The Iranian hacker group Nimbus Manticore (UNC1549) executed a sophisticated spear-phishing campaign targeting Boeing, a major aerospace and defense company, under the guise of fake job applications. Employees received deceptive emails directing them to a fraudulent career portal mimicking Boeing’s branding, where they were tricked into downloading a malicious ZIP archive disguised as a legitimate installer (*setup.exe*). This file deployed an evolved variant of the Minibike malware (MiniJunk and MiniBrowse), establishing a backdoor for persistent access and exfiltrating sensitive data, including proprietary aerospace designs, defense contracts, and employee credentials. The breach compromised highly classified intellectual property, potentially undermining Boeing’s competitive edge in the defense and aviation sectors. Given the group’s ties to Iran’s IRGC, the stolen data could be leveraged for geopolitical espionage or sold to adversarial nations, posing risks to national security. The attack also disrupted internal operations, forcing Boeing to initiate emergency cybersecurity audits, incident response protocols, and employee retraining, incurring significant financial and reputational damage. The long-term impact includes eroded trust among defense partners and potential regulatory penalties for failing to safeguard critical infrastructure data.
Source: https://hackread.com/iranian-hackers-fake-job-breach-europe-industries/
TPRM report: https://www.rankiteo.com/company/boeing-defense-space-security
{
  "id": "boe5592255092325",
  "linkid": "boeing-defense-space-security",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'industry': 'aerospace/defense',
                        'location': ['Europe (targeted)', 'USA (HQ)'],
                        'name': 'Boeing',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'aerospace/defense',
                        'location': ['Europe (targeted)', 'France (HQ)'],
                        'name': 'Airbus',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': 'aviation',
                        'location': ['Europe (targeted)', 'UAE (HQ)'],
                        'name': 'flydubai',
                        'size': 'large',
                        'type': 'corporation'},
                       {'industry': ['defense', 'telecommunications', 'aerospace'],
                        'location': ['Denmark', 'Sweden', 'Portugal', 'other European countries'],
                        'name': 'Unnamed defense/telecom/aerospace companies',
                        'type': ['corporations', 'government contractors']}],
 'attack_vector': ['spear-phishing emails',
                   'fake job application websites',
                   'malicious ZIP archives (setup.exe)',
                   'backdoor installation',
                   'evolved malware (MiniJunk, MiniBrowse)'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': ['potential (via stolen credentials)'],
                 'sensitivity_of_data': 'high (defense/telecom/aerospace sector intelligence)',
                 'type_of_data_compromised': ['corporate credentials',
                                              'sensitive intelligence',
                                              'passwords']},
 'date_detected': 'early 2025',
 'description': 'A group of Iranian hackers known as Nimbus Manticore (also called UNC1549 or '
                'Smoke Sandstorm) is expanding its operations to target major companies across '
                'Europe, particularly in the defense, telecommunications, and aerospace sectors. '
                'The group uses sophisticated spear-phishing campaigns, including fake job '
                'invitations and malicious websites mimicking legitimate companies like Boeing, '
                'Airbus, and flydubai. The attacks deploy evolved malware variants (MiniJunk, '
                'MiniBrowse) derived from older tools like Minibike (SlugResin) to steal sensitive '
                'information. The campaign aligns with Iran’s IRGC strategic intelligence-gathering '
                'goals and marks a shift from the group’s traditional focus on the Middle East '
                '(Israel, UAE) to Europe (Denmark, Sweden, Portugal).',
 'impact': {'brand_reputation_impact': ['potential reputational damage to targeted companies '
                                        '(Boeing, Airbus, flydubai, etc.)'],
            'data_compromised': ['sensitive corporate information',
                                 'credentials',
                                 'passwords'],
            'identity_theft_risk': ['high (credentials stolen via MiniBrowse)']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['spear-phishing emails (fake job invites)',
                                           'LinkedIn HR recruiter impersonation'],
                           'high_value_targets': ['defense contractors',
                                                  'telecom firms',
                                                  'aerospace companies']},
 'investigation_status': 'ongoing (tracked by CPR since early 2025)',
 'lessons_learned': ['Iranian threat actors are expanding beyond the Middle East to Europe, '
                     'targeting high-value sectors (defense/telecom/aerospace).',
                     'Sophistication of malware (MiniJunk, MiniBrowse) demonstrates evolving TTPs '
                     'to evade detection.',
                     'Multi-stage attack chains (fake job sites → malicious ZIPs → backdoors) '
                     'highlight the need for pre-emptive email/file filtering.',
                     'Parallel low-sophistication campaigns (HR recruiter impersonation) show '
                     'diversified attack strategies.'],
 'motivation': ['strategic intelligence gathering',
                'geopolitical espionage',
                'alignment with Iran’s IRGC goals'],
 'post_incident_analysis': {'root_causes': ['Successful spear-phishing via socially engineered '
                                            'job lures.',
                                            'Use of legitimate-looking React templates for fake '
                                            'career sites (hidden behind Cloudflare).',
                                            'Evolved malware (MiniJunk, MiniBrowse) bypassing '
                                            'traditional detection.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement pre-emptive blocking of malicious emails and files before they '
                     'reach employees (as recommended by CPR).',
                     'Enhance employee training on spear-phishing lures, especially fake job '
                     'offers.',
                     'Monitor for React-based fake career websites registered behind Cloudflare.',
                     'Track Iranian APT groups (e.g., Nimbus Manticore/UNC1549) for evolving TTPs.',
                     'Segment networks to limit lateral movement post-compromise.',
                     'Deploy behavioral analysis tools to detect evolved malware variants '
                     '(e.g., MiniJunk).'],
 'references': [{'source': 'Check Point Research (CPR)'},
                {'source': 'PRODAFT (parallel campaign report)'}],
 'response': {'communication_strategy': ['public advisory via CPR research report'],
              'enhanced_monitoring': ['recommended by CPR to block malicious emails/files '
                                      'pre-employee access'],
              'third_party_assistance': ['Check Point Research (CPR)',
                                         'PRODAFT (parallel campaign)']},
 'stakeholder_advisories': ['CPR research report warning European defense/telecom/aerospace '
                            'sectors'],
 'threat_actor': ['Nimbus Manticore',
                  'UNC1549',
                  'Smoke Sandstorm',
                  'Iranian IRGC-aligned group'],
 'title': 'Nimbus Manticore (UNC1549/Smoke Sandstorm) Cyber Espionage Campaign Targeting '
          'European Defense, Telecom, and Aerospace Sectors',
 'type': ['cyber espionage',
          'spear-phishing',
          'malware deployment',
          'data theft']}