Nimbus Manticore AI backdoor hits US defense sectors
Key insights
- Check Point identified AI-assisted coding in MiniFast via excessive error handling, verbose identifiers, and modular structure typical of LLM output.
- Nimbus Manticore bypasses spearphishing by using SEO poisoning to surface a trojanized Oracle SQL Developer installer on Bing and DuckDuckGo.
- The campaign targets US and European aviation, defense, telecom, and energy sectors, expanding Nimbus Manticore's documented targeting scope.
Why this matters
LLM-assisted malware development marks a qualitative shift in threat actor capability: AI compresses the time from concept to functional backdoor, letting even mid-tier state actors field novel tools at higher tempo. The SEO poisoning delivery mechanism shows adversaries now treat search engine manipulation as a primary infection vector, one that most enterprise security stacks have no established detection pipeline for. For practitioners deploying internal tooling or enterprise developer software, trojanized legitimate-tool installers ranking above authentic sources represent a supply-chain attack surface that identity and endpoint controls were not designed to catch.
Summary
Iran's IRGC-affiliated Nimbus Manticore group has deployed MiniFast, a new backdoor, against aviation, defense, telecom, and energy targets in the US, Europe, and Middle East, per a Check Point analysis published this week.
Check Point flagged strong indicators of AI-assisted development inside the malware code: excessive error handling, verbose variable names, and modular structure consistent with LLM output. The group appears to be using AI tools to compress its malware development cycle and deploy novel tools faster than defenders can build signatures.
Essentially: this documents an IRGC-linked actor (Nimbus Manticore, per Check Point) using AI to write operational malware at tempo.
- SEO poisoning on Bing and DuckDuckGo ranks a trojanized Oracle SQL Developer installer at the top of results, bypassing spearphishing entirely.
- Targets include US and European defense contractors, aviation firms, telecom providers, and energy infrastructure operators.
Offensive AI tooling is now inside documented nation-state pipelines, not just defenders' stacks.
Potential risks and opportunities
Risks
- US and European defense contractors whose employees searched for Oracle SQL Developer on Bing or DuckDuckGo in recent months may have installed MiniFast without detection if endpoint tools lack behavioral signatures for this malware family
- If the AI-assisted development pattern is confirmed and replicated across IRGC-linked groups, Nimbus Manticore could iterate MiniFast variants faster than threat-intel vendors can publish signatures, widening the detection gap for aviation and telecom targets
- Aviation sector targets, including potential CISA-designated critical infrastructure operators, face elevated risk if MiniFast is used as a precursor loader for a destructive or ransomware payload in the next 90 days
Opportunities
- Endpoint detection vendors (CrowdStrike, SentinelOne, Microsoft Defender) can accelerate enterprise deals by publishing behavioral detection rules specifically for AI-coded malware patterns such as excessive error handling and modular backdoor structure
- Browser and enterprise DNS security vendors (Cisco Umbrella, Cloudflare Gateway, Zscaler) have a concrete pitch to SOC teams: intercept poisoned search results at the network layer before download, before endpoint controls engage
- Threat intelligence firms with IRGC-tracking capability (Recorded Future, Mandiant, ClearSky) are positioned to capture inbound demand from aviation and defense primes auditing their exposure to this campaign
What we don't know yet
- Whether the specific LLM or AI coding assistant used by Nimbus Manticore has been identified by Check Point or any intelligence agency as of May 2026
- The number of confirmed victims or organizations breached across aviation, defense, and telecom sectors before MiniFast was detected and attributed
- Whether Oracle or Microsoft (Bing) have been notified or taken action to delist the trojanized SQL Developer installer from search results
Originally reported by thehackernews.com
Original headline: Iranian IRGC-Linked Nimbus Manticore Expands Attacks With AI-Assisted MiniFast Backdoor Targeting US and European Defense, Aviation, and Telecom Sectors