Nimbus Manticore Expands Cyber-Espionage Campaigns Across Europe
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Nimbus Manticore, an Iranian threat actor overlapping with UNC1549 and Smoke Sandstorm, has intensified its espionage operations against defense manufacturing, telecommunications, and aviation sectors in Western Europe, notably Denmark, Sweden, and Portugal. The group uses spear-phishing lures posing as HR recruiters to deliver multi-stage DLL side-loading malware via fake career portals. Its evolving toolset—MiniJunk backdoor and MiniBrowse stealer—employs advanced obfuscation, code signing, and cloud-based C2 infrastructure on Azure and Cloudflare to evade detection. The campaign reflects a highly sophisticated, well-resourced actor aligned with IRGC intelligence objectives.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Aerospace | Verified |
| Sector | Telecommunication | Verified |
| Region | Azerbaijan | Verified |
| Region | Denmark | Verified |
| Region | Egypt | Verified |
| Region | Israel | Verified |
| Region | Pakistan | Verified |
| Region | Portugal | Verified |
| Region | Sweden | Verified |
| Region | United Arab Emirates | Verified |
Extracted IOCs
- acupuncturebentonville[.]com
- airtravellog[.]com
- arabiccountriestalent[.]com
- boeing-careers[.]com
- careers-hub[.]org
- careers-portal[.]org
- careersworld[.]org
- cloudaskquestionanswers[.]com
- collaboromarketing[.]com
- createformquestionshelper[.]com
- ehealthpsuluth[.]com
- exchtestcheckingapihealth[.]com
- germanywork[.]org
- global-careers[.]com
- gocareers[.]org
- healthcarefluent[.]com
- mojavemassageandwellness[.]com
- rheinmetallcareer[.]com
- rheinmetallcareer[.]org
- sulumorbusinessservices[.]com
- talenthumanresourcestalent[.]com
- thetacticstore[.]com
- theworldcareers[.]com
- traveltipspage[.]com
- usa-careers[.]com
- virgomarketingsolutions[.]com
- activehealthlab.azurewebsites[.]net
- activespiritluth.eastus.cloudapp.azure[.]com
- aeroclinicit.azurewebsites[.]net
- airbus.careers-portal[.]org
- airbus.careersworld[.]org
- airbus.germanywork[.]org
- airbus.global-careers[.]com
- airbus.usa-careers[.]com
- airmdsolutions.azurewebsites[.]net
- arabiccountriestalent.azurewebsites[.]net
- arabiccountriestalenthr.azurewebsites[.]net
- arabiccountriestalents.azurewebsites[.]net
- arabiccountriestalentshr.azurewebsites[.]net
- asylimed.azurewebsites[.]net
- backsrv66.azurewebsites[.]net
- backsrv74.azurewebsites[.]net
- biolinksystems.azurewebsites[.]net
- cardiomedspecialists.azurewebsites[.]net
- carebytesolutions.azurewebsites[.]net
- check-backup-service-179.azurewebsites[.]net
- check-backup-service-288.azurewebsites[.]net
- check-backup-service-736.azurewebsites[.]net
- check-backup-service.azurewebsites[.]net
- clinichaven.azurewebsites[.]net
- cloudaskingquestioning.azurewebsites[.]net
- cloudaskingquestioning.azurewebsites.net[.]net
- cloudaskingquestions.azurewebsites.net[.]net
- cloudaskingquestions.eastus.cloudapp.azure[.]com
- cloudaskingquestions.eastus.cloudapp.azure.com[.]net
- cloudaskquestionanswers.azurewebsites[.]net
- cloudaskquestionanswers.azurewebsites.net[.]net
- cloudaskquestionanswers.com[.]net
- cloudaskquestioning.eastus.cloudapp.azure[.]com
- cloudaskquestioning.eastus.cloudapp.azure.com[.]net
- createformquestionshelper.com[.]net
- datasheet96.azurewebsites[.]net
- digicura.azurewebsites[.]net
- digithealthplatform.azurewebsites[.]net
- doctorconsult-app.azurewebsites[.]net
- exchtestcheckingapijson.azurewebsites[.]net
- exchtestchecking.azurewebsites[.]net
- flydubaicareers.ae[.]org
- focusfusion.eastus.cloudapp.azure[.]com
- frameforward.azurewebsites[.]net
- grownehealth.eastus.cloudapp.azure[.]com
- healsanctum.azurewebsites[.]net
- healthbodymonitoring.azurewebsites[.]net
- healthcare-azureapi.azurewebsites[.]net
- healthdataanalyticsrecord.azurewebsites[.]net
- hivemedtech.azurewebsites[.]net
- lensvisionary.azurewebsites[.]net
- mainrepo10.azurewebsites[.]net
- managetools-platform.azurewebsites[.]net
- marsoxygen.azurewebsites[.]net
- masterflexiblecloud.azurewebsites[.]net
- maydaymed.azurewebsites[.]net
- mediasylum.azurewebsites[.]net
- medical-deepresearch.azurewebsites[.]net
- medicalit-imaging.azurewebsites[.]net
- medicoreit.azurewebsites[.]net
- medicpathsolutions.azurewebsites[.]net
- mentalhealth-support-portal.azurewebsites[.]net
- msnotetask-insights.azurewebsites[.]net
- mstrakcer-tools.azurewebsites[.]net
- nanobreathe.azurewebsites[.]net
- neurocloudhq.azurewebsites[.]net
- nextgenhealthtrack.azurewebsites[.]net
- olemanage-dashboard.azurewebsites[.]net
- oletask-tracker.azurewebsites[.]net
- patient-azureportal.azurewebsites[.]net
- patientcare-portal.azurewebsites[.]net
- pharmainfo.azurewebsites[.]net
- rheinmetall.careers-hub[.]org
- rheinmetall.careersworld[.]org
- rheinmetall.gocareers[.]org
- rheinmetall.theworldcareers[.]com
- rpcconnection.azurewebsites[.]net
- send-feedback-296.azurewebsites[.]net
- send-feedback-413.azurewebsites[.]net
- send-feedback-838.azurewebsites[.]net
- send-feedback.azurewebsites[.]net
- services-update-check.azurewebsites[.]net
- smartapptools.azurewebsites[.]net
- smartmediq.azurewebsites[.]net
- storagewiz.co.azurewebsites[.]net
- symptom-recordchecker.azurewebsites[.]net
- systemmedicaleducation.azurewebsites[.]net
- tacticalsnap.eastus.cloudapp.azure[.]com
- telehealthconnectpro.azurewebsites[.]net
- thecloudappbox.azurewebsites[.]net
- therashelter.azurewebsites[.]net
- totalcaremedcenter.azurewebsites[.]net
- trustedcarehub360.azurewebsites[.]net
- turbulencemd.azurewebsites[.]net
- ventilateainest.azurewebsites[.]net
- virgomarketingsolutions.comtions[.]com
- virtualcliniczone.azurewebsites[.]net
- vitatechlink.azurewebsites[.]net
- vitatechlinks.azurewebsites[.]net
- wellnessfirstgroup.azurewebsites[.]net
- wellnessglowluth.azurewebsites[.]net
- yourfamilymdclinic.azurewebsites[.]net
- zerogmed.azurewebsites[.]net
- 054483046c9f593114bc3ddc3613f71af6b30d2e4b7e7faec1f26e72ae6d7669
- 061c28a9cf06c9f338655a520d13d9b0373ba9826a2759f989985713b5a4ba2b
- 0b2c137ef9087cb4635e110f8e12bb0ed43b6d6e30c62d1f880db20778b73c9a
- 0e4ff052250ade1edaab87de194e87a9afeff903695799bcbc3571918b131100
- 1b629042b5f08b7460975b5ecabc5b195fcbdf76ea50416f512a3ae7a677614a
- 23c0b4f1733284934c071df2bf953a1a894bb77c84cff71d9bfcf80ce3dc4c16
- 3b4667af3a3e6ed905ae73683ee78d2c608a00e566ae446003da47947320097f
- 3b58fd0c0ef8a42226be4d26a64235da059986ec7f5990d5c50d47b7a6cfadcd
- 41d60b7090607e0d4048a3317b45ec7af637d27e5c3e6e89ea8bdcad62c15bf9
- 4260328c81e13a65a081be30958d94b945fea6f2a483d051c52537798b100c69
- 4da158293f93db27906e364a33e5adf8de07a97edaba052d4a9c1c3c3a7f234d
- 53ff76014f650b3180bc87a23d40dc861a005f47a6977cb2fba8907259c3cf7a
- 5985bf904c546c2474cbf94d6d6b2a18a4c82a1407c23a5a5eca3cd828f03826
- 5d832f1da0c7e07927dcf72d6a6f011bfc7737dc34f39c561d1457af83e04e70
- 6780116ec3eb7d26cf721607e14f352957a495d97d74234aade67adbdc3ed339
- 7c77865f27b8f749b7df805ee76cf6e4575cbe0c4d9c29b75f8260210a802fce
- 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
- 954de96c7fcc84fb062ca1e68831ae5745cf091ef5fb2cb2622edf2358e749e0
- 95d246e4956ad5e6b167a3d9d939542d6d80ec7301f337e00bb109cc220432cf
- 9b186530f291f0e6ebc981399c956e1de3ba26b0315b945a263250c06831f281
- 9ec7899729aac48481272d4b305cefffa7799dcdad88d02278ee14315a0a8cc1
- a37d36ade863966fb8520ea819b1fd580bc13314fac6e73cb62f74192021dab9
- a4f5251c81f080d80d1f75ad4cc8f5bc751e7c6df5addcfca268d59107737bd0
- afe679de1a84301048ce1313a057af456e7ee055519b3693654bbb7312083876
- b405ae67c4ad4704c2ae33b2cf60f5b0ccdaff65c2ec44f5913664805d446c9b
- b43487153219d960b585c5e3ea5bb38f6ea04ec9830cca183eb39ccc95d15793
- b9b3ba39dbb6f4da3ed492140ffc167bde5dee005a35228ce156bed413af622d
- bc9f2abce42141329b2ecd0bf5d63e329a657a0d7f33ccdf78b87cf4e172fbd1
- c22b12d8b1e21468ed5d163efbf7fee306e357053d454e1683ddc3fe14d25db5
- cf0c50670102e7fc6499e8d912ce1f5bd389fad5358d5cae53884593c337ac2e
- d2db5b9b554470f5e9ad26f37b6b3f4f3dae336b3deea3f189933d007c17e3d8
- e69c7ea1301e8d723f775ee911900fbf7caf8dcd9c85728f178f0703c4e6c5c0
- e77b7ec4ace252d37956d6a68663692e6bde90cdbbb07c1b8990bfaa311ecfb2
- f54fccb26a6f65de0d0e09324c84e8d85e7549d4d04e0aa81e4c7b1ae2f3c0f8
- f8a1c69c03002222980963a5d50ab9257bc4a1f2f486c3e7912d75558432be88
- ffeacef025ef32ad092eea4761e4eec3c96d4ac46682a0ae15c9303b5c654e3e
Tip: 165 IOCs related to this threat have been found (0 IP, 129 domain, 0 URL, 0 email, 36 file hash).
FAQs
What You Need to Know About the Nimbus Manticore Attacks
An Iranian-linked hacking group called Nimbus Manticore launched a cyber-espionage campaign using fake job offers to trick employees in sensitive industries into downloading malware.
The attacks are attributed to Nimbus Manticore, a state-aligned group connected to Iran's Islamic Revolutionary Guard Corps (IRGC). The group is known for sophisticated spying campaigns.
The aim was to spy on organizations involved in defense, aerospace, and telecommunications by stealing credentials and sensitive files and by gaining long-term access to their systems.
Targets included individuals and companies in Europe and the Middle East, particularly in countries like Denmark, Sweden, Portugal, Israel, and the UAE.
Victims received emails pretending to be from HR recruiters. When they clicked a link, they were taken to a fake job portal that delivered malware hidden inside seemingly legitimate software.
Defense, satellite, and telecom firms hold valuable strategic and technological information, making them prime targets for state-sponsored espionage.
Organizations should train staff on phishing awareness, monitor for suspicious network traffic, and implement endpoint security to catch unusual behavior such as DLL sideloading or credential theft.
This is a targeted campaign aimed at specific sectors and regions, but the techniques used could be applied more broadly in future attacks.
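The Threat Overview notes that the group's C2 sits on shared cloud platforms (Azure, Cloudflare), and the FAQ recommends monitoring network traffic. The following Python script, added here as an illustration and not part of the original report, shows how the defanged domain IOCs above can be refanged and matched against resolver logs in a way that also catches subdomains (so `careers-portal[.]org` catches the page's `airbus.careers-portal[.]org`) without flagging every tenant on `azurewebsites.net`. The five domains in the watchlist are taken verbatim from the IOC list; the DNS log lines and their key=value format are constructed for the example.

```python
from __future__ import annotations

import re
from typing import Iterable

# Subset of the defanged domain IOCs listed on this page. The "[.]" notation is the
# report's way of neutralising them so they are not accidentally resolved or clicked.
DEFANGED_DOMAIN_IOCS = [
    "boeing-careers[.]com",
    "careers-portal[.]org",
    "rheinmetall.careers-hub[.]org",
    "check-backup-service.azurewebsites[.]net",
    "cloudaskingquestions.eastus.cloudapp.azure[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") into a comparable hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def build_watchlist(defanged: Iterable[str]) -> frozenset[str]:
    """Normalised set of hostnames to match against."""
    return frozenset(refang(d) for d in defanged)


def match_host(host: str, watchlist: frozenset[str]) -> str | None:
    """Return the IOC that `host` equals or is a subdomain of, or None.

    Walking up the label chain means airbus.careers-portal.org is caught by the
    IOC careers-portal.org. A benign tenant such as mycompany.azurewebsites.net
    is not caught by check-backup-service.azurewebsites.net, because the bare
    platform suffix is never on the watchlist and the walk ends without a hit.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed resolver log lines (not from the page) in a simple key=value layout.
# The last line mixes case and carries a trailing dot to show normalisation.
SAMPLE_DNS_LOG = """\
2025-09-24T10:12:03Z client=10.0.0.14 qtype=A qname=airbus.careers-portal.org
2025-09-24T10:12:05Z client=10.0.0.14 qtype=A qname=login.microsoftonline.com
2025-09-24T10:13:41Z client=10.0.0.27 qtype=A qname=check-backup-service.azurewebsites.net
2025-09-24T10:13:42Z client=10.0.0.27 qtype=A qname=mycompany-intranet.azurewebsites.net
2025-09-24T10:15:00Z client=10.0.0.31 qtype=AAAA qname=RHEINMETALL.CAREERS-HUB.ORG.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qtype=\S+\s+qname=(?P<qname>\S+)"
)


def scan_dns_log(log_text: str, watchlist: frozenset[str]) -> list[dict]:
    """Return one record per log line whose queried name matches a watchlist IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ioc = match_host(m["qname"], watchlist)
        if ioc:
            hits.append(
                {"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": ioc}
            )
    return hits


WATCHLIST = build_watchlist(DEFANGED_DOMAIN_IOCS)

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, WATCHLIST):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (IOC {hit['ioc']})")
```

Suffix-walking rather than substring matching matters on this IOC set: many entries live under `azurewebsites.net` and `cloudapp.azure.com`, and blocking or alerting on those platform suffixes would flag legitimate Azure-hosted services. The 36 SHA-256 hashes on the page need no such treatment and can be compared exactly against file-hash fields from EDR or sandbox telemetry. Domain IOCs on shared cloud platforms are short-lived, so treat hits as a trigger for investigation of the querying host rather than as proof of compromise on their own.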