Iranian State‑Sponsored Actor Deploys MiniFast & MiniJunk V2 via Phishing & SEO Poisoning Targeting Aviation & Software Firms
What Happened — The Iranian APT group “Nimbus Manticore” (aka Screening Serpens, UNC‑1549) launched a new campaign distributing the MiniFast and MiniJunk V2 malware families. The payloads are delivered through credential‑phishing emails and SEO‑poisoned webpages that masquerade as aviation‑industry and software‑vendor sites across the U.S., Europe, and the Middle East.
Why It Matters for TPRM —
- State‑backed actors are leveraging low‑cost, high‑visibility vectors (phishing, SEO) to gain footholds in critical‑infrastructure supply chains.
- MiniFast and MiniJunk V2 are modular loaders capable of installing ransomware, credential stealers, and espionage tools, raising the risk of downstream data exfiltration.
- The campaign’s focus on aviation and software vendors expands the attack surface for any third‑party services they provide (e.g., maintenance, cloud hosting, SaaS platforms).
Who Is Affected — Aviation manufacturers & service providers, software development firms, SaaS platforms, and any downstream customers that rely on these vendors.
Recommended Actions —
- Review all third‑party contracts with aviation and software vendors for security clauses and incident‑response obligations.
- Validate that vendors employ multi‑factor authentication, phishing‑resistance training, and web‑content monitoring for SEO poisoning.
- Conduct threat‑intel‑driven vulnerability scans on any exposed endpoints that could be leveraged by MiniFast/MiniJunk loaders.
Technical Notes — Attack vectors: credential‑phishing emails and SEO‑poisoned search results. Malware families: MiniFast (loader/remote‑access) and MiniJunk V2 (information‑stealer with optional ransomware module). No public CVEs disclosed; the threat relies on social‑engineering rather than software flaws. Source: The Hacker News