “This variant has new TTPs [tactics, techniques, and procedures] such as size inflation, junk code, obfuscation, and code signing to lower detection rates.”

The attack starts with a phishing link sent by purported hiring recruiters that, if clicked, takes the victim to a fake job-related login page showing off the threat group’s improved operation. The fraudulent career portal goes so far as to use React-based templates that resemble legitimate hiring platforms and come with pre-shared, individualized credentials for each victim. It also impersonates high-profile aerospace companies such as Airbus, Boeing, and flydubai, as well as other companies like Rheinmetall, a German supplier of technologies for the automotive and defense industries.

Side-Loading and Obfuscation

The attack includes the unique side-loader technique that uses undocumented low-level APIs to create the multi-stage DLL side-loading chain, which the researchers wrote “causes a legitimate process to sideload a malicious DLL from a different location and override the normal [Microsoft] DLL search order.”
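The side-loading behavior described above leaves a simple trace for defenders: a DLL carrying a well-known Windows system library name is loaded from somewhere other than the system directories, typically from the same folder as the host executable. The following is an added example, not Check Point's or the article's own code, that applies that heuristic to image-load records shaped like Sysmon Event ID 7 fields (`Image`, `ImageLoaded`, `SignatureStatus`). The sample events are constructed for illustration, and the list of watched DLL names is an assumption beyond the page, which names only `dxgi.dll`.

```python
"""Heuristic detector for DLL side-loading from image-load telemetry.

Added example (not the article's or Check Point's code). Input records are
constructed to resemble Sysmon Event ID 7 (Image loaded) fields.
"""
import ntpath

# Directories from which the watched system DLLs are expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# System DLL names to watch. dxgi.dll is the one named in the article;
# the others are an assumption based on common side-loading targets.
WATCHED_DLLS = {"dxgi.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}


def _under(path, parents):
    """True if the normalised Windows path lies below one of the parent dirs."""
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(p + "\\") for p in parents)


def analyse_image_load(event):
    """Return a list of reasons this load looks like side-loading (empty = benign)."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in WATCHED_DLLS or _under(loaded, SYSTEM_DIRS):
        return []
    reasons = [f"{name} loaded from non-system path {loaded}"]
    # Side-loaded DLLs are usually dropped next to the legitimate host binary.
    if ntpath.dirname(loaded).lower() == ntpath.dirname(event["Image"]).lower():
        reasons.append("DLL sits in the host process directory (side-load layout)")
    status = event.get("SignatureStatus", "Unknown")
    if status.lower() == "valid":
        # The article notes the actor code-signs payloads, so a valid
        # signature must not clear the finding on its own.
        reasons.append("validly signed, but path anomaly stands; do not auto-clear")
    else:
        reasons.append(f"signature status {status}")
    return reasons


def scan_events(events):
    """Run the heuristic over a batch of events and collect findings."""
    findings = []
    for event in events:
        reasons = analyse_image_load(event)
        if reasons:
            findings.append({"process": event["Image"],
                             "dll": event["ImageLoaded"],
                             "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign load and two side-load patterns.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dxgi.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\CareerPortal\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\CareerPortal\dxgi.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\FooSuite\updater.exe",
     "ImageLoaded": r"C:\Program Files\FooSuite\version.dll",
     "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["process"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The check is deliberately path-based rather than signature-based: because the campaign signs its binaries, a signature check alone would miss it, whereas a system DLL name resolving outside `System32`/`SysWOW64` is anomalous regardless of who signed the file. In production the watched-name list would be drawn from an inventory of the DLLs your fleet's processes actually import, not a hand-picked set.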

The MiniJunk backdoor and the MiniBrowse info-stealer – which comes in two variants, one to steal Google Chrome credentials and the other targeting Microsoft Edge – both come with compiler-level code obfuscation, including the use of junk code, opaque predicates, obfuscated function calls, encrypted strings, and control-flow obfuscation. The threat group continues to work on such techniques, with each generation showing improvements.

“The actor appears to be targeting a substantial number of victims, and these obfuscations help the malware remain undetected while at the same time slowing down researchers trying to determine the samples’ behavior,” the researchers wrote. “As with most obfuscation, no single tool addresses all cases: off‑the‑shelf tools often fail unless the scheme matches a generic framework … which is not the case here. This underscores the attacker’s willingness to invest in their toolset and, conversely, benefits researchers by exposing new techniques.”

A Parallel Campaign

As Check Point was writing about this Nimbus Manticore campaign, another security firm, PRODAFT, wrote about a parallel campaign run by the Iranian-nexus threat group Subtle Snail – or UNC1549 – that includes similar tactics but comes with a smaller payload and less sophisticated obfuscation techniques.

The group also has been using tactics that align with those of Nimbus Manticore, impersonating an HR professional and using social media like LinkedIn to contact victims with spearphishing messages before asking them to move to email. Subtle Snail also has shifted focus to European telecom, aerospace, and defense organizations, according to PRODAFT.

That said, despite the overlaps, MiniJunk and dxgi.dll, the implant used by Subtle Snail, use different command sets, and Subtle Snail doesn’t use evasion or obfuscation techniques, Check Point wrote.

“The findings … suggest dxgi.dll shares a common code base with MiniJunk versions,” the researchers wrote. “Both of the activity clusters may have access to the code base, and can modify the code as needed, adding compiler passes, and altering the logic slightly. At the same time, the programming paradigm remains similar. This is hard to notice at first, due to MiniJunk obfuscations, the different layout of the HTTP request method (classes vs non-classes), and other variations. But once the obfuscations are addressed, it becomes clear that they share the same code base.”

Source: https://securityboulevard.com/2025/09/iranian-backed-hackers-turn-their-fake-job-recruitment-scams-on-europe/