Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms

If you installed Zoom from unofficial sites earlier this year, your device may have been exposed to malware linked to Iran’s Nimbus Manticore hackers.
Check Point Research (CPR) recently exposed a series of cyberattacks carried out by an Iranian group called Nimbus Manticore (also tracked as UNC1549), which is affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Nimbus Manticore has been most active between February and April 2026, a time of major military tension after the launch of Operation Epic Fury on 28 February 2026. Reportedly, the group has expanded its targets beyond Israel and the UAE to hit aviation and software firms in the US.
According to CPR’s blog post, in February 2026, the hackers targeted workers in Saudi Arabia and Australia with fake job offers on OnlyOffice. When victims downloaded a ZIP archive, the group used a technique called AppDomain hijacking. By placing a malicious configuration file (Setup.exe.config) with a safe Microsoft binary (Setup.exe), they tricked the system into running a malicious file (uevmonitor.dll) to launch MiniJunk malware.
By March 2026, they switched to fake Zoom meeting invitations containing Zoominstall64.zip. This launched a real Zoom installer (Zoom_cm.exe) to hide the attack, while AppDomain hijacking quietly deployed a new backdoor called MiniFast via InitInstall.dll. The malware even hijacked a real Windows scheduled task (ZoomUpdateTaskUser) to stay hidden on the system.
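The AppDomain hijacking described in the two paragraphs above relies on a .NET application configuration file (Setup.exe.config, later InitInstall.dll beside a Zoom installer) that redirects a trusted, signed executable to load a different assembly at startup. A defender can hunt for that pattern on disk without executing anything: parse every *.exe.config and flag ones whose <runtime> section sets the AppDomainManager assembly or type, settings that almost no legitimate installer needs. The following script is an added example and not code from Check Point Research or the article; the element names come from Microsoft's documented .NET runtime configuration schema, and the two sample config files are constructed for the demonstration (the assembly name in the suspicious one is a placeholder, not an indicator from the report).

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Runtime settings documented in the .NET configuration schema that make the CLR
# load an arbitrary assembly before the host executable's own code runs.
APPDOMAIN_KEYS = {"appDomainManagerAssembly", "appDomainManagerType"}

# Constructed sample: a typical benign app.config that only pins a runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

# Constructed sample: the redirection pattern a hijacking config would carry.
# "HijackPlaceholder" is a made-up assembly name, not an artifact from the report.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="HijackPlaceholder, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HijackPlaceholder.Manager" />
  </runtime>
</configuration>"""


def parse_runtime_settings(config_xml: str) -> Dict[str, str]:
    """Return the AppDomainManager settings found under <configuration><runtime>, if any."""
    findings: Dict[str, str] = {}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return findings  # malformed XML cannot be loaded by the CLR either; nothing to report
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate an XML namespace prefix on the element
        if tag in APPDOMAIN_KEYS:
            findings[tag] = child.get("value", "")
    return findings


def assess_config(config_name: str, config_xml: str) -> dict:
    """Flag a config that redirects its host executable to a custom AppDomainManager."""
    settings = parse_runtime_settings(config_xml)
    return {
        "config": config_name,
        "host_exe": config_name[:-len(".config")] if config_name.endswith(".config") else config_name,
        "suspicious": any(key in settings for key in APPDOMAIN_KEYS),
        "settings": settings,
    }


def scan_configs(configs: Dict[str, str]) -> List[dict]:
    """Assess an in-memory mapping of file name -> config text; return only the suspicious ones."""
    return [r for r in (assess_config(name, xml) for name, xml in configs.items()) if r["suspicious"]]


def scan_directory(path: str) -> List[dict]:
    """Walk a directory tree, read every *.exe.config, and return the suspicious findings."""
    configs: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(path):
        for name in filenames:
            if name.lower().endswith(".exe.config"):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    configs[full] = fh.read()
    return scan_configs(configs)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; point scan_directory at a Downloads
    # or temp folder to run the same check against real files.
    for finding in scan_configs({"Setup.exe.config": SUSPICIOUS_CONFIG,
                                 "Benign.exe.config": BENIGN_CONFIG}):
        print(f"{finding['config']}: host {finding['host_exe']} redirected via {finding['settings']}")
```

The check is deliberately narrow: a signed Microsoft binary next to a config that names an AppDomainManager is the combination worth escalating, so pair any hit with a signature check of the host executable and a look at whether the named assembly sits in the same user-writable folder. For the later Zoom variant, the same finding should also trigger a review of the ZoomUpdateTaskUser scheduled task's action path, since the article reports that task being repointed for persistence.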
MiniFast stands out for showing clear signs of AI-assisted development. The code was exceptionally neat, featured modular organisation, and included excessive error handling for basic tasks such as GetUserName. This allowed the group to build tools rapidly mid-conflict, and when active, MiniFast gave hackers full remote control via cmd.exe while hiding its traffic by impersonating a Google Chrome browser.
In April, the group abandoned emails for SEO poisoning. They built a fake website, getsqldevelopercom, to mimic Oracle’s SQL Developer software. By registering dozens of connected domains and using keyword stuffing, they pushed the scam site to the top of Bing and DuckDuckGo results, tricking developers into downloading the MiniFast backdoor directly.
Check Point Research noted that wartime pressures actually accelerated the group’s capabilities. By mixing AI-driven coding with public search engine manipulation, Nimbus Manticore skipped targeted emails entirely to compromise systems faster, showing an expansion of their ambitions well beyond regional spying.
HackRead