Iranian Hackers Target US Aviation with New Malware and SEO Poisoning
ID: e32cca83-fda6-5bfa-9800-5f11aec86ab9
STIX ID: report--e32cca83-fda6-5bfa-9800-5f11aec86ab9
Feed Name: ThreatCluster
Between February and April 2026 the Iranian state-aligned group Nimbus Manticore (UNC1549) ran a targeted campaign against the US aviation sector and adjacent industries. Initial access combined career-themed phishing, SEO poisoning with counterfeit Oracle SQL Developer download pages, trojanized Zoom installers and .NET AppDomain hijacking, all leading to a new AI-assisted backdoor named MiniFast: a 64-bit Windows DLL whose JSON-based C2 traffic is disguised as Chrome browser activity. Check Point Research and other vendors observed multiple waves and targeting across several regions. Recommended defences are to block the malicious domains, monitor for suspicious .NET DLL loads and AppDomain hijacking, and detect MiniFast's JSON-over-HTTP C2 patterns.
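The two detection recommendations above can be turned into a concrete hunt. The Python below is an added example written for this page, not code from Check Point Research, the ThreatCluster feed or the MiniFast authors. It parses constructed `<exe>.config` contents and process-environment blocks for AppDomainManager settings (the .NET mechanism behind AppDomain hijacking, ATT&CK T1574.014), and scans constructed HTTP telemetry for JSON POSTs sent by a non-browser process under a Chrome User-Agent. The telemetry field names (`image`, `user_agent`, `body`), the sample paths, URLs and assembly names, and the assumption that "disguised as Chrome" shows up as a spoofed Chrome User-Agent are all assumptions; the report does not publish MiniFast's actual headers or domains.

```python
import json
import re
import xml.etree.ElementTree as ET

# Chromium-family browser images for which a Chrome User-Agent is expected.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe", "opera.exe"}
CHROME_UA = re.compile(r"\bChrome/\d+")
# Environment variables the .NET runtime consults for an AppDomainManager.
APPDOMAIN_ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def appdomain_manager_from_config(xml_text):
    """Return the AppDomainManager assembly/type named in an <exe>.config, or None.

    A .NET host honours <runtime><appDomainManagerAssembly>/<appDomainManagerType>
    and loads that assembly before the program's own entry point runs, so a
    config file dropped next to a signed executable is enough to hijack it.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value", "") if asm is not None else "",
        "type": typ.get("value", "") if typ is not None else "",
    }


def appdomain_manager_from_env(env):
    """Return the AppDomainManager environment variables set on a process, or None."""
    hits = {k: env[k] for k in APPDOMAIN_ENV_KEYS if k in env}
    return hits or None


def _is_json(body):
    try:
        json.loads(body)
    except (TypeError, ValueError):
        return False
    return True


def flag_masqueraded_json_c2(records):
    """Return HTTP records where a non-browser process POSTs JSON with a Chrome User-Agent.

    Heuristic (an assumption, see lead-in): a spoofed Chrome UA on a process
    that is not a Chromium-family browser, carrying a JSON request body.
    """
    hits = []
    for rec in records:
        image = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue
        if not CHROME_UA.search(rec.get("user_agent", "")):
            continue
        if rec.get("method") != "POST" or not _is_json(rec.get("body", "")):
            continue
        hits.append(rec)
    return hits


# Constructed sample data for the example; none of it comes from the report.
HIJACKED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Loader" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

SAMPLE_HTTP = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "method": "POST",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "url": "https://example.invalid/login", "body": '{"token":"abc"}'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup\host.exe", "method": "POST",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "url": "https://example.invalid/api/v1/sync", "body": '{"id":"a1b2","task":"beacon"}'},
    {"image": r"C:\Windows\System32\svchost.exe", "method": "GET",
     "user_agent": "Microsoft-Delivery-Optimization/10.0", "url": "http://example.invalid/", "body": ""},
]


def hunt():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "hijacked_config": appdomain_manager_from_config(HIJACKED_CONFIG),
        "benign_config": appdomain_manager_from_config(BENIGN_CONFIG),
        "env": appdomain_manager_from_env({"APPDOMAIN_MANAGER_ASM": "Updater",
                                           "APPDOMAIN_MANAGER_TYPE": "Updater.Loader",
                                           "PATH": "C:\\Windows"}),
        "c2_like": [r["image"] for r in flag_masqueraded_json_c2(SAMPLE_HTTP)],
    }


if __name__ == "__main__":
    print(json.dumps(hunt(), indent=2))
```

In production the config check is cheap to run over every `*.exe.config` under user-writable paths, and the environment check over EDR process-creation telemetry that captures the environment block. The User-Agent heuristic needs an allowlist of Electron/CEF-based applications, which legitimately send a Chrome User-Agent from a non-browser image, before it is usable as an alert rather than a hunt query.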
