China-backed UNC5221 targets US legal and tech firms by deploying BRICKSTORM malware on neglected VMware and Linux/BSD appliances, Google's Mandiant reports.

A group of hackers with links to China has been caught running a long-term spying operation against US companies. Cybersecurity researchers at Mandiant (part of the Google Threat Intelligence Group) are tracking this threat, named BRICKSTORM, which targets specialised operating systems like Linux and BSD (Berkeley Software Distribution).

Mandiant’s investigation shows the group’s mission to steal valuable intellectual property and sensitive information related to national security and international trade. These hackers have maintained access for a worryingly lengthy time, averaging 393 days, mostly targeting the legal services, technology, SaaS, and Business Process Outsourcers (BPOs) sectors since at least March 2025.

Industries targeted by BRICKSTORM (Image credit: Mandiant)

****BRICKSTORM Malware****

The hackers, tracked by Mandiant as UNC5221, which was also behind the widespread exploitation of the Ivanti VPN zero-day in January 2025, use a new and custom-designed Go-language BRICKSTORM malware. In this case as well, the group exploits zero-day vulnerabilities to infect network appliances and servers with malware.

According to Mandiant’s blog post, this initial access is consistently used to move to high-value systems, particularly VMware vCenter and ESXi hosts. To achieve this, the attackers first deploy BRICKSTORM to a network appliance, steal valid credentials, and then move laterally via SSH to the vCenter server

Researchers further explain that BRICKSTORM features SOCKS proxy functionality, enabling attackers to tunnel traffic and move quietly through the network. Once that is complete, they capture high-privilege user logins while using the organisation’s own network devices to hide their activity.

The malware is under active development, using “advanced obfuscation” (like the tool Garble and a custom internal library) to continuously evade security measures.

****What’s the Big Goal?****

Mandiant believes the hackers are focused on long-term objectives, beginning with the compromise of Software as a Service (SaaS) providers and extending to the networks of their customers.

Additionally, a common objective observed in these attacks is to access the emails of critical personnel, particularly system administrators and developers relevant to the economic and espionage interests of the People’s Republic of China (PRC). To infiltrate any mailbox, threat actors employed Microsoft Entra ID Enterprise Applications with elevated access scopes (like mail.read or full_access_as_app).

Mandiant strongly suggests that companies must work on their cybersecurity. The company has also shared a free scanner script on its GitHub page that organisations can use to check their Linux-based systems for the BRICKSTORM backdoor.

****Expert Takeaway****

Ensar Seker, CISO at SOCRadar, reflected on the seriousness of the campaign. In his exclusive insight shared with Hackread.com, Seker stated that BRICKSTORM is a “wake-up call.” He explained that the attackers’ strategy gives them a “multiplier effect on reach” because by getting into service providers, they gain “pathways into their clients and partners.”

Seker emphasised that this operation is about “building capabilities that can support multiple future attacks” by stealing internal designs and learning how to bypass defences. From a defence standpoint, he advises companies to “assume that any vendor they trust may be compromised, not eventually, but right now,” requiring them to adopt stricter security measures and “zero-trust architectures” around vendor connections.

“In a nutshell, Brickstorm is a wake-up call: adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires that we think in ecosystems and assume compromise, not just for ourselves, but for every connected party,” Seker advised.

China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware

Luxembourg, Luxembourg, 25th September 2025, CyberNewsWire

**Luxembourg, Luxembourg, September 25th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, today announced the findings of its Q1-Q2 2025 Radar report into DDoS attack trends. DDoS attacks have reached unprecedented scale and disruption in 2025, and businesses need to act fast to protect themselves from this evolving threat. The report reveals a significant escalation in the total number of DDoS attacks and their magnitude, measured in terabits per second (Tbps).

It also highlights a clear shift: attackers are growing more strategic, blending brute-force volume with precise application-layer manipulation.

**Key Insights From Q1-Q2 2025**

·      Attack volumes increased by 41% compared to Q1-Q2 2024, evidencing dangerous long term growth trends predicted in prior Radar reports.

·      The largest attack peaked at 2.2 Tbps in Q1-Q2, surpassing the 2 Tbps peak recorded in late 2024.

·      DDoS attacks are becoming longer in duration but more harmful.

·      Attackers are shifting focus to financial services and tech, with tech overtaking gaming as the most targeted sector.

·      DDoS attacks at the application layer have increased by 10% from Q3-Q4 2024 to Q1-Q2 2025.

·      The total number of DDoS attacks climbed from 969,000 in H2 2024 to 1.17 million in H1 2025.

> Andrey Slastenov, Head of Security at Gcore, commented: “The latest Gcore Radar should be a wake-up call to businesses across all industries. Not only are the number and intensity of attacks increasing, but attackers are expanding the scope of their attacks to reach an increasingly wide range of sectors. Businesses must invest in robust DDoS detection, mitigation, and protection to prevent the financial and reputational impact of an attack.’’

**Recent Data Shows Shift Toward Longer Sustained Assaults**

Attacks shorter than 10 minutes have decreased by about 33%, while those lasting between 10 and 30 minutes have nearly quadrupled. While previous reports highlighted the dominance of very short, intense DDoS attacks, this change indicates that attackers are adapting to the improved automatic detection and mitigation systems employed by companies to handle brief attacks. By extending attack durations, threat actors can circumvent these temporary defense thresholds, cause more extensive damage, and test infrastructure resilience over time.

Multi-vector attacks have also increasingly become a preferred tactic of attackers. By masking malicious activity within seemingly legitimate traffic, attackers complicate detection and extend their window to cause damage. This shift toward more sophisticated attacks underscores the need for an equally layered defense approach that anticipates attacker strategies and protects critical digital assets holistically.

**Data Indicates Rise in Attacks on Vulnerable Sectors**

Gaming is no longer the dominant target it once was. Its share of total DDoS attacks has dropped significantly (30% in the last year). This notable decline suggests attackers are shifting focus to other sectors such as tech (attacks increased by 15%) and financial services (attacks increased by 15%). These sectors are favored targets because they may be less protected against threat actors and have higher disruption potential.

**The Domino Effect of Cyberattacks**

Hosting providers, in particular, have become prime targets due to their role supporting SaaS, e-commerce, gaming, and financial clients. An attack on one hosting provider can have dangerous ripple effects: massive service outages and reputation damage to dozens of dependent companies.

**Geographical Distribution of DDoS Attacks**

With a presence that spans six continents, Gcore can accurately track the geographical sources of DDoS attacks. Gcore derives these insights from the attackers’ IP addresses and the geographic locations of the data centers where malicious traffic is targeted.

Although the **United States** and the **Netherlands** remain top sources for attacks (as found in previous Radar reports), Hong Kong is a new source of threats. **Hong Kong** now accounts for 17% of all network-layer and 10% of application-layer attacks. These findings indicate that attackers are expanding into emerging areas, highlighting the need for proactive and adaptive defenses across diverse regions.

**Emerging Origins of Attacks**

The rapid increase in application layer attacks (28% to 38% from Q3-Q4 2024 to Q1-Q2 2025) also reveals an overall trend toward multi-layered attacks targeting web application and API vulnerabilities, which particularly impact sectors with a high degree of customer interaction (ranging from e-commerce and online banking to logistics and public services).

To access the full report, please visit: https://gcore.com/resources/gcore-radar-attack-trends-q1-q2-2025

**About Gcore**

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 210 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Further information is available at gcore.com and updates are also shared on LinkedIn, Twitter, and Facebook.

**Gcore Press Contact**   

\[email protected\] 

**PR Agency Contact**  

\[email protected\]

**Contact**

**Ms.**  
**Kira Kurepina**  
**Gcore**  
**\[email protected\]**

Gcore Radar Report Reveals 41% Surge in DDoS Attack Volumes

The Python Software Foundation (PSF) warns developers of phishing emails leading to a fake PyPI login site designed to steal account credentials.

The Python Software Foundation (PSF) is warning developers about a fresh phishing campaign that targets users of the Python Package Index (PyPI) with convincing but fake emails and a fake login site.

The emails ask recipients to verify their account details for “maintenance and security procedures.” Those who don’t follow the instructions are threatened with account suspensions, and the link they are urged to click leads to a spoofed site hosted at pypi-mirror.org.

Seth Larson, a developer at the PSF, explained that anyone who entered their credentials on the phishing site should change their PyPI password right away and review their account’s Security History for any unusual activity. He also encouraged users to report suspicious emails or phishing attempts directly to [email protected].

