Nimbus Manticore Intensifies Attacks on Defense and Telecom Sectors With New Malware
The Iranian state-aligned threat actor Nimbus Manticore has escalated its cyber-espionage operations against defense manufacturing, telecommunications, and aviation sectors across Western Europe. Leveraging new malware variants and novel evasion techniques, this advanced persistent threat (APT) group is sharpening its tradecraft to infiltrate high-value targets.
Also tracked as UNC1549 and Smoke Sandstorm, Nimbus Manticore has adopted previously undocumented persistence and detection-evasion mechanisms, highlighting its continued evolution as a mature APT group.
Strategic Targeting in Europe
Recent campaigns reflect a deliberate shift toward European targets, particularly organizations in Denmark, Sweden, and Portugal. To enhance credibility, attackers are impersonating aerospace and telecom giants, including Boeing, Airbus, Rheinmetall, and flydubai, using convincing lures in their phishing campaigns.
Their fraudulent career portal websites, built with React-based templates, mimic authentic hiring platforms and are preloaded with victim-specific credentials. This tailored approach allows Nimbus Manticore to track engagement while maintaining tightly controlled access.
Sophisticated Social Engineering Tactics
The intrusion chain begins with spear-phishing emails disguised as HR recruitment outreach. Each victim receives a unique URL and login details, directing them to fake career portals. This credible pretexting—combined with operational security discipline—exemplifies nation-state-level tradecraft.
Multi-Stage Malware Deployment
Check Point researchers uncovered a multi-layered infection chain designed to exploit trusted Windows processes.
- The initial payload, often disguised as “Survey.zip,” contains a legitimate-looking Setup.exe that triggers the malware.
- The malware abuses Windows Defender’s SenseSampleUploader.exe via DLL hijacking, enabling the execution of its payload.
- A novel DLL sideloading mechanism manipulates the Windows DLL search order through undocumented APIs, ensuring the malicious xmllite.dll is loaded instead of its legitimate counterpart.
Infection Workflow
- Setup.exe is launched, modifying the DllPath parameter using RtlCreateProcessParameters.
- xmllite.dll is loaded from the archive directory rather than the system folder.
- userenv.dll evaluates the process stage, then executes SenseSampleUploader.exe from Windows Defender’s path.
- The hijacked process loads the malicious DLL, which sets up persistence at:
- A scheduled task ensures MigAutoPlay.exe launches at startup, sideloading the backdoor-laced userenv.dll.
This infection method effectively bypasses traditional endpoint defenses by leveraging legitimate Windows binaries.
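One way a defender can hunt for the sideloading pattern described above is to flag any load of xmllite.dll or userenv.dll from outside the Windows system directories. The script below is an added example, not code from the article or from Check Point; the image-load records and file paths in it are constructed for illustration.

```python
"""Flag xmllite.dll / userenv.dll loads that occur outside the Windows system directories."""
from pathlib import PureWindowsPath

# DLLs this campaign is reported to replace; the legitimate copies live under the system root.
WATCHED_DLLS = {"xmllite.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/")

# Constructed Sysmon-style image-load records (Event ID 7 fields). Paths are illustrative,
# not real telemetry and not asserted to be the true install location of any binary.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\userenv.dll"},                 # benign
    {"Image": r"C:\Users\victim\Downloads\Survey\Setup.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Survey\xmllite.dll"},    # DLL beside dropper
    {"Image": r"C:\Program Files\Windows Defender ATP\SenseSampleUploader.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Survey\xmllite.dll"},    # search order redirected
    {"Image": r"C:\ProgramData\Migration\MigAutoPlay.exe",
     "ImageLoaded": r"C:\ProgramData\Migration\userenv.dll"},            # scheduled-task stage
]


def _norm(path: str) -> str:
    """Normalise a Windows path to lower-case forward-slash form for comparison."""
    return PureWindowsPath(path).as_posix().lower()


def is_suspicious_load(event: dict) -> bool:
    """True when a watched DLL is loaded from somewhere other than a Windows system directory."""
    loaded = _norm(event["ImageLoaded"])
    if PureWindowsPath(loaded).name not in WATCHED_DLLS:
        return False
    return not loaded.startswith(SYSTEM_DIRS)


def classify_load(event: dict) -> str:
    """'colocated' when the DLL sits in the process's own directory (classic sideload);
    'redirected' when a process elsewhere was steered to the DLL (search-order manipulation)."""
    proc_dir = PureWindowsPath(_norm(event["Image"])).parent
    dll_dir = PureWindowsPath(_norm(event["ImageLoaded"])).parent
    return "colocated" if proc_dir == dll_dir else "redirected"


def find_sideloads(events):
    """Return (process, dll, kind) for every suspicious image load in the event list."""
    return [(e["Image"], e["ImageLoaded"], classify_load(e))
            for e in events if is_suspicious_load(e)]


if __name__ == "__main__":
    for proc, dll, kind in find_sideloads(SAMPLE_EVENTS):
        print(f"[{kind}] {proc} loaded {dll}")
```

A "redirected" hit, where a signed binary under Program Files loads a system DLL name from a user-writable directory, is the stronger signal, since it cannot be explained by an ordinary application shipping its own copy.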