Detecting Nimbus Manticore and their sideloading infection chains

ID: b416cb0c-bb23-5f26-b8bb-ef07de210c0f

STIX ID: report--b416cb0c-bb23-5f26-b8bb-ef07de210c0f

Feed Name: Nextron Systems

Threat Score
75/100

Date Published: 2026-06-01

Date Updated: 2026-06-03

Author: Jonathan Peters

...
...

This report documents a targeted hiring-themed phishing campaign attributed to Nimbus Manticore (UNC1549) that uses convincing recruiter personas, lure PDFs (carrying a distinctive Author metadata string), fake 2FA tooling, and multi-stage .NET payloads delivered via cloud-hosted C2 and sideloading through trusted binaries. The article includes a YARA rule to detect the lure PDFs, a comprehensive set of IOCs (file hashes, domains, file paths), and actionable mitigations such as applying AppLocker policies and restricting access to newly registered domains.