Cyber Security News

Nimbus Manticore Attacking Defense and Telecom Sectors With New Malware

The Iranian threat actor known as Nimbus Manticore has intensified its campaign targeting defense manufacturing, telecommunications, and aviation sectors across Western Europe with sophisticated new malware variants.

This mature advanced persistent threat group, also tracked as UNC1549 and Smoke Sandstorm, has evolved its tactics to include previously undocumented techniques for evading detection and maintaining persistence on compromised systems.

Nimbus Manticore’s recent operations demonstrate a strategic shift toward European targets, particularly in Denmark, Sweden, and Portugal.

The threat actor has refined its social engineering approach by impersonating legitimate aerospace and defense companies including Boeing, Airbus, and Rheinmetall, as well as the airline flydubai.

Their deceptive career portal websites are built on React-based templates that closely mimic authentic hiring platforms, and each targeted victim is issued their own pre-shared login credentials.

The attack methodology begins with tailored spear-phishing campaigns where alleged HR recruiters direct victims to fake career portals.

Each target receives unique URLs and login credentials, enabling the threat actors to track victim engagement and maintain controlled access throughout the infection process.

Gating each lure behind per-victim URLs and credentials lets the operators confirm who has taken the bait and keeps the payload away from anyone who was not targeted, which complicates sandboxing and third-party analysis. Combined with credible recruiter pretexts, this level of operational discipline is consistent with nation-state tradecraft.

Check Point analysts identified the malware’s deployment through a multi-stage infection chain that abuses legitimate, signed Windows binaries rather than dropping a standalone malicious executable.

Infection chain (Source – Check Point)

The initial payload, disguised as hiring-related software such as “Survey.zip,” contains multiple components including a legitimate Setup.exe file that initiates the sideloading sequence.

The malware abuses a Microsoft Defender Advanced Threat Protection component, SenseSampleUploader.exe, to execute its payload through DLL hijacking.

Multi-Stage DLL Sideloading Mechanism

The infection chain employs a technique that manipulates the Windows DLL search order of a child process through low-level, largely undocumented ntdll APIs.

When the victim runs Setup.exe, the malicious code it sideloads builds the parameters for the next process with RtlCreateProcessParameters and sets the DllPath field of the new process’s RTL_USER_PROCESS_PARAMETERS structure to the archive directory.

Because the loader consults DllPath when it resolves a new process’s imports, the child process finds the malicious xmllite.dll in the archive directory before it ever looks in the expected system location.

The contents of malicious ZIP archive (Source – Check Point)

The malicious userenv.dll checks the name of the process it has been loaded into to determine which infection stage it is in. When it is running inside Setup.exe (the initial stage), it uses low-level ntdll calls to launch the Defender binary at C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe.

Because SenseSampleUploader.exe imports xmllite.dll by name and relies on the loader’s search path to find it, the injected DllPath makes the legitimate binary load the attacker’s xmllite.dll from the archive folder instead of the system copy.

Once loaded, the xmllite.dll creates a working directory at %AppData%\Local\Microsoft\MigAutoPlay\ and copies the backdoor components for persistence.

The malware establishes a scheduled task to execute MigAutoPlay.exe, which then sideloads the malicious userenv.dll containing the primary backdoor functionality.

Every stage of the chain executes inside a trusted Windows binary, so controls that allow-list executables by signature or path see only legitimate processes; the malicious logic lives entirely in the DLLs placed beside them or on the injected search path.
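The chain above leaves one consistent trace regardless of stage: a DLL named like a system DLL (userenv.dll, xmllite.dll) is loaded from somewhere other than the system directories, either from the host executable’s own folder (Setup.exe, MigAutoPlay.exe) or from a directory that differs from the host’s (SenseSampleUploader.exe with a manipulated DllPath). The following detection logic is an added example for this article, not code from Check Point or the threat actor; it assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON lines with Sysmon’s real field names (Image, ImageLoaded, Signed), and the sample events, user name and paths are constructed for illustration.

```python
import json
import ntpath
from dataclasses import dataclass
from typing import Optional

# Directories from which Windows normally serves these DLLs (lower-case, no trailing slash).
SYSTEM_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# The two system DLL names the infection chain sideloads. Extend with your own
# list of known-sideloadable DLLs for broader coverage.
WATCHED_DLLS = {"userenv.dll", "xmllite.dll"}


@dataclass
class Finding:
    host_image: str
    dll_path: str
    reason: str


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators so comparisons are stable."""
    return path.replace("/", "\\").lower().rstrip("\\")


def _in_system_dir(path: str) -> bool:
    parent = ntpath.dirname(_norm(path))
    return any(parent == s or parent.startswith(s + "\\") for s in SYSTEM_DLL_DIRS)


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a Sysmon Event ID 7 record that looks like sideloading, else None."""
    if event.get("EventID") != 7:
        return None
    host = event["Image"]
    dll = event["ImageLoaded"]
    if ntpath.basename(_norm(dll)) not in WATCHED_DLLS:
        return None
    if _in_system_dir(dll):
        return None  # the expected, legitimate copy of the DLL

    dll_dir = ntpath.dirname(_norm(dll))
    host_dir = ntpath.dirname(_norm(host))
    if dll_dir == host_dir:
        how = "DLL sits beside the host executable (classic sideload)"
    else:
        how = "DLL directory differs from the host executable's (search-order manipulation, e.g. DllPath)"
    reason = f"{ntpath.basename(dll)} loaded from non-system directory; {how}"
    if str(event.get("Signed", "")).lower() != "true":
        reason += "; DLL not signed"
    return Finding(host, dll, reason)


def scan(jsonl: str) -> list:
    """Run classify() over newline-delimited JSON Sysmon events (e.g. Winlogbeat output)."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events mirroring the three sideload stages described above,
# plus one benign load of the real xmllite.dll. User name and paths are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\jdoe\\Downloads\\Survey\\Setup.exe", "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\Survey\\userenv.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe", "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\Survey\\xmllite.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe", "ImageLoaded": "C:\\Windows\\System32\\xmllite.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\MigAutoPlay\\MigAutoPlay.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\MigAutoPlay\\userenv.dll", "Signed": "false"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f.host_image} -> {f.dll_path}: {f.reason}")
```

The rule deliberately keys on the DLL name and its directory rather than on the host process, so it catches the SenseSampleUploader.exe stage (where the host is a legitimate signed binary in its normal location) as well as the two stages where the DLL sits next to the executable; the benign load of the System32 copy produces no finding.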

The current evolution of the malware, now tracked as MiniJunk, incorporates substantial compiler-level obfuscation that makes samples very hard to reverse engineer with standard static analysis.

The threat actors have implemented custom LLVM passes that insert junk code, flatten and obscure control flow, add opaque predicates, and encrypt strings. Each string is encrypted with its own key, so recovering one key reveals nothing about the others, and call targets are computed arithmetically at runtime rather than referenced directly, so a disassembler’s cross-references do not resolve to the real destinations.


Tushar Subhra Dutta