Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms
ID: f0b03bc0-5207-58aa-9ece-ada98d8d87a8
STIX ID: report--f0b03bc0-5207-58aa-9ece-ada98d8d87a8
Feed Name: HackRead
Check Point Research attributes a Feb–Apr 2026 campaign to the Iranian APT Nimbus Manticore (UNC1549). The campaign used fake job offers and Zoom installers to deploy the MiniJunk and MiniFast backdoors via AppDomain hijacking, hijacked a legitimate Windows scheduled task to maintain persistence, and employed SEO poisoning (fake getsqldevelopercom) to distribute malware. The report highlights AI-assisted, modular development and expanded targeting beyond regional actors to aviation and software firms.
