Iran‑linked Nimbus Manticore Deploys Trojanized Zoom Installers to Target US Enterprises
What Happened — The Iranian state‑aligned group “Nimbus Manticore” inserted malicious payloads into legitimate Zoom client installers. When US‑based employees downloaded the compromised installers, the trojan silently installed a back‑door that can exfiltrate credentials and execute further payloads. The campaign is part of a broader IRGC‑sponsored operation aimed at espionage against Western organizations.
Why It Matters for TPRM —
- Third‑party software supply chains can be weaponised, exposing your organization even when you use trusted vendors.
- Compromise of a ubiquitous collaboration tool provides attackers a foothold for lateral movement and data theft.
- The threat originates from a nation‑state actor, indicating a high likelihood of persistent, targeted espionage.
Who Is Affected — Primarily technology‑focused enterprises, professional services, and any organization that relies on Zoom for video conferencing across the United States.
Recommended Actions —
- Verify the integrity of Zoom client binaries using vendor‑signed hashes.
- Enforce application allow‑listing and block execution of unsigned installers.
- Conduct a rapid scan for the identified back‑door on all endpoints that installed Zoom in the last 90 days.
- Review contracts with Zoom and assess any security‑by‑design clauses related to supply‑chain integrity.
Technical Notes — The attackers leveraged a trojanized installer (malware delivered via a third‑party dependency). No specific CVE is cited; the malicious code is a custom back‑door that can harvest credentials and download additional modules. Data at risk includes login credentials, internal communications, and potentially exfiltrated documents. Source: HackRead