Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

Nimbus Manticore (aka Screening Serpens / UNC1549), an Iranian state-linked APT, ran coordinated campaigns from February–April 2026 targeting aviation, software, defense, telecom and energy organizations across multiple countries. The actor deployed new backdoors (MiniFast/MiniUpdate and MiniJunk V2), likely using AI-assisted development, and employed AppDomain hijacking, trojanized installers, phishing (including fake job offers and spoofed meeting invites), SEO poisoning, and persistence mechanisms to enable long-term remote command execution and data exfiltration.