Indonesian Political, Business & Finance News

Iran-Backed Cyberattacks Secretly Cripple US and Israel

| Source: CNBC Translated from Indonesian | Politics
Iran-Backed Cyberattacks Secretly Cripple US and Israel
Image: CNBC

Cyberattacks allegedly originating from Iran have been quietly targeting the United States (US) and Israel amid rising geopolitical tensions. These operations are becoming increasingly sophisticated, aided by artificial intelligence (AI) technology.

The hacking group tracked as Nimbus Manticore, reportedly affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has been conducting digital operations against strategic sectors including defence, aviation, and telecommunications.

According to recent cybersecurity research from Checkpoint, the group has not only stolen data and infiltrated corporate systems but also launched destructive attacks against entities in the US and Israel, as reported on Tuesday, 26 May 2026.

The first wave was observed in February 2026, as military tensions escalated and troop build-ups occurred in the region. During this period, Nimbus Manticore distributed phishing emails disguised as job offers to employees in the technology and aviation sectors.

Victims were directed to download fake files resembling official documents. Once executed, the malware infiltrated systems and silently activated remote access.

The attacks escalated during the military operation dubbed Epic Fury. In this phase, the group deployed fake Zoom installers and fictitious meeting invitations to deceive targets.

Similar to previous campaigns, the perpetrators used AppDomain Hijacking for initial access before executing the final backdoor. This time, they introduced a new backdoor named MiniFast, replacing the MiniJunk malware family.

Many files in this campaign carried valid digital signatures via SSL.com, continuing a pattern of abusing trusted signing infrastructure first detected in 2025.

Researchers identified strong indications that AI was involved in the malware’s development, including neater code structure, rapid adaptability, and automation in writing malicious code.

With AI assistance, the group is believed to accelerate malware creation and rapidly introduce new features.

A new wave emerged in April 2026, with Nimbus Manticore creating fake websites mimicking SQL Developer download pages.

Analysis showed the domain appeared in Bing and DuckDuckGo search results for ‘sql developer’, increasing the likelihood of users being deceived.

Technical Analysis of MiniFast

According to Checkpoint Research, MiniFast is a 64-bit Windows DLL file with a primary function called CheckForUpdates. The malware serves as a full backdoor for long-term persistence and remote command execution.

Samples indicate the malware is continuously developed and updated. MiniFast communicates with command-and-control servers via JSON data exchanges.

To mimic normal traffic, the malware disguises itself as the Chrome browser using a predefined User-Agent.

View JSON | Print