Particle.news

Iran-Linked Nimbus Manticore Escalates European Targeting With Novel DLL-Sideloaded Malware

Check Point Research details fake recruitment portals using personalized credentials to funnel victims to MiniJunk and MiniBrowse payloads.

Overview

  • Researchers report a westward shift in operations with elevated targeting of organizations in Denmark, Sweden and Portugal.
  • Phishing lures impersonate hiring sites for firms such as Boeing, Airbus, Rheinmetall and Flydubai, issuing unique logins to each target to control access and track activity.
  • The infection chain uses multi-stage DLL sideloading through legitimate Windows executables, including Defender components, by abusing search-path behavior to load malicious libraries.
  • Deployed tools include the MiniJunk backdoor and the MiniBrowse infostealer, evolved variants of Minibike that use binary size inflation, junk-code obfuscation, encrypted strings and valid code signatures to evade detection.
  • Command-and-control relies on cloud infrastructure, using Azure App Service domains fronted by Cloudflare; the activity is attributed to Nimbus Manticore, also tracked as UNC1549, Smoke Sandstorm and Imperial Kitten, with overlaps to IRGC-linked groups.