HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Iranian APT Nimbus Manticore Deploys MiniFast & MiniJunk V2 via Phishing and SEO Poisoning

Nimbus Manticore, an Iranian state‑backed threat actor, is distributing the MiniFast and MiniJunk V2 malware families through phishing emails and SEO‑poisoned sites targeting aviation and software firms worldwide, raising supply‑chain risk for third‑party relationships.

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Iranian State‑Sponsored Actor Deploys MiniFast & MiniJunk V2 via Phishing & SEO Poisoning Targeting Aviation & Software Firms

What Happened — The Iranian APT group “Nimbus Manticore” (aka Screening Serpens, UNC‑1549) launched a new campaign distributing the MiniFast and MiniJunk V2 malware families. The payloads are delivered through credential‑phishing emails and SEO‑poisoned webpages that masquerade as aviation‑industry and software‑vendor sites across the U.S., Europe, and the Middle East.

Why It Matters for TPRM

  • State‑backed actors are leveraging low‑cost, high‑visibility vectors (phishing, SEO) to gain footholds in critical‑infrastructure supply chains.
  • MiniFast and MiniJunk V2 are modular loaders capable of installing ransomware, credential stealers, and espionage tools, raising the risk of downstream data exfiltration.
  • The campaign’s focus on aviation and software vendors expands the attack surface for any third‑party services they provide (e.g., maintenance, cloud hosting, SaaS platforms).

Who Is Affected — Aviation manufacturers & service providers, software development firms, SaaS platforms, and any downstream customers that rely on these vendors.

Recommended Actions

  • Review all third‑party contracts with aviation and software vendors for security clauses and incident‑response obligations.
  • Validate that vendors employ multi‑factor authentication, phishing‑resistance training, and web‑content monitoring for SEO poisoning.
  • Conduct threat‑intel‑driven vulnerability scans on any exposed endpoints that could be leveraged by MiniFast/MiniJunk loaders.

Technical Notes — Attack vectors: credential‑phishing emails and SEO‑poisoned search results. Malware families: MiniFast (loader/remote‑access) and MiniJunk V2 (information‑stealer with optional ransomware module). No public CVEs disclosed; the threat relies on social‑engineering rather than software flaws. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →