Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning Campaign

ID: 8987df08-eb22-5642-8955-6921927ec5ed

STIX ID: report--8987df08-eb22-5642-8955-6921927ec5ed

Feed Name: Infosecurity Magazine (News)

Threat Score: 90/100

Date Published: 2026-05-26

Date Updated: 2026-05-26

**Executive summary:** Check Point Research attributes a multi-wave campaign (Feb–Apr 2026) targeting aviation, defense and telecoms across the US, Europe and the Middle East to IRGC-aligned Nimbus Manticore (UNC1549). The actor shifted from career-themed phishing to search engine poisoning (fake Oracle SQL Developer download pages), used trojanized Zoom installers and OnlyOffice-hosted ZIPs, abused AppDomain hijacking to load malicious .NET DLLs, and deployed a new 64-bit backdoor named MiniFast (JSON-over-HTTP C2 disguised as Chrome). The tooling shows signs of AI-assisted development.
