Iranian Hacking Group Nimbus Manticore Expands European Targeting

A long-running cyber-espionage campaign tied to Iran has intensified its operations in Europe, with a significant expansion of targets across the continent. The group, known as Nimbus Manticore, has a history of targeting aerospace, telecommunications and defense industries in line with Iranian Revolutionary Guard Corps (IRGC) priorities.

According to new findings by Check Point Research (CPR), the group's latest wave of activity shows a shift toward Western Europe, with organizations in Denmark, Sweden and Portugal facing heightened risk. Attackers pose as recruiters from well-known aerospace and telecommunications firms, directing victims to convincing but fraudulent career portals.

Each target receives personalized login credentials, a tactic that allows close tracking of victims and tight control of access. From there, attackers distribute malicious archives that launch a sophisticated, multi-stage infection process. This involves sideloading malicious DLL files into legitimate Windows executables, including Microsoft Defender components, to avoid detection.

At the center of these campaigns is a family of custom backdoors. First identified as 'Minibike' in 2022, the malware has since evolved into new strains, notably 'MiniJunk' and 'MiniBrowse'. These tools enable attackers to exfiltrate files, steal browser credentials and issue remote commands while employing heavy obfuscation to resist analysis.

The malware shows advanced techniques such as:

  • Multi-stage DLL sideloading to evade normal security checks
  • Inflated binary sizes to bypass antivirus scans
  • Use of valid code-signing certificates from trusted providers
  • Compiler-level obfuscation that inserts junk code and encrypted strings

"The campaign reflects a mature, well-resourced actor prioritizing stealth, resiliency and operational security," CPR said. Nimbus Manticore relies heavily on cloud services to host its infrastructure, including domains registered under Azure App Service and shielded behind Cloudflare.

This setup provides redundancy, allowing attackers to quickly re-establish command-and-control (C2) servers if one is taken down. The campaign's targeting is consistent with past operations against Israel and the Gulf states. However, CPR researchers noted a clear expansion toward Europe, with the latest attacks tied to fake career portals impersonating aerospace and telecom companies.

The sectors most at risk include:

  • Aerospace
  • Telecommunications
  • Defense

CPR's analysis suggests the campaign remained active even during the 12-day conflict between Israel and Iran in mid-2025. The ability to operate undetected through heavy obfuscation and use of legitimate infrastructure highlights the group's growing sophistication.