
Iranian APT escalates cyber campaign targeting US and European aviation infrastructure

IRGC-affiliated Nimbus Manticore deploys AI-assisted malware and supply chain attacks as asymmetric leverage during US-Iran conflict.

Iranian state-sponsored threat group Nimbus Manticore launched a multi-vector cyber campaign targeting aerospace and aviation infrastructure across the US, Europe, and Middle East between February and April 2026, introducing custom malware families and supply chain compromise techniques as tensions escalated during Operation Epic Fury.

The campaign marked a strategic shift from traditional espionage toward operational disruption capabilities in civilian critical infrastructure. Nimbus Manticore, affiliated with Iran’s Islamic Revolutionary Guard Corps, deployed two new malware families—MiniFast and MiniJunk V2—while adopting SEO poisoning and AI-assisted malware development for the first time, according to Check Point Research.

Campaign at a glance
  • Campaign duration: February to April 2026
  • Attack waves: 3
  • Iranian APT groups active: 60+

Three-stage escalation

The campaign unfolded in three distinct waves. Initial phishing operations in February 2026 targeted aviation professionals with personalized lures impersonating industry organizations. By March, the group deployed trojanized installers masquerading as legitimate software. The April phase introduced SEO poisoning—a first for Nimbus Manticore—using a fake SQL Developer download portal ranked via keyword stuffing on Bing and DuckDuckGo, per GBHackers.

MiniFast, the group’s new 64-bit DLL backdoor, provided full remote control including file exfiltration, command execution, and process manipulation. The malware incorporated AppDomain hijacking to evade detection—a technique requiring deeper knowledge of .NET runtime internals than previous Nimbus Manticore tools demonstrated.

“The Iranian, IRGC affiliated, threat actor Nimbus Manticore resurfaced during Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, demonstrating newly adopted techniques and enhanced capabilities.”

— Check Point Research

Targets included US domestic airlines and European organizations in Denmark, Sweden, and Portugal. Palo Alto Networks Unit 42 independently verified parallel campaigns against aerospace, defense, and telecommunications professionals in the US, Israel, and UAE using the same malware families under the tracking name Screening Serpens.

AI-accelerated development

Check Point researchers identified evidence of AI-assisted malware development in MiniFast’s codebase, suggesting Iranian operators leveraged large language models to accelerate production during wartime operations. The finding aligns with broader patterns: over 60 Iranian-linked cyber groups claimed activity by March 2, 2026, according to Unit 42, with MOIS-affiliated Handala Hack compromising Israeli energy firms, Jordanian fuel systems, and healthcare targets in parallel.

  • 28 Feb 2026, Operation Epic Fury launches: US and Israel begin coordinated airstrikes on Iranian leadership, nuclear facilities, and military sites.
  • Feb 2026, phishing wave: Nimbus Manticore initiates targeted phishing against aviation and aerospace professionals.
  • March 2026, trojanized installers: the group deploys malicious software installers masquerading as legitimate applications.
  • 7 April 2026, PLC targeting advisory: FBI, CISA, and NSA issue a joint advisory on Iranian APT targeting of internet-exposed PLCs across US critical infrastructure.
  • April 2026, SEO poisoning campaign: Nimbus Manticore deploys a fake SQL Developer portal via search engine optimization.

The operational tempo suggests wartime pressure drove innovation. “The ongoing conflict in the Middle East, combined with the operational demands of wartime activity, appears to have significantly accelerated their malware evolution,” Check Point noted in its analysis.

Critical infrastructure expansion

Beyond aerospace targeting, Iranian-affiliated actors demonstrated willingness to disrupt operational technology. A joint FBI, CISA, and NSA advisory issued April 7, 2026 warned that Iranian APT actors had been targeting internet-exposed programmable logic controllers across US government services, water and wastewater systems, and energy sectors since at least March, causing operational disruption and financial losses.

Context

Programmable logic controllers manage industrial processes including water treatment, power distribution, and manufacturing. Unlike traditional IT systems, PLC compromise can cause physical equipment damage or safety hazards. Iranian targeting of these systems represents a shift from data theft toward potential infrastructure disruption.

Jeffrey Troy, president of the Aviation Information Sharing and Analysis Center, told CNN: “We have been expecting attacks as a consequence of the war. In the bigger picture, we have seen fake IT worker schemes and attempts to get credentials by abusing the help desks at companies.”

Researchers do not believe aviation or oil firms were successfully breached by the specific Nimbus Manticore campaign, but confirmed other targets were compromised. The distinction matters: the group demonstrated capability to reach supply chains feeding critical infrastructure operators, even if final exploitation remains unconfirmed.

Asymmetric leverage

The campaigns reflect calculated asymmetric escalation. Iran cannot match US kinetic capabilities, but cyber operations impose costs on adversaries and allies while remaining below thresholds that trigger conventional military response. Palo Alto Networks researchers emphasized the personalization of recent attacks: “By leveraging tailored social engineering tactics, including fake job requisitions and spoofed video conferencing meeting invitations, the attackers lure victims into initiating the infection chain.”

Key Takeaways
  • Nimbus Manticore deployed three distinct attack waves (phishing, trojanized installers, SEO poisoning) between February and April 2026
  • MiniFast backdoor introduced AI-assisted development and AppDomain hijacking techniques not previously observed in the group’s toolkit
  • Separate Iranian APT operations targeted PLCs across US critical infrastructure since March 2026, causing operational disruption
  • Campaign targets included US aviation, European aerospace, and Middle East telecommunications organizations
  • Over 60 Iranian cyber groups claimed activity during the same timeframe, suggesting coordinated escalation

The technical sophistication—particularly AppDomain hijacking and AI-assisted malware development—signals Iran’s willingness to invest in capabilities during conflict rather than relying solely on pre-existing toolsets. Check Point assessed the campaign “reflects a mature, well‑resourced actor prioritizing stealth, resiliency, and operational security across delivery, infrastructure, and payload layers.”

What to watch

Monitor for expansion beyond reconnaissance toward active disruption of aviation operational systems. The gap between demonstrated capability (supply chain access) and observed exploitation (espionage) may narrow if conflict intensifies. CISA’s April advisory on PLC targeting suggests Iranian operators are already testing disruption tactics in parallel sectors—water, energy, government services—where defense postures may be weaker than commercial aviation.

Track whether other Iranian APT groups adopt Nimbus Manticore’s AI-assisted development techniques or SEO poisoning tactics, indicating knowledge transfer across IRGC and MOIS cyber units. The 60+ groups active by early March represent decentralized operations; capability diffusion would complicate attribution and defense.

Watch for targeting pattern shifts. Current campaigns focused on US allies (Denmark, Sweden, Portugal) and regional adversaries (Israel, UAE) alongside direct US targets. Broadening to NATO infrastructure or Indo-Pacific partners would signal strategic escalation beyond Middle East conflict theaters.