Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers

(Pierluigi Paganini – Security Affairs) When the United States launched Operation Epic Fury against Iran at the end of February 2026, most analysts expected the country’s cyber apparatus to hunker down and weather the storm. That’s not what happened. Instead, researchers at Check Point have documented something more unsettling: the Iran-linked threat actor Nimbus Manticore (aka UNC1549) used the chaos of active conflict as cover to accelerate its operations, debut new malware, and experiment with delivery methods it had never tried before.

“The campaign leveraged malicious lures impersonating organizations in the aviation and software sectors across the United States, Europe and the Middle East,” reads the report published by Check Point. “For the first time, we observed the use of SEO poisoning as an additional malware delivery method.”

The APT group is affiliated with Iran’s Islamic Revolutionary Guard Corps. It has been on the radar of threat intelligence experts for years, primarily targeting defense, aviation, and telecommunications organizations through career-themed phishing: fake job opportunities convincing enough to fool employees at major companies. What Check Point observed between February and April of this year, however, goes well beyond that established playbook.
