Iranian Hackers Strike with MiniFast and MiniJunk V2

Michael Miller · 2026-05-26

You might think cybersecurity threats only come from lone wolves in basements. But sometimes, entire nations get involved. That's exactly what's happening with a recent campaign tied to an Iranian state-sponsored group known as Nimbus Manticore, also called Screening Serpens and UNC1549. These aren't just random hackers—they're backed by a government, and they're using some clever tricks to get inside your systems. ### What's the Big Deal? Here's the situation. In late February 2026, the U.S. and Israel launched a joint military campaign against Iran. Almost immediately after, this threat actor started a fresh wave of attacks. They're not just blasting out generic phishing emails either. They're using lures that impersonate real organizations in the aviation and software industries. Think about that for a second: they're pretending to be companies you might actually trust, like an airline or a software vendor you work with. - **Targets:** Organizations in the U.S., Europe, and the Middle East. - **Method:** Phishing emails and SEO poisoning to trick people into visiting malicious sites. - **Tools:** Two malware strains called MiniFast and MiniJunk V2. ### How Do They Get In? The attackers are using two main entry points. First, there's phishing. You get an email that looks totally legit—maybe it's from your IT department or a partner company. It asks you to click a link or download an attachment. But that link takes you to a fake login page, or that attachment installs malware on your machine. Second, they're using SEO poisoning. This is a bit sneakier. They create malicious websites that rank high in search results for common terms. So if you search for "aviation software update" or something similar, their fake site pops up before the real one. You click it, thinking it's safe, and boom—you're infected. ### What Are MiniFast and MiniJunk V2? These are the actual malware tools used in the campaign. MiniFast is a backdoor that gives attackers remote access to your system. It can steal files, log keystrokes, and even take screenshots. MiniJunk V2 is a dropper—it downloads and installs other malicious software onto your computer. Together, they form a one-two punch that can compromise your entire network. > "The attackers are using phishing and SEO poisoning as a one-two punch to bypass traditional defenses." ### Why Should You Care? If you work in aviation, software development, or any related field in the U.S., you're a potential target. This isn't just about data theft—it's about espionage. These attackers want to steal intellectual property, disrupt operations, and gain a strategic advantage. And since they're state-sponsored, they have deep pockets and plenty of patience. ### What Can You Do? First, stay skeptical. If an email looks urgent or too good to be true, pause before clicking. Check the sender's address carefully. Hover over links to see where they really go. Second, use strong, unique passwords and enable two-factor authentication everywhere you can. Third, keep your software updated. Many of these attacks exploit known vulnerabilities that patches already fix. Finally, consider using an antidetect browser if you're managing multiple accounts or working in sensitive environments. These tools help mask your digital fingerprint, making it harder for attackers to track you or launch targeted attacks. It's not a silver bullet, but it adds another layer of protection. ### The Bottom Line This campaign is a reminder that cyber threats are constantly evolving. The bad guys are using sophisticated methods like SEO poisoning to reach you, even when you think you're safe. Stay alert, stay updated, and don't let your guard down.