SecurityWeek reports that Nimbus Manticore, an Iranian advanced persistent threat (APT) group, has maintained an active campaign targeting aviation and software companies even during and in the aftermath of the US military campaign against Iran. Researchers tracking the group observed the use of updated malware tooling consistent with a deliberate effort to preserve long-term access within targeted organizations despite significant geopolitical disruption.
Threat Actor Profile: Nimbus Manticore
Nimbus Manticore is an Iranian state-aligned threat actor with a documented history of targeting aerospace, defense, and technology organizations. The group's operations align with Iranian strategic intelligence priorities — gathering technical and operational data from sectors where Iran seeks to close knowledge gaps or monitor adversary capabilities.
The group has demonstrated operational persistence, continuing to run active intrusion campaigns even during periods of significant pressure or geopolitical tension that might typically force a pause in offensive cyber operations. The continuation of activity during and after a US military campaign against Iran represents a notable escalation in operational tempo and signals that the group's tasking reflects high-priority state intelligence objectives.
Updated Toolset
Researchers identified that Nimbus Manticore has updated its malware toolkit to evade detection and maintain persistence on previously compromised systems. While specific technical indicators are expected to be published in follow-on research, the updated tooling reportedly includes:
- Modified backdoor variants with altered signatures and obfuscation to bypass existing detection rules
- Revised command-and-control (C2) infrastructure to avoid blocklisted domains and IP ranges used in prior campaigns
- Updated persistence mechanisms targeting legitimate system processes and scheduled tasks to blend with normal operating system behavior
This pattern of iterative tool evolution in response to detection and disruption is characteristic of well-resourced state-sponsored actors with dedicated development pipelines.
Targeted Sectors
The confirmed targeting of aviation and software development companies reflects two distinct strategic objectives:
Aviation Sector — Iran has long sought to circumvent Western sanctions on aviation parts and technology. Intelligence collected from aviation targets enables procurement of restricted components, insight into maintenance practices, and monitoring of Western aerospace capabilities. The aviation sector also represents critical national infrastructure in targeted countries, making it a strategic espionage and potential pre-positioning target.
Software Companies — Software firms represent a force-multiplier target. Compromising a software vendor can provide access to the vendor's customers through supply chain attacks, access to proprietary algorithms and intellectual property, and insight into software used by other targeted organizations.
Operational Context
The timing of continued Nimbus Manticore operations during a US military campaign against Iran carries strategic significance. The persistence suggests:
- Pre-positioned access — The group likely maintained dormant implants in previously compromised networks that can be reactivated without new initial access operations
- Resilient C2 infrastructure — Updated tooling and infrastructure indicate contingency planning for operational disruption
- High-priority tasking — The continued risk-taking during a period of elevated geopolitical tension signals that the intelligence collection mandate outweighs operational security concerns
Defense Recommendations
Organizations in the aviation and software sectors, particularly those with US government contracts or defense supply chain relationships, should review their threat exposure against Iranian APT TTPs:
- Audit for dormant implants — Conduct retrospective log analysis and endpoint hunting for indicators associated with known Nimbus Manticore campaigns
- Review privileged access — Enumerate service accounts and privileged identities for signs of compromise or persistence mechanisms
- Monitor outbound DNS and HTTP — Iranian APT groups frequently use DNS tunneling and HTTP-based C2; behavioral analytics on outbound traffic can surface anomalous patterns
- Patch internet-facing systems — Iranian APT groups routinely exploit unpatched VPN gateways, web application flaws, and remote access tools for initial access
- Enable multi-factor authentication — Credential theft via phishing remains a primary initial access vector for Iranian threat actors
Source: SecurityWeek