Check Point — IRGC-linked group uses AI-assisted MiniFast malware

AI relevance: IRGC-affiliated threat actor Nimbus Manticore (UNC1549) is using commercial AI tools to accelerate malware development, producing a new backdoor (MiniFast) that combines career-themed phishing, SEO poisoning, and AppDomain hijacking into a cohesive campaign targeting defense, aerospace, and telecom sectors.

  • Check Point Research documented Nimbus Manticore's resurfaced campaign in February 2026, introducing the MiniFast (aka MiniUpdate) backdoor with clear indicators of AI-assisted development.
  • Researchers flagged excessive error handling around trivial functions, verbose and repetitive naming patterns, and debug-style status strings scattered through the MiniFast codebase — coding artifacts consistent with LLM-generated code.
  • The group replaced its traditional DLL sideloading with AppDomain hijacking: a trojanized XML file placed alongside a legitimate binary directs the .NET runtime to load an attacker-controlled AppDomainManager class tied to a malicious DLL.
  • SEO poisoning was introduced as a malware delivery vector for the first time, complementing existing career-themed phishing lures that impersonate aviation and software companies.
  • Trojanized Zoom installers are used to conceal malware execution within normal system activity, blending malicious payloads with trusted software installation flows.
  • Target expansion: previously focused on Europe, the Middle East, and Africa (especially Israel and the UAE), the campaign now includes U.S. aviation-sector organizations.
  • Check Point's AI Threat Landscape digest (March–April 2026) notes a related case where a single operator used commercial AI to compromise nine Mexican government agencies and execute over 5,000 automated commands.

Why it matters

This is not theoretical AI risk — it's wartime acceleration of state-sponsored cyber operations through accessible commercial AI. When an IRGC-linked group can use off-the-shelf AI to produce functional backdoors, the barrier to sophisticated malware drops significantly. AppDomain hijacking bypasses application whitelisting, SEO poisoning expands the initial-access attack surface beyond email, and AI-assisted coding means the group can iterate faster on detection evasion. Defenders should treat LLM-assisted malware development as a present-day tradecraft evolution, not a future concern.

What to do

  • Monitor for AppDomain hijacking indicators: unexpected XML configuration files alongside legitimate binaries, particularly with AppDomainManager references.
  • Block known Nimbus Manticore IOCs and track UNC1549 campaign updates from Check Point Research.
  • Review .NET application execution logs for unauthorized DLL loads via AppDomainManager injection.
  • Train security teams to flag LLM-generated code artifacts (verbose naming, excessive error handling, debug strings) in malware analysis — this is becoming a useful triage signal.
  • Extend phishing awareness beyond email: SEO poisoning and trojanized installers are now part of the infection chain.
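One way to hunt for the AppDomainManager artifacts described above, as an added example and not Check Point's tooling: a Python triage script that walks a directory tree, parses each application's .exe.config, flags appDomainManagerAssembly/appDomainManagerType entries under the runtime section, and checks whether the named assembly sits beside the executable. The Updater and UpdateHelper names and the two sample configs are constructed for the demo.

```python
"""Triage scan for .NET AppDomainManager hijacking artifacts. Added example, not
Check Point's tooling; the sample folder and file names below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

def inspect_config(config_path):
    """Return a finding dict if <runtime> names an AppDomainManager, else None."""
    try:
        runtime = ET.parse(config_path).getroot().find("runtime")
    except ET.ParseError:
        return None  # malformed XML is a separate finding; skipped here
    asm = runtime.find("appDomainManagerAssembly") if runtime is not None else None
    typ = runtime.find("appDomainManagerType") if runtime is not None else None
    if asm is None and typ is None:
        return None  # ordinary config, e.g. only <supportedRuntime>
    asm_value = asm.get("value", "") if asm is not None else ""
    simple_name = asm_value.split(",")[0].strip()  # "Name, Version=..." -> "Name"
    return {
        "config": config_path,
        "exe_present": os.path.isfile(config_path[: -len(".config")]),
        "assembly": asm_value,
        "type": typ.get("value", "") if typ is not None else "",
        # the hijack only works if the managed DLL resolves next to the EXE
        "dll_beside_exe": os.path.isfile(os.path.join(os.path.dirname(config_path), simple_name + ".dll")),
    }

def scan_tree(root_dir):
    """Findings for every *.exe.config under root_dir that sets an AppDomainManager."""
    configs = [os.path.join(d, n) for d, _, names in os.walk(root_dir)
               for n in names if n.lower().endswith(".exe.config")]
    return [f for f in map(inspect_config, configs) if f]

HIJACK_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="UpdateHelper.Manager"/>
</runtime></configuration>"""
BENIGN_CONFIG = "<configuration><startup><supportedRuntime version='v4.0'/></startup></configuration>"

def build_sample_tree():
    """Constructed sample: a hijacked 'Updater' folder plus a benign 'Other' folder."""
    root = tempfile.mkdtemp()
    files = {"Updater/Updater.exe": "", "Updater/Updater.exe.config": HIJACK_CONFIG,
             "Updater/UpdateHelper.dll": "", "Other/Other.exe.config": BENIGN_CONFIG}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Baseline known installs before alerting, since a few legitimate applications ship their own AppDomainManager. The same settings can also be supplied through the APPDOMAIN_MANAGER_ASSEMBLY and APPDOMAIN_MANAGER_TYPE environment variables, which this file-based check does not cover.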

Sources