MiniFast and MiniJunk V2 phishing-and-SEO deployment
Malware Activity
Summary
Hide ▲
Show ▼
MiniFast and MiniJunk V2 expanded Nimbus Manticore's malware set with a new backdoor and an updated RAT that support persistence, remote command execution, and file exfiltration. The activity ran across February-April 2026 and used phishing, AppDomain hijacking, trojanized installers, and SEO poisoning to reach targets. It broadened the operator's post-compromise reach across entities in the U.S., Israel, the UAE, and the Middle East.
Related Happenings
MiniFast Windows DLL backdoor activity
Malware Activity
First: 26.05.2026 12:10
Last: 26.05.2026 12:10
Sources 1
About this happening:
The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...
MiniFast Windows DLL backdoor activity
Malware ActivityAbout this happening: The **MiniFast** backdoor adds a new **64-bit Windows DLL** implant to **Nimbus Manticore's** toolkit, increasing the group's ability to run commands, move files, and persist on c...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
How related:
The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been attributed to a fresh campaign using lures impersonating organizations in the aviation and software sectors across the U.S., Europe, and the Middle East following the joint U.S.-Israeli military campaign against the country in late February 2026.
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
CampaignHow related: The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been attributed to a fresh campaign using lures impersonating organizations in the aviation and software sectors across the U.S., Europe, and the Middle East following the joint U.S.-Israeli military campaign against the country in late February 2026.
About this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
BeaverTail and OtterCookie malware evolution in Contagious Interview
Malware Activity
First: 17.10.2025 16:33
Last: 17.10.2025 16:33
Sources 1
About this happening:
**Contagious Interview** malware activity tied to **North Korean threat actors** continues to evolve its npm-based delivery chain. A recent wave added **197 malicious npm packages...
BeaverTail and OtterCookie malware evolution in Contagious Interview
Malware ActivityAbout this happening: **Contagious Interview** malware activity tied to **North Korean threat actors** continues to evolve its npm-based delivery chain. A recent wave added **197 malicious npm packages...
Timeline
-
26.05.2026 10:13 2 articles · 1d ago
Initial report: MiniFast and MiniJunk V2 phishing-and-SEO deployment
Initial DisclosureIn **February 2026**, the operator used **AppDomain hijacking** to deliver **MiniJunk** through career-lure infection chains. By **March 2026**, the playbook had shifted to **MiniFast** and **trojanized installers**, then expanded to **SEO poisoning** in April.
Show sources
- Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning — thehackernews.com — 26.05.2026 10:13
- Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning — thehackernews.com — 26.05.2026 10:13