Nimbus Manticore, an Iranian state-sponsored threat actor tracked under multiple aliases including Screening Serpens and UNC1549, has launched a phishing campaign deploying malware variants MiniFast and MiniJunk V2. The group targets aviation and software sector organizations across the U.S., Europe, and the Middle East.
The campaign employs two primary infection vectors. Phishing emails impersonate legitimate organizations to trick recipients into executing malware. Search engine optimization poisoning redirects users searching for common software to malicious download pages hosting the payloads.
MiniFast and MiniJunk V2 function as information stealers and backdoors. Both malware families establish persistence on compromised systems, exfiltrating credentials, configuration data, and other sensitive information. MiniJunk V2 represents an evolved variant with enhanced evasion capabilities compared to earlier versions.
The timing correlates with geopolitical tensions following February 2026 military operations conducted jointly by the U.S. and Israel. Nimbus Manticore historically responds to perceived Western military action with offensive cyber campaigns targeting strategic sectors.
Aviation and software organizations face elevated risk. These sectors hold operational and intellectual property value attractive to state-sponsored actors. Compromised systems in aviation could expose flight operations data, maintenance records, or communications. Software firms risk losing source code, development roadmaps, and customer information.
Organizations should implement email filtering that blocks messages impersonating known partners and vendors, including display-name spoofing and lookalike sending domains that fail DMARC. Restrict execution of installers obtained through search results, for example with application allowlisting or a requirement for a trusted code-signing publisher, since SEO-poisoned download pages deliver payloads disguised as common software. Deploy endpoint detection and response tooling configured to flag unusual process behavior and credential access attempts, the activity these stealer-backdoors rely on.
Users should obtain software from the official vendor website, reached by a typed or bookmarked address rather than a search result. Spear-phishing emails targeting employees often leverage organizational context gathered from public sources, so a plausible pretext is not evidence of legitimacy. Security awareness training should emphasize verifying sender authenticity before clicking links or opening attachments.
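The mail-filtering and sender-verification guidance above can be expressed as a concrete triage check. The following is an added example written for this page, not code from the article or from any vendor product: it parses a raw message, compares the display name and sending domain against a hypothetical vendor allowlist (`KNOWN_VENDORS`), checks the Reply-To domain, the DMARC verdict in `Authentication-Results`, and a simple lookalike-domain heuristic. The two sample messages are constructed for illustration and do not reproduce any real campaign email.

```python
"""Triage of vendor-impersonation phishing headers (added example, not from the article).

Assumptions, not from the original page: KNOWN_VENDORS maps a vendor name as it would
appear in a From display name to the domains that vendor legitimately sends from, and
the receiving gateway stamps one Authentication-Results header. Sample messages are
constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical allowlist: lower-cased vendor/partner name -> legitimate sending domains.
KNOWN_VENDORS = {
    "acme aerospace": {"acme-aero.example"},
    "contoso software": {"contoso.example"},
}


def _domain(addr_header: str) -> str:
    """Lower-cased domain part of an address header value, '' if absent or malformed."""
    _, addr = parseaddr(addr_header)
    return addr.rpartition("@")[2].lower()


def _auth_result(msg: Message, method: str) -> str:
    """Verdict for one method (e.g. 'dmarc') in Authentication-Results, or 'none'."""
    header = msg.get("Authentication-Results", "")
    match = re.search(rf"\b{re.escape(method)}=(\w+)", header)
    return match.group(1).lower() if match else "none"


def triage_message(raw: str) -> list[str]:
    """Return impersonation indicators for a raw RFC 5322 message, each tagged 'kind: detail'."""
    msg = message_from_string(raw)
    findings: list[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    name_lc = display_name.lower()

    # 1. Display name claims a known vendor, but the sending domain is not that vendor's.
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in name_lc and from_domain not in domains:
            findings.append(f"display-name-mismatch: '{vendor}' claimed from '{from_domain}'")

    # 2. Reply-To steers responses to a different domain than the visible sender.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: '{reply_domain}' vs From '{from_domain}'")

    # 3. The From domain did not pass DMARC (impersonated domains typically cannot).
    dmarc = _auth_result(msg, "dmarc")
    if dmarc != "pass":
        findings.append(f"dmarc-fail: dmarc={dmarc} for '{from_domain}'")

    # 4. Lookalike domain: the vendor's first label reused in a domain we do not allowlist.
    for domains in KNOWN_VENDORS.values():
        for allowed in domains:
            label = allowed.split(".")[0]
            if label in from_domain and from_domain not in domains:
                findings.append(f"lookalike-domain: '{from_domain}' resembles '{allowed}'")

    return findings


def is_suspicious(raw: str) -> bool:
    """True when any indicator fires; a gateway would quarantine or tag such mail."""
    return bool(triage_message(raw))


# Constructed sample: legitimate mail from an allowlisted vendor domain.
LEGIT_MESSAGE = """\
From: "Acme Aerospace Procurement" <rfq@acme-aero.example>
To: buyer@target.example
Subject: RFQ 2291 follow-up
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=acme-aero.example; dkim=pass header.d=acme-aero.example; dmarc=pass header.from=acme-aero.example

Please find the revised quote attached.
"""

# Constructed sample: vendor impersonation via lookalike domain and external Reply-To.
PHISHING_MESSAGE = """\
From: "Acme Aerospace Careers" <hr@acme-aero-careers.example>
Reply-To: jobs@mail-relay.example
To: engineer@target.example
Subject: Your application: next steps
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=acme-aero-careers.example; dmarc=none header.from=acme-aero-careers.example

Download the assessment tool from the link below to continue.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISHING_MESSAGE)):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for finding in triage_message(raw):
            print("  -", finding)
```

Run stand-alone, the legitimate sample produces no findings and the impersonation sample triggers all four indicators. In a real gateway the DMARC verdict should come from the receiver's own evaluation rather than a header the sender could forge, and the allowlist would be populated from the organization's actual vendor and partner domains.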
