
Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms
Why It Matters
The attacks expose a new vector—compromised legitimate software installers—threatening critical U.S. sectors and demonstrating how state‑aligned actors can leverage AI and SEO tactics for rapid, large‑scale intrusion.
Key Takeaways
- Nimbus Manticore deployed trojanized Zoom installers to U.S. firms.
- MiniFast backdoor uses AI‑generated code and mimics Chrome traffic.
- SEO poisoning placed fake SQL Developer download at top of search results.
- AppDomain hijacking enabled silent execution of malicious DLLs.
- Campaign aligned with Operation Epic Fury, expanding beyond regional targets.
Pulse Analysis
The emergence of Nimbus Manticore underscores a growing sophistication among Iranian cyber‑espionage units tied to the Islamic Revolutionary Guard Corps. By weaponizing a widely trusted collaboration tool, the group sidestepped traditional phishing filters and gained footholds in high‑value U.S. enterprises. Their timeline—starting with fake job offers, moving to Zoom installer hijacks, and culminating in SEO‑poisoned download sites—mirrors a strategic pivot toward supply‑chain compromise, a tactic that aligns with the broader geopolitical surge following Operation Epic Fury.
Technically, the attackers leveraged AppDomain hijacking, a Windows runtime feature that allows a benign executable to load a malicious configuration file, thereby executing DLLs such as InitInstall.dll without raising alerts. The MiniFast backdoor, noted for its AI‑assisted code quality, disguises network traffic as Chrome browsing, making detection by conventional IDS challenging. Meanwhile, the SEO poisoning campaign created a counterfeit getsqldeveloper.com site that outranked legitimate Oracle resources on Bing and DuckDuckGo, illustrating how search‑engine manipulation can serve as a potent delivery mechanism for malware.
For businesses, the campaign signals an urgent need to harden software procurement processes and monitor for anomalous installer behavior. Organizations should enforce strict download policies, verify code signatures, and employ endpoint detection that can spot atypical scheduled tasks like ZoomUpdateTaskUser. The convergence of AI‑generated malware and search‑engine abuse also suggests that threat intelligence teams must broaden their horizon beyond email phishing, incorporating OSINT monitoring of fake vendor sites. As state‑backed actors continue to blend advanced coding tools with deceptive online tactics, proactive defense and rapid incident response become essential to safeguard critical infrastructure.
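The AppDomain hijack described above leaves a concrete artifact on disk: an `<appname>.exe.config` file whose `<runtime>` section names an AppDomainManager assembly, which the runtime then loads before the host program's own code. The following script is an added detection example, not code from the article or the vendor report it summarizes; it parses such config files and flags the settings that drive the hijack. The sample config is constructed for illustration: the `InitInstall` assembly name comes from the article, the type name `InitInstall.Loader` is an assumption.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# .NET runtime settings that cause the CLR to load an attacker-chosen assembly
# into a benign host executable before its own Main() runs.
HIJACK_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")


def check_config(config_xml: str) -> dict:
    """Parse one *.exe.config document and report AppDomainManager settings.

    Returns a dict with 'suspicious', the raw 'assembly' and 'type' values,
    and 'dll', the file name a hunter should look for beside the executable.
    """
    result = {"suspicious": False, "assembly": None, "type": None, "dll": None}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return result  # malformed XML cannot steer the runtime; report clean
    runtime = root.find("runtime")
    if runtime is None:
        return result
    for key in HIJACK_KEYS:
        node = runtime.find(key)
        if node is not None:
            # 'appDomainManagerAssembly' -> 'assembly', 'appDomainManagerType' -> 'type'
            result[key.replace("appDomainManager", "").lower()] = node.get("value")
    if result["assembly"]:
        # Fully-qualified names look like "Name, Version=..., Culture=..."; the
        # short name is what the loader resolves to <Name>.dll on disk.
        result["dll"] = result["assembly"].split(",")[0].strip() + ".dll"
    result["suspicious"] = bool(result["assembly"] or result["type"])
    return result


def scan_directory(directory: Path) -> list[dict]:
    """Check every *.exe.config under a directory; return only the hits."""
    hits = []
    for cfg in directory.rglob("*.exe.config"):
        report = check_config(cfg.read_text(encoding="utf-8", errors="replace"))
        if report["suspicious"]:
            report["config"] = str(cfg)
            hits.append(report)
    return hits


# Constructed sample: a config that makes a legitimate host .exe load
# InitInstall.dll from its own directory. The type name is an assumption.
SAMPLE_HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="InitInstall, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="InitInstall.Loader" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config with no AppDomainManager override.
SAMPLE_BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""
```

Run `scan_directory(Path(r"C:\Program Files"))` (or any directory where installers drop executables) to list every config that redirects the runtime, then confirm whether the named DLL sits next to the executable and whether it is signed.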