The danger behind these attacks is not limited to individual accounts. Once threat actors obtain login details, they can tamper with trusted packages already published to PyPI or push out new ones with malware. This could expose developers and companies that rely on those packages, impacting anyone who relies on those packages

This campaign is not the first of its kind. A similar attempt in July used the domain pypj.org to trick developers into handing over their login details. The latest attack follows the same structure, suggesting that more phishing domains could appear in the future.

PyPI maintainers have already taken action by contacting registrars and content delivery networks to remove malicious domains, submitting them to browser blocklists, and coordinating with other open source platforms to improve response times. They are also exploring ways to strengthen two-factor authentication so that phishing attempts are less effective.

****Advice from an Expert****

Shane Barney, Chief Information Security Officer at Keeper Security, said phishing is not disappearing; it is adapting. Attackers will continue spinning up new domains to trick users, but the real focus for security leaders should be on limiting the damage when someone inevitably clicks.

According to Barney, this starts with stronger authentication methods, such as hardware-based keys like YubiKeys, which resist phishing attempts. Combined with password managers that only auto-fill credentials on verified domains, the two approaches shut down the most common paths attackers rely on.

For enterprises, he added, privileged access management plays a critical role by enforcing least privilege, restricting lateral movement, and monitoring activity. Even if malicious code makes it through, it cannot spread unchecked. “The aim isn’t to eliminate all risk, but to build enough guardrails so one stolen password doesn’t escalate into a full-blown breach,” Barney said.

Nevertheless, do not click on links in emails unless you initiated the action yourself, rely on verified legitimate domains, and consider using hardware keys for phishing-resistant two-factor authentication. Sharing suspicious emails with peers or community channels is also encouraged, since being cautious helps protect not just one developer but the Python community overall.

PSF Warns of Fake PyPI Login Site Stealing User Credentials

Darktrace researchers have uncovered ShadowV2, a new botnet that operates as a DDoS-for-hire service by infecting misconfigured Docker containers on AWS cloud servers.

Cybersecurity researchers at Darktrace have identified a new botnet called ShadowV2 is structured as a DDoS-for-hire service, offering attackers an easy way to launch large-scale attacks on demand.

This means anyone can rent access to its network to launch a distributed denial-of-service (DDoS) attack, making it easier for attackers to generate massive traffic surges similar to those seen in record-breaking incidents across the internet.

ShadowV2 doesn’t go after typical home computers; it infects misconfigured Docker containers on Amazon Web Services (AWS) cloud servers. Docker is a technology that lets developers package and run applications in isolated environments called containers. These containers are a modern way to build and run software, but if they’re not set up correctly, they can be exploited by cybercriminals.

****The Attack****

The attack starts with a Python script hosted on GitHub CodeSpaces, which creates a temporary ‘setup’ container on a victim’s machine. The botnet then installs its core malware, a Go-based Remote Access Trojan (RAT), into this setup. The botnet then uses this container to create a new, infected container.

According to Darktrace, this is a major example of ‘cybercrime-as-a-service’ (CaaS), where illegal activities are now being treated like professional business ventures. The attackers have built a complete platform with a user login screen and a user-friendly control panel. The system is well-designed enough to mirror “legitimate cloud-native applications in both design and usability,” researchers noted in the blog post.

ShadowV2 Login UI (Screenshot via Darktrace)

Additionally, the botnet regularly checks in with a central server using a “RESTful registration and polling mechanism” to get its commands. It uses advanced tactics like a Cloudflare under attack mode (UAM) bypass and “HTTP/2 rapid reset,” which allows it to send massive amounts of traffic at once.

****Fake Law Enforcement Seizure Notice****

Darktrace first spotted the attack on June 24 and found older versions of the malware that had been submitted to a public threat database on June 25 and July 30. The botnet’s main website even displays a fake law enforcement seizure notice as a trick, though the system itself remains fully functional.

Fake seizure notice (Image Source: Darktrace)

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), sees the botnet as evidence of a “maturing criminal market where specialisation beats sprawl.”

He notes that the operators have simplified their business by focusing only on DDoS attacks and selling access, which “reduces operational risk, simplifies tooling, and aligns incentives with paying customers.”

Soroko adds that the use of a professional API and full user interface turns the botnet into a “platform, which shifts detection from host indicators toward control plane behaviours.” He advises defenders to treat this botnet as a “product with a roadmap,” and to watch for upgrades and new tactics.

ShadowV2 Botnet Uses Misconfigured AWS Docker for DDoS-For-Hire Service

UK police arrest man over cyberattack on Collins Aerospace that disrupted check-in at Heathrow, Berlin, Brussels and other airports.

