Check Point and Unit 42 attribute a new multi‑stage campaign by the IRGC‑backed group Nimbus Manticore to AI‑assisted malware (MiniFast and MiniJunk V2) delivered through career‑themed phishing, Zoom installers and SEO‑poisoned fake Oracle SQL Developer pages.

Nimbus Manticore – the Iran‑linked threat actor also known as Screening Serpens and UNC‑1549 – has rolled out a new, AI‑aided malware family in a series of campaigns that span from February to April 2026. The operations target aviation, software, and energy firms across the United States, Europe, the Middle East and the United Arab Emirates, and they combine familiar career‑themed lures with a novel delivery method: SEO poisoning of a fake Oracle SQL Developer download page.
How the campaign unfolded
| Date | Delivery vector | Primary payload |
|---|---|---|
| Feb 2026 | AppDomain hijacking via a malicious ZIP on an OnlyOffice host | MiniJunk V2 (DLL) |
| Mar 2026 | Trojanized Zoom installer sent in fake meeting invites | MiniFast backdoor |
| Apr 2026 | SEO‑poisoned domain getsqldeveloper.com mimicking Oracle’s download page | MiniFast installer |
The first wave used a classic “dream‑job” phishing email promising a senior engineering role at a fictitious airline. Recipients were directed to a ZIP file that, when opened, launched a benign executable. That binary performed AppDomain hijacking – a .NET technique that loads a malicious DLL into the host process’s application domain – to drop the MiniJunk V2 DLL. The DLL establishes a lightweight command‑and‑control (C2) channel but is primarily a loader for later stages.
In March the group switched to a Zoom installer that appeared to be a legitimate meeting‑software update. The installer executed a similar hijack routine, this time loading MiniFast – a fully‑featured backdoor that supports file manipulation, process enumeration, command execution, scheduled‑task persistence, and privilege escalation via runas.
April’s campaign diverged from the group’s normal playbook. By registering dozens of low‑authority domains that all point to a counterfeit getsqldeveloper.com, the attackers manipulated search‑engine ranking signals (link‑based reputation) to surface the fake page on Bing and DuckDuckGo. When a developer searches for “SQL Developer download”, the poisoned result appears at the top, prompting an automatic download of a weaponised installer that drops MiniFast.
AI‑assisted malware development
Check Point’s analysis highlighted several code‑level fingerprints that suggest large‑language‑model assistance:
- Verbose naming – functions such as `InitializeNetworkCommunicationAndBeaconing` and `HandleErrorAndRetryConnection` repeat similar phrasing across modules.
- Excessive defensive checks – the binary includes dozens of `try/catch` blocks and explicit error‑message strings that read like autogenerated documentation.
- Modular layout – despite the overall simplicity, the source is split into clearly separated networking, persistence, and command‑execution modules, a pattern typical of AI‑guided code scaffolding.
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, said, “The amount of boilerplate and the consistency of naming conventions strongly indicate the use of AI‑assisted code generation. They were able to produce a new backdoor in the middle of an active conflict, something that would normally take weeks of manual development.”
Technical deep‑dive: MiniFast’s capabilities
MiniFast communicates over plain HTTP (no TLS) to a hard‑coded C2 domain. After an initial beacon that reports OS version, CPU architecture, and logged‑in user, it enters a polling loop where it can receive any of the following commands:
- `list_dir <path>` – returns a recursive directory listing.
- `download <file>` – streams the requested file back to the server.
- `upload <file>` – receives a file and writes it to disk.
- `exec <cmd>` – runs a command via `cmd.exe` and returns stdout/stderr.
- `runas <user> <cmd>` – attempts privilege escalation using the `runas` utility.
- `load_dll <url>` – downloads a DLL and loads it into the current process.
- `schedule_task <task_name> <exe_path>` – creates a persistent scheduled task.
- `zip <src> <dest>` – creates a ZIP archive of the specified folder.
- `set_poll_interval <seconds> <jitter>` – adjusts beacon timing to evade detection.
The backdoor persists through a scheduled task named `SystemUpdateTask` that runs the binary every 30 minutes. The task is created in the current user’s context, so it needs no elevated privileges to install, and it survives reboots.
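A polling loop over clear‑text HTTP leaves a timing fingerprint in proxy logs. The check below is an added example, not code from the Check Point or Unit 42 reports: it groups plain‑HTTP requests per (client, host) pair and flags pairs whose inter‑request gaps barely vary. The log format, hosts, addresses and thresholds are constructed assumptions for the example.

```python
"""Periodic plain-HTTP request detection over constructed proxy log lines.

A polling backdoor such as MiniFast contacts its C2 on a near-fixed schedule, so the
gaps between its requests show little variance. Hosts and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <url>" per line.
SAMPLE_LOG = """\
2026-04-02T09:00:00 10.0.0.15 GET http://update-svc.example/beacon
2026-04-02T09:00:04 10.0.0.15 GET https://www.bing.com/search?q=sql+developer
2026-04-02T09:30:02 10.0.0.15 GET http://update-svc.example/beacon
2026-04-02T09:41:10 10.0.0.15 GET http://news.example/index
2026-04-02T10:00:01 10.0.0.15 GET http://update-svc.example/beacon
2026-04-02T10:29:58 10.0.0.15 GET http://update-svc.example/beacon
2026-04-02T11:00:03 10.0.0.15 GET http://update-svc.example/beacon
2026-04-02T09:05:00 10.0.0.22 GET http://news.example/index
2026-04-02T12:40:00 10.0.0.22 GET http://news.example/index
"""

def parse_line(line):
    """Split one log line into (timestamp, client, scheme, host)."""
    ts, client, _method, url = line.split(maxsplit=3)
    scheme, rest = url.split("://", 1)
    return datetime.fromisoformat(ts), client, scheme, rest.split("/", 1)[0]

def find_beacons(log_text, min_requests=4, max_cv=0.05):
    """Return {(client, host): mean_gap_seconds} for clear-text HTTP pairs whose
    inter-request gaps have a coefficient of variation (stdev/mean) <= max_cv.
    A backdoor that adds jitter raises the cv, so max_cv is a tuning knob."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, scheme, host = parse_line(line)
        if scheme == "http":        # clear-text traffic only, as the article describes
            stamps[(client, host)].append(ts)
    beacons = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons
```

On the sample log only the 30‑minute series to `update-svc.example` is reported; raising `max_cv` widens the net for jittered beacons at the cost of more false positives.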
Practical takeaways for defenders
- Watch for AppDomain hijacking – Look for unexpected DLL loads in legitimate .NET processes (e.g., `OnlyOffice.exe`, `Zoom.exe`). Enable Sysmon Event ID 7 to capture `Image loaded` events with the `ImageLoaded` field pointing to suspicious paths.
- Monitor SEO‑poisoned domains – Add `getsqldeveloper.com` and any newly‑registered look‑alike domains to your threat‑intel feed. Use DNS query logs to spot rare, low‑reputation domains queried from developer workstations.
- Inspect Zoom installers – Verify the digital signature of any Zoom update. Deploy application control (e.g., Windows Defender Application Control) to block unsigned executables in the `%TEMP%` folder.
- Network hygiene – Block outbound HTTP to unknown domains on workstations, and inspect egress traffic, TLS inspection included, for beaconing patterns.
- User education – Reinforce that job offers and meeting invites from unknown senders are high‑risk. Simulated phishing campaigns should include “fake‑job” scenarios.
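The first takeaway above can be turned into a triage rule over Sysmon Event ID 7 records. The code below is an added example, not from Check Point, Unit 42 or the Sysmon project: it flags a watched .NET host loading a DLL that is unsigned, carries an invalid signature, or is signed by a publisher outside an allowlist. The records, paths and the vendor signer placeholders are constructed assumptions; fill the allowlist from your own known‑good baseline.

```python
"""Triage constructed Sysmon Event ID 7 (Image loaded) records for AppDomain hijacking:
the benign .NET host appears in Image, the planted DLL in ImageLoaded. All constructed."""
import ntpath

# Hosts the article names as abused; extend from your own baseline.
WATCHED_HOSTS = {"onlyoffice.exe", "zoom.exe"}
# Signer names a watched host may legitimately load. The Microsoft entries are real;
# the vendor entries are placeholders to fill from a known-good baseline (assumption).
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation",
                      "<Zoom signer from baseline>", "<OnlyOffice signer from baseline>"}

def parse_event(text):
    """Parse the 'Key: Value' lines of one Sysmon event into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    return rec

def triage_load(rec):
    """Reason string when a watched host loads an unsigned, invalidly signed or
    unexpectedly signed DLL; None otherwise."""
    host = ntpath.basename(rec.get("Image", "")).lower()
    if host not in WATCHED_HOSTS:
        return None
    dll = rec.get("ImageLoaded", "")
    if rec.get("Signed", "").lower() != "true" or rec.get("SignatureStatus") != "Valid":
        return f"{host} loaded unsigned or invalidly signed DLL {dll}"
    if rec.get("Signature") not in TRUSTED_PUBLISHERS:
        return f"{host} loaded {dll} signed by unexpected publisher {rec.get('Signature')}"
    return None

# Constructed records; paths and names are not real indicators.
HIJACK_EVENT = """
Image: C:\\Users\\alice\\Downloads\\SeniorEngineerOffer\\OnlyOffice.exe
ImageLoaded: C:\\Users\\alice\\Downloads\\SeniorEngineerOffer\\helper.dll
Signed: false
Signature: -
SignatureStatus: Unavailable
"""
BENIGN_EVENT = """
Image: C:\\Users\\alice\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe
ImageLoaded: C:\\Windows\\System32\\kernel32.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
"""
```

Zoom installs per‑user under `%APPDATA%`, so a path‑only rule would flood on its own DLLs; keying on signature state and signer name keeps the rule usable.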
Broader implications
Unit 42’s parallel report confirms that MiniJunk V2 adds a few new commands (registry manipulation and PowerShell script execution) but otherwise follows the same loader pattern. The group’s shift to SEO poisoning mirrors tactics used by North Korean actors in the “Operation Dream Job” campaign, suggesting cross‑regional knowledge sharing.
Beyond espionage, the same actors have been linked to attacks on automatic tank gauge (ATG) systems at U.S. gas stations, exploiting unsecured web interfaces to alter displayed fuel levels. While no physical damage was reported, the incidents underline the danger of unprotected OT assets becoming footholds for broader intrusion campaigns.
What to do now
- Update endpoint detection – Add IoCs for MiniFast/MiniJunk V2 binaries (SHA‑256 hashes published by Check Point) to your EDR.
- Patch Zoom – Ensure all Zoom clients are at version 6.2.5 or later, which includes hardening against unsigned installer execution.
- Secure developer tools – Enforce code‑signing verification for any downloaded IDE extensions or database tools.
- Review DNS hygiene – Deploy a DNS firewall that flags newly‑registered domains with high similarity to legitimate vendor names.
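The look‑alike check in the last item can be approximated from DNS query logs alone. The code below is an added example, not from any vendor report: it flags queried names that carry a vendor brand token below the TLD while the registrable domain is not one the vendor owns, which is exactly how `getsqldeveloper.com` reads. The brand/owner table, log format and all other domains are constructed assumptions.

```python
"""Flag look-alike vendor domains in constructed DNS query logs.

getsqldeveloper.com carries the product name under a registrable domain Oracle does
not own; this check finds that pattern. Log lines and other domains are constructed."""
import re

# Brand tokens to watch and the registrable domains that may legitimately carry them.
# The brand/owner pairs are assumptions for the example, not an authoritative list.
BRANDS = {
    "sqldeveloper": {"oracle.com"},
    "oracle": {"oracle.com"},
    "zoom": {"zoom.us", "zoom.com"},
    "onlyoffice": {"onlyoffice.com"},
}

# Constructed DNS log: "<ISO timestamp> <client_ip> <qname> <qtype>" per line.
SAMPLE_DNS = """\
2026-04-03T14:02:11 10.0.0.15 getsqldeveloper.com A
2026-04-03T14:02:15 10.0.0.15 www.oracle.com A
2026-04-03T14:05:00 10.0.0.22 zoom.us A
2026-04-03T14:06:40 10.0.0.22 zoom-update.example-cdn.net A
2026-04-03T14:07:02 10.0.0.15 www.bing.com A
"""

def registrable(fqdn):
    """Last two labels; adequate for .com/.us, not for ccSLDs such as .co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalikes(dns_log):
    """Return sorted (client, qname, brand) triples where a brand token appears
    anywhere below the TLD but the registrable domain is not a known owner."""
    hits = set()
    for line in dns_log.splitlines():
        client, qname = line.split()[1:3]
        reg = registrable(qname)
        # Collapse all labels below the TLD so hyphenated or prefixed variants still match.
        flat = re.sub(r"[^a-z0-9]", "", "".join(qname.lower().split(".")[:-1]))
        for brand, owners in BRANDS.items():
            if brand in flat and reg not in owners:
                hits.add((client, qname, brand))
    return sorted(hits)
```

Pair the output with domain‑age data from your DNS firewall or registrar feed; a brand‑bearing name registered days ago is the strongest signal.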
Staying ahead of AI‑augmented threat actors means tightening both technical controls and user awareness. The Nimbus Manticore campaign shows that even well‑known groups can rapidly adopt new delivery vectors when geopolitical pressure intensifies.
Sources: Check Point Research analysis (May 2026), Palo Alto Networks Unit 42 report (May 2026), CNN reporting on ATG attacks (April 2026).
