Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
Summary
Hide ▲
Show ▼
Nimbus Manticore's February-April 2026 campaign widened into multi-wave phishing and SEO poisoning, increasing risk to organizations in the U.S., Europe, and the Middle East. The operation used career-themed lures, fake meeting invitations, trojanized installers, and SEO-poisoned download pages to deliver MiniFast/MiniUpdate and MiniJunk V2. The shift shows a more varied delivery playbook and more personalized social engineering across the aviation and software sectors.
Related Happenings
MiniFast and MiniJunk V2 phishing-and-SEO deployment
Malware Activity
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
How related:
The disclosure coincides with a report from Palo Alto Networks Unit 42 about the threat actor's targeting of entities in the U.S., Israel, the United Arab Emirates, and the Middle East with MiniUpdate and an updated version of MiniJunk called MiniJunk V2.
About this happening:
**MiniFast** and **MiniJunk V2** expanded Nimbus Manticore's malware set with a **new backdoor** and an **updated RAT** that support **persistence**, **remote command execution**,...
MiniFast and MiniJunk V2 phishing-and-SEO deployment
Malware ActivityHow related: The disclosure coincides with a report from Palo Alto Networks Unit 42 about the threat actor's targeting of entities in the U.S., Israel, the United Arab Emirates, and the Middle East with MiniUpdate and an updated version of MiniJunk called MiniJunk V2.
About this happening: **MiniFast** and **MiniJunk V2** expanded Nimbus Manticore's malware set with a **new backdoor** and an **updated RAT** that support **persistence**, **remote command execution**,...
DarkSpectre browser extension campaign cluster targeting meeting data
Campaign
First: 31.12.2025 18:14
Last: 31.12.2025 18:14
Sources 1
About this happening:
The **DarkSpectre** browser-extension campaign expanded with a third operation that affected **2.2 million users** across **Google Chrome, Microsoft Edge, and Mozilla Firefox**. T...
DarkSpectre browser extension campaign cluster targeting meeting data
CampaignAbout this happening: The **DarkSpectre** browser-extension campaign expanded with a third operation that affected **2.2 million users** across **Google Chrome, Microsoft Edge, and Mozilla Firefox**. T...
Albiriox Austrian-targeting distribution campaign
Campaign
First: 01.12.2025 10:45
Last: 01.12.2025 10:45
Sources 1
About this happening:
The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Albiriox Austrian-targeting distribution campaign
CampaignAbout this happening: The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
Campaign
First: 17.11.2025 13:20
Last: 17.11.2025 13:20
Sources 1
About this happening:
Dragon Breath's **Campaign Trio** and **Campaign Chorus** are using **trojanized NSIS installers** to deliver **Gh0st RAT** to **Chinese-speaking users**, widening the risk of rem...
Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
CampaignAbout this happening: Dragon Breath's **Campaign Trio** and **Campaign Chorus** are using **trojanized NSIS installers** to deliver **Gh0st RAT** to **Chinese-speaking users**, widening the risk of rem...
Smishing Triad evolves into a multi-role phishing-as-a-service ecosystem
Threat Actor Meta
First: 24.10.2025 21:35
Last: 24.10.2025 21:35
Sources 1
About this happening:
**Smishing Triad** has evolved from a phishing-kit purveyor into a **multi-role phishing-as-a-service (PhaaS) ecosystem**, making its smishing operation more scalable and harder t...
Smishing Triad evolves into a multi-role phishing-as-a-service ecosystem
Threat Actor MetaAbout this happening: **Smishing Triad** has evolved from a phishing-kit purveyor into a **multi-role phishing-as-a-service (PhaaS) ecosystem**, making its smishing operation more scalable and harder t...
Timeline
-
26.05.2026 10:13 2 articles · 1d ago
Initial report: Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Initial DisclosureIn **February 2026**, Nimbus Manticore used **career-themed lures** and an AppDomain-hijacking chain to deliver **MiniJunk** through a ZIP archive hosted on **OnlyOffice**. The opening wave focused on employees in the **software** and **aviation** sectors and set up the later **MiniFast** and **SEO-poisoning** phases.
Show sources
- Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning — thehackernews.com — 26.05.2026 10:13
- Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning — thehackernews.com — 26.05.2026 10:13