A 40-year-old man was arrested in West Sussex this week in connection with a cyberattack that knocked out check-in systems at several major European airports, including London’s Heathrow, Berlin and Brussels.

The UK’s National Crime Agency (NCA) has confirmed the arrest on suspicion of offences under the Computer Misuse Act and says the investigation is ongoing. However, after his arrest, the suspect was reportedly released on conditional bail. The NCA says it is still early days, and it has not publicly identified others involved or the full motive behind the attack.

_“_It is a positive update that a suspect has already been arrested in connection with this attack. It also highlights the priority law enforcement is placing on catching the perpetrators of cybercrime today,_“_ said Ryan McConechy, CTO at Barrier Networks.

_“_We don’t know how the attack was executed, but we do know ransomware was involved. Organisations must learn from this and prioritise their defences against the vector, and this means training staff regularly, patching vulnerabilities, deploying phishing-resistant MFA capabilities, inventorying assets, monitoring the security of suppliers and applying network segmentation to protect an organisation’s most important assets,_“_ Ryan emphasised.

****Cyber Attack on Collins Aerospace****

The attack targeted Collins Aerospace, a company whose systems handle check-in, baggage tagging and boarding processes at airports. Around Friday night, those systems began failing. Airport staff were forced to use handwritten boarding passes, backup laptops or manual check-in methods while efforts were underway to restore automated services.

Passengers faced delays and cancellations. Brussels in particular felt the impact hard: over the weekend, it cancelled dozens of flights and asked airlines to cut back departures after it proved difficult to restore the compromised system. Berlin also experienced long queues as staff tried to catch up.

Cyberattack Disrupts Airport Check-In Systems Across Europe

Authorities believed the attack involved ransomware. The EU cybersecurity agency ENISA said a “third-party ransomware” was behind the outages. Collins Aerospace acknowledged a “cyber-related disruption” and is coordinating with airports and law enforcement to restore systems.

This incident adds to a growing list of cyber events affecting transport infrastructure worldwide, from rail systems to shipping terminals. Last week, UK authorities arrested two individuals linked to the Scattered Spider group during an investigation into a cyberattack on Transport for London (TfL) that caused millions of pounds in damage.

UK Arrest Made After Cyberattack Disrupts Major European Airports

Cloudflare stopped a record 22.2 Tbps DDoS attack, showing how massive these threats have become and why strong DDoS attack protection is essential.

Cloudflare says it has stopped the largest DDoS attack (distributed denial of service attack) ever recorded. The attack peaked at 22.2 terabits per second and 10.6 billion packets per second. It was detected and mitigated automatically by Cloudflare’s network.

The company reported that the event lasted only 40 seconds but was still twice the size of anything previously seen on the internet. However, in the first week of September 2025, the company stopped a DDoS attack that reached 11.5 terabits per second and lasted about 35 seconds.

DDoS attacks work by overwhelming websites or services with massive amounts of traffic. In this case, the scale was so high that many providers without automated DDoS protection would not have been able to stay online.

Cloudflare has not shared details on the target of the attack, but in a tweet, it pointed out that its systems handled the surge without disruption. The announcement shows how attackers continue to test new levels of volume in their attempts to take services offline.

Massive DDoS incidents are becoming more common, and providers need the capacity to block them in real time. Organisations and users also need to rely on proper DDoS mitigation services to reduce the risk of becoming the next target.

Cloudflare Blocks Record 22.2 Tbps DDoS Attack

The FBI is warning internet users about fake versions of its official IC3 cybercrime reporting website. Learn how to spot these ‘spoofed’ sites, avoid scams where criminals impersonate agents, and protect your personal information by following the FBI’s crucial safety tips.

The Federal Bureau of Investigation (FBI) has issued a critical Public Service Announcement (PSA) revealing that cybercriminals are creating fake, or ‘spoofed,’ versions of the FBI’s IC3 (Internet Crime Complaint Center) website to steal user data.

IC3 is a primary tool where people can file reports on cybercrime and online scams. The platform was established in 2000 as the Internet Fraud Complaint Centre but was later renamed in 2003 to represent its overall mission.

According to the FBI’s advisory, threat actors create these fake websites by making slight changes to the legitimate domain name, such as alternate spellings or different web addresses, as seen in previous cases like ɢoogle.com rather than Google.com. This is done to “gather personally identifiable information entered by a user into the site, including name, home address, phone number, email address, and banking information.”

