Ethical Hacking News
Suspected Iranian government-backed attackers tracked as Nimbus Manticore (also known as UNC1549) have expanded their operations to organizations in Western Europe, using fake job portals to phish employees and a DLL sideloading technique that loads the malicious library from an alternate path rather than from beside the executable. Victims who take the bait receive a custom backdoor and an infostealer instead of a job offer.
In a recent report, Check Point Research revealed that suspected Iranian government-backed attackers have expanded their operations to target organizations in the defense, manufacturing, telecommunications, and aviation sectors across Europe. Check Point tracks the group as Nimbus Manticore; Google's Mandiant tracks it as UNC1549, and the cluster overlaps with what Microsoft calls Smoke Sandstorm and CrowdStrike calls Imperial Kitten.
The attack begins with a phishing link that directs the victim to a fake job-related login page spoofing companies such as Boeing, Airbus, Rheinmetall, and Flydubai. Each victim receives a unique set of credentials with the link to the login page, and after they enter the correct information, the site delivers a malicious archive containing the malware.
The archive masquerades as legitimate software related to the hiring process, and the execution chain uses a multi-stage DLL sideloading technique to deliver the final payload. According to Check Point Research, the loader does not simply drop the malicious DLL next to a trusted executable; it modifies the process execution parameters so that the DLL is resolved from an alternate path, which defeats detection rules that only look for a DLL sitting beside its host binary. Check Point reads this as a notable step up in the actor's tooling.
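The "alternate path" detail above matters for defenders: a sideloading rule that only fires when the DLL sits in the same directory as the executable will miss a loader that resolves it from elsewhere. The following Python is an added example (not Check Point's tooling or the group's code) that triages Sysmon Event ID 7 (ImageLoaded) records with a path-based heuristic instead: it flags any DLL whose name belongs to Windows but was loaded from outside the Windows directories, raises the score when the DLL came from a directory other than the executable's own, and again when it is unsigned. The field names follow Sysmon's ImageLoaded schema; the DLL list, paths and events are constructed for illustration.

```python
"""Heuristic DLL-sideloading triage over Sysmon Event ID 7 (ImageLoaded) records.

Added example for this article, not Check Point's tooling. All events, paths
and the DLL list below are constructed; field names follow Sysmon's schema.
"""
import ntpath

# DLL names Windows normally serves from its own directories. Trimmed for the
# example; a real deployment would enumerate System32 on a reference build.
SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed Sysmon ImageLoaded events (assumption: extracted to flat dicts).
EVENTS = [
    # 1. Normal: explorer loads version.dll from System32.
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # 2. Classic sideload: unsigned version.dll beside a downloaded executable.
    {"Image": "C:\\Users\\jdoe\\Downloads\\Recruitment\\Updater.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\Downloads\\Recruitment\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # 3. Alternate-path sideload: DLL resolved from a directory the exe is not in.
    {"Image": "C:\\Users\\jdoe\\Downloads\\Recruitment\\Updater.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\cache\\dbghelp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # 4. Vendor app loading its own private DLL: not a system DLL name, ignored.
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\applib.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # 5. Legitimately redistributed, validly signed dbghelp.dll: low score only.
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _dirname(path):
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _in_system_dir(path):
    return _dirname(path).startswith(SYSTEM_DIRS)


def classify_load(event):
    """Return (severity, reasons) for one ImageLoaded event, or None if benign.

    Severity: 1 = system DLL name outside Windows dirs, +1 if resolved from a
    directory other than the executable's own, +1 if unsigned/invalid signature.
    """
    dll = event["ImageLoaded"]
    name = ntpath.basename(dll).lower()
    if name not in SYSTEM_DLLS or _in_system_dir(dll):
        return None
    reasons = ["system DLL name resolved outside the Windows directories"]
    severity = 1
    if _dirname(dll) != _dirname(event["Image"]):
        reasons.append("loaded from a directory other than the executable's own "
                       "(alternate search path, missed by same-directory rules)")
        severity += 1
    if (event.get("Signed", "").lower() != "true"
            or event.get("SignatureStatus", "") != "Valid"):
        reasons.append("DLL is unsigned or its signature did not validate")
        severity += 1
    return severity, reasons


def triage(events):
    """Score every event and return findings sorted by descending severity."""
    findings = []
    for ev in events:
        result = classify_load(ev)
        if result is None:
            continue
        severity, reasons = result
        findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: -f["severity"])
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']}] {f['image']} -> {f['dll']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed events, the alternate-path load scores highest (3), the classic beside-the-executable sideload second (2), and the validly signed vendor copy of dbghelp.dll lowest (1). That last case is the caveat: redistributed Microsoft DLLs are common, so treat the heuristic as a ranking for analyst review and pair it with signer and hash checks rather than blocking on it outright.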
The malware is heavily obfuscated to avoid detection while it steals information. The Check Point team noted that the latest variants of the group's MiniBike backdoor, which it now tracks as MiniJunk, show a higher level of sophistication in the attackers' tactics, techniques, and procedures (TTPs): size inflation (padding the binary so it exceeds the size limits of many scanners and sandboxes), junk code, control-flow obfuscation, and signing with a code-signing certificate, all of which lower detection rates.
Check Point ties the campaign to the ongoing Iranian Dream Job activity, which copies the playbook of the North Korean Lazarus Group's Operation Dream Job. The attackers pose as recruiters for companies in the aerospace, defense manufacturing, and telecommunications industries. Instead of a job, victims receive the MiniJunk backdoor and an infostealer Check Point calls MiniBrowse.
Fake job portals are not a new lure; the tactic is borrowed wholesale from Lazarus. What stands out here is the targeting: the campaign is narrowly aimed at organizations in Western Europe, specifically Denmark, Portugal, and Sweden, with per-victim credentials that keep the lure pages away from casual visitors and automated crawlers.
Check Point Research attributes the new campaign to Nimbus Manticore, which overlaps with UNC1549, a cluster Google's Mandiant has assessed as likely affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC), and with Tortoiseshell, the recruiter-themed operation Facebook (now Meta) disrupted in 2021 for targeting US military personnel and defense contractors.
The practical lessons follow directly from the TTPs. Phishing-resistant multi-factor authentication blunts the credential-harvesting side of the lure, but the malware delivery does not depend on stolen passwords, so it also needs to be addressed: treat archives and "hiring software" sent by recruiters as untrusted, block execution from user-writable download locations where policy allows, and alert on signed or otherwise trusted executables that load unsigned DLLs from outside the Windows directories, without assuming the DLL will be found next to the executable. Because the samples are signed, a valid certificate on its own should not be taken as a clean verdict; revocation status, signer identity, and the unusually large file sizes produced by inflation are all worth checking.
Organizations in the targeted sectors, particularly in Denmark, Portugal, and Sweden, should brief staff on recruiter-themed lures that spoof Boeing, Airbus, Rheinmetall, Flydubai, and similar firms, and monitor for the behaviors described above rather than waiting for hashes from the next report.
Related Information:
https://www.ethicalhackingnews.com/articles/Suspected-Iranian-Government-Backed-Attackers-Expand-Cyber-Ops-in-European-Aerospace-Sector-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/23/iran_targeting_european_aerospace/
Published: Tue Sep 23 06:26:00 2025 by llama3.2 3B Q4_K_M