HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Iran‑linked Nimbus Manticore Deploys Trojanized Zoom Installers Against US Enterprises

Nimbus Manticore, an Iranian state‑sponsored hacking group, embedded a malicious back‑door into legitimate Zoom installers, targeting US companies. The supply‑chain compromise highlights the risk of third‑party software and the need for strict verification controls in third‑party risk programs.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 hackread.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
hackread.com

Iran‑linked Nimbus Manticore Deploys Trojanized Zoom Installers to Target US Enterprises

What Happened — The Iranian state‑aligned group “Nimbus Manticore” inserted malicious payloads into legitimate Zoom client installers. When US‑based employees downloaded the compromised installers, the trojan silently installed a back‑door that can exfiltrate credentials and execute further payloads. The campaign is part of a broader IRGC‑sponsored operation aimed at espionage against Western organizations.

Why It Matters for TPRM

  • Third‑party software supply chains can be weaponised, exposing your organization even when you use trusted vendors.
  • Compromise of a ubiquitous collaboration tool provides attackers a foothold for lateral movement and data theft.
  • The threat originates from a nation‑state actor, indicating a high likelihood of persistent, targeted espionage.

Who Is Affected — Primarily technology‑focused enterprises, professional services, and any organization that relies on Zoom for video conferencing across the United States.

Recommended Actions

  • Verify the integrity of Zoom client binaries using vendor‑signed hashes.
  • Enforce application allow‑listing and block execution of unsigned installers.
  • Conduct a rapid scan for the identified back‑door on all endpoints that installed Zoom in the last 90 days.
  • Review contracts with Zoom and assess any security‑by‑design clauses related to supply‑chain integrity.

Technical Notes — The attackers leveraged a trojanized installer (malware delivered via a third‑party dependency). No specific CVE is cited; the malicious code is a custom back‑door that can harvest credentials and download additional modules. Data at risk includes login credentials, internal communications, and potentially exfiltrated documents. Source: HackRead

📰 Original Source
https://hackread.com/iran-nimbus-manticore-trojan-zoom-installers-us-firms/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →