MiniFast Windows DLL backdoor activity
Malware Activity
Summary
The MiniFast backdoor adds a new 64-bit Windows DLL implant to Nimbus Manticore's toolkit, increasing the group's ability to run commands, move files, and persist on compromised systems. It communicates with C2 over JSON while masquerading as a Chrome browser, making the malware harder to spot in network traffic. The new implant replaced MiniJunk in April 2026 and appears in a broader operation that used phishing and search engine poisoning.
Related Happenings
MiniFast and MiniJunk V2 phishing-and-SEO deployment
Malware Activity
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
**MiniFast** and **MiniJunk V2** expanded Nimbus Manticore's malware set with a **new backdoor** and an **updated RAT** that support **persistence**, **remote command execution**,...
AshTag modular .NET backdoor deployment via sideloading
Malware Activity
First: 11.12.2025 13:00
Last: 11.12.2025 13:00
Sources 1
About this happening:
The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...
Timeline
- 26.05.2026 12:10 · 2 articles
MiniFast Windows DLL backdoor appears in Nimbus Manticore campaign
Initial Disclosure: Check Point Research identifies MiniFast as a previously undocumented 64-bit Windows DLL backdoor used by IRGC-affiliated Nimbus Manticore in an April 2026 campaign targeting the US aviation sector and related organizations. The implant communicates with its command-and-control server over JSON while masquerading as a Chrome browser, and its opcode-driven command set supports shell execution, file transfer, process control, and scheduled-task persistence. The new malware replaced MiniJunk and appeared alongside phishing, trojanized Zoom delivery, ZIP archives hosted on the OnlyOffice platform, and a counterfeit Oracle SQL Developer download page used for search engine poisoning.
Sources:
- Iran-Linked Hackers Target US Aviation with Phishing and SEO Poisoning Campaign — www.infosecurity-magazine.com — 26.05.2026 12:10