The Invisible Threat: How Iranian Hackers Are Infiltrating European Defense
Researchers at Check Point have uncovered a prolonged and targeted campaign by the group Nimbus Manticore (also tracked as UNC1549 and Smoke Sandstorm), which since early 2025 has been directing operations against defence contractors, telecom providers, and aviation entities—targets that align with the priorities of the Islamic Revolutionary Guard Corps.
The analysts recorded an intensification of activity across Western Europe, notably in Denmark, Sweden, and Portugal, where the attackers employed persuasive recruitment lures and carefully engineered infrastructure obfuscation.
Intrusions begin with personalized phishing emails purporting to come from HR personnel: each recipient receives a unique link and bespoke credentials for a fake portal built in React and often shrouded behind Cloudflare proxy services. Once the victim logs in, they are prompted to download a ZIP archive containing Setup.exe—a seemingly legitimate installer that initiates a complex side-loading chain of libraries via low-level Windows NT API calls.
The malicious routine unfolds through multiple stages. Setup.exe extracts a library named userenv.dll from the archive and then coerces the Windows component SenseSampleUploader.exe to load xmllite.dll by abusing a modified DllPath parameter. To establish persistence, the attackers copy files into %AppData%\Local\Microsoft\MigAutoPlay, rename the main binary to MigAutoPlay.exe, and register a scheduled task for autorun; each launch displays a faux network-error dialog to distract the user.
The toolset centers on the MiniJunk backdoor and the MiniBrowse infostealer. MiniJunk executes from DllMain, harvests system identifiers, hooks ExitProcess to alter process termination behavior, and spawns a separate thread to communicate with command-and-control servers. Commands—encoded as delimited strings—orchestrate device control and data exfiltration via standard file I/O, process creation, and dynamic library loading.
MiniBrowse implants itself into Chromium-family browser processes, extracts credential databases, and exfiltrates them to controller nodes via HTTP POST or named pipes. Both tools carry apparently valid digital signatures, present inflated binary sizes, and employ compiler-level obfuscation that has enabled some samples to evade detection for extended periods on platforms like VirusTotal.
The campaign exemplifies mature statecraft: layered resilience, meticulous operational security, and lures tailored to industry audiences. Organizations in at-risk sectors should harden anti-phishing defences, monitor for anomalous DLL loads, and treat unusually large signed binaries as potential indicators of stealthy side-loading or exploitation.
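The detection advice above can be turned into a simple hunt over endpoint image-load telemetry. The following is an added example, not code from the report or from Check Point; it runs against constructed Sysmon-style ImageLoad records (not real telemetry) and flags the two behaviours the report describes: a DLL that Windows normally ships in System32 (userenv.dll, xmllite.dll) being loaded from some other directory, and any process or module path under the MigAutoPlay persistence folder.

```python
"""Hunt for the DLL side-loading and persistence indicators described above.

Added example: the event records are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# DLL names the report says are side-loaded; genuine copies live in System32.
SIDELOADED_DLLS = {"userenv.dll", "xmllite.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Persistence folder named in the report (matched case-insensitively).
PERSISTENCE_DIR = r"\microsoft\migautoplay"


def _under_trusted(path: str) -> bool:
    """True if the path sits directly under a Windows system directory."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like side-loading (empty if clean)."""
    reasons = []
    image, loaded = event["Image"], event["ImageLoaded"]
    dll_name = PureWindowsPath(loaded).name.lower()
    if dll_name in SIDELOADED_DLLS and not _under_trusted(loaded):
        reasons.append(f"{dll_name} loaded from non-system path {loaded}")
    if PERSISTENCE_DIR in image.lower() or PERSISTENCE_DIR in loaded.lower():
        reasons.append("path under MigAutoPlay persistence folder")
    return reasons


def hunt(events) -> list:
    """Return (Image, reasons) for every event that trips at least one rule."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["Image"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed records: one benign, three matching the report
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\userenv.dll"},
    {"Image": r"C:\Users\jdoe\Downloads\Setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\userenv.dll"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\MigAutoPlay\MigAutoPlay.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Microsoft\MigAutoPlay\xmllite.dll"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\MigAutoPlay\SenseSampleUploader.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The benign svchost load of the real System32 userenv.dll produces no hit, while the Downloads copy, the MigAutoPlay copy of xmllite.dll, and any binary executing from the persistence folder are all flagged.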