Iranian Hackers Use Fake Job Lures to Breach Europe’s Critical Industries
New research from Check Point Research reveals the Iranian cyber group Nimbus Manticore is targeting defence, telecom, and aerospace companies in Europe with fake job offers. Learn how they use advanced malware to steal sensitive data.
A group of Iranian hackers known as Nimbus Manticore is expanding its operations, now focusing on major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is targeting businesses in the defence, telecommunications, and aerospace sectors to steal sensitive information.
Nimbus Manticore, also called UNC1549 or Smoke Sandstorm, has been actively tracked since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran’s IRGC, especially during times of heightened geopolitical tension.
**Attack Flow Explained**
The attack starts with a fake email invitation to a job application. This email, which looks very real, directs victims to a fraudulent website built using a React template that mimics well-known companies like Boeing, Airbus, and flydubai.
Email lure (source: CPR)
To make it seem legitimate, each person receives a unique login and password to access the site. These “career” themed websites are registered behind Cloudflare to hide the true location of the server. Once logged in, victims are tricked into downloading a malicious file. This file then begins a complex chain of events to infect their computer.
As shown in CPR’s flow chart, the downloaded file, a compressed ZIP archive, contains a legitimate-looking program (setup.exe). This program then secretly installs and runs other malicious files, including a backdoor, to take control of the system and communicate with the attackers’ servers.
Attack Chain (Source: CPR)
**New Tools and Widespread Targets**
Inside the downloaded file, the hackers place special malware that is an evolved variant of an older malware called Minibike (also known as SlugResin). Recent activity shows a “significant leap in sophistication” with a new variant, MiniJunk, which demonstrates the group’s efforts to evade detection. Another tool, MiniBrowse, is designed to steal important data, such as passwords, without being noticed.
While Nimbus Manticore has a history of consistently targeting the Middle East, specifically Israel and the UAE, its new focus on Europe is a significant development. Researchers noted that the group has been active in countries like Denmark, Sweden, and Portugal.
The report also notes that a parallel, simpler campaign is in use, with attackers posing as HR recruiters and likely reaching out to victims on platforms like LinkedIn before moving the conversation to email. This separate cluster of activity, previously reported by another firm, PRODAFT, also uses spear-phishing with a less complex set of tools but the same goal of stealing access.
While Check Point Research will continue to track the group’s activities, the firm suggests that companies need to be protected from these types of attacks right at the start, before the fake emails or malicious files can even reach employees.