The advisory warns that users may unknowingly visit these fake portals while attempting to file an official report, exposing their sensitive data. The goal of these fake sites is to steal personal information and trick people into monetary scams.

The FBI also warns that these scammers may even pretend to be IC3 staff. They might contact you, claiming they can get your lost money back, but only if you pay them a fee first. This is a clear sign of a scam, as the FBI and IC3 will never ask for payment to help a victim. In fact, between December 2023 and February 2025, the agency received over 100 reports of these impersonation scams.

****Not The First Time****

This is not the first time that scammers have impersonated the Internet Crime Complaint Center to carry out possible phishing or malware campaigns. As far back as 2018, fraudulent emails and websites mimicking IC3 were used to trick users into providing sensitive information, sometimes even embedding malicious files for installation.

Screenshots of fake emails sent by hackers back in February 2018 (Screenshot credit: Hackread.com)

****What can you do to protect yourself?****

The FBI has some crucial advice. The safest way to access the site is to type www.ic3.gov directly into your browser’s address bar. The FBI specifically advises against using search engines and clicking on ‘sponsored’ results, which are often paid ads for these fake sites.

Always check the URL to make sure it ends in ‘.gov’ and has no misspellings, and avoid clicking on links with low-quality graphics, which are another hallmark of fraudulent websites.

Keep in mind that the IC3 does not have any social media pages, so if you see one claiming to be official, it’s a fake. If you fall victim to one of these impersonation scams, be sure to report it to the real IC3 site and provide as much detail as possible, including any financial transaction information.

FBI Warns of Fake IC3 Websites Designed to Steal Personal Data

Microsoft patched an Entra ID vulnerability that let attackers impersonate Global Admins across tenants, risking full Microsoft 365 and Azure takeover.

Microsoft has addressed a critical security vulnerability in Azure Entra ID, tracked as CVE-2025-55241, that was initially described as a low-impact privilege escalation bug. Security research later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.

The vulnerability was originally identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.

This meant a token generated in one lab tenant could grant administrative control over others, with no alerts or logs if only reading data, and limited traces if modifications were made.

The design of Actor tokens, as per Mollema, made the problem even worse. These tokens are issued for backend service-to-service communication and bypass normal security protections like Conditional Access. Once obtained, they allowed impersonation of other identities for 24 hours, during which no revocation was possible.

Microsoft applications could generate them with impersonation rights, but non-Microsoft apps would be denied that privilege. Because the Azure AD Graph API lacked logging, administrators would not see when attackers accessed user data, groups, roles, tenant settings, service principals, BitLocker keys, policies, etc.

In his detailed technical blog post, Mollema demonstrated that impersonation worked across tenants because the Azure AD Graph API failed to validate the token’s originating tenant. By changing the tenant ID and targeting a known user identifier (netId), he could move from his own tenant into any other.

With a valid netId of a Global Admin, the door opened to full takeover of Microsoft 365, Azure subscriptions, and connected services. Worse, netIds could be brute forced quickly, or in some cases, retrieved from guest account attributes in cross-tenant collaborations.

“The demo video shows how Actor tokens can be used within a single tenant, though the same method could have been applied across tenants through this vulnerability.”  

Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. The company said no evidence of exploitation was found in its internal telemetry. On September 4, the vulnerability was officially catalogued as CVE-2025-55241.

Security professionals, however, say the issue exposes broader concerns about trust in cloud identity systems. Anders Askasan, Director of Product at Radiant Logic, argued that “This incident shows how undocumented identity features can quietly bypass Zero Trust.”

_“_Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough,” he added.

_“_To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies,_“_ he advised. “Organisations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”

Microsoft Fixed Entra ID Vulnerability Allowing Global Admin Impersonation

Pittsburg, United States, 23rd September 2025, CyberNewsWire

**Pittsburg, United States, September 23rd, 2025, CyberNewsWire**

Defy Security, a leading provider of cybersecurity solutions and services, today announced the appointment of Gary Warzala to its Board of Directors.

Warzala is a highly regarded cybersecurity executive with more than 20 years of leadership experience, having served as Chief Information Security Officer (CISO) at Visa Inc., PNC Bank, Fifth Third Bank, Aon Corporation, and GE Aviation. Most recently, he was an Executive Partner with Gartner, Inc., where he advised CISOs across the globe. He is currently Managing Principal at CyberRisk, LLC.

