Iranian Hackers Impersonate Online Recruiters

Western Europeans working in aerospace, defense manufacturing or telecoms are receiving waves of emails from putative job recruiters who actually are Iranian state hackers ready to unleash a backdoor and an infostealer.
Iranian state hackers have proven enthusiastic devotees of fake recruiter phishing scams pioneered by North Korea, so much so that some researchers have said it’s possible that Pyongyang shared attack methods and tools with their Tehran counterparts (see: Iranian Threat Actors Mimic North Korean Job Scam Techniques).
In a campaign spotted by researchers at Check Point, Iranian hackers have focused on workers in Denmark, Sweden and Portugal, sending tailored emails from supposed recruiters that direct victims to fake career portals purporting to belong to companies including Airbus and Boeing.
Check Point tracks the threat actor as “Nimbus Manticore,” which overlaps with hacking activity also tracked as UNC1549 and Smoke Sandstorm.
Each target receives a unique URL and a unique set of login credentials, which lets the attackers gate access to the portal and track individual victims. Logging in starts a multistage infection chain that, Check Point wrote, “reflects a mature, well‑resourced actor prioritizing stealth, resiliency and operational security across delivery, infrastructure and payload layers.”
The infection chain begins with a ZIP archive – named Survey.zip in a sample analyzed by Check Point – that contains a legitimate Windows executable, Setup.exe, which sideloads a malicious userenv.dll placed beside it. The attackers use an undocumented low-level Windows API to hijack DLL loading paths. A second sideload follows: by abusing SenseSampleUploader.exe, a Windows Defender component vulnerable to DLL hijacking, the attackers load a malicious xmllite.dll from the archive’s directory. Persistence is achieved by copying the files to %AppData%\Local\Microsoft\MigAutoPlay and registering scheduled tasks that run the malicious executable under the guise of MigAutoPlay.exe.
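The chain above leaves two hunting signals in ordinary endpoint telemetry: a well-known Windows DLL name (userenv.dll, xmllite.dll, or dxgi.dll from the related cluster the article mentions) loaded from a directory other than the Windows system directories, and a scheduled-task registration or process start that points into the MigAutoPlay directory under %AppData%. The following script is an added example, not Check Point's tooling and not something from the page; it runs both checks over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load, with Sysmon's field names Image, ImageLoaded and CommandLine). The user name, download path and task name in the sample events are invented.

```python
"""Hunt for the sideload-and-persist chain described in the article.

Added example, not Check Point's code. EVENTS below are constructed
Sysmon-style records; the paths, user "ana" and task name are invented.
"""
import ntpath
import re

# DLL names the article reports being sideloaded (dxgi.dll comes from the
# related cluster it describes). Extend the set from your own telemetry.
SIDELOAD_DLLS = {"userenv.dll", "xmllite.dll", "dxgi.dll"}

# Directories those DLLs legitimately load from; anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# The persistence directory from the article, %AppData%\Local\Microsoft\MigAutoPlay,
# matched without assuming how %AppData% expands on a given host.
PERSIST_DIR_RE = re.compile(r"\\appdata\\.*\\microsoft\\migautoplay\\", re.I)


def detect_sideload(event):
    """Flag a listed DLL loaded from outside the Windows system directories."""
    if event.get("EventID") != 7:
        return None
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in SIDELOAD_DLLS or loaded.lower().startswith(SYSTEM_DIRS):
        return None
    loader = event["Image"]
    # Classic sideload: the rogue DLL sits in the loader's own directory.
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(loader).lower()
    detail = f"{ntpath.basename(loader)} loaded {name} from {ntpath.dirname(loaded)}"
    if same_dir:
        detail += " (same directory as loader)"
    return ("dll_sideload", detail)


def detect_persistence(event):
    """Flag any process acting from the MigAutoPlay directory, and any
    schtasks /Create whose action points into it or runs MigAutoPlay.exe."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if PERSIST_DIR_RE.search(image):
        return ("persist_dir_exec", image)
    if (event.get("EventID") == 1
            and ntpath.basename(image).lower() == "schtasks.exe"
            and "/create" in cmd.lower()
            and (PERSIST_DIR_RE.search(cmd) or "migautoplay.exe" in cmd.lower())):
        return ("schtasks_persist", cmd)
    return None


def hunt(events):
    """Run every rule over every event; return a list of (rule, detail)."""
    hits = []
    for ev in events:
        for rule in (detect_sideload, detect_persistence):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed telemetry for one user walking the chain from the article.
MIG = r"C:\Users\ana\AppData\Roaming\Local\Microsoft\MigAutoPlay"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\ana\Downloads\Survey\Setup.exe",
     "CommandLine": r'"C:\Users\ana\Downloads\Survey\Setup.exe"'},
    # Setup.exe pulls the rogue userenv.dll from the extracted archive.
    {"EventID": 7, "Image": r"C:\Users\ana\Downloads\Survey\Setup.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\Survey\userenv.dll"},
    # Benign: a system process loading the real userenv.dll.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\userenv.dll"},
    # The renamed loader, now persistent, sideloads xmllite.dll.
    {"EventID": 7, "Image": MIG + r"\MigAutoPlay.exe",
     "ImageLoaded": MIG + r"\xmllite.dll"},
    # The scheduled task that keeps it running.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /Create /SC ONLOGON /TN Updater /TR "'
                    + MIG + r'\MigAutoPlay.exe"'},
    # Benign noise.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
```

The DLL-name check deliberately keys on the article's three names rather than on every system DLL name, because a generic "system DLL loaded from a user-writable path" rule is noisy on hosts with legitimate per-application copies; the persistence check, by contrast, is specific enough to the reported directory that a single hit is worth a ticket on its own.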
Victims ultimately see a fake error message while the malware installs. At the core of the attack is the MiniJunk backdoor, an evolution of a previous implant known as Minibike, also referred to as SlugResin. MiniJunk employs heavy compiler-level obfuscation, junk code and encrypted strings to resist reverse engineering. It collects system identifiers, establishes persistence and communicates with multiple redundant command-and-control servers using HTTPS requests.
In parallel, the hackers deploy MiniBrowse, a lightweight credential stealer that targets the Chrome and Edge browsers. Delivered as an injected DLL, MiniBrowse extracts stored passwords. An unusual feature of its design is that MiniBrowse searches for browser login files only after its command-and-control server responds with an HTTP status code other than 200, so a generic sinkhole or sandbox that answers 200 to everything never triggers the credential-theft stage.
Check Point researchers said that the group’s use of valid code-signing certificates issued by SSL.com drastically lowers detection rates. The actors also inflate binary sizes with junk code to bypass antivirus heuristics and machine-learning models that truncate analysis of large files. In June, Nimbus Manticore re-architected its infrastructure to combine Cloudflare with Microsoft Azure App Service, so that it stays up if individual domains or providers are suspended.
Researchers identified a separate but related cluster of activity that delivers a different payload, a DLL named dxgi.dll, through the same DLL hijacking technique. Although less sophisticated, this variant shares a code base with MiniJunk, suggesting that multiple actors may have access to the same toolkit.