Could You Be Recruited? Nimbus Manticore Hackers Use Fake Job Offers for Espionage

Methodical planning has become Nimbus Manticore's primary weapon.

Researchers from Check Point have uncovered a prolonged and targeted campaign by the group Nimbus Manticore—also known as UNC1549 and Smoke Sandstorm—which, since the beginning of 2025, has been targeting defense contractors, telecommunications operators, and aviation structures, aligning with the priorities of Iran's Islamic Revolutionary Guard Corps (IRGC).
The company's analysts have observed a surge in activity in Western Europe, particularly in Denmark, Sweden, and Portugal, where the threat actors used convincing recruitment lures and sophisticated infrastructure camouflage mechanisms.
The attacks begin with personalized phishing emails purportedly from HR staff—each recipient is provided with a unique link and individual login credentials for a fake portal built on React and often hosted behind Cloudflare proxy services. After logging in, the victim is prompted to download a ZIP archive containing Setup.exe—a legitimate-looking installer that initiates a complex chain of side-loading libraries via low-level Windows NT API calls.
The Malicious Procedure Involves Several Steps:
Setup.exe loads the userenv.dll library from the archive, then initiates the Windows Defender SenseSampleUploader.exe component, which forcibly loads xmllite.dll via a modified DllPath parameter. To establish persistence on the system, the attackers copy files to the %AppData%\Local\Microsoft\MigAutoPlay directory, rename the main file to MigAutoPlay.exe, and create a scheduled task for auto-start; each launch displays a fake network error window to distract the user.
The Core Toolset Consists of Two Components:
- The MiniJunk backdoor begins execution at the DllMain entry point, collects system identifiers, hijacks process termination behavior by intercepting ExitProcess, and spawns a separate thread to communicate with the C2 server. Commands for device control and data exfiltration are transmitted as split strings and processed using standard file read operations, process creation, and loading of additional libraries.
- The MiniBrowse info-stealer injects itself into Chromium-based browser processes, extracts account databases, and sends them to command and control nodes via HTTP POST or named pipes.
The campaign demonstrates mature state-sponsored tactics: multiple layers of persistence, meticulous operational security, and lures tailored to specific industry audiences. Organizations in at-risk sectors should enhance anti-phishing measures, monitor for DLL loading anomalies, and scrutinize large, signed binary files as potential indicators of covert loading or exploitation.
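The side-loading chain and persistence step above translate directly into two host-level checks a defender can run over endpoint telemetry: a report-named DLL (userenv.dll, xmllite.dll) loaded from outside the Windows system directories, and MigAutoPlay.exe executing from a user's AppData tree. The script below is an added example, not code from Check Point or the article; it assumes Sysmon-style events (ID 7 = image load, ID 1 = process create) and uses a constructed sample, including an assumed path for SenseSampleUploader.exe.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (hypothetical, not taken from the report).
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\dev\Downloads\Setup.exe",
     "loaded": r"C:\Users\dev\Downloads\userenv.dll"},
    {"id": 7, "image": r"C:\Program Files\Windows Defender\SenseSampleUploader.exe",
     "loaded": r"C:\Users\dev\Downloads\xmllite.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\xmllite.dll"},          # benign: trusted location
    {"id": 1, "image": r"C:\Users\dev\AppData\Local\Microsoft\MigAutoPlay\MigAutoPlay.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},           # scheduled-task launch pattern
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# DLL names the report describes as side-loaded, and where they legitimately live.
SIDELOADED_DLLS = {"userenv.dll", "xmllite.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_trusted_path(path):
    """True when the file sits directly under a Windows system directory."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def detect(events):
    """Return (rule, image, detail) tuples for events matching the campaign's tradecraft."""
    findings = []
    for ev in events:
        if ev["id"] == 7:  # image load: system DLL name resolved from a non-system path
            dll = PureWindowsPath(ev["loaded"]).name.lower()
            if dll in SIDELOADED_DLLS and not is_trusted_path(ev["loaded"]):
                findings.append(("dll_sideload", ev["image"], ev["loaded"]))
        elif ev["id"] == 1:  # process create: persistence binary running from AppData
            p = ev["image"].lower()
            if "\\appdata\\" in p and PureWindowsPath(p).name == "migautoplay.exe":
                findings.append(("migautoplay_persistence", ev["image"], ev["parent"]))
    return findings


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

A real deployment would feed the same rules from the SIEM's image-load and process-creation feeds rather than an inline list; the xmllite.dll load by explorer.exe is included to show that the rule keys on load path, not DLL name alone.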