As a member of Defy Security’s Board, and a former customer of Defy Security, Warzala will provide oversight, governance, and strategic counsel to the executive leadership team. He will also meet with existing and prospective customers, serving as a trusted partner to help them realize the full value of Defy Security’s offerings and support Defy’s focus on customer experience and a customer-centric strategy.

In addition to his new role with Defy Security, Warzala serves on the Board of Directors for First Financial Bank in Cincinnati, OH, and the Indiana Golf Foundation (IGF) in Indianapolis, IN. In 2022, he was inducted into the Chief Information Security Officer (CISO) Hall of Fame. He holds an MBA from Xavier University and a BS from Utica College of Syracuse University.

> “Gary has been a trusted partner to me and to Defy Security for many years. His reputation in the cybersecurity industry is unmatched – not only for his depth of expertise, but for his integrity and ability to build lasting, trusted relationships with CISOs across industries,” said Justin Domachowski, Founder and CEO of Defy Security. “Having Gary join our Board is a natural extension of our long-standing relationship, and I could not be more excited to officially welcome him. His experience, perspective, and leadership will help us continue to strengthen the unique culture of partnership that defines Defy Security and deliver even greater value to our clients.”

> “As a CISO, I always valued true partnerships, and Defy Security consistently stood out as a company I could rely on,” commented Warzala. “Justin and his team have built an organization deeply committed to client success, and I am proud to join the Board to continue that mission in a new and meaningful way.”

**About Defy Security**

Defy Security is a trusted cybersecurity partner for organizations nationwide, delivering tailored solutions and services that align with business goals and strengthen security posture. With a culture built on commitment, partnership, and measurable outcomes, Defy Security empowers clients to navigate complex security challenges with confidence. www.defysecurity.com

**Contact**

**Head of Marketing and Partnerships**  
**Monicka Mann**  
**Defy Security**  
**\[email protected\]**

Defy Security Appoints Esteemed Cybersecurity Leader Gary Warzala to Its Board of Directors

New research from Check Point Research reveals the Iranian cyber group Nimbus Manticore is targeting defence, telecom, and aerospace companies in Europe with fake job offers. Learn how they use advanced malware to steal sensitive data.

A group of Iranian hackers known as Nimbus Manticore is expanding its operations, now focusing on major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is targeting businesses in the defence, telecommunications, and aerospace sectors to steal sensitive information.

Nimbus Manticore, also called UNC1549 or Smoke Sandstorm, has been actively tracked since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran’s IRGC, especially during times of heightened geopolitical tension.

****Attack Flow Explained****

The attack starts with a fake email invitation to a job application. This email, which looks very real, directs victims to a fraudulent website built using a React template that mimics well-known companies like Boeing, Airbus, and flydubai.

Email lure (source: CPR)

To make it seem legitimate, each person receives a unique login and password to access the site. These “career” themed websites are registered behind Cloudflare to hide the true location of the server. Once logged in, victims are tricked into downloading a malicious file. This file then begins a complex chain of events to infect their computer.

As shown in the CPR’s research flow chart, the downloaded file, which is a compressed ZIP archive, contains a legitimate-looking program (setup.exe). This program then secretly installs and runs other malicious files, including a backdoor, to take control of the system and communicate with the attackers’ servers.

Attack Chain (Source: CPR)

****New Tools and Widespread Targets****

Inside the downloaded file, the hackers place special malware that is are evolved variant of an older malware called Minibike (also known as SlugResin). Recent activity shows a “significant leap in sophistication” with a new variant, MiniJunk, which demonstrates the group’s efforts to evade detection. Another tool, MiniBrowse, is designed to steal important data, such as passwords, without being noticed.

While Nimbus Manticore has a history of consistently targeting the Middle East, specifically Israel and the UAE, its new focus on Europe is a significant development. Researchers noted that the group has been active in countries like Denmark, Sweden, and Portugal.

The report also notes that a parallel, simpler campaign is in use, with attackers posing as HR recruiters and likely reaching out to victims on platforms like LinkedIn before moving the conversation to email. This separate cluster of activity, previously reported by another firm, PRODAFT, also uses spear-phishing with a less complex set of tools but the same goal of stealing access.

While Check Point Research will continue to track the group’s activities, the firm suggests that companies need to be protected from these types of attacks right at the start, before the fake emails or malicious files can even reach employees.

Source

HackRead